Recently, the website Cyanogenmod.com was compromised and was spreading a piece of malware loaded from warlikedisobey.org/coehegzxw8xgahtrb, hosted by Indo Network Solutions, Scranton, Pennsylvania (USA) (66.197.158.102).
Whois info for 66.197.158.102:
IP address: 66.197.158.102
Reverse DNS: static-ip-102-158-197-66.host.cybernet.co.id.
ASN: 21788
ASN Name: NOC
IP range connectivity: 7
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 66.197.0.0 to 66.197.255.255
Country fraud profile: Normal
City (per outside source): Reno, Nevada
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

If we query urlquery.net for the URL, we can see that this server has been used since 2011-09-27 to spread malware through multiple domains hosted on it.
Date                 Alerts  URL                                                      IP
2011-10-20 02:41:46  0       warlikedisobey.org/coehegzxw8xgahtrb                     66.197.158.102
2011-10-11 01:20:45  0       warlikedisobey.org/osnp91icm/?5                          66.197.158.102
2011-10-11 01:16:42  0       nestjolt.org/5gbd3jzxwfqjnp1eh/                          66.197.158.102
2011-10-11 01:14:31  0       nestjolt.org/5gbd3jzxwfqjnp1eh/                          66.197.158.102
2011-10-11 00:59:42  0       http://turbidworship.org/osnp91icm/?1                    66.197.158.102
2011-10-06 20:24:52  0       nationearn.org                                           66.197.158.102
2011-09-27 12:45:01  0       http://starryplank.org/bp1tezzxwtauh                     66.197.158.102
2011-09-27 12:35:14  0       http://starryplank.org/bp1tezzxwtauh                     66.197.158.102
2011-09-27 12:02:07  0       http://starryplank.org/but3os0wp/                        66.197.158.102
2011-09-27 12:00:59  0       http://starryplank.org/but3os0wp/?3a75067eb1353ae040165  66.197.158.102
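The pivot described above (one malicious URL, then every other domain seen on the same hosting IP and the date it was first observed) as an added example that is not part of the original post, run offline over rows constructed from the urlquery entries quoted here. The line format "date time alerts url ip" and the helper names are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: a subset of the urlquery rows quoted in the post,
# one observation per line as "<date> <time> <alerts> <url> <ip>" (assumed format).
SAMPLE_OBSERVATIONS = """\
2011-10-20 02:41:46 0 warlikedisobey.org/coehegzxw8xgahtrb 66.197.158.102
2011-10-11 01:20:45 0 warlikedisobey.org/osnp91icm/?5 66.197.158.102
2011-10-11 01:16:42 0 nestjolt.org/5gbd3jzxwfqjnp1eh/ 66.197.158.102
2011-10-11 00:59:42 0 http://turbidworship.org/osnp91icm/?1 66.197.158.102
2011-10-06 20:24:52 0 nationearn.org 66.197.158.102
2011-09-27 12:45:01 0 http://starryplank.org/bp1tezzxwtauh 66.197.158.102
2011-09-27 12:00:59 0 http://starryplank.org/but3os0wp/?3a75067eb1353ae040165 66.197.158.102
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (\d{1,3}(?:\.\d{1,3}){3})$")

def parse_observations(text):
    """Parse observation lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, alerts, url, ip = m.groups()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "alerts": int(alerts), "url": url, "ip": ip})
    return records

def hostname_of(url):
    """Host part of a URL; urlquery prints some URLs without a scheme, so add one."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname.lower()

def pivot_by_ip(records):
    """Group observations by hosting IP: sibling domains, first/last seen, hit count."""
    by_ip = defaultdict(lambda: {"domains": set(), "first_seen": None,
                                 "last_seen": None, "hits": 0})
    for r in records:
        e = by_ip[r["ip"]]
        e["domains"].add(hostname_of(r["url"]))
        e["hits"] += 1
        e["first_seen"] = r["ts"] if e["first_seen"] is None else min(e["first_seen"], r["ts"])
        e["last_seen"] = r["ts"] if e["last_seen"] is None else max(e["last_seen"], r["ts"])
    return by_ip

def sibling_domains(records, url):
    """Every other domain observed on the IP(s) that served the given known-bad URL."""
    ips = {r["ip"] for r in records if r["url"] == url}
    seen, host = pivot_by_ip(records), hostname_of(url)
    return sorted(d for ip in ips for d in seen[ip]["domains"] if d != host)
```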
It seems that Indo Network servers have been used for spreading malware and spam several times. If we search the Project Honeypot website for the offending IP, we can see that a number of servers within the Indo Network range have been used for spamming.
The CyanogenMod site has been the target of attacks before, and may have been spreading malware quietly. This was already discussed on Cyanogen's forum earlier (25 September 2011).
The original post is on pastebin here.
You should take a look at the last line of the following code: