[anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)
- Previous message (by thread): [anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)
- Next message (by thread): [anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
steve payne
stevenp8844 at gmail.com
Tue Jan 12 14:53:21 CET 2021
Here is the new hacked script call to URL that is responsible for controlling
this malware and hacked data.

http://135.181.21.126/story2020.php?pass=aodhfherkejkerjk&q=

On Tue, Jan 12, 2021 at 6:40 AM steve payne <stevenp8844 at gmail.com> wrote:

> "P.S. Please send me via private email the full list of suspicious URLs.
> I may not be able to actually do anything with those, but I can at least
> have a look. (For some reason my browser is not allowing me to just cut
> and paste from your google docs.)"
>
> I have sent you an email with two attachments. Please let me know if you
> do not receive it!
>
> On Tue, Jan 12, 2021 at 6:30 AM steve payne <stevenp8844 at gmail.com> wrote:
>
>> Hi,
>>
>> "All abuse complaints must be put through their abuse form:
>>
>> https://www.ovh.com/world/abuse/"
>>
>> I have filled out the form with OVH a few times, almost 2 weeks ago, and
>> have not heard any response. The domains I submitted are still active and
>> redirecting to malware.
>>
>> "It must be put through their abuse form:
>>
>> https://www.cloudflare.com/abuse/form"
>>
>> The main form for the Cloudflare Malware submit form only allows for 1
>> URL submission at a time. I have submitted this form many times and support
>> tickets, as I also have a Cloudflare service.
>>
>> I was told this can only be handled by the "Support & Trust" team and
>> they will reach out to me. We have gone through this twice, yet all domains
>> are still actively hosted through Cloudflare.
>>
>> "I'm confused. How exactly does one "spam" a search engine?
>>
>> And what is "spun text", exactly?"
>>
>> This spam operation is no small operation. The way they are spamming
>> search engines is by using the authority of hacked domains to "link to"
>> these fraud domains. It's bringing link juice and a lot of search engine
>> traffic.
>>
>> By "spun text", it's basically garbled text that has thousands of
>> keywords in it, and for some reason Google is not able to detect it.
>>
>> Here are a couple of links.
>>
>> https://www.google.com/search?q=site%3Aatlantidepz.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aatlantidepz.it&aqs=chrome..69i57j69i58.4172j0j7&sourceid=chrome&ie=UTF-8
>>
>> https://www.google.com/search?q=site%3Aandrea-rubinetterie.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aandrea-rubinetterie.it&aqs=chrome..69i57j69i58.6191j0j7&sourceid=chrome&ie=UTF-8
>>
>> Basically, search Google for site:domain and you will see the "spun text".
>>
>> Here is a direct domain (there are many inside of the two files I
>> listed): http://asugroup.ir/bdo-wizard-ziuli/seccomp-bypass-ctf.html
>>
>> "seccomp bypass ctf First Seccomp Bypass study This test will connect to a
>> mail server via SMTP, perform a simple Open Relay Test and verify the
>> server has a reverse DNS (PTR) record. This is the most disappointing and
>> astonishing challenge in this year's DEFCON qual. On Linux, chroot() can be
>> used to break out of a chroot() jail: chroot() does not require your pwd be
>> in the directory that is chroot()'d to the new root. See the complete
>> profile on LinkedIn and discover Ajin's connections and jobs at similar
>> companies. From the initial plan we know we must change values on
>> _IO_2_1_STDOUT->file->vtable, and values on the _IO_helper_jumps vtable but
>> there will be a lot of values in the middle because we are overflowing
>> everything from the very beginning, in this case from the stdin we can't
>> just fill everything with nulls and expect everything to run smoothly ,
>> obviously the program will Apr 14, 2020 · Allocate a chunk using
>> leave_feedback function and free it and since the seccomp filters uses heap
>> to allocate its rules the freed chunk will never be merged with top chunk
>> and considering the big size of allocation is 0x501 the freed chunk will go
>> to unsorted bin because tcache bins can only holds size lower then 0x408.
>> Fuzzing {{7*7}} Till {{P1}} This is an SSTI writeup. 1. Current list last
>> refreshed on Tue, 2020-12-29 at 00:22:48 (local time) Microsoft, McAfee,
>> Rapid7, and Others Form New Ransomware Task Force id: | 2020-12-23 15:25:00
>> Thursday, September 17, 2020 OEM Security Newsalert - 17-Oct-2020. The
>> binary initializes some seccomp rules, and then EN | ZH. Hence, an attacker
>> might gain control over some process of a web browser but seccomp will
>> restrict the set of available syscalls to only those it needs. X. If answer
>> is Y\x00 then it calls set_context() else it calls system("/bin/sh") 12
>> Jul 2018 Introduction After my tutorial on seccomp, thanks for Google CTF
>> for This post will give the write-up for the execve-sandbox in GoogleCTF. 2
>> man page for review. areas of specialty include exmpedded/IoT CTF / Capture
>> the Flag and IoT Village CTF: Security Innovation will be hosting the CTF
>> event using their CMD+CTRL platform .
>> com/2020/07/26/security-101-backups-protecting-backups <p>I can already
>> hear some readers saying that backups are an 11 Apr 2019 ROP to Shellcode
>> To ease bypassing of the seccomp filter, let's first set up a ROP Service:
>> nc gissa-igen-01. HarveyHunt/howm 451 A lightweight, X11 tiling window
>> manager that behaves like vim trailofbits/ctf 451 CTF Field Guide
>> bwalex/tc-play 451 Free and simple TrueCrypt Implementation based on
>> dm-crypt libharu/libharu 450 libharu - free PDF library gittup/tup 449 Tup
>> is a file-based build system. PHP-FPM/FastCGI bypass disable_functions 6.
>> 43 runtime : 6 remark : size (MB) : 1. Posted on December 13, 2020* in
>> ctf-writeups. club MMA CTF 2nd 2016 PPC pwn format string web sql injection
>> heap ASIS CTF Finals 2016 Use After Free fastbin off-by-one shadow stack
>> CSAW CTF 2016 overflow Crypto Forensic padding oracle attack World-first
>> proof-of-principle to bypass Internet kill switches. clMathLibraries/clBLAS
>> - a software library containing BLAS functions written in OpenCL;
>> andrewrk/libsoundio - C library for cross-platform real-time audio input
>> and output View Ajin Abraham's profile on LinkedIn, the world's largest
>> professional community. In this post we will give a possible solution to
>> the Weird Chall challenge set at the DEKRA CTF 2020. Vulc at n Difensiva Senior
>> Engineer, DDTEK Hawaii John CTF organizer, Legit Business Syndicate Chris
>> Eagle CTF organizer, DDTEK Invisigoth CTF organizer, Kenshoto Caezar CTF
>> organizer In this onlin "
>>
>> Etc. etc. etc. etc.
>>
>> Another easy way to spot them is by searching for 3-letter keywords in
>> the past hour. "PCH" is a big one.
>>
>> https://www.google.com/search?rlz=1C1GCEA_enUS802US802&biw=1920&bih=937&tbs=qdr%3Ah&sxsrf=ALeKk02CH7HNpzS8urRXOtXxUoV-aiqZUw%3A1610457738956&ei=iqL9X8zwOZfA0PEPyuGm-Ak&q=pch&oq=pch&gs_lcp=CgZwc3ktYWIQAzINCAAQsQMQgwEQyQMQQzIKCAAQsQMQgwEQQzIICAAQsQMQgwEyCAgAELEDEIMBMgQILhBDMgIIADIICAAQsQMQgwEyCAgAELEDEIMBMgIIADICCAA6BAgAEEM6CwguELEDEMcBEKMCOgUIABCxA1DjxxFYxckRYJbLEWgAcAB4AIABpwGIAZ4DkgEDMC4zmAEAoAEBqgEHZ3dzLXdpesABAQ&sclient=psy-ab&ved=0ahUKEwjM3dLLvpbuAhUXIDQIHcqwCZ8Q4dUDCA0&uact=5
>>
>> These results are the same with Bing.
>>
>> -------
>>
>> Here is a new Chrome Extension this malware group is promoting with
>> "download" to continue for search queries:
>> https://chrome.google.com/webstore/detail/search-and-newtab-by-medi/kgmkoajcbbjaobdbmcnhkppmpnejjpkn
>>
>> It has 400,000 downloads and basically changes Google from their default
>> search engine to "MediaNewPage".
>>
>> https://malwaretips.com/blogs/remove-medianewpage-search/
>>
>> There are pages that talk about how to remove a Chrome Browser Extension
>> Virus, but reporting it does nothing.
>>
>> On Mon, Jan 11, 2021 at 11:25 PM Ronald F. Guilmette <
>> rfg at tristatelogic.com> wrote:
>>
>>> In message <
>>> CAMPzqHa0T9PxyjbvA6AFZMOoVVMqipP1OXS8SNa+eY+KtUrQLA at mail.gmail.com>,
>>> steve payne <stevenp8844 at gmail.com> wrote:
>>>
>>> >There is a huge amount of some type of fraud happening with .it, .pl,
>>> .xyz
>>> >and other domains being registered (see links below).
>>> >
>>> https://docs.google.com/document/d/159Sbik8CkO9WDbLjH_tqAhr-dkpODWS1kt4UULLLfk0/edit?usp=sharing
>>> >
>>> https://docs.google.com/document/d/1z43WugqqgyVjNy6-IPgON118YaE0HxrgRMKbVwW42NM/edit?usp=sharing
>>> >
>>> >These links contain a list of over 5,000 domains that are currently
>>> >spamming search engines with spun text and then cloaking users to
>>> malware
>>> >that have the search engine referrer.
>>>
>>> I'm confused. How exactly does one "spam" a search engine?
>>>
>>> And what is "spun text", exactly?
>>>
>>> Regards,
>>> rfg
>>>
>>> P.S. Please send me via private email the full list of suspicious URLs.
>>> I may not be able to actually do anything with those, but I can at least
>>> have a look. (For some reason my browser is not allowing me to just cut
>>> and paste from your google docs.)
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ripe.net/ripe/mail/archives/anti-abuse-wg/attachments/20210112/b6edc2c1/attachment.html>
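The behaviour the thread describes (keyword-stuffed "spun text" served to the crawler, a harmless page served to a direct visitor, and a redirect to a third-party site only for visitors arriving with a search-engine Referer) can be checked from the outside by fetching the same URL under each of those three identities and comparing where each request lands. The script below is an added example written for this page; it is not code from the thread, from the reporter, or from any of the providers mentioned. The User-Agent strings, the `.invalid` host names and the `fake_hacked_site` / `fake_clean_site` fetchers are constructed stand-ins so the example runs offline; `live_fetch` is the real urllib-based fetcher for probing an actual URL.

```python
"""Probe one URL as a crawler, a direct visitor and a search-referred visitor,
and flag referrer/crawler cloaking.  Added example, not code from the thread."""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

# Hypothetical identities; any current browser/crawler UA works the same way.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SEARCH_REFERER = "https://www.google.com/"


@dataclass
class Probe:
    final_url: str   # where the request ended up after any redirects
    status: int
    body_head: str   # first bytes of the body, enough to compare what was served


Fetcher = Callable[[str, Dict[str, str]], Probe]


def live_fetch(url: str, headers: Dict[str, str]) -> Probe:
    """Real fetcher: urllib follows 3xx redirects, so final_url is the landing page."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return Probe(resp.geturl(), resp.status, resp.read(2048).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Probe(url, err.code, "")


def host_of(url: str) -> str:
    """Compare on hostname, not full URL: tracking params and sessions vary per request."""
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def probe_cloaking(url: str, fetch: Fetcher = live_fetch) -> Dict[str, object]:
    crawler = fetch(url, {"User-Agent": CRAWLER_UA})
    visitor = fetch(url, {"User-Agent": BROWSER_UA})
    referred = fetch(url, {"User-Agent": BROWSER_UA, "Referer": SEARCH_REFERER})
    return {
        # Same browser, only the Referer differs, yet a different host is reached.
        "referrer_cloaking": host_of(referred.final_url) != host_of(visitor.final_url),
        # The search-referred visitor is bounced off the hacked domain entirely.
        "offsite_landing": host_of(referred.final_url) != host_of(url),
        # The crawler is fed different content than a human visitor sees.
        "crawler_cloaking": crawler.status == 200 and crawler.body_head != visitor.body_head,
        "landing_url": referred.final_url,
    }


# --- Constructed stand-ins so the example runs offline ----------------------
SPUN_TEXT = "seccomp bypass ctf This test will connect to a mail server via SMTP ..."
NORMAL_PAGE = "<html><body>Ordinary company page</body></html>"


def fake_hacked_site(url: str, headers: Dict[str, str]) -> Probe:
    """Simulates the cloaking pattern from the thread (constructed, not a real site)."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return Probe(url, 200, SPUN_TEXT)                 # crawler: indexable keyword soup
    if "google." in headers.get("Referer", ""):
        return Probe("http://payload.invalid/landing", 200, "<script>/* dropper */</script>")
    return Probe(url, 200, NORMAL_PAGE)                   # direct visitor: nothing to see


def fake_clean_site(url: str, headers: Dict[str, str]) -> Probe:
    return Probe(url, 200, NORMAL_PAGE)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_cloaking(sys.argv[1]))                # real probe of the given URL
    else:
        print(probe_cloaking("http://hacked-site.invalid/x/y.html", fetch=fake_hacked_site))
```

Run it with a URL argument to probe a live page, or with no argument to see the verdict against the constructed cloaking site. Two caveats for real use: a site can legitimately personalise per referrer, so treat `referrer_cloaking` as a lead rather than proof and look at `landing_url`; and cloakers often add further conditions (client geolocation, one redirect per IP, mobile-only), so a single clean probe does not clear a domain.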