[anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)
- Previous message (by thread): [anti-abuse-wg] Huge List of Domains Cloaking to Malware (5, 000+)
- Next message (by thread): [anti-abuse-wg] DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
steve payne
stevenp8844 at gmail.com
Tue Jan 12 15:04:18 CET 2021
Here is one of the Malware Wordpress Themes that have lots of reports, comments about the virus and more. Yet it still remains online:

https://wordpress.org/support/plugin/three-column-screen-layout/reviews/

On Tue, Jan 12, 2021 at 6:53 AM steve payne <stevenp8844 at gmail.com> wrote:

> Here is the new hacked script call to url that is responsible for
> controlling this malware and hacked data.
>
> http://135.181.21.126/story2020.php?pass=aodhfherkejkerjk&q=
>
> On Tue, Jan 12, 2021 at 6:40 AM steve payne <stevenp8844 at gmail.com> wrote:
>
>> " P.S. Please send me via private email the full list of suspicious URLs.
>> I may not be able to actually do anything with those, but I can at least
>> have a look. (For some reason my browser is not allowing me to just cut
>> and paste from your google docs.)"
>>
>> I have sent you an email with two attachments. Please let me know if you
>> do not receive it!
>>
>> On Tue, Jan 12, 2021 at 6:30 AM steve payne <stevenp8844 at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> "All abuse complaints must be put through their abuse form:
>>>
>>> https://www.ovh.com/world/abuse/"
>>>
>>> I have filled out the form with OVH a few times, almost 2 weeks ago and
>>> have not heard any response. The domains I submitted are still active and
>>> redirecting to malware.
>>>
>>> "It must be put through their abuse form:
>>>
>>> https://www.cloudflare.com/abuse/form"
>>>
>>> The main form for the Cloudflare Malware submit form only allows for 1
>>> url submission at a time. I have submitted this form many times and support
>>> tickets, as I also have a Cloudflare service.
>>>
>>> I was told this can only be handled by the "Support & Trust" team and
>>> they will reach out to me. We have gone through this Twice, yet all domains
>>> are still actively hosted through Cloudflare.
>>>
>>> "I'm confused. How exactly does one "spam" a search engine?
>>>
>>> And what is "spun text", exactly?"
>>>
>>> This spam operation is no small operation. The way they are spamming
>>> search engines is by using the authority of hacked domains to "link to"
>>> these fraud domains. It's bringing link juice and a lot of search engine
>>> traffic.
>>>
>>> By "spun text", it's basically garbled text that has thousands of
>>> keywords in it and for some reason Google is not able to detect it.
>>>
>>> Here are a couple of links.
>>>
>>> https://www.google.com/search?q=site%3Aatlantidepz.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aatlantidepz.it&aqs=chrome..69i57j69i58.4172j0j7&sourceid=chrome&ie=UTF-8
>>>
>>> https://www.google.com/search?q=site%3Aandrea-rubinetterie.it&rlz=1C1GCEA_enUS802US802&oq=site%3Aandrea-rubinetterie.it&aqs=chrome..69i57j69i58.6191j0j7&sourceid=chrome&ie=UTF-8
>>>
>>> Basically search google for site:domain and you will see the "spun text".
>>>
>>> Here is a direct domain (there are many inside of the two files I
>>> listed): http://asugroup.ir/bdo-wizard-ziuli/seccomp-bypass-ctf.html
>>>
>>> " seccomp bypass ctf 첫 Seccomp Bypass 공부 This test will connect to a
>>> mail server via SMTP, perform a simple Open Relay Test and verify the
>>> server has a reverse DNS (PTR) record. This is the most disappointing and
>>> astonishing challenge in this year's DEFCON qual. On Linux, chroot() can be
>>> used to break out of a chroot() jail: chroot() does not require your pwd be
>>> in the directory that is chroot()'d to the new root. See the complete
>>> profile on LinkedIn and discover Ajin’s connections and jobs at similar
>>> companies. From the initial plan we know we must change values on
>>> _IO_2_1_STDOUT->file->vtable, and values on the _IO_helper_jumps vtable but
>>> there will be a lot of values in the middle because we are overflowing
>>> everything from the very beginning, in this case from the stdin we can’t
>>> just fill everything with nulls and expect everything to run smoothly ,
>>> obviously the program will Apr 14, 2020 · Allocate a chunk using
>>> leave_feedback function and free it and since the seccomp filters uses heap
>>> to allocate its rules the freed chunk will never be merged with top chunk
>>> and considering the big size of allocation is 0x501 the freed chunk will go
>>> to unsorted bin because tcache bins can only holds size lower then 0x408.
>>> Fuzzing {{7*7}} Till {{P1}} This is an SSTI writeup. 1. Current list last
>>> refreshed on Tue, 2020-12-29 at 00:22:48 (local time) Microsoft, McAfee,
>>> Rapid7, and Others Form New Ransomware Task Force id: | 2020-12-23 15:25:00
>>> Thursday, September 17, 2020 OEM Security Newsalert - 17-Oct-2020. The
>>> binary initializes some seccomp rules, and then EN | ZH. Hence, an attacker
>>> might gain control over some process of a web browser but seccomp will
>>> restrict the set of available syscalls to only those it needs. X. If answer
>>> is Y\x00 then it calls set_context() else it calls system("/bin/sh") 12
>>> Jul 2018 Introduction After my tutorial on seccomp, thanks for Google CTF
>>> for This post will give the write-up for the execve-sandbox in GoogleCTF. 2
>>> man page for review. areas of specialty include exmpedded/IoT CTF / Capture
>>> the Flag and IoT Village CTF: Security Innovation will be hosting the CTF
>>> event using their CMD+CTRL platform .
>>> com/2020/07/26/security-101-backups-protecting-backups <p>I can already
>>> hear some readers saying that backups are an 11 Apr 2019 ROP to Shellcode
>>> To ease bypassing of the seccomp filter, let's first set up a ROP Service:
>>> nc gissa-igen-01. HarveyHunt/howm 451 A lightweight, X11 tiling window
>>> manager that behaves like vim trailofbits/ctf 451 CTF Field Guide
>>> bwalex/tc-play 451 Free and simple TrueCrypt Implementation based on
>>> dm-crypt libharu/libharu 450 libharu - free PDF library gittup/tup 449 Tup
>>> is a file-based build system. PHP-FPM/FastCGI bypass disable_functions 6.
>>> 43 runtime : 6 remark : size (MB) : 1. Posted on December 13, 2020* in
>>> ctf-writeups. club MMA CTF 2nd 2016 PPC pwn format string web sql injection
>>> heap ASIS CTF Finals 2016 Use After Free fastbin off-by-one shadow stack
>>> CSAW CTF 2016 overflow Crypto Forensic padding oracle attack World-first
>>> proof-of-principle to bypass Internet kill switches. clMathLibraries/clBLAS
>>> - a software library containing BLAS functions written in OpenCL;
>>> andrewrk/libsoundio - C library for cross-platform real-time audio input
>>> and output View Ajin Abraham’s profile on LinkedIn, the world’s largest
>>> professional community. In this post we will give a possible solution to the
>>> Weird Chall challenge set in the DEKRA CTF 2020. Vulc at n Difensiva Senior
>>> Engineer, DDTEK Hawaii John CTF organizer, Legit Business Syndicate Chris
>>> Eagle CTF organizer, DDTEK Invisigoth CTF organizer, Kenshoto Caezar CTF
>>> organizer In this onlin "
>>>
>>> ETc etc. etc etc.
>>>
>>> Another easy way to spot them is by searching for 3 letter keywords in
>>> the past hour. "PCH" is a big one.
>>>
>>> https://www.google.com/search?rlz=1C1GCEA_enUS802US802&biw=1920&bih=937&tbs=qdr%3Ah&sxsrf=ALeKk02CH7HNpzS8urRXOtXxUoV-aiqZUw%3A1610457738956&ei=iqL9X8zwOZfA0PEPyuGm-Ak&q=pch&oq=pch&gs_lcp=CgZwc3ktYWIQAzINCAAQsQMQgwEQyQMQQzIKCAAQsQMQgwEQQzIICAAQsQMQgwEyCAgAELEDEIMBMgQILhBDMgIIADIICAAQsQMQgwEyCAgAELEDEIMBMgIIADICCAA6BAgAEEM6CwguELEDEMcBEKMCOgUIABCxA1DjxxFYxckRYJbLEWgAcAB4AIABpwGIAZ4DkgEDMC4zmAEAoAEBqgEHZ3dzLXdpesABAQ&sclient=psy-ab&ved=0ahUKEwjM3dLLvpbuAhUXIDQIHcqwCZ8Q4dUDCA0&uact=5
>>>
>>> These results are the same with Bing.
>>>
>>> -------
>>>
>>> Here is a new Chrome Extension this malware group is promoting with
>>> "download" to continue for search queries:
>>> https://chrome.google.com/webstore/detail/search-and-newtab-by-medi/kgmkoajcbbjaobdbmcnhkppmpnejjpkn
>>>
>>> It has 400,000 downloads and basically changes Google from their default
>>> search engine to "MediaNewPage".
>>>
>>> https://malwaretips.com/blogs/remove-medianewpage-search/
>>>
>>> There's pages that talk about how to remove a Chrome Browser Extension
>>> Virus, but reporting it does nothing.
>>>
>>> On Mon, Jan 11, 2021 at 11:25 PM Ronald F. Guilmette <
>>> rfg at tristatelogic.com> wrote:
>>>
>>>> In message <
>>>> CAMPzqHa0T9PxyjbvA6AFZMOoVVMqipP1OXS8SNa+eY+KtUrQLA at mail.gmail.com>,
>>>> steve payne <stevenp8844 at gmail.com> wrote:
>>>>
>>>> >There is a huge amount of some type of fraud happening with .it, .pl,
>>>> .xyz
>>>> >and other domains being registered (see links below).
>>>> >
>>>> https://docs.google.com/document/d/159Sbik8CkO9WDbLjH_tqAhr-dkpODWS1kt4UULLLfk0/edit?usp=sharing
>>>> >
>>>> https://docs.google.com/document/d/1z43WugqqgyVjNy6-IPgON118YaE0HxrgRMKbVwW42NM/edit?usp=sharing
>>>> >
>>>> >These links contain a list of over 5,000 domains that are currently
>>>> >spamming search engines with spun text and then cloaking users to
>>>> malware
>>>> >that have the search engine referrer.
>>>>
>>>> I'm confused. How exactly does one "spam" a search engine?
>>>>
>>>> And what is "spun text", exactly?
>>>>
>>>> Regards,
>>>> rfg
>>>>
>>>> P.S. Please send me via private email the full list of suspicious URLs.
>>>> I may not be able to actually do anything with those, but I can at least
>>>> have a look. (For some reason my browser is not allowing me to just cut
>>>> and paste from your google docs.)
>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ripe.net/ripe/mail/archives/anti-abuse-wg/attachments/20210112/ca3738bb/attachment.html>
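The thread describes domains that serve spun text to search-engine crawlers but redirect visitors who arrive with a search-engine referrer to malware. The script below is an added example (not code from the thread or from any of its participants) showing how an abuse analyst can verify that claim for a reported URL: it fetches the page twice, once as a plain visitor and once with a search-engine `Referer`, stops at the first redirect rather than following it, and reports any difference keyed on the referrer. It uses only the Python standard library; the browser User-Agent string and the `.invalid` host names used when exercising the comparison logic are constructed for the example.

```python
"""Referer-keyed cloaking check (added example, not from the anti-abuse-wg thread).

Fetch one URL as a plain visitor and again as a visitor referred by a search
engine, without following redirects, and compare where each request ends up.
A landing host or status that appears only when the Referer is present is the
cloaking behaviour the thread describes.
"""
import hashlib
import sys
from dataclasses import dataclass
from typing import Optional
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed desktop browser User-Agent; cloaking scripts commonly key on the
# UA as well as the Referer, so both requests present the same browser-like UA.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SEARCH_REFERER = "https://www.google.com/"


@dataclass
class FetchResult:
    final_url: str   # URL the request ended at, or the Location of the first redirect
    status: int
    body_hash: str   # sha256 of the response body
    body_len: int


class _StopAtRedirect(HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, referer: Optional[str] = None, timeout: float = 10.0) -> FetchResult:
    """Request url once; record final URL, status and a body digest."""
    headers = {"User-Agent": BROWSER_UA}
    if referer:
        headers["Referer"] = referer
    opener = build_opener(_StopAtRedirect())
    try:
        with opener.open(Request(url, headers=headers), timeout=timeout) as resp:
            body = resp.read()
            return FetchResult(resp.geturl(), resp.status,
                               hashlib.sha256(body).hexdigest(), len(body))
    except HTTPError as err:
        # 3xx (or an error status): record where the server tried to send us,
        # resolved against the requested URL in case Location is relative.
        location = err.headers.get("Location") if err.headers else None
        try:
            body = err.read() or b""
        except Exception:
            body = b""
        return FetchResult(urljoin(url, location) if location else url, err.code,
                           hashlib.sha256(body).hexdigest(), len(body))


def cloaking_verdict(plain: FetchResult, referred: FetchResult) -> dict:
    """Compare the two fetches; any difference keyed on the Referer is suspicious."""
    findings = []
    plain_host = urlparse(plain.final_url).netloc.lower()
    referred_host = urlparse(referred.final_url).netloc.lower()
    if plain_host != referred_host:
        findings.append(f"referer-only redirect to {referred_host}")
    if plain.status != referred.status:
        findings.append(f"status differs: {plain.status} plain vs {referred.status} referred")
    # Pages are rarely byte-identical across two requests (timestamps, nonces),
    # so a differing hash only counts when the size also changes substantially.
    size_gap = abs(plain.body_len - referred.body_len)
    if plain.body_hash != referred.body_hash and size_gap > max(256, plain.body_len // 4):
        findings.append(f"body size differs by {size_gap} bytes")
    return {"suspicious": bool(findings), "findings": findings}


def check_url(url: str, referer: str = SEARCH_REFERER) -> dict:
    """Fetch plain, then with a search-engine Referer, and compare the two."""
    plain = fetch(url)
    referred = fetch(url, referer=referer)
    verdict = cloaking_verdict(plain, referred)
    verdict["plain_final_url"] = plain.final_url
    verdict["referred_final_url"] = referred.final_url
    return verdict


if __name__ == "__main__":
    # Usage: python cloak_check.py http://reported-domain.example/page.html ...
    for target in sys.argv[1:]:
        try:
            print(target, check_url(target))
        except URLError as exc:
            print(target, "fetch failed:", exc.reason)
```

Run it from an isolated analysis host, since the plain request still retrieves the spun-text page itself; the redirect target is recorded from the `Location` header but never requested. A `referer-only redirect` finding is the evidence worth attaching to a hosting-provider or CDN abuse report, because it shows the behaviour a single manual visit without the referrer would miss.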