Server-wide iframe injections

Dennis (from unmask) posted about some iframe injections that he has been seeing lately: RFI: Server-wide iframe injections.

The post is interesting, so read that first. We are also seeing many variations of this attack, always with the iframes being injected as domain.com/[random numbers].html and redirecting the user to Fake AV. These are some of the URLs we are seeing:


Note that all (or most) of these sites are compromised and being used by the attackers to spread malware, botnet style. Dennis also asked how these sites are being hacked.

Initially, all of them were running Plesk (at least I could access it as site.com:8443). However, as the infection is growing, I am seeing many sites not using Plesk with this type of malware, so we can't know for sure. We assume it is a mix of attacks (brute force FTP + outdated Plesk + anything they can find).
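
To check your own pages for the pattern described above (an iframe pointing at another domain's [random numbers].html page), a scan like the following can help. This is an added example, not code from the original post; the host names, the sample page and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Path made up only of digits plus ".html", e.g. /12345678.html
NUMERIC_PAGE = re.compile(r"^/\d+\.html$")

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def suspicious_iframes(html, site_host):
    """Return iframe URLs that point off-site to /<digits>.html."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        url = urlsplit(src)
        host = (url.hostname or "").lower()
        if not host or host == site_host.lower():
            continue  # relative or same-site frame: not this pattern
        if NUMERIC_PAGE.match(url.path):
            hits.append(src)
    return hits

# Constructed sample page (hosts are placeholders, not from the post).
SAMPLE = """
<html><body>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="/12345678.html"></iframe>
<IFRAME SRC="http://compromised.example/12345678.html" width="1" height="1"></IFRAME>
<iframe src='//other.example/87654321.html' style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE, "mysite.example"):
        print("suspicious iframe:", hit)
```

Run it over every HTML, PHP and template file in the web root; because the injection is server-wide, a hit on one site means the other sites on the same server should be checked as well.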