[en] dreamamateurs.com: double Web exploit

dreamamateurs.com (~4000 on Alexa) leads to two different Web exploits.

[Screenshot: dreamamateurs_hacked]
Below the header, a JavaScript snippet loads a remote JavaScript file from jsmeta.com (213.229.69.42).
[Screenshot: dreamamateurs_hacked2]


That remote script loads the exploit kit through an iframe.
[Screenshot: dreamamateurs_hacked3]
The exploit kit URLs:
http://dworddb.com/akThrY133st045q10eTsI0ta5x06e1A0I1tL0DpKo0ytTm109Aj0A3J704wvi0wSOS0BoCc0udb10sAqd (91.201.215.173)
http://dworddb.com/akThrY133st045q10eTsI0ta5x06e1A0I1tL0DpKo0ytTm109Aj0A3J704wvi0wSOS0BoCc0udb10sAqd/
http://dworddb.com/akThrY133st045q10eTsI0ta5x06e1A0I1tL0DpKo0ytTm109Aj0A3J704wvi0wSOS0BoCc0udb10sAqd/arAlSIS.jar (requested several times)
http://dworddb.com/BFJYDH06Kh40NPpW0J40k0ZS270KfE30XzDk0Msjm04lNc07dmP0XrJi06wud0khHJ15cJP0wlvT0dpAk15mPf0b6Nj0BAnm0d7LA0YvwT0Lwx60P4aK0TcQu05Cd50gENB02DBx0DlTB0QjiF0gcA20cyAn0HucU0uXh8/getmyfile.exe?o=1&h=11

[Screenshot: dreamamateurs_hacked4]

According to Kaspersky, the dropped executable is Tepfer, an FTP credentials stealer.
The JavaScript does not show up on a second visit, and given its location (right below the header), I guess the site itself was hacked.
Probably the FTP credentials were stolen from the webmaster's computer by Tepfer, and the bad guys used them to add this iframe.
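The injection described above is a classic shape: a script tag that does not belong to the site, placed just below the header, which in turn pulls a zero-size iframe from the exploit kit host. The following scanner is an added example (not code from the original post) that flags script and iframe tags pointing off-site in a page's HTML, using the two hosts named in this writeup as known-bad indicators. The sample HTML, the `/js/site.js` and `loader.js` paths and the allowlist are constructed for the demo.

```python
"""Flag <script src> and <iframe src> tags that load from hosts a site does not own.

Added example for the dreamamateurs.com writeup. The sample page, the allowlist
and the remote script path are constructed; the known-bad hosts are the two named
in the post (jsmeta.com loader, dworddb.com exploit kit).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the post.
KNOWN_BAD_HOSTS = {"jsmeta.com", "dworddb.com"}

# Hosts the site legitimately serves assets from (constructed for the example).
ALLOWED_HOSTS = {"dreamamateurs.com", "www.dreamamateurs.com"}


class RemoteLoaderScanner(HTMLParser):
    """Collects script/iframe tags whose src points to a host outside the allowlist."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script or iframe without src: out of scope here
        host = urlparse(src).hostname
        if host is None or host in ALLOWED_HOSTS:
            return  # relative URL or first-party host
        verdict = "known-bad" if host in KNOWN_BAD_HOSTS else "external"
        # A zero-size or hidden iframe is the usual exploit kit loader shape.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            "display:none" in style
            or attrs.get("width") == "0"
            or attrs.get("height") == "0"
        )
        self.findings.append({
            "tag": tag,
            "host": host,
            "verdict": verdict,
            "hidden": hidden,
            "line": self.getpos()[0],
        })


def scan_html(html):
    """Return the list of off-site loaders found in the HTML, in document order."""
    parser = RemoteLoaderScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a first-party script, an injected loader below the
# header (the loader.js path is made up), and the exploit kit iframe from the post.
SAMPLE_PAGE = """\
<html><head><title>site</title>
<script src="/js/site.js"></script>
</head><body>
<div id="header">...</div>
<script src="http://jsmeta.com/loader.js"></script>
<div id="content">
<iframe src="http://dworddb.com/akThrY133st045q10eTsI0ta5x06e1A0I1tL0DpKo0ytTm109Aj0A3J704wvi0wSOS0BoCc0udb10sAqd/" width="0" height="0"></iframe>
</div></body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"line {f['line']}: <{f['tag']}> from {f['host']} "
              f"[{f['verdict']}{', hidden' if f['hidden'] else ''}]")
```

Run it against a fetched copy of your own pages (or a cron job diffing them) and alert on any "external" host that is not in the allowlist; an "external" hit that was not there yesterday is exactly the signal this post describes.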

[Screenshot: dreamamateurs_hacked5]

The second exploit is a malvertising chain that leads to a Sakura exploit kit:

http://ads.contextpimp.com/nats=MDhfrjEhnGDbTyoPzkjsdTB71ewnRTqklqRGsbqlowjYWmn
http://c2f1e10b6f.inlihe.asia/iniframe/c4fb89d28ae06c7830cbfd42642fecb2/65/f959045850fcfbc43bbbe35b0127d96f/11aedd0e432747c2bcd97b82808d24a0
http://9070f19b4a.edinar.asia/?b=3

The Sakura:
http://9d7d5917bb.initto.asia:82/forum/index.php?showtopic=715530
http://9d7d5917bb.initto.asia:82/forum/hram.php?hash=true&key=85adc86cca68a5120ade0fa72df730fb
hxxp://cdn1.ads.contentabc.com/ads/design4/ads/mf_300x250_72535/lst_natalie_nunez_soft_cut.flv
http://9d7d5917bb.initto.asia:82/forum/hram.php?hash=no&key=5c01b7b5ac7e17f2b605cfc58cea18a7 (requested twice)
http://9d7d5917bb.initto.asia:82/forum/Zend.class
http://9d7d5917bb.initto.asia:82/forum/Zend/class.class
[Screenshot: dreamamateurs_hacked6]
I know this malvertising very well because I have already blogged about it in the past, when it targeted pornerbros (767 on Alexa) on April 20 2012: The Sakura: http://www.malekal.com/2012/04/20/pornerbros-com-conduit-a-des-infections-via-des-exploits/ (in French).
It loads the ZeroAccess / Sirefef malware.

Guess what?

The malvertising is still active on pornerbros.com... so it has been running for at least 7 months.
Hmm... what is the record?
(Yeah, I already contacted them... but nothing changed. Hey FBI, could you unplug this website? 😉)

[Screenshot: dreamamateurs_hacked7]

This malvertising is very popular and active on different websites.
I also blogged about it in July for h2porn (it seems not to be active there anymore): http://www.malekal.com/2012/07/10/malvertising-sur-h2porn-com-zeroaccesssirefef/

A remark, the two ad servers are neighbours in the same netblock:

On pornerbros : ads7.pointads.net (212.95.58.45)
On dreamamateurs.com : ads.contextpimp.com (212.95.58.50)
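The chain above (ad server, iframe redirector on a throwaway `.asia` subdomain, then the Sakura landing page and its Java class files on port 82) is easy to spot in web-proxy logs once you key on the parent domains rather than the rotating hex subdomains, and on the shared 212.95.58.0/24 netblock of the two ad servers. The script below is an added example, not code from the original post: it rebuilds the redirect chain per client from a constructed log format (timestamp, client IP, destination IP, URL) and flags clients that reached the exploit kit. The domains, URLs and the two ad-server IPs are the indicators given in the post; the timestamps, client IPs, the destination IPs for the `.asia` hosts and the `banner.js` path are constructed.

```python
"""Rebuild the Sakura malvertising redirect chain from proxy logs and flag clients
that reached the exploit kit.

Added example for this writeup. Domains, URLs and the two ad-server IPs come from
the post; the log format, timestamps, client IPs, the destination IPs of the
.asia hosts and the banner.js path are constructed.
"""
import ipaddress
from urllib.parse import urlparse

# Parent domains of every host in the chain described in the post.
CHAIN_DOMAINS = {"pointads.net", "contextpimp.com", "inlihe.asia", "edinar.asia", "initto.asia"}

# Both ad servers named in the post (212.95.58.45 and 212.95.58.50) sit in this /24.
AD_NETBLOCK = ipaddress.ip_network("212.95.58.0/24")


def base_domain(host):
    """'9d7d5917bb.initto.asia' -> 'initto.asia': the hex subdomains rotate, the parent does not."""
    return ".".join(host.split(".")[-2:])


def classify_url(url):
    """Map a requested URL to a stage of the chain, or None if it is unrelated."""
    u = urlparse(url)
    host = u.hostname or ""
    if base_domain(host) not in CHAIN_DOMAINS:
        return None
    if host.endswith("initto.asia"):
        if u.path.endswith("/hram.php"):
            return "sakura-landing"       # landing page that serves the exploits
        if u.path.endswith(".class"):
            return "sakura-java-exploit"  # Java class files fetched by the applet
        return "sakura-other"             # e.g. /forum/index.php?showtopic=...
    if "/iniframe/" in u.path:
        return "iframe-redirector"
    return "ad-redirector"


def in_ad_netblock(ip):
    """True if the destination IP belongs to the ad servers' /24."""
    return ipaddress.ip_address(ip) in AD_NETBLOCK


def parse_line(line):
    # Constructed format: "<timestamp> <client_ip> <dest_ip> <url>"
    ts, client, dest, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "dest": dest, "url": url}


def find_chains(lines):
    """Group chain-related requests per client, in order, and flag exploit kit hits."""
    chains = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        stage = classify_url(rec["url"])
        if stage is None and not in_ad_netblock(rec["dest"]):
            continue  # unrelated traffic
        entry = chains.setdefault(rec["client"], {"stages": [], "reached_exploit_kit": False})
        entry["stages"].append(stage or "ad-netblock-ip")
        if stage in ("sakura-landing", "sakura-java-exploit"):
            entry["reached_exploit_kit"] = True
    return chains


# Constructed log: one client walks the whole chain from the post, one only
# touches the pornerbros ad server, one is clean.
SAMPLE_LOG = """\
2012-11-01T10:00:01 10.0.0.5 212.95.58.50 http://ads.contextpimp.com/nats=MDhfrjEhnGDbTyoPzkjsdTB71ewnRTqklqRGsbqlowjYWmn
2012-11-01T10:00:02 10.0.0.5 198.51.100.9 http://c2f1e10b6f.inlihe.asia/iniframe/c4fb89d28ae06c7830cbfd42642fecb2/65/f959045850fcfbc43bbbe35b0127d96f/11aedd0e432747c2bcd97b82808d24a0
2012-11-01T10:00:03 10.0.0.5 198.51.100.9 http://9070f19b4a.edinar.asia/?b=3
2012-11-01T10:00:04 10.0.0.5 198.51.100.9 http://9d7d5917bb.initto.asia:82/forum/index.php?showtopic=715530
2012-11-01T10:00:05 10.0.0.5 198.51.100.9 http://9d7d5917bb.initto.asia:82/forum/hram.php?hash=true&key=85adc86cca68a5120ade0fa72df730fb
2012-11-01T10:00:06 10.0.0.5 198.51.100.9 http://9d7d5917bb.initto.asia:82/forum/Zend.class
2012-11-01T10:00:07 10.0.0.6 212.95.58.45 http://ads7.pointads.net/banner.js
2012-11-01T10:00:08 10.0.0.7 203.0.113.4 http://www.example.com/index.html
"""

if __name__ == "__main__":
    for client, info in find_chains(SAMPLE_LOG.splitlines()).items():
        flag = "EXPLOIT KIT REACHED" if info["reached_exploit_kit"] else "ad contact only"
        print(f"{client}: {' -> '.join(info['stages'])} [{flag}]")
```

A client that reaches `sakura-landing` or `sakura-java-exploit` is the one to pull for a ZeroAccess / Sirefef check; a client that only touched the ad server saw the creative but may not have been redirected.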

If you are a porn webmaster, be careful 🙂
