Tag: malware

Hacked By An0n 3xPloiTeR, 8B0K3N H34R7, Team Pak Cyber Ghosts: Cyber Hack Forensic Examination

Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1

This hack suspended the hosting account and the web site as a malware-infected account. The hack set up a malware attack for anyone who visited the site, specifically targeting Windows. I am still trying to figure out how they got in. This is a Pakistani-based attack, or so their message says. I’ll try to document as much as I can to help others in the same situation.

hn.kd.ny.adsl: Research, Ban

This guy hn.kd.ny.adsl seems innocent enough, until I tried to look him up, only to find no positive IP address. Others have posted that they, too, cannot find his IP address in order to ban him. Hmmm, let me track him down.

This hacker is prolific in that he rarely repeats the third octet, making it harder to ban by a narrower range. You’ll need to go up to the second octet to cover his IP ranges. He uses predominantly China Unicom Henan. Only once did he go to China Unicom Fujian, which might just be an outlier data point.

zomro.com Content Scraper: Research, Ban

midex.zomro.com scrapes my site for AWStats tags. I do not know why, and they do it multiple times. It is very annoying.

There is a ransomware listing for crasher121.zomro.com 93.170.169.52. There are other comments such as “109.248.33.212 is involved in malware incidents, spamming activity, ssh attacks, ddos” so caution is required. I did not research zomro.net, as I do not know if the .com and .net sites are related.

Observation:
midex.zomro.com
178.159.39.142 anconsul.ru 2016-nov-06 zomro

Research (hostname, IP address, range, CIDR):
midex.zomro.com 93.171.158.189 93.171.158.0 – 93.171.159.255 93.171.158.0/23
elk91.zomro.com 93.171.158.47
midex.zomro.com 93.170.141.97 93.170.141.0/24
zuahbbazek1.zomro.com 93.170.253.11 93.170.253.0/24

Pharma Hack: Infected Again but Resolved

Damn, I was infected by the Pharma hack yet again. While my web site content was without error, page titles in Google were being hacked, appearing as if I was flogging pharmaceuticals. I assure you that I do not do this. Google stated that my site might be infected, yet in Google Webmaster Tools they saw no malware and there were no fetch errors. This time I found four offending files and two offending SQL table entries. Here’s what I found and how I found them.