Another day, another iPowerWeb security breach

Last December, I was monkeying around on the Internet doing a Google search for my name, and I discovered a massive security breach at a major Web hosting company that eventually made it to The Register.

So today, I was monkeying around on the Internet doing a Google search for my name, and…

…wait for it…

…discovered that iPower has been hacked again, and hundreds more Web sites hosted by iPower have been penetrated by Russian organized crime and used to spread computer viruses.

To recap, for anyone who didn’t see last month’s rather lengthy and severely technical blog post:

One way that Russian organized crime has taken to spreading computer viruses is to set up a Web server that attempts a bunch of different exploits to download a virus to an unlucky visitor’s computer. To get the virus around, though, they need to get people to visit the Web server that contains it.

There are a lot of ways to do that: spam, for example. But a new technique that works pretty well is Google keyword spam.

What the hackers do is they set up thousands, or tens of thousands, or hundreds of thousands, of fake Web pages loaded with popular keywords and search terms. These fake Web pages have text that looks like “payments affecting credit approval free ringtones Adidas discount Macbook Air big clit sluts naked Britney Spears refinance mortgage bankruptcy attorney Viagra Cialis wholesale Wal-Mart no prescription” and they exist only to trap Google keyword searches and drive traffic to the virus-dropping sites.

Last December, Russian hackers completely compromised the Web hosting firm iPower and placed hundreds of thousands of these dummy pages onto their Web servers. The owners of the compromised Web sites didn’t even know that they had been hijacked, or that new pages redirecting to virus-dropping sites in Eastern Europe had been planted on them. At the time, the hackers appeared to be able to penetrate iPower at will and to do whatever they liked with any iPower-hosted Web site.

In an interesting twist on the usual redirector, the hackers set up these new redirection pages in a clever way: anyone who clicked on a Google link to one of the hackers’ pages would be redirected to the virus dropper, but if you tried to access the page directly by typing in its URL, you would see a fake “404 not found” error page, probably to throw off iPower’s abuse and technical team.

Well, here we are two months later, and once again the hackers have waltzed through iPower’s security and compromised a large number of Web sites hosted by them. The attack is identical in every respect to last December’s attack, and even redirects to the same virus-dropping servers (which, amazingly, are still online and operating two months after being exposed; let’s hear it for Russian law enforcement!). A partial list of compromised Web sites, all hosted at iPower, includes:

http://revmarksmith.com/ALA/images/rgrss/her/bad/3/polyamory.html
http://no-frames.com/bond/images/ugpcr/her/bad/8/polyamory.html
http://jeffkramer.net/furniture/images/riyjb/her/bad/3/polyamory.html
http://condocabarete.com/images/bsdgi/her/bad/3/polyamory.html
http://onebluewire.com/images/.thumbs/sdqnd/her/bad/3/polyamory.html
http://keneberhard.com/mp3/horrorandsuspense/bhjlk/her/bad/8/polyamory.html
http://mishawakamike.com/images/nov10/pnrmf/her/bad/3/polyamory.html
http://fathomiers.net/album/images/bpjmm/her/bad/8/polyamory.html
http://touchejewelry.com/osCommerce/catalog/wxuqw/her/bad/3/polyamory.html
http://boydphx.com/qlpcj/her/bad/8/polyamory.html
http://nehemiahinc.org/temp/images/mbkfr/her/bad/3/polyamory.html
http://savoieheritage.org/images/hall/wtcth/her/bad/3/polyamory.html

Each of these, somewhat amusingly, uses my name as one of the Google keywords it attempts to trap. Gee, I must be an official net.celebrity!
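The referer-dependent behaviour described above (a 302 for visitors arriving from Google, a 404 for everyone else) leaves a distinctive pattern in the hosting server’s own access logs, which is where a hosting provider’s abuse team would catch it. The following is an added example, not code from this post or from iPower: it parses Apache/nginx combined-format log lines and flags any path that redirects search-engine visitors while answering 404 to direct requests. The sample log lines are constructed for the example (documentation IP ranges, an arbitrary date), with the path taken from the list above; the list of search-engine referer domains is an assumption you would extend for your own site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log line, parsed with a regular expression.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referers that count as "arrived from a search engine" (assumed list; extend as needed).
SEARCH_REFERER = re.compile(r'^https?://([^/]+\.)?(google|yahoo|msn|live)\.', re.IGNORECASE)

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_cloaked_paths(lines):
    """Paths that redirect search-engine visitors but answer 404 to everyone else.

    Returns a sorted list of (path, search_statuses, direct_statuses) tuples so the
    reviewer can see the evidence behind each flagged path.
    """
    by_path = defaultdict(lambda: {"search": set(), "direct": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        bucket = "search" if SEARCH_REFERER.match(rec["referer"]) else "direct"
        by_path[rec["path"]][bucket].add(rec["status"])

    flagged = []
    for path, seen in by_path.items():
        redirected_search = any(s in REDIRECT_STATUSES for s in seen["search"])
        only_404_direct = seen["direct"] == {404}
        if redirected_search and only_404_direct:
            flagged.append((path, sorted(seen["search"]), sorted(seen["direct"])))
    return sorted(flagged)


# Constructed sample log lines (not real log data): documentation-range client
# addresses, an arbitrary date, and one path from the list in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2000:16:06:22 +0000] "GET /temp/images/mbkfr/her/bad/3/polyamory.html HTTP/1.0" 302 0 "http://www.google.com/search?q=polyamory" "Mozilla/4.0"
198.51.100.9 - - [01/Jan/2000:16:07:01 +0000] "GET /temp/images/mbkfr/her/bad/3/polyamory.html HTTP/1.0" 404 312 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Jan/2000:16:08:10 +0000] "GET /index.html HTTP/1.0" 200 5120 "http://www.google.com/search?q=nehemiah" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2000:16:08:12 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2000:16:09:00 +0000] "GET /missing.html HTTP/1.0" 404 312 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for path, search, direct in find_cloaked_paths(lines):
        print(f"{path}: search-referer statuses {search}, direct statuses {direct}")
```

Run it with a log file as the first argument, or with no arguments to see it flag the constructed sample. A plain 404 with no search-referer traffic (the `/missing.html` line) is not flagged, and neither is a page that serves 200 to both kinds of visitor.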

Anyhow, as before, if you click on any of these from this blog post, you’ll get a “404 not found” error. But click on any of these with your browser referrer set to “google.com” and it’s a whole different story:

wget --referer="google.com" http://nehemiahinc.org/temp/images/mbkfr/her/bad/3/polyamory.html
--16:06:22-- http://nehemiahinc.org/temp/images/mbkfr/her/bad/3/polyamory.html
=> `polyamory.html'
Resolving nehemiahinc.org... done.
Connecting to nehemiahinc.org[72.22.69.97]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://traffloader.info/go.php?s=nehemiahinc.org&ver=19 [following]
--16:06:24-- http://traffloader.info/go.php?s=nehemiahinc.org&ver=19
=> `go.php?s=nehemiahinc.org&ver=19'
Resolving traffloader.info... done.
Connecting to traffloader.info[87.248.180.67]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.chillyclips.com/index.php?id=4161&q= [following]
--16:06:24-- http://www.chillyclips.com/index.php?id=4161&q=
=> `index.php?id=4161&q='
Resolving www.chillyclips.com... done.
Connecting to www.chillyclips.com[78.108.177.85]:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.movstube.com/m6/index.php?id=4161&q= [following]
--16:06:25-- http://www.movstube.com/m6/index.php?id=4161&q=
=> `index.php?id=4161&q='
Resolving www.movstube.com... done.
Connecting to www.movstube.com[85.255.118.157]:80... connected.

movstube.com is, of course, the virus payload site. Traffloader.com also sends users to other virus payload sites, such as scanner.spyshredderscanner.com.
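The wget session above is the manual version of a check a site owner can automate: request the same URL once with no Referer and once with a Google Referer, and compare. The following is an added example, not code from this post: a Python checker that records each hop without following redirects, but stops at the first redirect that leaves the original host, so it never contacts the redirector or the payload site itself. The Referer value `http://www.google.com/` is an assumption (the post used the bare string `google.com`); the `simulated_fetch` table is constructed from the wget output above so the script runs offline, and it reduces to plain `urllib` when URLs are given on the command line.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

GOOGLE_REFERER = "http://www.google.com/"   # assumed value; the post used the bare string "google.com"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of silently following, so each hop is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, referer, timeout=10):
    """Issue one GET without following redirects; return (status, Location header or None)."""
    req = urllib.request.Request(url)
    req.add_header("User-Agent", "Mozilla/5.0 (cloaking-check)")
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:          # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


def follow_chain(url, referer, fetch=http_status, max_hops=8):
    """Follow redirects only while they stay on the original host.

    The first off-site target is recorded (status None) but never fetched, so the
    checker never touches the redirector or the payload site.
    """
    origin = urllib.parse.urlsplit(url).netloc.lower()
    hops, current = [], url
    for _ in range(max_hops):
        status, location = fetch(current, referer)
        hops.append({"url": current, "status": status})
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urllib.parse.urljoin(current, location)
        if urllib.parse.urlsplit(nxt).netloc.lower() != origin:
            hops.append({"url": nxt, "status": None})
            break
        current = nxt
    return hops


def referer_cloaking(url, fetch=http_status):
    """Compare a direct request with a search-engine-referred request for the same URL."""
    direct = follow_chain(url, None, fetch)
    referred = follow_chain(url, GOOGLE_REFERER, fetch)
    cloaked = direct[-1]["status"] == 404 and any(h["status"] in REDIRECT_STATUSES for h in referred)
    return {
        "cloaked": cloaked,
        "direct": direct,
        "with_referer": referred,
        "offsite_targets": [h["url"] for h in referred if h["status"] is None],
    }


# Offline stand-in for http_status, constructed from the wget session quoted in the post.
SIMULATED = {
    ("http://nehemiahinc.org/temp/images/mbkfr/her/bad/3/polyamory.html", None): (404, None),
    ("http://nehemiahinc.org/temp/images/mbkfr/her/bad/3/polyamory.html", GOOGLE_REFERER):
        (302, "http://traffloader.info/go.php?s=nehemiahinc.org&ver=19"),
    ("http://nehemiahinc.org/index.html", None): (200, None),          # constructed clean page
    ("http://nehemiahinc.org/index.html", GOOGLE_REFERER): (200, None),
}


def simulated_fetch(url, referer, timeout=10):
    return SIMULATED[(url, referer)]


if __name__ == "__main__":
    live = bool(sys.argv[1:])
    urls = sys.argv[1:] if live else sorted({u for u, _ in SIMULATED})
    for u in urls:
        report = referer_cloaking(u, http_status if live else simulated_fetch)
        print("CLOAKED" if report["cloaked"] else "ok     ", u, report["offsite_targets"])
```

The verdict is deliberately narrow: a URL is flagged only when the direct request ends in a 404 while the referred request produces a redirect, which is exactly the signature the post describes. The off-site targets are reported as strings for the abuse report without ever being requested.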

Doing it again a few minutes later, we get:

wget --referer="google.com" http://nehemiahinc.org/temp/images/mbkfr/her/bad/3/polyamory.html
--18:36:17-- http://nehemiahinc.org/temp/images/mbkfr/her/bad/3/polyamory.html
=> `polyamory.html'
Resolving nehemiahinc.org... done.
Connecting to nehemiahinc.org[72.22.69.97]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://traffloader.info/go.php?s=nehemiahinc.org&ver=19 [following]
--18:36:17-- http://traffloader.info/go.php?s=nehemiahinc.org&ver=19
=> `go.php?s=nehemiahinc.org&ver=19'
Resolving traffloader.info... done.
Connecting to traffloader.info[87.248.180.67]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.excitingtube.com/index.php?id=4151&q= [following]
--18:36:17-- http://www.excitingtube.com/index.php?id=4151&q=
=> `index.php?id=4151&q='
Resolving www.excitingtube.com... done.
Connecting to www.excitingtube.com[78.108.177.31]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.magicporntube.com/index.php?id=4151&style=black [following]
--18:36:18-- http://www.magicporntube.com/index.php?id=4151&style=black
=> `index.php?id=4151&style=black'
Resolving www.magicporntube.com... done.
Connecting to www.magicporntube.com[78.108.177.27]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 50,637 64.14K/s

18:36:19 (64.14 KB/s) - `index.php?id=4151&style=black' saved [50637]

magicporntube itself redirects to

http://www.hotvideostube.com/m3/index.php?id=4151&n=mainstream&a=SatyrIconIc&v=407940&preview=http%3A%2F%2Fwww.magicporntube.com%2Fst%2Fthumbs%2F043%2F7131081973.jpg%0A

which automatically downloads a virus to the hapless victim’s computer from

http://fapparatus.com/download.php?id=4151


Obligatory warning:
WARNING * WARNING * WARNING
These malware sites, traffloader.info and chillyclips.com and movstube.com and scanner.spyshredderscanner.com, are live and active. If you visit them on an unpatched Windows box, you will be infected. Do not visit these URLs.


If you read up on the last attack on iPower, you’ll see some familiar players here. Then, as now, the compromised Web sites redirected to traffloader.info; then, as now, traffloader.info redirected to one of several other sites which actually drop the virus. One of those other sites was scanner.spyshredderscanner.com. As before, traffloader.com is hosted in the Eastern European nation of Moldova; chillyclips.com appears to be in the Czech Republic; movstube.com and fapparatus.com are in Ukraine (though they receive their connections to the Internet from an American ISP, wvfiber.net), and spyshredderscanner.com is now on IP address 77.91.229.106, in Russia.

Now, I’ve worked with IT folks and ISP technical people before, and I can easily believe that sheer incompetence can explain a major security breach. But c’mon, people! iPower is a revolving door for this same group of hackers. At this point, it really strains credibility to believe that this is incompetence; it is looking more and more like one or more employees of iPowerWeb are deliberately permitting the hackers to hijack their customers’ Web sites.

Given the information available on the Web about iPower’s legendary poor security and habitual serving up of malware, how in the name of God does this ISP continue to exist? Why do people still host with them?
