Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

More DIRECTI

July 23rd 2009 in Uncategorized

I have expressed concern about DIRECTI in the past few posts, and I now have even more cause for concern.

Paul Ferguson of TrendMicro let me know about a slew of DIRECTI-registered domains which are serving up exploits. How is this for a list (all of which were registered on 22 July 2009):

IP 78.47.25.168:
q0i.in, u1w.in, u1y.in, u3h.in, u3j.in, u3v.in, u3y.in, u4w.in, u5c.in, u5k.in, u5m.in, u5t.in, u5w.in, u6d.in, u6l.in, u6n.in, u6v.in, u6x.in, u7f.in, u8b.in, u8j.in, u8t.in, u9b.in, u9c.in, u9j.in, q1b.in, q1l.in, q1m.in, q1w.in, q3b.in, q3c.in, q3o.in, q5a.in, q5k.in, q5m.in, q5u.in, q0a.in, q0k.in, q0l.in, q0v.in, q0w.in, q0x.in, q5v.in, u1j.in, u3m.in, u5d.in, u7o.in, u8v.in, q1e.in, u1m.in, u6c.in, u0s.in

IP 91.121.174.19:
u7e.in

IP 91.121.141.101:
q1k.in, q1v.in

IP 91.121.167.41:
u0c.in, u5e.in, u5v.in, u7p.in, u8i.in, u9i.in, u9k.in

IP 80.93.90.88:
x9d.in, q1d.in, q0c.in, u7g.in, u7z.in


To be fair, there were some domains at the same IP address that were registered via “Vivesh Infotechnics Ltd”, also based in India (just like Directi). I’ll leave it to others to try and find if there is any connection between DIRECTI and Vivesh Infotechnics Ltd.

IP 78.47.25.168:
x0c.in, x0v.in, x1i.in, x3a.in, x6q.in, x6r.in, x7c.in, x7l.in, x8c.in, x8e.in, x8f.in, x8m.in, x8n.in, x8v.in, x9e.in, x9f.in, x9g.in, x9o.in, x9u.in, x9w.in, x9y.in, x3y.in, x7d.in, x8y.in, x1h.in, x6i.in, x8w.in

IP 91.121.174.19:
x8u.in

IP 91.121.167.41:
x7k.in, x8o.in

IP 80.93.90.88:
x1v.in

As always, the above domains should be treated with EXTREME CAUTION.

Edit: there are reports that 78.47.25.168 has been replaced (in some cases?) by 87.252.2.86.


4 comments to “More DIRECTI”

Hans

Thanks for this one. 🙂



TeMerc


Sarah

An iframe keeps getting inserted on all my servers on any file with “index” in it. One of them is iframe src=<<dangerous link removed>>

What is causing this and how do you get rid of it? I already changed all my hosting account passwords and got rid of all viruses and spyware and then was hit again. Would connecting to my servers with secure FTP help?



sandi

@Sarah,

You are using WordPress? If so, read this:

codex.wordpress.org/Hardening_WordPress

The most likely way that they are getting in is via a security vulnerability of some type in software that you are running/that is running on the server.

You must also make sure that you are using very strong passwords. If there is an infection on your local computer, then it is possible that the content is being injected from there.

My personal opinion is you should always use secure FTP if it is available to you.
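The injection Sarah describes (a hidden iframe added to every file with “index” in its name) is easy to check for mechanically, and re-checking after a clean-up is how you find out whether the hole is really closed. The following scanner is an added example written for this post, not code from the blog or its commenters. It walks a web root, looks only at files whose name contains “index”, and flags iframes whose src points off-site, matches a blocklist (the three domains in BLOCKLIST are taken from the lists above; the rest of the sample site, including the file names and the “www.example.com” hostname, is constructed for the demo), or carries the zero-size / hidden styling typical of injected frames.

```python
import re
import tempfile
from pathlib import Path

# Three domains from the post's DIRECTI list above; a real deployment would load
# the whole list (and any later IoCs) from a file rather than hard-code it.
BLOCKLIST = frozenset({"q0i.in", "u7e.in", "x8u.in"})

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?\s*([^"'\s>]+)""", re.IGNORECASE)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.IGNORECASE)
ZERO_SIZE_RE = re.compile(r"""(?:width|height)\s*=\s*["']?0\b""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)


def suspicious_iframes(html, own_hosts, blocklist=BLOCKLIST):
    """Return one finding per iframe in `html` that looks injected.

    own_hosts: hostnames this site legitimately embeds from (so a map widget
    served from your own CDN is not reported). Each finding records the line
    number, the raw src, the extracted host and the reasons it was flagged.
    """
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        src_match = SRC_RE.search(tag)
        src = src_match.group(1) if src_match else ""
        host_match = HOST_RE.match(src)
        host = host_match.group(1).lower() if host_match else ""
        reasons = []
        # Relative srcs (no scheme/host) are assumed to be the site's own.
        if host and host not in own_hosts:
            reasons.append("off-site src")
        if host and (host in blocklist or any(host.endswith("." + b) for b in blocklist)):
            reasons.append("host on blocklist")
        if ZERO_SIZE_RE.search(tag):
            reasons.append("zero-size")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden")
        if reasons:
            line = html.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "src": src, "host": host, "reasons": reasons})
    return findings


def scan_tree(root, own_hosts, blocklist=BLOCKLIST, name_part="index"):
    """Scan every file under `root` whose name contains `name_part`.

    Returns {relative_path: [findings]} for files with at least one hit.
    """
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or name_part not in path.name.lower():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = suspicious_iframes(text, own_hosts, blocklist)
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample pages: one clean index, one injected index, and a
# non-index page that the name filter deliberately leaves alone.
CLEAN_INDEX = (
    "<html><body><h1>Hello</h1>\n"
    '<iframe src="/widgets/map.html"></iframe>\n</body></html>\n'
)
INJECTED_INDEX = (
    "<html><body>\n<p>Welcome</p>\n"
    '<iframe src="http://q0i.in/in.php" width=0 height=0 '
    'style="visibility:hidden"></iframe>\n</body></html>\n'
)
OTHER_PAGE = '<html><body><iframe src="http://q0i.in/in.php"></iframe></body></html>\n'


def demo():
    """Build the constructed site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "public_html").mkdir()
        (site / "index.html").write_text(CLEAN_INDEX)
        (site / "public_html" / "index.php").write_text(INJECTED_INDEX)
        (site / "public_html" / "contact.html").write_text(OTHER_PAGE)
        return scan_tree(site, own_hosts={"www.example.com"})


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        for h in hits:
            print(f"{rel_path}:{h['line']}: {h['src']} ({', '.join(h['reasons'])})")
```

Run it against a copy of the real web root and diff the output day to day; a clean scan followed by a new hit is the signal that the entry point (a vulnerable plugin, a stolen FTP credential, a compromised workstation) is still open. Dropping the name filter by passing `name_part=""` scans every file, which is the better default once you know injections are not confined to index pages.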

