Date: 09 May 2008
In late April we were notified of an Australian site hosting a nasty-looking
JavaScript file. We contacted the organisation in question, who promptly
responded and cleaned their site.
Upon determining the scale of this attack (reports indicated up to
800,000 websites infected), we contacted the ISP as well as the CERT team
in the malicious server's country in order to have the domain taken down.
Due to the scale of the attack the malicious server was flooded with traffic,
but we managed to obtain the JavaScript file from one of our trusted contacts.
The JavaScript file itself redirects the user to another page on the same
domain, which attempts several exploits. By the end of April the malicious
domain was returning HTTP 401 (Unauthorized).
However, a few days later another domain appeared on our radar, exploiting the
same vulnerability. Many sites were reinfected because they had not fixed the
original vulnerability in their websites: taking down the malicious domain
removes the current payload, not the flaw that allowed it to be placed on the
site in the first place.
Here are a few domains (written with commas in place of dots) that
administrators may wish to block and check their logs for:
nmidahena,com
aspder,com
nihaorr1,com
winzipices,cn
61,188,38,158
jueduizuan,com
bluell,com
UPDATE 12/05/2008:
More iframes have been observed pointing to the following domains:
free,hostpinoy,info
kisswow,com,cn
ririwow,cn
xprmn4u,info
UPDATE #2 12/05/2008 12:28 PM
Thanks to one of our readers for telling us about some of these.
wowgm1,cn
51,la
computershello,cn
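As an added example (not part of the original AusCERT notice), the following Python script turns the comma-defanged indicators listed above back into real host names and scans web-server log lines or page source for references to them. The log lines and page fragment embedded in it are constructed for illustration; the indicator list itself is copied from the notice.

```python
"""Scan web-server log lines or page source for the indicator domains
listed in the notice.

Added example, not part of the original AusCERT notice.  SAMPLE_LOG and
SAMPLE_PAGE below are constructed for illustration only.
"""
import re

# Indicators exactly as written in the notice (commas in place of dots).
DEFANGED_INDICATORS = [
    "nmidahena,com", "aspder,com", "nihaorr1,com", "winzipices,cn",
    "61,188,38,158", "jueduizuan,com", "bluell,com",
    "free,hostpinoy,info", "kisswow,com,cn", "ririwow,cn", "xprmn4u,info",
    "wowgm1,cn", "51,la", "computershello,cn",
]


def refang(indicator: str) -> str:
    """Turn a comma-defanged indicator back into a real host name or IP."""
    return indicator.replace(",", ".")


INDICATORS = [refang(i) for i in DEFANGED_INDICATORS]

# One regex matching any indicator.  The dots are escaped so they are
# literal; the boundaries stop "51.la" matching inside "151.la" and stop
# "bluell.com" matching inside "bluell.com.au", while still allowing a
# subdomain prefix such as "www.nihaorr1.com" and a trailing "/" or quote.
_PATTERN = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(i) for i in INDICATORS) + r")(?![\w-]|\.\w)",
    re.IGNORECASE,
)


def find_indicators(text: str) -> list:
    """Return the distinct indicators referenced in text, in order of first hit."""
    seen = []
    for m in _PATTERN.finditer(text):
        hit = m.group(1).lower()
        if hit not in seen:
            seen.append(hit)
    return seen


def scan_lines(lines):
    """Yield (line_number, indicators) for every line that references one."""
    for n, line in enumerate(lines, 1):
        hits = find_indicators(line)
        if hits:
            yield n, hits


# Constructed Apache-style access log: line 2 carries a referer on one of the
# listed domains, line 3 is an unrelated .com.au host that must not match.
SAMPLE_LOG = """\
192.0.2.10 - - [09/May/2008:10:01:22 +1000] "GET /page.asp?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
192.0.2.11 - - [09/May/2008:10:02:05 +1000] "GET /page.asp?id=1 HTTP/1.1" 200 5123 "http://www.nihaorr1.com/1.htm" "Mozilla/4.0"
192.0.2.12 - - [09/May/2008:10:03:41 +1000] "GET /x.asp HTTP/1.1" 200 980 "http://bluell.com.au/" "Mozilla/4.0"
"""

# Constructed page fragment with an injected script tag.
SAMPLE_PAGE = '<html><body>hi</body></html><script src="http://www.nihaorr1.com/1.js"></script>'


if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"log line {n}: {', '.join(hits)}")
    print("page source:", find_indicators(SAMPLE_PAGE))
```

Run it over a saved access log with `scan_lines(open(path))`, or over fetched page source with `find_indicators`. The defanged form in the notice itself deliberately does not match, so the script can be run over this page without false positives.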
Regards,
AusCERT