"Babyliss" hacking

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

"Babyliss" hacking

Postby AlphaCentauri » Fri Jan 17, 2014 12:37 am

We've got a busy spammer in the Esteemed Guests section. He's not terribly competent, but when he manages to include links in his posts, they seem to go to websites at the same IP address:

Code:
Babyliss spam links:
http://www.unllais.co.uk/buybabyliss.html
http://www.regencygold.co.uk/babyliss.html
http://www.artychoke.com/babylissviponline.html
http://www.artychoke.com/babylissukvip.html
http://www.bzadv.co.uk/welcome/babylissprouk.html
http://www.openchurchnetwork.co.uk/babylissvipsale.html
http://www.openchurchnetwork.co.uk/babyliss.html
http://www.micro-tag.com/babyliss.html



Code:
Reverse IP on 78.129.221.104:
ambervalleyyurts.co.uk
artychoke.co.uk
artychoke.com
bzadv.co.uk
clwydref.co.uk
fadingmemories.co.uk
frondderwhouse.co.uk
helenparry-jones.com
henblasholidaycottages.co.uk
iainmorton.co.uk
iopt.co.uk
micro-tag.com
milkdrop.co.uk
musicvisuals.com
northwalesdistribution.co.uk
oneplanetadventure.co.uk
openchurchnetwork.co.uk
pandian.co.uk
pennyblacks.co.uk
plan-itcards.com
regencygold.co.uk
rovastar.com
sunnyviewboardingcattery.com
unllais.co.uk
virtualnameserver.net
visitmold.co.uk
you-name-it.co.uk

Re: "Babyliss" hacking

Postby NotBuyingIt » Fri Jan 17, 2014 7:51 am

My guess was that the spam was intended to promote keywords for Google searches instead of websites. Were that so, the website currently receiving the (indirect) benefit seems to be
lemontartdiary.com (hosted at IP 74.82.180.122)
which is a clone of
cheapbabyliss.com (IP 81.17.24.208)

Re: "Babyliss" hacking

Postby AlphaCentauri » Fri Jan 17, 2014 9:44 pm

I guess what I'm really questioning is what's going on on that server that the spammer has control of so many websites hosted there.

Re: "Babyliss" hacking

Postby NotBuyingIt » Fri Jan 17, 2014 11:10 pm

AlphaCentauri wrote:I guess what I'm really questioning is what's going on on that server that the spammer has control of so many websites hosted there.


Off-hand, I'd guess that the server has been hacked, but I cannot guess whether the spammer is the original hacker or is simply an opportunist taking advantage of it.

I don't have the standing to ask about it at
ABUSE REPORTS
https://myservers.rapidswitch.com/reportabuse.aspx

so I'll try abuse@rapidswitch.com instead.

[Edit: Update]
Abuse ticket
https://myservers.rapidswitch.com/Abuse ... ikarwnzaow

Interim reply from sysadmin:
A thorough search of the server for any files with 'baby' in the name has revealed quite a few, they have all been removed from the sites and the backups. We will continue to monitor the files for any more. Meanwhile the server administrator is checking the log files for any sign of intrusion and will report back soon.

Re: "Babyliss" hacking

Postby NotBuyingIt » Sat Jan 18, 2014 10:43 pm

Well, I missed the obvious. Here's a script in the body of the spammed web pages on A.C.'s list (above).


Code:
var s=document.referrer;
if(s.indexOf("google")>0 || s.indexOf("bing")>0 || s.indexOf("yahoo")>0 || s.indexOf("aol")>0)
{
    self.location='www.vipbsales.com/';
}


I think that vipbsales.com was promoted by a spammer attacking IBR last May. https://www.mywot.com/en/scorecard/vipb ... t-63442241
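As an added example (not code from the thread or from any of its posters), a small scanner that flags the referrer-cloaking pattern quoted above in saved page source, so a site owner can sweep a web root by content rather than by file name; the sample pages are constructed.

```javascript
// Added example, not from the thread: flags the referrer-cloaking pattern
// quoted above in saved page source, so planted pages can be found by
// content rather than by a "baby" in the file name.
const ENGINES = ["google", "bing", "yahoo", "aol"];

// Inline <script> bodies; a bare .js file is treated as one script.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m; (m = re.exec(html)) !== null; ) bodies.push(m[1]);
  return bodies.length ? bodies : [html];
}

// Flag a script only when it reads document.referrer, tests it for a
// search-engine name, and assigns a literal to the window location.
function findCloakingRedirect(html) {
  const findings = [];
  for (const body of inlineScripts(html)) {
    if (!/document\.referrer/.test(body)) continue;
    const engines = ENGINES.filter(e =>
      new RegExp(`indexOf\\(["']${e}["']\\)`).test(body));
    const hop = body.match(
      /(?:self|window|top|document)?\.?location(?:\.href)?\s*=\s*["']([^"']+)["']/);
    if (engines.length === 0 || !hop) continue;
    const target = hop[1];
    // No scheme and no leading "//": the browser resolves the target relative
    // to the compromised page, not to the spammer's own domain.
    const schemeless = !/^[a-z][a-z0-9+.-]*:/i.test(target) && !target.startsWith("//");
    findings.push({ engines, target, schemeless });
  }
  return findings;
}

// Constructed sample: the script quoted in this thread, embedded in a page.
const SAMPLE_CLOAKED = `<html><body><h1>sale</h1><script>
var s=document.referrer;
if(s.indexOf("google")>0 || s.indexOf("bing")>0 || s.indexOf("yahoo")>0 || s.indexOf("aol")>0)
{
self.location='www.vipbsales.com/';
}
</script></body></html>`;

// Constructed sample: legitimate referrer use (analytics), no redirect.
const SAMPLE_BENIGN = `<html><body><script>
var ref = document.referrer;
if (ref.indexOf("google") > 0) { track("search", ref); }
</script></body></html>`;
```

Running `findCloakingRedirect` over each saved page in a web root reports the redirect target and whether it is scheme-less, which is the quirk visible in the quoted script.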

Re: "Babyliss" hacking

Postby spamislame » Mon Jan 20, 2014 12:37 pm

That server appears to be fully supported by Alibaba-inc.com, China's largest e-commerce provider.
Code:
dig vipbsales.com
vipbsales.com.          900     IN      A       144.76.104.200

;; AUTHORITY SECTION:
vipbsales.com.          172799  IN      NS      dns7.4cun.com.
vipbsales.com.          172799  IN      NS      dns8.4cun.com.

;; ADDITIONAL SECTION:
dns7.4cun.com.          172799  IN      A       121.199.16.46
dns7.4cun.com.          172799  IN      A       112.124.32.108
dns8.4cun.com.          172799  IN      A       112.124.40.253
dns8.4cun.com.          172799  IN      A       121.199.56.193


144.76.104.200 [Hetzner online]
121.199.16.46 [Alibaba China]
112.124.32.108 ["]
112.124.40.253 ["]
121.199.56.193 ["]

Alibaba server contacts:

ipas@cnnic.cn
guoxin.gao@aliyun-inc.com
guowei.pangw@alibaba-inc.com

They don't allow random contact. You have to register to complain to them. I have no idea how effective any complaint might be, but it might be worth trying.

SiL

Re: "Babyliss" hacking

Postby NotBuyingIt » Tue Jan 21, 2014 12:59 pm

Code:
dig www.vipbsales.com

;; ANSWER SECTION:
www.vipbsales.com.   900   IN   CNAME   da.baofengdns.net.
da.baofengdns.net.   3593   IN   A   178.216.50.14
inetnum: 178.216.48.0 - 178.216.55.255
netname: MNT-WEBEXXPURTS
descr: Deepak Mehta FIE
org: ORG-DMF2-RIPE
country: SE

organisation: ORG-DMF2-RIPE
org-name: Deepak Mehta FIE
org-type: LIR
address: DEEPAK MEHTA FIE
address: DEEPAK MEHTA
address: P.O. BOX 4718 Ehitajate tee 114A
address: 13522
address: TALLINN
address: ESTONIA
phone: +46851972163
fax-no: +46851972163

role: NOC Webexxpurts
address: VINTROSAGATAN 10
address: 124 73 BANDHAGEN
address: STOCKHOLM SE
abuse-mailbox: bd@webexxpurts.com

Re: "Babyliss" hacking

Postby NotBuyingIt » Tue Jan 21, 2014 6:02 pm

Abuse ticket closed:
Nick Aston wrote:All baby liss files have been deleted and a vulnerability has been found through the FCKeditor used on one of the sites. This editor has been removed and a check is being carried out to see if there are any more FCKeditors in use on the machine. They will be removed if found.

Re: "Babyliss" hacking

Postby AlphaCentauri » Tue Jan 21, 2014 10:44 pm

Great! It's good to get a reply to know you got through to a human, too.

Re: "Babyliss" hacking

Postby spamislame » Thu Jan 23, 2014 11:50 am

Except I don't think they removed anything.

Here is the only one that no longer shows that specific "Babyliss" content:

http://www.artychoke.com/babylissviponline.html

What exactly did they remove? One site?!

SiL

Re: "Babyliss" hacking

Postby NotBuyingIt » Thu Jan 23, 2014 9:18 pm

spamislame wrote:Except I don't think they removed anything.
Here is the only one that no longer shows that specific "Babyliss" content:
http://www.artychoke.com/babylissviponline.html
What exactly did they remove? One site?!

I'll try another trouble ticket :oops:
https://myservers.rapidswitch.com/Abuse ... exxqvrfufk

Re: "Babyliss" hacking

Postby NotBuyingIt » Fri Jan 24, 2014 12:14 am

For the second time, the server at IP 78.129.221.104 is returning HTTP 404 errors for all of the Babyliss webpages. Maybe the server and its hosted sites have actually been secured this time.

Re: "Babyliss" hacking

Postby spamislame » Sun Jan 26, 2014 6:37 pm

That seems to have done the trick, but in the days that that took to happen they probably put up several thousand more.

SiL

Re: "Babyliss" hacking

Postby Red Dwarf » Mon Jan 27, 2014 5:30 pm

It's hard to figure out the whole of this Babyliss operation. It seems to be a search engine operation to raise the profile of Babyliss.

I'm seeing many web sites that have been penetrated via some loophole. Then additional code is placed on the hacked site, usually with the word "babyliss" in the URL.
Example: http://latexfalt.com/ has a URL http://latexfalt.com/babylissnl.html
Example: http://www.grenadavilla.com/ has a URL http://www.grenadavilla.com/babylisscheapuk.html

The planted code looks like SEO seeding, and contains no links to its pages at Babyliss.com or Babyliss.co.uk etc.

Does that sum it up? Just a forum spamming SEO poisoning together with web-site hacking?

That leaves the million dollar question - are the owners of the product aware that their image is being tarnished in this way, and have they unwittingly employed some company to conduct this dirty SEO campaign? Making the CEO (Ronald T. Diamond) aware of what is happening seems to be the quickest and most efficient way to stop the rot.

Historical data from http://en.wikipedia.org/wiki/Conair_Corporation
Leandro P. Rizzuto (CEO), Barry Haber (President), Patrick P. Yannotta (CFO)

More at http://investing.businessweek.com/resea ... d=30824771

And this from a letter from the FDA Aug 2013 ( http://www.fda.gov/ICECI/EnforcementAct ... 364963.htm )

Mr. Ronald T. Diamond
President and CEO
Conair Corporation
One Cummings Point Road
Stamford, Connecticut 06904
Tel. 203-351-9000

And from http://www.answers.com/topic/conair-corporation-1
Officers:
President: Ronald T. Diamond
SVP Finance: Pat Yannotta
CIO: Jon Harding

Press releases have a reply address:
CONTACT: Babe Rizzuto, of Conair Corporation, babe_rizzuto@conair.com, +1-203-708-2106 -0-

"Just saying"

