New Browlock under compromised Godaddy doms - Jan 18, 2014

Sat, Jan 18, 2014
#DhiaLite - New Browlock subdomains injected under compromised GoDaddy domains appeared on 62.75.197.221 to 62.75.197.224

More subdomains are appearing.

#Sample compromised Godaddy 2LDs

doctorsofbradenton.com
coolaging.info
coolaging.net
doctorsofboulder.com
doctorsofbirmingham.com
cyberwarriors-usa.info
cyberwarriors-usa.net
cyberwarriors-usa.com
cloudmemorials.info
cloudmemorials.net
cloudmemorials.com
cloudmemorials.org
doctorsofaustin.com
doctorsofatlanta.com
cookiestores.net

#Sample url of the Browloack page

http://zdgstr.cloudmemorials.org/soft/M2kywhQfuKBrEWnvcCahUHqueGhNmG0Nmd5V547BVNUdPmgX6uNeK0wwgeAuSmkOd7u/H0Z1idBn9Udlm1zMc-g%7E%7E/YmVmMDMyYTI0ODgzNTE2Y2FiODgzYjQ1ZmVmZWMzNjc

Same path will work for most domains below.

/soft/M2kywhQfuKBrEWnvcCahUHqueGhNmG0Nmd5V547BVNUdPmgX6uNeK0wwgeAuSmkOd7u/H0Z1idBn9Udlm1zMc-g%7E%7E/YmVmMDMyYTI0ODgzNTE2Y2FiODgzYjQ1ZmVmZWMzNjc

VT reports
https://www.virustotal.com/en/ip-address/62.75.197.221/information/
https://www.virustotal.com/en/ip-address/62.75.197.222/information/
https://www.virustotal.com/en/ip-address/62.75.197.223/information/

#Sample Browlock subdomains on 62.75.197.221-224

zdgstr.cloudmemorials.org
zdfgtg.cyberwarriors-usa.com
vrfhdrt.cyberwarriors-usa.com
sdgserg.cookiestores.net
sdfgsert.cyberwarriors-usa.net
nhtryd.cloudmemorials.org
hdtrud.cyberwarriors-usa.info
gvferstg.cookiestores.net
fvgret.coolaging.net
dsgere.coolaging.net
drghdtrjh.cyberwarriors-usa.info
bxfgth.cloudmemorials.net
bhtrdyh.coolaging.info
sdfsth.coolaging.info
dsgsgr.cloudmemorials.net
zsdgth.doctorsofbradenton.com
zdgrgz.doctorsofboulder.com
xtgjtyjtd.doctorsofaustin.com
dsffvse.cloudmemorials.info
cfvserf.cloudmemorials.info
cfawert.cloudmemorials.com
brtdhy.doctorsofaustin.com
bnxttt.doctorsofbirmingham.com
asfrcf.cloudmemorials.com
btrhst.doctorsofatlanta.com
xjtyjdt.doctorsofatlanta.com

END