It looks like you're using an Ad Blocker.

Please white-list or disable in your ad-blocking tool.

Thank you.


Some features of ATS will be disabled while you continue to use an ad-blocker.


RunForestRun DGA Update

page: 1

log in


posted on Jul, 27 2012 @ 03:20 PM
Heads up Server / Site Owners..Keep yourslef and others informed.

A few days ago Jindrich Kubec (Avast) pinged me that the RunForestRun malware changed the domain generating algorithm (DGA) and now uses subdomains (instead of .ru) in malicious URLs.

Just a quick recap of the RunForestRun attack: It began in mid-June and infected many servers with Plesk Panel since then. Hackers used Plesk’s File Manager to inject malicious code (mainly) at the bottom of .js files. That malicious code used a Black Hole obfuscator and was always surrounded by the /*km0ae9gr6m*/…/*qhk6sa6g1c*/ pair of comments, which made it very easy to clean up whole servers using just a single regexp.

geek p0rn
( http:///fikpCNck )

edit on 27-7-2012 by cerebralassassins because: (no reason given)

edit on 27-7-2012 by cerebralassassins because: oops link :-)


log in