
On 10/26/2015 07:13 AM, Rich Kulawiec via Outages wrote:
On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
After the appropriate wgets and less'es those all seemed to point back to
avazunic [dot] com
which is registered in -- wait for it -- CN...
I have noted 374 different domains (so far) in this attack and have analyzed them at a cursory level. Thus far, I see no pattern of registration, DNS, geography, hosting, etc. I strongly suspect that many of these, perhaps even most or all, represent web sites that have been breached and are being used to spread the payload.
In my OP I was referring to the domain name that the ultimate payload contained, after the cobweb of redirects in the initial spam was followed back to an endpoint. But I only did six or so, early yesterday, so who knows...

#EOF

- John