Dynamic DNS and Botnet of Zombie Web Servers
- September 14th, 2009
- Posted in Malware
Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, has discovered web hosting servers that still run their legitimate websites but have been compromised to also run an nginx instance that serves malware.
The malware is delivered through an iframe injected into the legitimate pages, which redirects the visitor's browser to the attacker's server. A defanged example of the injected tag:
i_frame src="http ://a86x . homeunix . org:8080/ts/in.cgi?open2"
He goes on to describe the evolution of the campaign from his perspective starting this spring.
"They started with gambling-related .cn domains (like cheapslotplay .cn). They introduced several new domain names every day so that you couldn't hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack. They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income. They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80). At the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl)."
I have also been watching this campaign, dubbed the "pepsi campaign" for the use of the string "in.cgi?pepsi18" within the GET requests generated by the series of redirects that ultimately lead to the installation of malware. The article can be found here.
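As an added example (not code from the original post or from Sinegubko's write-up), the following Python scanner applies the indicators described above to the iframes found in a fetched page: the src on port 8080, the in.cgi redirector script, the campaign name passed as a bare query parameter (with an optional numeric suffix such as pepsi18), and the 3-letter .ru/.pl/.in/.at hosts. The regular expressions, the two-indicator threshold and the sample HTML are my own assumptions and constructions; the injected URLs in the sample are modelled on the ones quoted in the post, not captured from a live site.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the campaign described above; how strictly to match
# each one is my assumption, not part of the original analysis:
#   * iframe src pointing at port 8080
#   * redirector script ".../in.cgi" with the campaign name as a bare parameter
#   * campaign names the post lists, optionally with a numeric suffix (pepsi18)
#   * throwaway 3-letter hosts under .ru/.pl/.in/.at
IFRAME_SRC_RE = re.compile(
    r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
SHORT_HOST_RE = re.compile(r'^[a-z0-9]{3}\.(?:ru|pl|in|at)$', re.IGNORECASE)
CAMPAIGN_RE = re.compile(r'^([a-z]+)\d*$', re.IGNORECASE)
KNOWN_CAMPAIGNS = {"mozila", "banner", "cocacola", "pepsi",
                   "open", "reopen", "income"}
MIN_INDICATORS = 2  # assumption: require two independent hints before flagging


def extract_iframe_srcs(html):
    """Return every iframe src attribute value found in an HTML document."""
    return IFRAME_SRC_RE.findall(html)


def classify_iframe(url):
    """Score one iframe URL against the campaign indicators.

    Returns {"url", "host", "campaign", "indicators"} when at least
    MIN_INDICATORS hints match, otherwise None.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    indicators = []
    campaign = None

    try:
        if parts.port == 8080:
            indicators.append("port 8080")
    except ValueError:  # malformed port in the URL; treat as no match
        pass
    if parts.path.lower().endswith("/in.cgi"):
        indicators.append("in.cgi redirector")
    if SHORT_HOST_RE.match(host):
        indicators.append("3-letter throwaway domain")
    # The campaign tag is the first, bare query token: in.cgi?pepsi18
    first_token = parts.query.split("&", 1)[0].split("=", 1)[0]
    m = CAMPAIGN_RE.match(first_token)
    if m and m.group(1).lower() in KNOWN_CAMPAIGNS:
        campaign = first_token
        indicators.append("known campaign tag")

    if len(indicators) < MIN_INDICATORS:
        return None
    return {"url": url, "host": host, "campaign": campaign,
            "indicators": indicators}


def scan_html(html):
    """Return the suspicious iframes in an HTML document, in document order."""
    hits = []
    for src in extract_iframe_srcs(html):
        verdict = classify_iframe(src)
        if verdict:
            hits.append(verdict)
    return hits


# Constructed sample page: one benign embed plus two injected frames modelled
# on the URLs quoted in the post (not captured from a real site).
SAMPLE_HTML = """
<html><body>
<h1>Hotel Sunshine</h1>
<iframe width="560" src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="http://a86x.homeunix.org:8080/ts/in.cgi?open2" width=1 height=1
        style="visibility:hidden"></iframe>
<iframe src='http://x3y.ru:8080/ts/in.cgi?pepsi18' width=0 height=0></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(hit["host"], hit["campaign"], ", ".join(hit["indicators"]))
```

The threshold matters: a host such as digifero.com:8080 with no path matches only one indicator and is deliberately not flagged, while a5i.at:8080/welcome.php is flagged on the port plus the 3-letter domain alone. Since the operators rotate domains daily, the campaign-tag and redirector-path indicators are the ones worth keeping in a long-lived rule; the host patterns age quickly.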
Listed below are the latest redirect destinations seen today (date, followed by the defanged host and path):
20090914 _a5i.at:8080/welcome.php?id=0
20090914 _digifero.com:8080
20090914 _f8a.ru:8080/welcome.php?id=0
20090914 _gianttoplocate.cn:8080/landig.php?id=4
20090914 _gianttoplocate.cn:8080/load.php?id=0