[nsp-sec] Spate of "anjelina" video EXE malware
Tom Fischer
tfischer at bfk.de
Wed Jul 30 08:06:21 EDT 2008
Hi,

On Wed, Jul 30, 2008 at 12:04:03AM -0400, Jose Nazario wrote:
> Do we know how these EXEs are getting on these servers? Am I correct in
> assuming these are compromised websites?

Usually via compromised FTP accounts:
"STOR video-nude-anjelia.avi.exe" 226 177152

FTP fingerprint:
"CWD www" 550 -
"CWD html" 550 -
"CWD web" 550 -
"CWD Web" 550 -
"CWD htdocs" 550 -
"CWD public_html" 550 -
"CWD webseiten" 550 -
"CWD httpdocs" 550 -
"CWD ." 250 -
"TYPE I" 200 -
"PASV" 227 -
followed by HTTP requests, e.g. from 72.9.98.234 ...
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99
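
A detection sketch for the fingerprint quoted in this message, added here as an example and not part of the original post: it flags an FTP client that walks the listed webroot directory names and then completes an upload of a double-extension executable. The per-line client prefix, the function name `find_suspicious_sessions`, the `min_probes` threshold, the extra executable extensions and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Directory names probed in the fingerprint quoted in the message above.
WEBROOT_PROBES = {"www", "html", "web", "Web", "htdocs",
                  "public_html", "webseiten", "httpdocs"}
# Assumed layout: <client> "<command>" <reply code> <bytes>. The message shows
# only the last three fields; the client prefix is an assumption.
LINE_RE = re.compile(r'^(\S+) "([A-Z]+)(?: (.*))?" (\d{3}) (\S+)$')
# Name with an executable second extension, e.g. x.avi.exe. Extensions other
# than .exe are an assumption; the message shows only .exe.
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{2,4}\.(exe|scr|pif|com)$", re.I)

def find_suspicious_sessions(lines, min_probes=3):
    """Return (client, filename, probed_dirs) for each completed upload of a
    double-extension executable by a client that first probed webroot names."""
    probes = defaultdict(set)
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, verb, arg, code, _size = m.groups()
        arg = arg or ""
        if verb == "CWD" and arg in WEBROOT_PROBES:
            # Count the attempt whether it failed (550) or succeeded (250):
            # the pattern is the walk through the list, not the outcome.
            probes[client].add(arg)
        elif verb == "STOR" and code == "226" and DOUBLE_EXT_RE.search(arg):
            if len(probes[client]) >= min_probes:
                hits.append((client, arg, sorted(probes[client])))
    return hits

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 "CWD www" 550 -
192.0.2.10 "CWD html" 550 -
192.0.2.10 "CWD web" 550 -
192.0.2.10 "CWD public_html" 550 -
192.0.2.10 "PASV" 227 -
192.0.2.10 "STOR sample-video.avi.exe" 226 177152
198.51.100.7 "CWD public_html" 250 -
198.51.100.7 "STOR report.pdf" 226 48211
203.0.113.5 "STOR setup.exe" 226 90112
""".splitlines()

if __name__ == "__main__":
    for client, name, dirs in find_suspicious_sessions(SAMPLE_LOG):
        print(f"{client} uploaded {name} after probing {', '.join(dirs)}")
```

A legitimate user who changes into one existing directory and uploads ordinary content stays below the threshold, which is why the check keys on several distinct probe names per client rather than on any single `CWD`.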