[nsp-sec] Spate of "anjelina" video EXE malware
Tom Fischer
tfischer at bfk.de
Wed Jul 30 10:13:45 EDT 2008
Hi,
On Wed, Jul 30, 2008 at 02:06:21PM +0200, Tom Fischer wrote:
> On Wed, Jul 30, 2008 at 12:04:03AM -0400, Jose Nazario wrote:
> > Do we know how these EXEs are getting on these servers? Am I correct in
> > assuming these are compromised websites?
>
> usually via compromised FTP accounts:
>
> "STOR video-nude-anjelia.avi.exe" 226 177152
>
> FTP fingerprint
> "CWD www" 550 -
> "CWD html" 550 -
> "CWD web" 550 -
> "CWD Web" 550 -
> "CWD htdocs" 550 -
> "CWD public_html" 550 -
> "CWD webseiten" 550 -
> "CWD httpdocs" 550 -
> "CWD ." 250 -
> "TYPE I" 200 -
> "PASV" 227 -
>
> followed by http requests e.g. from 72.9.98.234 ...
Oh, the FTP fingerprint changed two days ago. Example of the new fingerprint:
[28/Jul/2008:16:34:47 +0200] "PASS (hidden)" 230 -
[28/Jul/2008:16:34:47 +0200] "SYST" 215 -
[28/Jul/2008:16:34:48 +0200] "FEAT" 211 -
[28/Jul/2008:16:34:49 +0200] "PWD" 257 -
[28/Jul/2008:16:34:49 +0200] "TYPE A" 200 -
[28/Jul/2008:16:34:49 +0200] "PASV" 227 -
[28/Jul/2008:16:34:50 +0200] "LIST -al" 226 314
[28/Jul/2008:16:36:11 +0200] "PASS (hidden)" 230 -
[28/Jul/2008:16:36:12 +0200] "SYST" 215 -
[28/Jul/2008:16:36:12 +0200] "FEAT" 211 -
[28/Jul/2008:16:36:13 +0200] "CWD /" 250 -
[28/Jul/2008:16:36:13 +0200] "PWD" 257 -
[28/Jul/2008:16:36:13 +0200] "TYPE A" 200 -
[28/Jul/2008:16:36:13 +0200] "PASV" 227 -
[28/Jul/2008:16:36:15 +0200] "LIST -al" 226 314
[28/Jul/2008:16:36:17 +0200] "PWD" 257 -
[28/Jul/2008:16:36:17 +0200] "PASV" 227 -
[28/Jul/2008:16:36:18 +0200] "LIST -al" 226 2673
[28/Jul/2008:16:36:21 +0200] "TYPE I" 200 -
[28/Jul/2008:16:36:21 +0200] "SIZE video-anjelina.avi.exe" 550 -
[28/Jul/2008:16:36:21 +0200] "PASV" 227 -
[28/Jul/2008:16:37:04 +0200] "STOR video-anjelina.avi.exe" 226 144384
[28/Jul/2008:16:37:05 +0200] "TYPE A" 200 -
[28/Jul/2008:16:37:05 +0200] "PASV" 227 -
[28/Jul/2008:16:37:07 +0200] "LIST -al" 226 2752
[28/Jul/2008:16:37:13 +0200] "QUIT" 221 -
And look for (FTP and HTTP HEAD) communication from:
AS | IP | AS Name
11060 | 24.93.178.195 | NEO-RR-COM - Road Runner HoldCo LLC
39823 | 195.5.117.252 | COMPIC Compic Ltd.
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99
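A small detector for the two FTP fingerprints quoted above, added here as an example; it is not part of Tom's post or of any tool mentioned in it. It assumes the xferlog-style `"COMMAND arg" status bytes` line format shown in the post (the timestamp prefix is optional so both excerpts parse), and the media extensions other than .avi are an assumption beyond what the post shows.

```python
import re

# Log format as quoted in the post (timestamp absent in the older excerpt), e.g.
#   [28/Jul/2008:16:37:04 +0200] "STOR video-anjelina.avi.exe" 226 144384
LOG_RE = re.compile(r'(?:\[(?P<ts>[^\]]+)\]\s*)?"(?P<cmd>[A-Z]+)(?:\s+(?P<arg>[^"]*))?"'
                    r'\s+(?P<status>\d{3})\s+(?P<size>-|\d+)')
# Web-root names the first fingerprint walks through with CWD (taken from the post).
PROBED_DIRS = {"www", "html", "web", "Web", "htdocs", "public_html", "webseiten", "httpdocs"}
# Assumption: the payload hides an EXE behind a media-looking name; the post shows only
# .avi.exe, the other media extensions are a generalisation.
DISGUISED_EXE_RE = re.compile(r"\.(avi|mpg|mpeg|wmv|mov)\.exe$", re.IGNORECASE)

def parse_line(line):
    """Parse one command line into a dict (ts, cmd, arg, status, size); None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["arg"] = rec["arg"] or ""
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec

def scan_ftp_session(lines, probe_threshold=3):
    """Return (reason, line) findings for the command lines of one FTP session."""
    findings, failed_probes = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cmd, arg, status = rec["cmd"], rec["arg"], rec["status"]
        # Fingerprint 1: blind walk through common web-root names, each answered 550
        if cmd == "CWD" and arg in PROBED_DIRS and status == 550:
            failed_probes.append(line)
        # Both fingerprints: SIZE probe for, then STOR of, a .avi.exe style payload
        if cmd in ("SIZE", "STOR") and DISGUISED_EXE_RE.search(arg):
            findings.append((f"disguised executable via {cmd} ({status}): {arg}", line))
    if len(failed_probes) >= probe_threshold:
        findings.append((f"web-root probing: {len(failed_probes)} CWD attempts failed", failed_probes[0]))
    return findings

# Constructed samples, built from the two fingerprints quoted in the post
SAMPLE_NEW = ['[28/Jul/2008:16:36:21 +0200] "TYPE I" 200 -',
              '[28/Jul/2008:16:36:21 +0200] "SIZE video-anjelina.avi.exe" 550 -',
              '[28/Jul/2008:16:37:04 +0200] "STOR video-anjelina.avi.exe" 226 144384']
SAMPLE_OLD = ['"CWD %s" 550 -' % d for d in ("www", "html", "web", "htdocs")] + [
              '"CWD ." 250 -', '"STOR video-nude-anjelia.avi.exe" 226 177152']
if __name__ == "__main__":
    for reason, line in scan_ftp_session(SAMPLE_NEW) + scan_ftp_session(SAMPLE_OLD):
        print(reason, "<-", line)
```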