[nsp-sec] wwwDOTen-us18DOTcom and wwwDOTlocale48DOTcom sql injection sites.
Smith, Donald
Donald.Smith at qwest.com
Tue Jun 3 13:22:44 EDT 2008
wwwDOTen-us18DOTcom has been injected into 560 pages or so and is
fast-fluxed, so it requires DNS blackholing.
This leads to flash exploits that load an information stealer.
There is no other visible content on this site.
Diary here:
http://isc.sans.org/diary.html?storyid=4519
Here are the addresses I saw yesterday.
They will of course change. The TTL for the A records was 10 mins.
$ cat whois | sort -nk1
Bulk mode; whois.cymru.com [2008-06-02 21:21:39 +0000]
812 | 99.225.66.211 | ROGERS-CABLE - Rogers Cable Communications Inc.
1887 | 148.81.132.211 | NASK-ACADEMIC NASK
2828 | 69.65.91.5 | XO-AS15 - XO Communications
5617 | 83.23.188.93 | TPNET Polish Telecom_s commercial IP network
5617 | 83.27.126.102 | TPNET Polish Telecom_s commercial IP network
6739 | 84.121.210.189 | ONO-AS Cableuropa - ONO
7776 | 99.194.80.27 | MEBT7776 - Mebtel Communications
8970 | 156.17.227.218 | WASK WROCMAN-EDU educational part of WASK network,Wroclaw, Poland
12479 | 85.53.64.13 | UNI2-AS Uni2 Autonomous System
12741 | 87.205.33.92 | INTERNETIA-AS Netia SA
13110 | 62.21.81.188 | ICP-AS Internet Cable Provider network
16338 | 82.159.61.76 | AUNA_TELECOM-AS Cableuropa - ONO
19287 | 216.170.109.251 | INFLOW19287 - Inflow Inc.
30838 | 83.242.74.153 | TELPOL PPMUE TELPOL
UPSTREAMS:
$ cat whois.up| sort -nk 1
Bulk mode; peer-whois.cymru.com [2008-06-02 21:22:15 +0000]
174 | 69.65.91.5 | COGENT Cogent/PSI
174 | 82.159.61.76 | COGENT Cogent/PSI
174 | 84.121.210.189 | COGENT Cogent/PSI
174 | 85.53.64.13 | COGENT Cogent/PSI
174 | 99.225.66.211 | COGENT Cogent/PSI
701 | 216.170.109.251 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
701 | 69.65.91.5 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239 | 69.65.91.5 | SPRINTLINK - Sprint
1273 | 82.159.61.76 | CW Cable and Wireless plc
1273 | 84.121.210.189 | CW Cable and Wireless plc
1299 | 62.21.81.188 | TELIANET TeliaNet Global Network
1299 | 69.65.91.5 | TELIANET TeliaNet Global Network
2914 | 69.65.91.5 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356 | 216.170.109.251 | LEVEL3 Level 3 Communications
3356 | 69.65.91.5 | LEVEL3 Level 3 Communications
3356 | 84.121.210.189 | LEVEL3 Level 3 Communications
3549 | 62.21.81.188 | GBLX Global Crossing Ltd.
3549 | 69.65.91.5 | GBLX Global Crossing Ltd.
3549 | 99.225.66.211 | GBLX Global Crossing Ltd.
4134 | 69.65.91.5 | CHINANET-BACKBONE No.31,Jin-rong Street
4565 | 69.65.91.5 | MEGAPATH2-US - MegaPath Networks Inc.
5511 | 83.23.188.93 | OPENTRANSIT France Telecom
5511 | 83.27.126.102 | OPENTRANSIT France Telecom
5511 | 85.53.64.13 | OPENTRANSIT France Telecom
6453 | 69.65.91.5 | GLOBEINTERNET TATA Communications
6453 | 82.159.61.76 | GLOBEINTERNET TATA Communications
6453 | 99.225.66.211 | GLOBEINTERNET TATA Communications
6461 | 99.225.66.211 | MFNX MFN - Metromedia Fiber Network
7132 | 99.225.66.211 | SBIS-AS - AT&T Internet Services
7473 | 69.65.91.5 | SINGTEL-AS-AP Singapore Telecom
8501 | 148.81.132.211 | PIONIER-AS PIONIER, National Research and Education Network in Poland
8501 | 156.17.227.218 | PIONIER-AS PIONIER, National Research and Education Network in Poland
11537 | 99.225.66.211 | ABILENE - Internet2
12887 | 87.205.33.92 | TDC-TRANSIT Swiat Internet SA Transit Network
12968 | 83.242.74.153 | CDP Crowley Data Poland, sp. z o.o.
14745 | 99.194.80.27 | INTERNAP-BLOCK-4 - Internap Network Services
15744 | 83.242.74.153 | SILWEB-AS-COM SILWEB Autonomous System - Commercial
24724 | 62.21.81.188 | ATMAN-FOREIGN-AS ATM S.A.
39869 | 83.242.74.153 | SITEL-PL SITEL - Polish IP Transit Networks
They recently (last night?) added wwwDOTlocale48.com as a new SQL
injection site.
wwwDOTlocale48.com/b.js leads to the same secondary download site
sysid72DOTcom with the same flash exploits.
It is also fast-fluxed, so I expect the IP addresses to change.
Based on a Google search for that string, it has been injected into around 16k
sites.
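The fast-flux reasoning in the two passages above (a dozen A records spread over unrelated access-network ASNs, a 10-minute TTL, addresses that change, hence DNS blackholing rather than IP blocking) as an added Python example that is not part of the original post: it parses dig-style ANSWER lines and Team Cymru bulk-whois lines of the shape shown in the post, scores each domain on those indicators, and emits BIND RPZ records for the domains that trip the threshold. The domains, addresses, ASNs and the thresholds themselves are constructed for illustration and are not taken from the post.

```python
"""Fast-flux triage: score domains from dig + Team Cymru bulk-whois output and
emit RPZ blackhole records. All sample data below is constructed, not captured."""
import re
from collections import defaultdict

# Constructed DiG-8-style output: one flux-like domain, one CDN-like domain.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example-flux.test. 10M IN A 192.0.2.10
example-flux.test. 10M IN A 192.0.2.20
example-flux.test. 10M IN A 198.51.100.5
example-flux.test. 10M IN A 198.51.100.9
example-flux.test. 10M IN A 203.0.113.3
example-flux.test. 10M IN A 203.0.113.77
example-cdn.test. 5M IN A 192.0.2.50
example-cdn.test. 5M IN A 192.0.2.51
example-cdn.test. 5M IN A 192.0.2.52
;; AUTHORITY SECTION:
example-flux.test. 1d23h IN NS ns1.example-flux.test.
"""

# Constructed Team Cymru bulk-whois output ("ASN | IP | AS name"), private ASNs.
SAMPLE_WHOIS = """\
Bulk mode; whois.cymru.com [constructed sample]
64496 | 192.0.2.10 | EXAMPLE-ONE - Example ISP One
64497 | 192.0.2.20 | EXAMPLE-TWO Example Cable Two
64498 | 198.51.100.5 | EXAMPLE-THREE Example Telecom Three
64498 | 198.51.100.9 | EXAMPLE-THREE Example Telecom Three
64499 | 203.0.113.3 | EXAMPLE-FOUR Example Academic Four
64500 | 203.0.113.77 | EXAMPLE-FIVE Example Broadband Five
64501 | 192.0.2.50 | EXAMPLE-CDN Example Content Network
64501 | 192.0.2.51 | EXAMPLE-CDN Example Content Network
64501 | 192.0.2.52 | EXAMPLE-CDN Example Content Network
"""

# DiG 8 prints TTLs as "10M" or "1d22h4m59s"; newer digs print plain seconds.
_TTL_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def ttl_seconds(text):
    if text.isdigit():
        return int(text)
    return sum(int(n) * _TTL_UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([wdhmsWDHMS])", text))

A_RE = re.compile(r"^(\S+?)\.?\s+(\S+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")
WHOIS_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\d+\.\d+\.\d+\.\d+)\s*\|\s*(.*)$")

def parse_dig_a_records(text):
    """Return {domain: [(ttl_seconds, ip), ...]} from A records in dig output."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = A_RE.match(line.strip())
        if m:
            out[m.group(1).lower()].append((ttl_seconds(m.group(2)), m.group(3)))
    return dict(out)

def parse_cymru_bulk(text):
    """Return {ip: (asn, as_name)}; the 'Bulk mode;' banner does not match."""
    out = {}
    for line in text.splitlines():
        m = WHOIS_RE.match(line)
        if m:
            out[m.group(2)] = (int(m.group(1)), m.group(3).strip())
    return out

def flux_indicators(records, ip_to_asn):
    """Per domain: A-record count, shortest TTL, distinct ASNs, and a verdict."""
    report = {}
    for domain, rrs in records.items():
        ips = {ip for _, ip in rrs}
        asns = {ip_to_asn[ip][0] for ip in ips if ip in ip_to_asn}
        min_ttl = min(ttl for ttl, _ in rrs)
        # Thresholds are an assumption of this example: a CDN also answers with
        # many addresses, but rarely across this many unrelated ASNs at a TTL
        # this short. Tune against your own resolver logs before enforcing.
        suspicious = len(ips) >= 5 and min_ttl <= 600 and len(asns) >= 4
        report[domain] = {"a_records": len(ips), "min_ttl": min_ttl,
                          "distinct_asns": len(asns), "suspicious": suspicious}
    return report

def rpz_records(report, policy="CNAME ."):
    """RPZ zone lines; 'CNAME .' makes the resolver answer NXDOMAIN."""
    lines = []
    for domain, ind in sorted(report.items()):
        if ind["suspicious"]:
            lines.append(f"{domain} {policy}")
            lines.append(f"*.{domain} {policy}")
    return lines

def triage(dig_text, whois_text):
    report = flux_indicators(parse_dig_a_records(dig_text),
                             parse_cymru_bulk(whois_text))
    return report, rpz_records(report)

if __name__ == "__main__":
    report, rpz = triage(SAMPLE_DIG, SAMPLE_WHOIS)
    for domain, ind in report.items():
        print(domain, ind)
    print("\n".join(rpz))
```

Real Cymru bulk output arrives with long AS names wrapped onto a second line, as in the post; rejoin those lines (or use the `-v` one-record-per-line mode of the whois server) before feeding them to `parse_cymru_bulk`, since only lines beginning with an ASN and a pipe are read. The RPZ lines go into a response-policy zone loaded by the resolver, which is the DNS blackholing the post calls for; blocking the A-record addresses instead would need to be redone every TTL.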
-bash-2.05b$ dig wwwDOTlocale48.com
; <<>> DiG 8.1 <<>> wwwDOTlocale48.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0
;; QUERY SECTION:
;; wwwDOTlocale48.com, type = A, class = IN
;; ANSWER SECTION:
wwwDOTlocale48.com. 10M IN A 12.207.206.75
wwwDOTlocale48.com. 10M IN A 82.159.61.76
wwwDOTlocale48.com. 10M IN A 91.192.58.61
wwwDOTlocale48.com. 10M IN A 89.77.176.150
wwwDOTlocale48.com. 10M IN A 83.8.14.226
wwwDOTlocale48.com. 10M IN A 83.25.133.174
wwwDOTlocale48.com. 10M IN A 87.205.166.191
wwwDOTlocale48.com. 10M IN A 83.20.171.223
wwwDOTlocale48.com. 10M IN A 216.234.120.157
wwwDOTlocale48.com. 10M IN A 208.44.10.200
wwwDOTlocale48.com. 10M IN A 89.228.212.197
wwwDOTlocale48.com. 10M IN A 69.65.91.5
wwwDOTlocale48.com. 10M IN A 82.143.130.48
wwwDOTlocale48.com. 10M IN A 81.190.41.4
;; AUTHORITY SECTION:
locale48.com. 1d22h4m59s IN NS ns4.locale48.com.
locale48.com. 1d22h4m59s IN NS ns1.locale48.com.
locale48.com. 1d22h4m59s IN NS ns2.locale48.com.
locale48.com. 1d22h4m59s IN NS ns3.locale48.com.
;; Total query time: 46 msec
;; FROM: jp-script to SERVER: default -- 205.171.3.65
;; WHEN: Tue Jun 3 12:13:13 2008
;; MSG SIZE sent: 34 rcvd: 330
Bulk mode; whois.cymru.com [2008-06-03 16:17:56 +0000]
2828 | 69.65.91.5 | XO-AS15 - XO Communications
5617 | 83.20.171.223 | TPNET Polish Telecom_s commercial IP network
5617 | 83.25.133.174 | TPNET Polish Telecom_s commercial IP network
5617 | 83.8.14.226 | TPNET Polish Telecom_s commercial IP network
6478 | 12.207.206.75 | ATT-INTERNET3 - AT&T WorldNet Services
9141 | 89.77.176.150 | AS9141 UPC Poland
12129 | 216.234.120.157 | 123NET - Internet 123
12741 | 87.205.166.191 | INTERNETIA-AS Netia SA
12968 | 91.192.58.61 | CDP Crowley Data Poland, sp. z o.o.
16338 | 82.159.61.76 | AUNA_TELECOM-AS Cableuropa - ONO
21021 | 81.190.41.4 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
21021 | 89.228.212.197 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
28982 | 82.143.130.48 | E-WRO E-WRO Autonomous System
UPSTREAMS:
Bulk mode; peer-whois.cymru.com [2008-06-03 16:18:17 +0000]
174 | 69.65.91.5 | COGENT Cogent/PSI
174 | 82.159.61.76 | COGENT Cogent/PSI
701 | 69.65.91.5 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239 | 69.65.91.5 | SPRINTLINK - Sprint
1273 | 82.159.61.76 | CW Cable and Wireless plc
1299 | 69.65.91.5 | TELIANET TeliaNet Global Network
2914 | 69.65.91.5 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257 | 91.192.58.61 | TISCALI-BACKBONE Tiscali Intl Network BV
3320 | 89.228.212.197 | DTAG Deutsche Telekom AG
3356 | 216.234.120.157 | LEVEL3 Level 3 Communications
3356 | 69.65.91.5 | LEVEL3 Level 3 Communications
3356 | 91.192.58.61 | LEVEL3 Level 3 Communications
3549 | 69.65.91.5 | GBLX Global Crossing Ltd.
3561 | 216.234.120.157 | SAVVIS - Savvis
4134 | 69.65.91.5 | CHINANET-BACKBONE No.31,Jin-rong Street
4565 | 69.65.91.5 | MEGAPATH2-US - MegaPath Networks Inc.
5511 | 83.20.171.223 | OPENTRANSIT France Telecom
5511 | 83.25.133.174 | OPENTRANSIT France Telecom
5511 | 83.8.14.226 | OPENTRANSIT France Telecom
5617 | 81.190.41.4 | TPNET Polish Telecom_s commercial IP network
5617 | 89.228.212.197 | TPNET Polish Telecom_s commercial IP network
6453 | 69.65.91.5 | GLOBEINTERNET TATA Communications
6453 | 82.159.61.76 | GLOBEINTERNET TATA Communications
6453 | 91.192.58.61 | GLOBEINTERNET TATA Communications
6830 | 89.77.176.150 | UPC UPC Broadband
7018 | 12.207.206.75 | ATT-INTERNET4 - AT&T WorldNet Services
7473 | 69.65.91.5 | SINGTEL-AS-AP Singapore Telecom
12887 | 87.205.166.191 | TDC-TRANSIT Swiat Internet SA Transit Network
13293 | 81.190.41.4 | PIONIER-AS-COM PIONIER
13293 | 89.228.212.197 | PIONIER-AS-COM PIONIER
15857 | 82.143.130.48 | DIALOG-AS DIALOG-NET Autonomuos System
sysid72.com is also fast-fluxed.
$ dig sysid72.com
; <<>> DiG 8.1 <<>> sysid72.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0
;; QUERY SECTION:
;; sysid72.com, type = A, class = IN
;; ANSWER SECTION:
sysid72.com. 10M IN A 84.121.210.189
sysid72.com. 10M IN A 84.38.90.168
sysid72.com. 10M IN A 83.8.14.226
sysid72.com. 10M IN A 99.194.80.27
sysid72.com. 10M IN A 69.65.91.5
sysid72.com. 10M IN A 156.17.227.218
sysid72.com. 10M IN A 83.242.74.153
sysid72.com. 10M IN A 83.9.95.62
sysid72.com. 10M IN A 87.205.166.191
sysid72.com. 10M IN A 79.173.2.187
sysid72.com. 10M IN A 87.206.249.92
sysid72.com. 10M IN A 83.11.232.151
sysid72.com. 10M IN A 62.21.112.61
;; AUTHORITY SECTION:
sysid72.com. 1d23h47m50s IN NS ns2.sysid72.com.
sysid72.com. 1d23h47m50s IN NS ns4.sysid72.com.
sysid72.com. 1d23h47m50s IN NS ns3.sysid72.com.
sysid72.com. 1d23h47m50s IN NS ns1.sysid72.com.
;; Total query time: 58 msec
;; FROM: jp-script to SERVER: default -- 205.171.3.65
;; WHEN: Tue Jun 3 12:52:13 2008
;; MSG SIZE sent: 29 rcvd: 325
$ cat whois| sort -n
Bulk mode; whois.cymru.com [2008-06-03 17:13:03 +0000]
2828 | 69.65.91.5 | XO-AS15 - XO Communications
5617 | 83.11.232.151 | TPNET Polish Telecom_s commercial IP network
5617 | 83.8.14.226 | TPNET Polish Telecom_s commercial IP network
5617 | 83.9.95.62 | TPNET Polish Telecom_s commercial IP network
6739 | 84.121.210.189 | ONO-AS Cableuropa - ONO
7776 | 99.194.80.27 | MEBT7776 - Mebtel Communications
8970 | 156.17.227.218 | WASK WROCMAN-EDU educational part of WASK network,Wroclaw, Poland
9141 | 87.206.249.92 | AS9141 UPC Poland
12741 | 87.205.166.191 | INTERNETIA-AS Netia SA
13110 | 62.21.112.61 | ICP-AS Internet Cable Provider network
30838 | 83.242.74.153 | TELPOL PPMUE TELPOL
39349 | 84.38.90.168 | TVKDIANA-AS Telewizja Kablowa Diana s.j.
39834 | 79.173.2.187 | TESAT-AS Tesat Telewizja Kablowa
$ cat whois.up | sort -n
Bulk mode; peer-whois.cymru.com [2008-06-03 17:13:45 +0000]
174 | 69.65.91.5 | COGENT Cogent/PSI
174 | 84.121.210.189 | COGENT Cogent/PSI
701 | 69.65.91.5 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239 | 69.65.91.5 | SPRINTLINK - Sprint
1273 | 84.121.210.189 | CW Cable and Wireless plc
1299 | 62.21.112.61 | TELIANET TeliaNet Global Network
1299 | 69.65.91.5 | TELIANET TeliaNet Global Network
2914 | 69.65.91.5 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356 | 69.65.91.5 | LEVEL3 Level 3 Communications
3356 | 84.121.210.189 | LEVEL3 Level 3 Communications
3549 | 62.21.112.61 | GBLX Global Crossing Ltd.
3549 | 69.65.91.5 | GBLX Global Crossing Ltd.
4134 | 69.65.91.5 | CHINANET-BACKBONE No.31,Jin-rong Street
4565 | 69.65.91.5 | MEGAPATH2-US - MegaPath Networks Inc.
5511 | 83.11.232.151 | OPENTRANSIT France Telecom
5511 | 83.8.14.226 | OPENTRANSIT France Telecom
5511 | 83.9.95.62 | OPENTRANSIT France Telecom
5617 | 84.38.90.168 | TPNET Polish Telecom_s commercial IP network
6453 | 69.65.91.5 | GLOBEINTERNET TATA Communications
6830 | 87.206.249.92 | UPC UPC Broadband
7018 | 24.178.199.82 | ATT-INTERNET4 - AT&T WorldNet Services
7473 | 69.65.91.5 | SINGTEL-AS-AP Singapore Telecom
8246 | 79.173.2.187 | GTS-POLSKA-AS GTS Polska Sp. z o.o.
8246 | 84.38.90.168 | GTS-POLSKA-AS GTS Polska Sp. z o.o.
8364 | 79.173.2.187 | POZMAN-COM
8501 | 156.17.227.218 | PIONIER-AS PIONIER, National Research and Education Network in Poland
9112 | 79.173.2.187 | POZMAN-EDU
12887 | 87.205.166.191 | TDC-TRANSIT Swiat Internet SA Transit Network
12968 | 83.242.74.153 | CDP Crowley Data Poland, sp. z o.o.
14745 | 99.194.80.27 | INTERNAP-BLOCK-4 - Internap Network Services
15744 | 83.242.74.153 | SILWEB-AS-COM SILWEB Autonomous System - Commercial
20960 | 79.173.2.187 | TKTELEKOM-AS Telekomunikacja Kolejowa is an ISP operating in Poland
20960 | 84.38.90.168 | TKTELEKOM-AS Telekomunikacja Kolejowa is an ISP operating in Poland
24671 | 84.38.90.168 | PILICKA-AS MNI Telecom Sp. z o.o.
24724 | 62.21.112.61 | ATMAN-FOREIGN-AS ATM S.A.
39869 | 83.242.74.153 | SITEL-PL SITEL - Polish IP Transit Networks
Donald.Smith at qwest.com giac
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.