[nsp-sec] ACK 2828 wwwDOTen-us18DOTcom and wwwDOTlocale48DOTcom sqlinjection sites.
Smith, Donald
Donald.Smith at qwest.com
Tue Jun 3 15:46:37 EDT 2008
Thanks Yiming.
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: Gong, Yiming [mailto:yiming.gong at xo.com]
> Sent: Tuesday, June 03, 2008 11:37 AM
> To: Smith, Donald; nsp-security at puck.nether.net
> Subject: RE: [nsp-sec] ACK 2828 wwwDOTen-us18DOTcom and
> wwwDOTlocale48DOTcom sqlinjection sites.
>
> Ack 2828, sanitized info forwarded to our abuse team.
>
> > 2828 | 69.65.91.5 | XO-AS15 - XO Communications
>
> Regards,
>
> Yiming
>
>
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> > Smith, Donald
> > Sent: Tuesday, June 03, 2008 12:23 PM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] wwwDOTen-us18DOTcom and
> > wwwDOTlocale48DOTcom sqlinjection sites.
> >
> > ----------- nsp-security Confidential --------
> >
> >
> > wwwDOTen-us18DOTcom has been injected into 560 pages or so and is
> > fastfluxed so it requires dns blackholing.
> > This leads to flash exploits that load an information stealer.
> > There is no other visible content on this site.
> > Diary here:
> > http://isc.sans.org/diary.html?storyid=4519
> >
> > Here are the addresses I saw yesterday.
> > They will of course change. The ttl for the A records was 10 mins.
> >
> >
> > $ cat whois | sort -nk1
> > Bulk mode; whois.cymru.com [2008-06-02 21:21:39 +0000]
> > 812 | 99.225.66.211 | ROGERS-CABLE - Rogers Cable Communications Inc.
> > 1887 | 148.81.132.211 | NASK-ACADEMIC NASK
> > 2828 | 69.65.91.5 | XO-AS15 - XO Communications
> > 5617 | 83.23.188.93 | TPNET Polish Telecom_s commercial IP network
> > 5617 | 83.27.126.102 | TPNET Polish Telecom_s commercial IP network
> > 6739 | 84.121.210.189 | ONO-AS Cableuropa - ONO
> > 7776 | 99.194.80.27 | MEBT7776 - Mebtel Communications
> > 8970 | 156.17.227.218 | WASK WROCMAN-EDU educational part of WASK network,Wroclaw, Poland
> > 12479 | 85.53.64.13 | UNI2-AS Uni2 Autonomous System
> > 12741 | 87.205.33.92 | INTERNETIA-AS Netia SA
> > 13110 | 62.21.81.188 | ICP-AS Internet Cable Provider network
> > 16338 | 82.159.61.76 | AUNA_TELECOM-AS Cableuropa - ONO
> > 19287 | 216.170.109.251 | INFLOW19287 - Inflow Inc.
> > 30838 | 83.242.74.153 | TELPOL PPMUE TELPOL
> >
> >
> > UPSTREAMS:
> > $ cat whois.up| sort -nk 1
> > Bulk mode; peer-whois.cymru.com [2008-06-02 21:22:15 +0000]
> > 174 | 69.65.91.5 | COGENT Cogent/PSI
> > 174 | 82.159.61.76 | COGENT Cogent/PSI
> > 174 | 84.121.210.189 | COGENT Cogent/PSI
> > 174 | 85.53.64.13 | COGENT Cogent/PSI
> > 174 | 99.225.66.211 | COGENT Cogent/PSI
> > 701 | 216.170.109.251 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> > 701 | 69.65.91.5 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> > 1239 | 69.65.91.5 | SPRINTLINK - Sprint
> > 1273 | 82.159.61.76 | CW Cable and Wireless plc
> > 1273 | 84.121.210.189 | CW Cable and Wireless plc
> > 1299 | 62.21.81.188 | TELIANET TeliaNet Global Network
> > 1299 | 69.65.91.5 | TELIANET TeliaNet Global Network
> > 2914 | 69.65.91.5 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> > 3356 | 216.170.109.251 | LEVEL3 Level 3 Communications
> > 3356 | 69.65.91.5 | LEVEL3 Level 3 Communications
> > 3356 | 84.121.210.189 | LEVEL3 Level 3 Communications
> > 3549 | 62.21.81.188 | GBLX Global Crossing Ltd.
> > 3549 | 69.65.91.5 | GBLX Global Crossing Ltd.
> > 3549 | 99.225.66.211 | GBLX Global Crossing Ltd.
> > 4134 | 69.65.91.5 | CHINANET-BACKBONE No.31,Jin-rong Street
> > 4565 | 69.65.91.5 | MEGAPATH2-US - MegaPath Networks Inc.
> > 5511 | 83.23.188.93 | OPENTRANSIT France Telecom
> > 5511 | 83.27.126.102 | OPENTRANSIT France Telecom
> > 5511 | 85.53.64.13 | OPENTRANSIT France Telecom
> > 6453 | 69.65.91.5 | GLOBEINTERNET TATA Communications
> > 6453 | 82.159.61.76 | GLOBEINTERNET TATA Communications
> > 6453 | 99.225.66.211 | GLOBEINTERNET TATA Communications
> > 6461 | 99.225.66.211 | MFNX MFN - Metromedia Fiber Network
> > 7132 | 99.225.66.211 | SBIS-AS - AT&T Internet Services
> > 7473 | 69.65.91.5 | SINGTEL-AS-AP Singapore Telecom
> > 8501 | 148.81.132.211 | PIONIER-AS PIONIER, National Research and Education Network in Poland
> > 8501 | 156.17.227.218 | PIONIER-AS PIONIER, National Research and Education Network in Poland
> > 11537 | 99.225.66.211 | ABILENE - Internet2
> > 12887 | 87.205.33.92 | TDC-TRANSIT Swiat Internet SA Transit Network
> > 12968 | 83.242.74.153 | CDP Crowley Data Poland, sp. z o.o.
> > 14745 | 99.194.80.27 | INTERNAP-BLOCK-4 - Internap Network Services
> > 15744 | 83.242.74.153 | SILWEB-AS-COM SILWEB Autonomous System - Commercial
> > 24724 | 62.21.81.188 | ATMAN-FOREIGN-AS ATM S.A.
> > 39869 | 83.242.74.153 | SITEL-PL SITEL - Polish IP Transit Networks
> >
> > They recently (last night?) added wwwDOTlocale48.com as a new sql
> > injection site.
> > wwwDOTlocale48.com/b.js leads to the same secondary download site
> > sysid72DOTcom with the same flash exploits.
> > It is also fast fluxed so I expect the ip addresses to change.
> > Based on a google for that string it has been injected into around 16k
> > sites.
> >
> >
> > -bash-2.05b$ dig wwwDOTlocale48.com
> >
> > ; <<>> DiG 8.1 <<>> wwwDOTlocale48.com
> > ;; res options: init recurs defnam dnsrch
> > ;; got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0
> > ;; QUERY SECTION:
> > ;; wwwDOTlocale48.com, type = A, class = IN
> >
> > ;; ANSWER SECTION:
> > wwwDOTlocale48.com. 10M IN A 12.207.206.75
> > wwwDOTlocale48.com. 10M IN A 82.159.61.76
> > wwwDOTlocale48.com. 10M IN A 91.192.58.61
> > wwwDOTlocale48.com. 10M IN A 89.77.176.150
> > wwwDOTlocale48.com. 10M IN A 83.8.14.226
> > wwwDOTlocale48.com. 10M IN A 83.25.133.174
> > wwwDOTlocale48.com. 10M IN A 87.205.166.191
> > wwwDOTlocale48.com. 10M IN A 83.20.171.223
> > wwwDOTlocale48.com. 10M IN A 216.234.120.157
> > wwwDOTlocale48.com. 10M IN A 208.44.10.200
> > wwwDOTlocale48.com. 10M IN A 89.228.212.197
> > wwwDOTlocale48.com. 10M IN A 69.65.91.5
> > wwwDOTlocale48.com. 10M IN A 82.143.130.48
> > wwwDOTlocale48.com. 10M IN A 81.190.41.4
> >
> > ;; AUTHORITY SECTION:
> > locale48.com. 1d22h4m59s IN NS ns4.locale48.com.
> > locale48.com. 1d22h4m59s IN NS ns1.locale48.com.
> > locale48.com. 1d22h4m59s IN NS ns2.locale48.com.
> > locale48.com. 1d22h4m59s IN NS ns3.locale48.com.
> >
> > ;; Total query time: 46 msec
> > ;; FROM: jp-script to SERVER: default -- 205.171.3.65
> > ;; WHEN: Tue Jun 3 12:13:13 2008
> > ;; MSG SIZE sent: 34 rcvd: 330
> >
> > Bulk mode; whois.cymru.com [2008-06-03 16:17:56 +0000]
> > 2828 | 69.65.91.5 | XO-AS15 - XO Communications
> > 5617 | 83.20.171.223 | TPNET Polish Telecom_s commercial IP network
> > 5617 | 83.25.133.174 | TPNET Polish Telecom_s commercial IP network
> > 5617 | 83.8.14.226 | TPNET Polish Telecom_s commercial IP network
> > 6478 | 12.207.206.75 | ATT-INTERNET3 - AT&T WorldNet Services
> > 9141 | 89.77.176.150 | AS9141 UPC Poland
> > 12129 | 216.234.120.157 | 123NET - Internet 123
> > 12741 | 87.205.166.191 | INTERNETIA-AS Netia SA
> > 12968 | 91.192.58.61 | CDP Crowley Data Poland, sp. z o.o.
> > 16338 | 82.159.61.76 | AUNA_TELECOM-AS Cableuropa - ONO
> > 21021 | 81.190.41.4 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> > 21021 | 89.228.212.197 | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> > 28982 | 82.143.130.48 | E-WRO E-WRO Autonomous System
> > UPSTREAMS:
> > Bulk mode; peer-whois.cymru.com [2008-06-03 16:18:17 +0000]
> > 174 | 69.65.91.5 | COGENT Cogent/PSI
> > 174 | 82.159.61.76 | COGENT Cogent/PSI
> >
> > 701 | 69.65.91.5 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> > 1239 | 69.65.91.5 | SPRINTLINK - Sprint
> > 1273 | 82.159.61.76 | CW Cable and Wireless plc
> > 1299 | 69.65.91.5 | TELIANET TeliaNet Global Network
> > 2914 | 69.65.91.5 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> > 3257 | 91.192.58.61 | TISCALI-BACKBONE Tiscali Intl Network BV
> > 3320 | 89.228.212.197 | DTAG Deutsche Telekom AG
> > 3356 | 216.234.120.157 | LEVEL3 Level 3 Communications
> > 3356 | 69.65.91.5 | LEVEL3 Level 3 Communications
> > 3356 | 91.192.58.61 | LEVEL3 Level 3 Communications
> > 3549 | 69.65.91.5 | GBLX Global Crossing Ltd.
> > 3561 | 216.234.120.157 | SAVVIS - Savvis
> > 4134 | 69.65.91.5 | CHINANET-BACKBONE No.31,Jin-rong Street
> > 4565 | 69.65.91.5 | MEGAPATH2-US - MegaPath Networks Inc.
> > 5511 | 83.20.171.223 | OPENTRANSIT France Telecom
> > 5511 | 83.25.133.174 | OPENTRANSIT France Telecom
> > 5511 | 83.8.14.226 | OPENTRANSIT France Telecom
> > 5617 | 81.190.41.4 | TPNET Polish Telecom_s commercial IP network
> > 5617 | 89.228.212.197 | TPNET Polish Telecom_s commercial IP network
> > 6453 | 69.65.91.5 | GLOBEINTERNET TATA Communications
> > 6453 | 82.159.61.76 | GLOBEINTERNET TATA Communications
> > 6453 | 91.192.58.61 | GLOBEINTERNET TATA Communications
> > 6830 | 89.77.176.150 | UPC UPC Broadband
> > 7018 | 12.207.206.75 | ATT-INTERNET4 - AT&T WorldNet Services
> > 7473 | 69.65.91.5 | SINGTEL-AS-AP Singapore Telecom
> > 12887 | 87.205.166.191 | TDC-TRANSIT Swiat Internet SA Transit Network
> > 13293 | 81.190.41.4 | PIONIER-AS-COM PIONIER
> > 13293 | 89.228.212.197 | PIONIER-AS-COM PIONIER
> > 15857 | 82.143.130.48 | DIALOG-AS DIALOG-NET Autonomuos System
> >
> >
> >
> > sysid72.com is also fastfluxed.
> > dig sysid72.com
> > ; <<>> DiG 8.1 <<>> sysid72.com
> > ;; res options: init recurs defnam dnsrch
> > ;; got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0
> > ;; QUERY SECTION:
> > ;; sysid72.com, type = A, class = IN
> >
> > ;; ANSWER SECTION:
> > sysid72.com. 10M IN A 84.121.210.189
> > sysid72.com. 10M IN A 84.38.90.168
> > sysid72.com. 10M IN A 83.8.14.226
> > sysid72.com. 10M IN A 99.194.80.27
> > sysid72.com. 10M IN A 69.65.91.5
> > sysid72.com. 10M IN A 156.17.227.218
> > sysid72.com. 10M IN A 83.242.74.153
> > sysid72.com. 10M IN A 83.9.95.62
> > sysid72.com. 10M IN A 87.205.166.191
> > sysid72.com. 10M IN A 79.173.2.187
> > sysid72.com. 10M IN A 87.206.249.92
> > sysid72.com. 10M IN A 83.11.232.151
> > sysid72.com. 10M IN A 62.21.112.61
> >
> > ;; AUTHORITY SECTION:
> > sysid72.com. 1d23h47m50s IN NS ns2.sysid72.com.
> > sysid72.com. 1d23h47m50s IN NS ns4.sysid72.com.
> > sysid72.com. 1d23h47m50s IN NS ns3.sysid72.com.
> > sysid72.com. 1d23h47m50s IN NS ns1.sysid72.com.
> >
> > ;; Total query time: 58 msec
> > ;; FROM: jp-script to SERVER: default -- 205.171.3.65
> > ;; WHEN: Tue Jun 3 12:52:13 2008
> > ;; MSG SIZE sent: 29 rcvd: 325
> > $ cat whois| sort -n
> > Bulk mode; whois.cymru.com [2008-06-03 17:13:03 +0000]
> > 2828 | 69.65.91.5 | XO-AS15 - XO Communications
> > 5617 | 83.11.232.151 | TPNET Polish Telecom_s commercial IP network
> > 5617 | 83.8.14.226 | TPNET Polish Telecom_s commercial IP network
> > 5617 | 83.9.95.62 | TPNET Polish Telecom_s commercial IP network
> > 6739 | 84.121.210.189 | ONO-AS Cableuropa - ONO
> > 7776 | 99.194.80.27 | MEBT7776 - Mebtel Communications
> > 8970 | 156.17.227.218 | WASK WROCMAN-EDU educational part of WASK netWroclaw, Poland
> > 9141 | 87.206.249.92 | AS9141 UPC Poland
> > 12741 | 87.205.166.191 | INTERNETIA-AS Netia SA
> > 13110 | 62.21.112.61 | ICP-AS Internet Cable Provider network
> > 30838 | 83.242.74.153 | TELPOL PPMUE TELPOL
> > 39349 | 84.38.90.168 | TVKDIANA-AS Telewizja Kablowa Diana s.j.
> > 39834 | 79.173.2.187 | TESAT-AS Tesat Telewizja Kablowa
> >
> > $ cat whois.up | sort -n
> > Bulk mode; peer-whois.cymru.com [2008-06-03 17:13:45 +0000]
> > 174 | 69.65.91.5 | COGENT Cogent/PSI
> > 174 | 84.121.210.189 | COGENT Cogent/PSI
> > 701 | 69.65.91.5 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> > 1239 | 69.65.91.5 | SPRINTLINK - Sprint
> > 1273 | 84.121.210.189 | CW Cable and Wireless plc
> > 1299 | 62.21.112.61 | TELIANET TeliaNet Global Network
> > 1299 | 69.65.91.5 | TELIANET TeliaNet Global Network
> > 2914 | 69.65.91.5 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> > 3356 | 69.65.91.5 | LEVEL3 Level 3 Communications
> > 3356 | 84.121.210.189 | LEVEL3 Level 3 Communications
> > 3549 | 62.21.112.61 | GBLX Global Crossing Ltd.
> > 3549 | 69.65.91.5 | GBLX Global Crossing Ltd.
> > 4134 | 69.65.91.5 | CHINANET-BACKBONE No.31,Jin-rong Street
> > 4565 | 69.65.91.5 | MEGAPATH2-US - MegaPath Networks Inc.
> > 5511 | 83.11.232.151 | OPENTRANSIT France Telecom
> > 5511 | 83.8.14.226 | OPENTRANSIT France Telecom
> > 5511 | 83.9.95.62 | OPENTRANSIT France Telecom
> > 5617 | 84.38.90.168 | TPNET Polish Telecom_s commercial IP network
> > 6453 | 69.65.91.5 | GLOBEINTERNET TATA Communications
> > 6830 | 87.206.249.92 | UPC UPC Broadband
> > 7018 | 24.178.199.82 | ATT-INTERNET4 - AT&T WorldNet Services
> > 7473 | 69.65.91.5 | SINGTEL-AS-AP Singapore Telecom
> > 8246 | 79.173.2.187 | GTS-POLSKA-AS GTS Polska Sp. z o.o.
> > 8246 | 84.38.90.168 | GTS-POLSKA-AS GTS Polska Sp. z o.o.
> > 8364 | 79.173.2.187 | POZMAN-COM
> > 8501 | 156.17.227.218 | PIONIER-AS PIONIER, National Research and Education Network in Poland
> > 9112 | 79.173.2.187 | POZMAN-EDU
> > 12887 | 87.205.166.191 | TDC-TRANSIT Swiat Internet SA Transit Network
> > 12968 | 83.242.74.153 | CDP Crowley Data Poland, sp. z o.o.
> > 14745 | 99.194.80.27 | INTERNAP-BLOCK-4 - Internap Network Services
> > 15744 | 83.242.74.153 | SILWEB-AS-COM SILWEB Autonomous System - Commercial
> > 20960 | 79.173.2.187 | TKTELEKOM-AS Telekomunikacja Kolejowa is an ISP operating in Poland
> > 20960 | 84.38.90.168 | TKTELEKOM-AS Telekomunikacja Kolejowa is an ISP operating in Poland
> > 24671 | 84.38.90.168 | PILICKA-AS MNI Telecom Sp. z o.o.
> > 24724 | 62.21.112.61 | ATMAN-FOREIGN-AS ATM S.A.
> > 39869 | 83.242.74.153 | SITEL-PL SITEL - Polish IP Transit Networks
> >
> > H8Hz
> > Donald.Smith at qwest.com giac
> >
> >
> > This communication is the property of Qwest and may contain
> > confidential or
> > privileged information. Unauthorized use of this
> > communication is strictly
> > prohibited and may be unlawful. If you have received this
> > communication
> > in error, please immediately notify the sender by reply
> > e-mail and destroy
> > all copies of the communication and any attachments.
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the
> > nsp-security
> > community. Confidentiality is essential for effective
> > Internet security counter-measures.
> > _______________________________________________
> >
>
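As an added example (not part of the original post or anything from the nsp-security list), the script below automates the triage the quoted messages do by hand: it parses dig's ANSWER SECTION and Team Cymru "ASN | IP | name" bulk-whois lines, flags an owner name as fast-flux on the three signals the post relies on (a short TTL, many A records, addresses spread across many origin ASNs), and emits the response-policy-zone record a resolver operator would load to blackhole the name. The sample input is constructed from lines that appear in the post; the thresholds (TTL of at most 900 s, at least 5 addresses, at least 3 ASNs) and the assumption that the resolver is BIND with RPZ enabled are mine, not the post's.

```python
"""Fast-flux triage from dig and Team Cymru bulk-whois output (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the sysid72.com answer section from the post
# (dig prints the 600-second TTL as "10M").
DIG_OUTPUT = """\
;; ANSWER SECTION:
sysid72.com. 10M IN A 84.121.210.189
sysid72.com. 10M IN A 83.8.14.226
sysid72.com. 10M IN A 99.194.80.27
sysid72.com. 10M IN A 69.65.91.5
sysid72.com. 10M IN A 156.17.227.218
sysid72.com. 10M IN A 83.242.74.153

;; AUTHORITY SECTION:
sysid72.com. 1d23h47m50s IN NS ns1.sysid72.com.
"""

# Constructed sample: the matching Team Cymru bulk-whois lines from the post.
WHOIS_OUTPUT = """\
Bulk mode; whois.cymru.com [2008-06-03 17:13:03 +0000]
2828 | 69.65.91.5 | XO-AS15 - XO Communications
5617 | 83.8.14.226 | TPNET Polish Telecom_s commercial IP network
6739 | 84.121.210.189 | ONO-AS Cableuropa - ONO
7776 | 99.194.80.27 | MEBT7776 - Mebtel Communications
8970 | 156.17.227.218 | WASK WROCMAN-EDU educational part of WASK network
30838 | 83.242.74.153 | TELPOL PPMUE TELPOL
"""

_TTL_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_ttl(text: str) -> int:
    """Convert a dig TTL such as '600', '10M' or '1d23h47m50s' to seconds."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * _TTL_UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", text.lower()))


@dataclass
class ARecords:
    name: str
    ttl: int
    addresses: list = field(default_factory=list)


def parse_dig_a_records(output: str) -> dict:
    """Return {owner name: ARecords} for every A record in dig's ANSWER SECTION."""
    records = {}
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False          # any other section header or blank line ends the answers
            continue
        if not in_answer:
            continue
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            name, ttl, _, _, addr = parts
            records.setdefault(name, ARecords(name, parse_ttl(ttl))).addresses.append(addr)
    return records


def parse_cymru_origins(output: str) -> dict:
    """Return {ip: (asn, as_name)} from 'ASN | IP | name' bulk-whois lines."""
    origins = {}
    for line in output.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0].isdigit():
            origins[parts[1]] = (int(parts[0]), parts[2])
    return origins


@dataclass
class Verdict:
    name: str
    ttl: int
    address_count: int
    asn_count: int
    fast_flux: bool


def assess(rec: ARecords, origins: dict, max_ttl: int = 900,
           min_addrs: int = 5, min_asns: int = 3) -> Verdict:
    """Apply the three fast-flux signals; the thresholds are assumed, not from the post."""
    asns = {origins[ip][0] for ip in rec.addresses if ip in origins}
    flagged = rec.ttl <= max_ttl and len(rec.addresses) >= min_addrs and len(asns) >= min_asns
    return Verdict(rec.name, rec.ttl, len(rec.addresses), len(asns), flagged)


def rpz_blackhole(name: str) -> str:
    """RPZ records that return NXDOMAIN for the name and its subdomains (assumes BIND RPZ)."""
    owner = name.rstrip(".")
    return f"{owner} CNAME .\n*.{owner} CNAME ."


def triage(dig_output: str, whois_output: str) -> list:
    """Parse both outputs and return one Verdict per owner name seen in the answers."""
    origins = parse_cymru_origins(whois_output)
    return [assess(rec, origins) for rec in parse_dig_a_records(dig_output).values()]


if __name__ == "__main__":
    for verdict in triage(DIG_OUTPUT, WHOIS_OUTPUT):
        print(verdict)
        if verdict.fast_flux:
            print(rpz_blackhole(verdict.name))
```

Feeding the script real captures (redirect `dig` and the bulk-whois session to files and pass their contents to `triage`) gives a verdict per name; only names that trip all three signals get an RPZ entry, which keeps an ordinary multi-address CDN name with a short TTL but a single origin ASN from being blackholed.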