[nsp-sec] Ack 14745: wwwDOTen-us18DOTcom and wwwDOTlocale48DOTcom sql injection sites.
Mike Palladino
mpalladino at internap.com
Tue Jun 3 19:55:46 EDT 2008
Thanks!
-Mike
--------------------------------------------------------------------------
Mike Palladino, CCDP, CCNP Internap Network Operations Center
Manager, Network Operations Center
NOC: 1.877.THE.INOC
Email: mpalladino at internap.com Email: noc at internap.com
--------------------------------------------------------------------------
On Tue, 3 Jun 2008, Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
>
> wwwDOTen-us18DOTcom has been injected into 560 pages or so and is
> fastfluxed, so it requires dns blackholing.
> This leads to flash exploits that load an information stealer.
> There is no other visible content on this site.
> Diary here:
> http://isc.sans.org/diary.html?storyid=4519
>
> Here are the addresses I saw yesterday.
> They will of course change. The ttl for the A records was 10 mins.
>
>
>
> They recently (last night?) added wwwDOTlocale48.com as a new sql
> injection site.
> wwwDOTlocale48.com/b.js leads to the same secondary download site,
> sysid72DOTcom, with the same flash exploits.
> It is also fast fluxed, so I expect the ip addresses to change.
> Based on a google search for that string, it has been injected into around 16k
> sites.
>
>
> -bash-2.05b$ dig wwwDOTlocale48.com
>
> ; <<>> DiG 8.1 <<>> wwwDOTlocale48.com
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; wwwDOTlocale48.com, type = A, class = IN
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> locale48.com. 1d22h4m59s IN NS ns4.locale48.com.
> locale48.com. 1d22h4m59s IN NS ns1.locale48.com.
> locale48.com. 1d22h4m59s IN NS ns2.locale48.com.
> locale48.com. 1d22h4m59s IN NS ns3.locale48.com.
>
> ;; Total query time: 46 msec
> ;; FROM: jp-script to SERVER: default -- 205.171.3.65
> ;; WHEN: Tue Jun 3 12:13:13 2008
> ;; MSG SIZE sent: 34 rcvd: 330
>
>
>
>
> sysid72.com is also fastfluxed.
> dig sysid72.com
> ; <<>> DiG 8.1 <<>> sysid72.com
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;; sysid72.com, type = A, class = IN
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> sysid72.com. 1d23h47m50s IN NS ns2.sysid72.com.
> sysid72.com. 1d23h47m50s IN NS ns4.sysid72.com.
> sysid72.com. 1d23h47m50s IN NS ns3.sysid72.com.
> sysid72.com. 1d23h47m50s IN NS ns1.sysid72.com.
>
> ;; Total query time: 58 msec
> ;; FROM: jp-script to SERVER: default -- 205.171.3.65
> ;; WHEN: Tue Jun 3 12:52:13 2008
> ;; MSG SIZE sent: 29 rcvd: 325
>
> H8Hz
> Donald.Smith at qwest.com giac
>
>
>
>
>
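The fast-flux pattern Don describes above (a dozen-plus A records, a 10 minute TTL, addresses scattered across unrelated consumer and academic networks) can be scored automatically from a dig answer section plus a bulk origin-ASN lookup. This is an added example, not code from the thread; the record names, addresses and ASN table are constructed placeholders, and the thresholds are assumptions tuned to the numbers quoted in the report.

```python
import re

# Constructed sample in the dig answer-section format quoted in the thread.
# Names, addresses and ASNs are placeholders, not the ones from the report.
SAMPLE_ANSWER = """\
www.example.invalid. 10M IN A 192.0.2.10
www.example.invalid. 10M IN A 198.51.100.20
www.example.invalid. 10M IN A 203.0.113.30
www.example.invalid. 10M IN A 192.0.2.40
www.example.invalid. 10M IN A 198.51.100.50
www.example.invalid. 10M IN A 203.0.113.60
"""

# Constructed IP -> origin ASN table standing in for a Team Cymru bulk lookup.
SAMPLE_ASN = {
    "192.0.2.10": 64496, "198.51.100.20": 64497, "203.0.113.30": 64498,
    "192.0.2.40": 64499, "198.51.100.50": 64500, "203.0.113.60": 64501,
}

_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_ttl(text):
    """Convert a dig-style TTL such as '10M' or '1d22h4m59s' to seconds."""
    if text.isdigit():
        return int(text)
    total = 0
    for value, unit in re.findall(r"(\d+)([wdhms])", text.lower()):
        total += int(value) * _UNITS[unit]
    return total

def parse_a_records(answer):
    """Return [(ttl_seconds, ip)] for the A records in an answer section."""
    records = []
    for line in answer.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2:4] == ["IN", "A"]:
            records.append((parse_ttl(parts[1]), parts[4]))
    return records

def fast_flux_score(answer, asn_table, min_ips=5, max_ttl=600, min_asns=3):
    """Heuristic from the thread: many A records, a very short TTL, and the
    addresses spread over unrelated networks (distinct origin ASNs)."""
    records = parse_a_records(answer)
    ips = {ip for _, ip in records}
    ttl = min((t for t, _ in records), default=None)
    asns = {asn_table[ip] for ip in ips if ip in asn_table}
    suspicious = (len(ips) >= min_ips and ttl is not None
                  and ttl <= max_ttl and len(asns) >= min_asns)
    return {"ips": len(ips), "ttl": ttl, "asns": len(asns),
            "fast_flux_like": suspicious}
```

A name that trips all three conditions is a candidate for the DNS blackholing the report asks for; a CDN also returns many A records, but its addresses sit in one or two ASNs, which is why the ASN-diversity check matters.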