[nsp-sec] rundll841.com wwwDOTwin496.com wwwDOTtag58.com err68.com and sysid72.com sqlinjection sites.

Smith, Donald Donald.Smith at qwest.com
Thu Jun 5 11:26:09 EDT 2008


Hi William.
I assume you checked the IP addresses involved and validated this was
the hydraflux net?
I did a quick comparison between what you had listed in your write-up
and didn't see any matching IP addresses but I am sure they move the IP
addresses frequently. I did see some "near hits" in the domains you
listed and the domains the sql group has been using such as locale7.in

I assume this is in the drive-by category. Does that imply the sql
injection team has leased a portion of the hydra-flux network?

I have not run a netflow report on the fast fluxed hosting addresses but
it might be interesting to see whom they are talking to besides port 80.



Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: William Salusky [mailto:william.salusky at aol.net] 
> Sent: Thursday, June 05, 2008 8:27 AM
> To: Smith, Donald
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] rundll841.com wwwDOTwin496.com wwwDOTtag58.com err68.com and sysid72.com sqlinjection sites.
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I have some basic overview on the fluxnet that serves much of the recent
> mass SQL Injection/Flash based driveby garbage.
> 
> I've shared it elsewhere, so sharing here.
> http://handlers.sans.org/wsalusky/ws/index.php/HydraFlux
> http://handlers.sans.org/wsalusky/ws/index.php/HydraFlux_1_forum-php
> 
> W
> 
> 
> 
> 
> Smith, Donald wrote:
> | ----------- nsp-security Confidential --------
> |
> | wwwDOTrundll841.com leads to wwwDOTwin496.com which leads to
> | sysid72.com which is the same exploit site the other injections were
> | using.
> | sysid72.com shutdown is fast fluxed and was included in yesterday's
> | report.
> | They are reusing some of their compromised systems to host more than one
> | domain so you will see some repeats.
> |
> | wwwDOTtag58.com leads to err68.com which is also fast fluxed and leads
> | to sysid72.com.
> |
> | These lead to flash exploits served up from sysid72.com.
> | wwwDOTrundll841.com.      10M IN A        81.190.201.98
> | wwwDOTrundll841.com.      10M IN A        83.50.119.14
> | wwwDOTrundll841.com.      10M IN A        81.190.41.4
> | wwwDOTrundll841.com.      10M IN A        156.17.227.218
> | wwwDOTrundll841.com.      10M IN A        83.24.132.177
> | wwwDOTrundll841.com.      10M IN A        62.21.3.212
> | wwwDOTrundll841.com.      10M IN A        78.92.73.240
> | wwwDOTrundll841.com.      10M IN A        99.225.66.211
> | wwwDOTrundll841.com.      10M IN A        77.253.116.48
> | wwwDOTrundll841.com.      10M IN A        83.242.74.153
> | wwwDOTrundll841.com.      10M IN A        82.143.130.48
> | wwwDOTrundll841.com.      10M IN A        82.159.61.76
> |
> | Bulk mode; whois.cymru.com [2008-06-04 17:41:10 +0000]
> | 812     | 99.225.66.211    | ROGERS-CABLE - Rogers Cable Communications Inc.
> | 3352    | 83.50.119.14     | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
> | 5483    | 78.92.73.240     | HTC-AS Hungarian Telecom
> | 5617    | 83.24.132.177    | TPNET Polish Telecom_s commercial IP network
> | 8970    | 156.17.227.218   | WASK WROCMAN-EDU educational part of WASK network, Wroclaw, Poland
> | 12741   | 77.253.116.48    | INTERNETIA-AS Netia SA
> | 13110   | 62.21.3.212      | ICP-AS Internet Cable Provider network
> | 16338   | 82.159.61.76     | AUNA_TELECOM-AS Cableuropa - ONO
> | 21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> | 21021   | 81.190.41.4      | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> | 28982   | 82.143.130.48    | E-WRO E-WRO Autonomous System
> | 30838   | 83.242.74.153    | TELPOL PPMUE TELPOL
> | UPSTREAMS
> | $ cat whois.up
> | Bulk mode; peer-whois.cymru.com [2008-06-04 17:42:21 +0000]
> | 174     | 82.159.61.76     | COGENT Cogent/PSI
> | 174     | 99.225.66.211    | COGENT Cogent/PSI
> | 1273    | 82.159.61.76     | CW Cable and Wireless plc
> | 1299    | 62.21.3.212      | TELIANET TeliaNet Global Network
> | 1299    | 78.92.73.240     | TELIANET TeliaNet Global Network
> | 3320    | 78.92.73.240     | DTAG Deutsche Telekom AG
> | 3320    | 81.190.201.98    | DTAG Deutsche Telekom AG
> | 3356    | 75.131.91.215    | LEVEL3 Level 3 Communications
> | 3549    | 62.21.3.212      | GBLX Global Crossing Ltd.
> | 3549    | 99.225.66.211    | GBLX Global Crossing Ltd.
> | 5511    | 83.24.132.177    | OPENTRANSIT France Telecom
> | 5617    | 81.190.201.98    | TPNET Polish Telecom_s commercial IP network
> | 5617    | 81.190.41.4      | TPNET Polish Telecom_s commercial IP network
> | 6453    | 82.159.61.76     | GLOBEINTERNET TATA Communications
> | 6453    | 99.225.66.211    | GLOBEINTERNET TATA Communications
> | 6461    | 99.225.66.211    | MFNX MFN - Metromedia Fiber Network
> | 7132    | 99.225.66.211    | SBIS-AS - AT&T Internet Services
> | 8501    | 156.17.227.218   | PIONIER-AS PIONIER, National Research and Education Network in Poland
> | 8928    | 78.92.73.240     | INTEROUTE Interoute Communications Ltd
> | 11537   | 99.225.66.211    | ABILENE - Internet2
> | 12887   | 77.253.116.48    | TDC-TRANSIT Swiat Internet SA Transit Network
> | 12956   | 83.50.119.14     | TELEFONICA Telefonica Backbone Autonomous System
> | 12968   | 83.242.74.153    | CDP Crowley Data Poland, sp. z o.o.
> | 13293   | 81.190.201.98    | PIONIER-AS-COM PIONIER
> | 13293   | 81.190.41.4      | PIONIER-AS-COM PIONIER
> | 15857   | 82.143.130.48    | DIALOG-AS DIALOG-NET Autonomuos System
> | 24724   | 62.21.3.212      | ATMAN-FOREIGN-AS ATM S.A.
> |
> | wwwDOTwin496.com.         10M IN A        62.21.3.212
> | wwwDOTwin496.com.         10M IN A        81.190.201.98
> | wwwDOTwin496.com.         10M IN A        78.92.73.240
> | wwwDOTwin496.com.         10M IN A        77.253.116.48
> | wwwDOTwin496.com.         10M IN A        78.152.16.102
> | wwwDOTwin496.com.         10M IN A        99.194.80.27
> | wwwDOTwin496.com.         10M IN A        83.24.132.177
> | wwwDOTwin496.com.         10M IN A        83.50.119.14
> | wwwDOTwin496.com.         10M IN A        81.190.41.4
> | wwwDOTwin496.com.         10M IN A        12.207.206.75
> | wwwDOTwin496.com.         10M IN A        62.21.81.188
> | wwwDOTwin496.com.         10M IN A        83.11.193.104
> | wwwDOTwin496.com.         10M IN A        82.143.130.48
> |
> | Bulk mode; whois.cymru.com [2008-06-04 18:21:19 +0000]
> | 3352    | 83.50.119.14     | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
> | 5483    | 78.92.73.240     | HTC-AS Hungarian Telecom
> | 5617    | 83.11.193.104    | TPNET Polish Telecom_s commercial IP network
> | 5617    | 83.24.132.177    | TPNET Polish Telecom_s commercial IP network
> | 6478    | 12.207.206.75    | ATT-INTERNET3 - AT&T WorldNet Services
> | 7776    | 99.194.80.27     | MEBT7776 - Mebtel Communications
> | 12741   | 77.253.116.48    | INTERNETIA-AS Netia SA
> | 13110   | 62.21.3.212      | ICP-AS Internet Cable Provider network
> | 13110   | 62.21.81.188     | ICP-AS Internet Cable Provider network
> | 21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> | 21021   | 81.190.41.4      | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> | 28982   | 82.143.130.48    | E-WRO E-WRO Autonomous System
> | 43118   | 78.152.16.102    | EAW-AS East & West Sp. z o.o.
> |
> | UPSTREAMS
> | Bulk mode; peer-whois.cymru.com [2008-06-04 18:21:21 +0000]
> | 1299    | 62.21.3.212      | TELIANET TeliaNet Global Network
> | 1299    | 62.21.81.188     | TELIANET TeliaNet Global Network
> | 1299    | 78.92.73.240     | TELIANET TeliaNet Global Network
> | 3320    | 78.92.73.240     | DTAG Deutsche Telekom AG
> | 3320    | 81.190.201.98    | DTAG Deutsche Telekom AG
> | 3356    | 75.131.91.215    | LEVEL3 Level 3 Communications
> | 3549    | 62.21.3.212      | GBLX Global Crossing Ltd.
> | 3549    | 62.21.81.188     | GBLX Global Crossing Ltd.
> | 5511    | 83.11.193.104    | OPENTRANSIT France Telecom
> | 5511    | 83.24.132.177    | OPENTRANSIT France Telecom
> | 5617    | 81.190.201.98    | TPNET Polish Telecom_s commercial IP network
> | 5617    | 81.190.41.4      | TPNET Polish Telecom_s commercial IP network
> | 7018    | 12.207.206.75    | ATT-INTERNET4 - AT&T WorldNet Services
> | 8928    | 78.92.73.240     | INTEROUTE Interoute Communications Ltd
> | 12741   | 78.152.16.102    | INTERNETIA-AS Netia SA
> | 12887   | 77.253.116.48    | TDC-TRANSIT Swiat Internet SA Transit Network
> | 12956   | 83.50.119.14     | TELEFONICA Telefonica Backbone Autonomous System
> | 13293   | 81.190.201.98    | PIONIER-AS-COM PIONIER
> | 13293   | 81.190.41.4      | PIONIER-AS-COM PIONIER
> | 14745   | 99.194.80.27     | INTERNAP-BLOCK-4 - Internap Network Services
> | 15857   | 82.143.130.48    | DIALOG-AS DIALOG-NET Autonomuos System
> | 24724   | 62.21.3.212      | ATMAN-FOREIGN-AS ATM S.A.
> | 24724   | 62.21.81.188     | ATMAN-FOREIGN-AS ATM S.A.
> |
> | wwwDOTtag58.com.          10M IN A        82.143.130.48
> | wwwDOTtag58.com.          10M IN A        83.50.119.14
> | wwwDOTtag58.com.          10M IN A        78.92.73.240
> | wwwDOTtag58.com.          10M IN A        78.152.16.102
> | wwwDOTtag58.com.          10M IN A        77.253.116.48
> | wwwDOTtag58.com.          10M IN A        83.24.132.177
> | wwwDOTtag58.com.          10M IN A        81.190.41.4
> | wwwDOTtag58.com.          10M IN A        99.194.80.27
> | wwwDOTtag58.com.          10M IN A        62.21.81.188
> | wwwDOTtag58.com.          10M IN A        62.21.3.212
> | wwwDOTtag58.com.          10M IN A        83.11.193.104
> | wwwDOTtag58.com.          10M IN A        81.190.201.98
> |
> | Bulk mode; whois.cymru.com [2008-06-04 18:10:22 +0000]
> | 3352    | 83.50.119.14     | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
> | 5483    | 78.92.73.240     | HTC-AS Hungarian Telecom
> | 5617    | 83.11.193.104    | TPNET Polish Telecom_s commercial IP network
> | 5617    | 83.24.132.177    | TPNET Polish Telecom_s commercial IP network
> | 7776    | 99.194.80.27     | MEBT7776 - Mebtel Communications
> | 12741   | 77.253.116.48    | INTERNETIA-AS Netia SA
> | 13110   | 62.21.3.212      | ICP-AS Internet Cable Provider network
> | 13110   | 62.21.81.188     | ICP-AS Internet Cable Provider network
> | 21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> | 21021   | 81.190.41.4      | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> | 28982   | 82.143.130.48    | E-WRO E-WRO Autonomous System
> | 43118   | 78.152.16.102    | EAW-AS East & West Sp. z o.o.
> | UPSTREAMS
> | Bulk mode; peer-whois.cymru.com [2008-06-04 18:10:29 +0000]
> | 1299    | 62.21.3.212      | TELIANET TeliaNet Global Network
> | 1299    | 62.21.81.188     | TELIANET TeliaNet Global Network
> | 1299    | 78.92.73.240     | TELIANET TeliaNet Global Network
> | 3320    | 78.92.73.240     | DTAG Deutsche Telekom AG
> | 3320    | 81.190.201.98    | DTAG Deutsche Telekom AG
> | 3356    | 75.131.91.215    | LEVEL3 Level 3 Communications
> | 3549    | 62.21.3.212      | GBLX Global Crossing Ltd.
> | 3549    | 62.21.81.188     | GBLX Global Crossing Ltd.
> | 5511    | 83.11.193.104    | OPENTRANSIT France Telecom
> | 5511    | 83.24.132.177    | OPENTRANSIT France Telecom
> | 5617    | 81.190.201.98    | TPNET Polish Telecom_s commercial IP network
> | 5617    | 81.190.41.4      | TPNET Polish Telecom_s commercial IP network
> | 8928    | 78.92.73.240     | INTEROUTE Interoute Communications Ltd
> | 12741   | 78.152.16.102    | INTERNETIA-AS Netia SA
> | 12887   | 77.253.116.48    | TDC-TRANSIT Swiat Internet SA Transit Network
> | 12956   | 83.50.119.14     | TELEFONICA Telefonica Backbone Autonomous System
> | 13293   | 81.190.201.98    | PIONIER-AS-COM PIONIER
> | 13293   | 81.190.41.4      | PIONIER-AS-COM PIONIER
> | 14745   | 99.194.80.27     | INTERNAP-BLOCK-4 - Internap Network Services
> | 15857   | 82.143.130.48    | DIALOG-AS DIALOG-NET Autonomuos System
> | 19151   | 24.196.230.18    | WVFIBER-1 - WV FIBER LLC
> | 24724   | 62.21.3.212      | ATMAN-FOREIGN-AS ATM S.A.
> | 24724   | 62.21.81.188     | ATMAN-FOREIGN-AS ATM S.A.
> |
> | err68.com.              10M IN A        78.152.16.102
> | err68.com.              10M IN A        65.78.241.194
> | err68.com.              10M IN A        83.242.74.153
> | err68.com.              10M IN A        81.190.201.98
> | err68.com.              10M IN A        148.81.132.211
> | err68.com.              10M IN A        81.190.41.4
> | err68.com.              10M IN A        83.24.132.177
> | err68.com.              10M IN A        84.38.90.168
> | err68.com.              10M IN A        78.130.145.225
> | err68.com.              10M IN A        77.253.116.48
> | err68.com.              10M IN A        83.11.193.104
> | err68.com.              10M IN A        62.21.81.188
> | err68.com.              10M IN A        80.200.201.15
> | err68.com.              10M IN A        99.225.66.211
> |
> | 812     | 99.225.66.211    | ROGERS-CABLE - Rogers Cable Communications Inc.
> | 1887    | 148.81.132.211   | NASK-ACADEMIC NASK
> | 5432    | 80.200.201.15    | BELGACOM-SKYNET-AS Belgacom regional ASN
> | 5617    | 83.11.193.104    | TPNET Polish Telecom_s commercial IP network
> | 5617    | 83.24.132.177    | TPNET Polish Telecom_s commercial IP network
> | 12741   | 77.253.116.48    | INTERNETIA-AS Netia SA
> | 13110   | 62.21.81.188     | ICP-AS Internet Cable Provider network
> | 15227   | 65.78.241.194    | WVFIBERNET - FiberNet of West Virginia
> | 21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> | 21021   | 81.190.41.4      | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
> | 21415   | 78.130.145.225   | INTERNETGROUP-AS-BG Internet Group Ltd.
> | 30838   | 83.242.74.153    | TELPOL PPMUE TELPOL
> | 39349   | 84.38.90.168     | TVKDIANA-AS Telewizja Kablowa Diana s.j.
> | 43118   | 78.152.16.102    | EAW-AS East & West Sp. z o.o.
> | UPSTREAMS
> | Bulk mode; peer-whois.cymru.com [2008-06-04 18:05:28 +0000]
> | 174     | 99.225.66.211    | COGENT Cogent/PSI
> | 1239    | 65.78.241.194    | SPRINTLINK - Sprint
> | 1239    | 80.200.201.15    | SPRINTLINK - Sprint
> | 1299    | 62.21.81.188     | TELIANET TeliaNet Global Network
> | 3320    | 81.190.201.98    | DTAG Deutsche Telekom AG
> | 3549    | 62.21.81.188     | GBLX Global Crossing Ltd.
> | 3549    | 99.225.66.211    | GBLX Global Crossing Ltd.
> | 5511    | 83.11.193.104    | OPENTRANSIT France Telecom
> | 5511    | 83.24.132.177    | OPENTRANSIT France Telecom
> | 5617    | 81.190.201.98    | TPNET Polish Telecom_s commercial IP network
> | 5617    | 81.190.41.4      | TPNET Polish Telecom_s commercial IP network
> | 5617    | 84.38.90.168     | TPNET Polish Telecom_s commercial IP network
> | 6453    | 80.200.201.15    | GLOBEINTERNET TATA Communications
> | 6453    | 99.225.66.211    | GLOBEINTERNET TATA Communications
> | 6461    | 99.225.66.211    | MFNX MFN - Metromedia Fiber Network
> | 6774    | 80.200.201.15    | ASN-BICS Belgacom International Carrier Services
> | 7132    | 99.225.66.211    | SBIS-AS - AT&T Internet Services
> | 8246    | 84.38.90.168     | GTS-POLSKA-AS GTS Polska Sp. z o.o.
> | 8501    | 148.81.132.211   | PIONIER-AS PIONIER, National Research and Education Network in Poland
> | 8866    | 78.130.145.225   | BTC-AS Bulgarian Telecommunication Company Plc.
> | 9070    | 78.130.145.225   | ITD ITD Network Bulgarian ISP
> | 11537   | 99.225.66.211    | ABILENE - Internet2
> | 12741   | 78.152.16.102    | INTERNETIA-AS Netia SA
> | 12887   | 77.253.116.48    | TDC-TRANSIT Swiat Internet SA Transit Network
> | 12968   | 83.242.74.153    | CDP Crowley Data Poland, sp. z o.o.
> | 13293   | 81.190.201.98    | PIONIER-AS-COM PIONIER
> | 13293   | 81.190.41.4      | PIONIER-AS-COM PIONIER
> | 20960   | 84.38.90.168     | TKTELEKOM-AS Telekomunikacja Kolejowa is an ISP operating in Poland
> | 24671   | 84.38.90.168     | PILICKA-AS MNI Telecom Sp. z o.o.
> | 24724   | 62.21.81.188     | ATMAN-FOREIGN-AS ATM S.A.
> | 34224   | 78.130.145.225   | NETERRA-AS Neterra Ltd.
> |
> | Security through obscurity WORKS against some worms and ssh attacks:)
> | Donald.Smith at qwest.com giac
> |
> |
> | This communication is the property of Qwest and may contain confidential or
> | privileged information. Unauthorized use of this communication is strictly
> | prohibited and may be unlawful.  If you have received this communication
> | in error, please immediately notify the sender by reply e-mail and destroy
> | all copies of the communication and any attachments.
> |
> |
> | _______________________________________________
> | nsp-security mailing list
> | nsp-security at puck.nether.net
> | https://puck.nether.net/mailman/listinfo/nsp-security
> |
> | Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> | community. Confidentiality is essential for effective Internet security counter-measures.
> | _______________________________________________
> |
> 
> 
> 
> - --
> 
> William Salusky
> william.salusky at aol.net
> Sr. Technical Security Investigator - AOL Operations Security
> 703-265-4924 (desk)
> 703-201-8873 (cell)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Cygwin)
> 
> iD8DBQFIR/fJXyx2ON3+G40RAvltAJ423dCPFgAr84QmKXwSmoW4JB7jtwCfU7QY
> BBnTJ0LPzDDXa41CiRmIN1I=
> =5ypT
> -----END PGP SIGNATURE-----
> 
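The comparison the thread is doing by hand (which compromised hosts answer for more than one of the flux domains, and how many origin ASNs sit behind each 10-minute-TTL name) is the kind of check a defender scripts. What follows is an added Python example; it is not code from either poster or from any tool they used. Its input is a subset of the A records and whois.cymru.com origin lines quoted above, plus one constructed control record (`control.example`, TTL 1D, address 192.0.2.10) to show a name that does not trip the check. The thresholds in `flux_assessment` (TTL of 600 s or less, at least three addresses across at least three origin ASNs) are assumptions chosen for illustration, not a published rule; the upstream (peer-whois) output is ignored here because one IP has several upstream lines.

```python
"""Cross-domain host overlap and origin-ASN diversity from dig-style A records
and Team Cymru bulk whois output (added example; thresholds are assumptions)."""
import re
from collections import defaultdict

# Subset of the DNS answers quoted in the thread, plus one constructed control
# record (control.example) with a long TTL and a single address.
DNS_SAMPLE = """\
wwwDOTrundll841.com.      10M IN A        81.190.201.98
wwwDOTrundll841.com.      10M IN A        83.50.119.14
wwwDOTrundll841.com.      10M IN A        99.225.66.211
wwwDOTwin496.com.         10M IN A        62.21.3.212
wwwDOTwin496.com.         10M IN A        81.190.201.98
wwwDOTwin496.com.         10M IN A        83.50.119.14
wwwDOTwin496.com.         10M IN A        12.207.206.75
err68.com.              10M IN A        99.225.66.211
err68.com.              10M IN A        81.190.201.98
err68.com.              10M IN A        80.200.201.15
control.example.        1D IN A         192.0.2.10
"""

# Subset of the whois.cymru.com origin-AS lines quoted in the thread.
CYMRU_SAMPLE = """\
Bulk mode; whois.cymru.com [2008-06-04 17:41:10 +0000]
812     | 99.225.66.211    | ROGERS-CABLE - Rogers Cable Communications Inc.
3352    | 83.50.119.14     | TELEFONICA-DATA-ESPANA Internet Access Network of TDE
5432    | 80.200.201.15    | BELGACOM-SKYNET-AS Belgacom regional ASN
6478    | 12.207.206.75    | ATT-INTERNET3 - AT&T WorldNet Services
13110   | 62.21.3.212      | ICP-AS Internet Cable Provider network
21021   | 81.190.201.98    | MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
"""

# "name.  10M IN A  a.b.c.d" with a dig-style TTL suffix (S, M, H, D, W or none)
DNS_RE = re.compile(r"^(\S+)\.\s+(\d+)([SMHDW]?)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$", re.I)
# "ASN | IP | AS name" rows; banner lines such as "Bulk mode;" do not match
CYMRU_RE = re.compile(r"^(\d+)\s*\|\s*(\d+\.\d+\.\d+\.\d+)\s*\|\s*(.*?)\s*$")
TTL_UNIT_SECONDS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def parse_dns(text):
    """Group A records by owner name: {name: {"ttl": seconds, "ips": set}}."""
    records = {}
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        name, ttl, unit, ip = m.groups()
        seconds = int(ttl) * TTL_UNIT_SECONDS[unit.upper()]
        entry = records.setdefault(name, {"ttl": seconds, "ips": set()})
        entry["ips"].add(ip)
    return records


def parse_cymru(text):
    """Map IP -> (origin ASN, AS name) from bulk whois rows."""
    origin = {}
    for line in text.splitlines():
        m = CYMRU_RE.match(line.strip())
        if m:
            origin[m.group(2)] = (int(m.group(1)), m.group(3))
    return origin


def shared_hosts(records):
    """Addresses that answer for more than one name: the 'repeats' in the thread."""
    names_by_ip = defaultdict(set)
    for name, entry in records.items():
        for ip in entry["ips"]:
            names_by_ip[ip].add(name)
    return {ip: names for ip, names in names_by_ip.items() if len(names) > 1}


def flux_assessment(records, origin, max_ttl=600, min_ips=3, min_asns=3):
    """Per name: TTL, address count, distinct origin ASNs, addresses with no
    origin row, and a fast-flux flag. The thresholds are assumptions; a short
    TTL alone is normal for CDNs, so all three conditions must hold."""
    report = {}
    for name, entry in records.items():
        asns = {origin[ip][0] for ip in entry["ips"] if ip in origin}
        unresolved = sorted(ip for ip in entry["ips"] if ip not in origin)
        report[name] = {
            "ttl": entry["ttl"],
            "ips": len(entry["ips"]),
            "asns": len(asns),
            "unresolved": unresolved,
            "fast_flux": (entry["ttl"] <= max_ttl
                          and len(entry["ips"]) >= min_ips
                          and len(asns) >= min_asns),
        }
    return report


if __name__ == "__main__":
    recs = parse_dns(DNS_SAMPLE)
    origin = parse_cymru(CYMRU_SAMPLE)
    for ip, names in sorted(shared_hosts(recs).items()):
        print(f"{ip:16} serves {', '.join(sorted(names))}")
    for name, row in flux_assessment(recs, origin).items():
        print(f"{name:22} ttl={row['ttl']:6} ips={row['ips']} asns={row['asns']} "
              f"flux={row['fast_flux']} unresolved={row['unresolved']}")
```

On the sample, 81.190.201.98 answers for all three flux names and the control name is the only one not flagged; feeding the full record sets from the thread into `DNS_SAMPLE` and `CYMRU_SAMPLE` reproduces the overlap the posters describe. Addresses listed under `unresolved` are the ones still needing an origin lookup before the ASN count can be trusted.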


