[nsp-sec] MW injecting IPs
Serge Droz
serge.droz at switch.ch
Mon Jun 23 03:06:06 EDT 2008
Hello again,
We meanwhile got some of the xferlogs and have a list of IPs from which the
pages got manipulated.
Typically the index page is fetched and a few seconds later uploaded again with
the mentioned JavaScript inserted.
Serge
> 137 | 143.225.60.66 | May 20 16:59:56 2008 | ASGARR GARR Italian academic and research network
> 137 | 143.225.60.66 | May 20 17:05:44 2008 | ASGARR GARR Italian academic and research network
> 2119 | 213.114.113.142 | May 20 17:12:50 2008 | TELENOR-NEXTEL T.net
> 3320 | 195.243.160.14 | May 20 15:46:13 2008 | DTAG Deutsche Telekom AG
> 3320 | 195.243.160.14 | May 20 16:02:19 2008 | DTAG Deutsche Telekom AG
> 3320 | 195.243.160.14 | May 20 16:07:37 2008 | DTAG Deutsche Telekom AG
> 3320 | 195.243.160.14 | May 20 16:56:01 2008 | DTAG Deutsche Telekom AG
> 3320 | 195.243.160.14 | May 20 17:22:07 2008 | DTAG Deutsche Telekom AG
> 4725 | 210.146.36.175 | May 20 16:17:44 2008 | ODN SOFTBANK TELECOM Corp.
> 4766 | 218.155.24.86 | May 20 15:18:51 2008 | KIXS-AS-KR Korea Telecom
> 4766 | 218.155.24.86 | May 20 16:45:29 2008 | KIXS-AS-KR Korea Telecom
> 5769 | 66.131.68.96 | May 20 15:58:24 2008 | VIDEOTRON - Videotron Telecom Ltee
> 5769 | 66.131.68.96 | May 20 17:22:51 2008 | VIDEOTRON - Videotron Telecom Ltee
> 5769 | 66.131.68.96 | May 20 17:43:20 2008 | VIDEOTRON - Videotron Telecom Ltee
> 5769 | 70.82.219.125 | May 20 15:53:20 2008 | VIDEOTRON - Videotron Telecom Ltee
> 6128 | 67.83.65.215 | May 20 15:53:02 2008 | CABLE-NET-1 - Cablevision Systems Corp.
> 6128 | 67.83.65.215 | May 20 16:19:50 2008 | CABLE-NET-1 - Cablevision Systems Corp.
> 6128 | 67.85.230.13 | May 20 16:30:07 2008 | CABLE-NET-1 - Cablevision Systems Corp.
> 6128 | 69.117.190.222 | May 20 16:56:26 2008 | CABLE-NET-1 - Cablevision Systems Corp.
> 6327 | 68.150.202.163 | May 20 15:19:09 2008 | SHAW - Shaw Communications Inc.
> 6327 | 68.150.202.163 | May 20 17:16:10 2008 | SHAW - Shaw Communications Inc.
> 6739 | 213.254.95.234 | May 20 16:24:38 2008 | ONO-AS Cableuropa - ONO
> 6739 | 213.254.95.234 | May 20 16:51:16 2008 | ONO-AS Cableuropa - ONO
> 6739 | 81.172.47.214 | May 20 15:43:52 2008 | ONO-AS Cableuropa - ONO
> 6739 | 81.172.47.214 | May 20 16:58:28 2008 | ONO-AS Cableuropa - ONO
> 6739 | 81.202.136.43 | May 20 17:04:16 2008 | ONO-AS Cableuropa - ONO
> 6739 | 81.203.110.110 | May 20 16:19:40 2008 | ONO-AS Cableuropa - ONO
> 6739 | 84.120.184.13 | May 20 15:09:49 2008 | ONO-AS Cableuropa - ONO
> 6739 | 84.120.184.13 | May 20 16:35:17 2008 | ONO-AS Cableuropa - ONO
> 6739 | 84.121.45.152 | May 20 15:44:38 2008 | ONO-AS Cableuropa - ONO
> 6739 | 84.122.209.213 | May 20 17:24:07 2008 | ONO-AS Cableuropa - ONO
> 6739 | 84.122.209.213 | May 20 17:32:56 2008 | ONO-AS Cableuropa - ONO
> 6739 | 84.123.18.59 | May 20 15:26:38 2008 | ONO-AS Cableuropa - ONO
> 6739 | 84.126.207.145 | May 20 15:37:33 2008 | ONO-AS Cableuropa - ONO
> 6739 | 84.127.129.101 | May 20 15:33:29 2008 | ONO-AS Cableuropa - ONO
> 6739 | 84.127.137.244 | May 20 16:48:11 2008 | ONO-AS Cableuropa - ONO
> 6830 | 89.133.62.209 | May 20 16:04:32 2008 | UPC UPC Broadband
> 6830 | 89.133.62.209 | May 20 16:26:50 2008 | UPC UPC Broadband
> 6830 | 89.133.62.209 | May 20 17:03:04 2008 | UPC UPC Broadband
> 6830 | 89.134.227.192 | May 20 15:16:16 2008 | UPC UPC Broadband
> 8612 | 84.223.91.218 | May 20 15:40:47 2008 | TISCALI-IT Tiscali Italia SpA.
> 8612 | 84.223.91.218 | May 20 16:12:51 2008 | TISCALI-IT Tiscali Italia SpA.
> 8612 | 84.223.91.218 | May 20 16:18:16 2008 | TISCALI-IT Tiscali Italia SpA.
> 8612 | 84.223.91.218 | May 20 16:29:04 2008 | TISCALI-IT Tiscali Italia SpA.
> 9044 | 212.41.102.180 | Feb 18 03:06:47 2006 | SOLNET SolNet Internet Solution Provider
> 9141 | 89.79.117.88 | May 20 15:12:17 2008 | AS9141 UPC Poland
> 9141 | 89.79.117.88 | May 20 16:48:57 2008 | AS9141 UPC Poland
> 9141 | 89.79.117.88 | May 20 17:35:08 2008 | AS9141 UPC Poland
> 9824 | 61.22.133.87 | May 20 15:40:24 2008 | ASN-ATHOMEJP
> 9824 | 61.22.133.87 | May 20 17:25:58 2008 | ASN-ATHOMEJP
> 9824 | 61.22.133.87 | May 20 17:31:06 2008 | ASN-ATHOMEJP
> 12322 | 82.235.252.180 | May 20 15:49:35 2008 | PROXAD AS for Proxad/Free ISP
> 12322 | 82.235.252.180 | May 20 16:38:44 2008 | PROXAD AS for Proxad/Free ISP
> 12322 | 88.165.198.127 | May 20 15:59:01 2008 | PROXAD AS for Proxad/Free ISP
> 12322 | 88.165.198.127 | May 20 16:25:59 2008 | PROXAD AS for Proxad/Free ISP
> 12322 | 88.165.198.127 | May 20 16:53:14 2008 | PROXAD AS for Proxad/Free ISP
> 12423 | 158.75.31.37 | May 20 15:48:22 2008 | TORMAN Torun Regional Computer Network
> 12423 | 158.75.31.37 | May 20 17:13:53 2008 | TORMAN Torun Regional Computer Network
> 16338 | 62.57.35.43 | May 20 15:44:24 2008 | AUNA_TELECOM-AS Cableuropa - ONO
> 16338 | 62.57.35.43 | May 20 15:49:44 2008 | AUNA_TELECOM-AS Cableuropa - ONO
> 21229 | 62.165.227.44 | May 20 15:16:28 2008 | TVNETWORK-AS TVNETWORK
> 21229 | 62.165.227.44 | May 20 17:08:27 2008 | TVNETWORK-AS TVNETWORK
> 21415 | 89.25.114.72 | May 20 16:25:35 2008 | INTERNETGROUP-AS-BG Internet Group Ltd.
> 21415 | 89.25.114.72 | May 20 16:57:28 2008 | INTERNETGROUP-AS-BG Internet Group Ltd.
> 21415 | 89.25.114.72 | May 20 17:02:32 2008 | INTERNETGROUP-AS-BG Internet Group Ltd.
> 29113 | 213.192.54.213 | May 20 16:49:15 2008 | SLOANE-AS Sloane Park Property Trust, a.s. Autonomous System
> 33287 | 68.39.171.207 | May 20 16:46:24 2008 | DNEO-OSP4 - Comcast Cable Communications, Inc.
> 35002 | 81.22.144.63 | May 20 16:49:09 2008 | HERTZA-ASN Hertza Computers
> 35002 | 81.22.144.63 | May 20 17:09:47 2008 | HERTZA-ASN Hertza Computers
> 41451 | 82.212.175.83 | May 20 15:10:04 2008 | TELEDIS-AS TELEDIS AS
Serge Droz wrote:
> ----------- nsp-security Confidential --------
>
> Hello List,
>
> 36351 | 67.228.238.122 | SOFTLAYER - SoftLayer Technologies Inc.
>
>
> hxxp://fxwygfxes.com/cgi-bin/index.cgi?b99e7c610100f060007c06eb38060000000002f1c4fe57ff03656e2d75730000000000
>
> hxxp://fxwygfxes.com/cgi-bin/index.cgi?b99e7c610100f060027c06eb38060000000002f1c4fe0000030409000000000200
>
>
> Seems to be very actively distributing sinowal/torpig
>
> People get to this URL through mass infected webpages (javascript
> inserted, ....)
>
> Any help is appreciated
>
> Serge
--
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch