[nsp-sec] ACK 12994, 29486, 5381, 8542 probably compromised web sites
Anders Hardangen
anders at nsm.stat.no
Thu Mar 20 11:17:54 EDT 2008
ACK .no
--
12994 | 213.188.129.74 | NO | Active ISP AS
12994 | 213.188.130.107 | NO | Active ISP AS
29486 | 81.27.32.134 | NO | WEBHUSET-AS Webhuset Datasenter AS
29486 | 81.27.32.145 | NO | WEBHUSET-AS Webhuset Datasenter AS
5381 | 195.159.98.131 | NO | POWTECH-AS PowerTech Information Systems AS
5381 | 195.159.98.132 | NO | POWTECH-AS PowerTech Information Systems AS
8542 | 82.134.31.112 | NO | BKKB BKK Bredbaand Autonomous System
--
Best regards
Anders Hardangen
NorCERT
Tom Fischer wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> attached a list of probably compromised web sites.
>
> This list is based on referer stats of a Neosploit
> server - which is used to spread Torpig/Anserin/Hupigon/Sinowal/...
> which btw. uses a new MBR rootkit which is currently not detected
> by GMER or Symantec Mebroot tool :-(
>
> The compromised sites usually contain obfuscated JavaScript which leads
> to hhipthr.com/cgi-bin/mail.cgi (208.101.34.10 (Softlayer))