[nsp-sec] More password stealers and drops - AS13301, AS24940, AS7738,
Matthew McGlashan
matthew at auscert.org.au
Thu Mar 27 23:43:45 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
G'day Jose,
<snip>
> Over 75 compromised machines with about 2000 compromised accounts (facebook,
> myspace, email, etc).
How are you handling this data? Need a hand processing it and
disseminating to the rightful owners?
Cheers,
- -- Matthew McGlashan --
Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
(AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au
> -------
>
> Malware md5: 27b22e603bd7d2de9cbcab53962878f7
>
> username="web51f3"
> password="27122712"
>
> More steam password stealer drops.
>
> Bulk mode; whois.cymru.com [2008-03-26 15:18:55 +0000]
> 24940 | 213.239.207.82 | HETZNER-AS Hetzner Online AG RZ-Nuernberg
>
>
> role: Hetzner Online AG - Contact Role
> address: Hetzner Online AG
> address: Industriestr. 6
> address: D-91710 Gunzenhausen
> address: Germany
> phone: +49 9831 61 00 61
> fax-no: +49 9831 61 00 62
> e-mail: ripe at hetzner.de
>
>
>
> Many dozen compromised accounts.
>
> ------
>
> Malware md5: e9a0c8602fe2539270ad03109b23bcbb
>
> username="extremeaudi"
> password="102030,"
>
> 7738 | 200.149.77.62 | Telecomunicacoes da Bahia S.A.
>
> inetnum: 200.149.77/24
> aut-num: AS7738
> abuse-c: CGR13
> owner: Ambiente Design LTDA
> ownerid: 003.445.521/0001-40
> responsible: Luciana C. G. de Souza
> owner-c: HTW
> tech-c: MTJ13
> inetrev: 200.149.77/24
> nserver: ns1.oi.com.br
> nsstat: 20080325 AA
> nslastaa: 20080325
> nserver: ns2.oi.com.br
> nsstat: 20080325 AA
> nslastaa: 20080325
> nserver: ns3.oi.com.br
> nsstat: 20080325 AA
> nslastaa: 20080325
> nserver: ns4.oi.com.br
> nsstat: 20080325 AA
> nslastaa: 20080325
> created: 20060214
> changed: 20080324
> inetnum-up: 200.149.0/17
>
>
> All stored files have 0 bytes, 27 stored unique files.
>
> Same IP, different account, new malware:
>
> Malware md5: 3f797547d6874e2fac7990b6fbaf01e0
>
> username="ftp22"
> password="220901"
>
> Many files (20 dozen or so) stored here, all lightly encrypted/obfuscated.
>
>
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> security researcher, office of the CTO
> Arbor Networks
> v: +1 734 821 1427
> m: +1 734 693 2969
> PGP: 0x40A7BF94
> www.arbornetworks.com
> -------------------------------------------------------------
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR+xpcCh9+71yA2DNAQK5FgP/aassB4EzAGmVnRuBwSsmIVJUXQNkNwpl
zw9kbx2H/mS4PvbNiGd8njFP919L04E0EKLD4xwarPXquNu+Ovd36eOPgkaI7odw
VlQd4abc8i91HZMssvhcpHj2107LDcBp9nv/QOPqRde5+wJn0w/UwX87SHd3C9oJ
z6z2B+J1taU=
=vdGR
-----END PGP SIGNATURE-----
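Matthew's question is about processing the drop-site data and routing it to the responsible networks. The following is an added example, not code from either message and not AusCERT's or Arbor's own tooling: a small Python parser for the free-text report format quoted above (Team Cymru bulk whois lines of the form `ASN | IP | AS Name`, plus `Malware md5:` markers), which groups each sample by the ASN hosting it so that one notification per network can be drafted. The sample report is constructed from the quoted message; the regular expressions, the `DropSite` record and the function names are assumptions made for this example. The drop credentials quoted in the report are deliberately not extracted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt modelled on the quoted report (values copied from the message).
SAMPLE_REPORT = """\
Malware md5: 27b22e603bd7d2de9cbcab53962878f7

More steam password stealer drops.

Bulk mode; whois.cymru.com [2008-03-26 15:18:55 +0000]
24940 | 213.239.207.82 | HETZNER-AS Hetzner Online AG RZ-Nuernberg

Many dozen compromised accounts.

------

Malware md5: e9a0c8602fe2539270ad03109b23bcbb

7738 | 200.149.77.62 | Telecomunicacoes da Bahia S.A.

Same IP, different account, new malware:

Malware md5: 3f797547d6874e2fac7990b6fbaf01e0
"""

MD5_RE = re.compile(r"Malware md5:\s*([0-9a-fA-F]{32})")
# Team Cymru bulk whois output line: "ASN | IP | AS Name"
CYMRU_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\|\s*(.+?)\s*$")


@dataclass
class DropSite:  # hypothetical record type for one reported sample/drop pair
    md5: str
    asn: Optional[str] = None
    ip: Optional[str] = None
    as_name: Optional[str] = None


def parse_report(text: str) -> List[DropSite]:
    """Walk the report line by line: each 'Malware md5:' opens a record, the next
    Cymru line fills in its network location, and a 'Same IP' note makes the
    following record inherit the previous location."""
    records: List[DropSite] = []
    inherit_location = False
    for raw in text.splitlines():
        line = raw.lstrip("> ")  # tolerate quoted copies of the report
        m = MD5_RE.search(line)
        if m:
            rec = DropSite(md5=m.group(1).lower())
            if inherit_location and records:
                prev = records[-1]
                rec.asn, rec.ip, rec.as_name = prev.asn, prev.ip, prev.as_name
            records.append(rec)
            inherit_location = False
            continue
        m = CYMRU_RE.match(line)
        if m and records:
            records[-1].asn, records[-1].ip, records[-1].as_name = m.groups()
            continue
        if line.lower().startswith("same ip"):
            inherit_location = True
    return records


def group_by_asn(records: List[DropSite]) -> Dict[Optional[str], List[DropSite]]:
    """Bucket records by hosting ASN, the unit at which abuse notifications go out."""
    groups: Dict[Optional[str], List[DropSite]] = defaultdict(list)
    for r in records:
        groups[r.asn].append(r)
    return dict(groups)


def notification_summary(records: List[DropSite]) -> List[str]:
    """One line per ASN listing the drop hosts and sample hashes to report."""
    lines = []
    for asn, recs in sorted(group_by_asn(records).items(), key=lambda kv: kv[0] or ""):
        ips = sorted({r.ip for r in recs if r.ip})
        hashes = sorted(r.md5 for r in recs)
        name = recs[0].as_name or "unknown"
        lines.append(f"AS{asn} ({name}): hosts {', '.join(ips)}; samples {', '.join(hashes)}")
    return lines


if __name__ == "__main__":
    for line in notification_summary(parse_report(SAMPLE_REPORT)):
        print(line)
```

Running it on the sample yields two notification lines, one for AS24940 and one for AS7738; the second carries both samples found on 200.149.77.62, since the "Same IP" note ties the third hash to the earlier Cymru line.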