[nsp-sec] attn CERT-BR - infostealer FTP site
Jose Nazario
jose at arbor.net
Sat May 3 02:01:54 EDT 2008
site is live, logging infected boxes (what appears to just be markers)
"md5hash","server ip","server hostname","port","user","password","command"
"46e904ff7e313a0979dd907a2933ccc8","200.149.77.62","ftp.xpg.com.br","21","torpedosvip","chuchula","STOR NAME.txt"
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 'EPSV': command unrecognized.
227 Entering Passive Mode (200,149,77,62,210,214).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 torpedosvip ftp 123 Feb 15 23:05 index.html
drwxr-xr-x 2 torpedosvip ftp 4096 Apr 30 15:47 infect
drwxr-xr-x 2 torpedosvip ftp 48 Mar 10 12:10 info
226 Transfer complete
ftp> cd infect
250 CWD command successful
ftp> ls
227 Entering Passive Mode (200,149,77,62,217,200).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 torpedosvip ftp 299 Apr 30 15:47 AD3GVO7SGQ9Y9HJ.txt
-rw-r--r-- 1 torpedosvip ftp 297 Mar 5 10:09 ATOMO-804058802.txt
-rw-r--r-- 1 torpedosvip ftp 287 Mar 12 15:08 CASA.txt
-rw-r--r-- 1 torpedosvip ftp 297 May 2 22:15 CB2BD6D22CFF4B5.txt
-rw-r--r-- 1 torpedosvip ftp 298 Mar 22 10:23 CIA-BE5B0D077D1.txt
-rw-r--r-- 1 torpedosvip ftp 298 Apr 29 00:43 COMPANY-7A19832.txt
-rw-r--r-- 1 torpedosvip ftp 298 May 2 17:19 CONTABILIDADE3.txt
-rw-r--r-- 1 torpedosvip ftp 298 Feb 29 21:06 FERNANDO-C811FD.txt
-rw-r--r-- 1 torpedosvip ftp 298 Mar 10 19:58 GABI-5B9DB3E070.txt
-rw-r--r-- 1 torpedosvip ftp 300 Apr 15 11:26 HD8R2JDS87REW82.txt
-rw-r--r-- 1 torpedosvip ftp 287 Mar 28 09:29 HOME.txt
-rw-r--r-- 1 torpedosvip ftp 289 Mar 13 10:13 HOME01.txt
-rw-r--r-- 1 torpedosvip ftp 298 Mar 11 11:57 HP-AF5E76A48CD1.txt
-rw-r--r-- 1 torpedosvip ftp 291 Mar 12 11:46 INTERN02.txt
-rw-r--r-- 1 torpedosvip ftp 297 Mar 5 21:03 ITAUTEC-06A7BC2.txt
-rw-r--r-- 1 torpedosvip ftp 297 Mar 12 11:13 JAMESHALL-NOVO.txt
-rw-r--r-- 1 torpedosvip ftp 298 Mar 18 13:19 JO-8D64A1897009.txt
-rw-r--r-- 1 torpedosvip ftp 289 May 2 11:45 JOCEMAR.txt
-rw-r--r-- 1 torpedosvip ftp 291 May 2 10:30 JOCIANE.txt
-rw-r--r-- 1 torpedosvip ftp 288 Apr 21 20:39 JONAS.txt
-rw-r--r-- 1 torpedosvip ftp 290 May 2 09:40 MAURICIO.txt
-rw-r--r-- 1 torpedosvip ftp 292 Mar 12 11:44 NOTEBOOK.txt
-rw-r--r-- 1 torpedosvip ftp 297 Mar 3 19:50 PARTICUL-FA43DC.txt
-rw-r--r-- 1 torpedosvip ftp 297 Mar 1 15:01 PARTICUL-ZZGMHQ.txt
-rw-r--r-- 1 torpedosvip ftp 292 May 2 20:08 PC-USUARIO.txt
-rw-r--r-- 1 torpedosvip ftp 292 Mar 13 16:51 PC4.txt
-rw-r--r-- 1 torpedosvip ftp 292 Apr 1 02:46 POSITIVO.txt
-rw-r--r-- 1 torpedosvip ftp 287 Feb 21 01:30 RICK.txt
-rw-r--r-- 1 torpedosvip ftp 290 Apr 10 08:40 SERVICE.txt
-rw-r--r-- 1 torpedosvip ftp 292 Apr 23 18:17 TERMINAL1.txt
-rw-r--r-- 1 torpedosvip ftp 288 Mar 11 14:39 TESTE.txt
-rw-r--r-- 1 torpedosvip ftp 295 Feb 26 14:12 TOSHIBA-USER.txt
-rw-r--r-- 1 torpedosvip ftp 299 May 3 00:00 USER-956A0D8342.txt
-rw-r--r-- 1 torpedosvip ftp 299 Mar 11 00:08 USER-RE4NFRV8GR.txt
-rw-r--r-- 1 torpedosvip ftp 298 Apr 29 18:07 USUARIO-KYBTG65.txt
-rw-r--r-- 1 torpedosvip ftp 293 Mar 12 19:49 WINDOWS-XP.txt
-rw-r--r-- 1 torpedosvip ftp 290 Mar 12 16:01 WINXP.txt
example logfile:
INFECTADO By N4ruT0
=-=-=-=-=-=-=-=-=-=RoXCoRpOrATioN-=-=-=-=-=-=-=-=-=-=-=
Computador ....: WINXP
MAC ...........: 00-1B-24-28-82-5A
Win. Dir ......: C:\WINDOWS\system32
Data ..........: 3/12/2008
Hora ..........: 2:06:10 PM
=-=-=-=-=-=-=-=-=-=RoXCoRpOrATioN-=-=-=-=-=-=-=-=-=-=-=
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
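As an added example (not part of Jose's post and not code from the nsp-sec thread), here is a small Python parser for the three artifacts shown above: the sandbox CSV record of the FTP drop, the per-victim marker file, and the UNIX-style directory listing of the infect/ directory. It turns them into a victim inventory (the marker files are named after the infected box) and flags any file whose size falls outside the 287..300-byte band the markers occupy in the listing. All inputs are constructed from the formats in the post; the KEYLOG.txt entry and the 280..310-byte band are assumptions for illustration.

```python
import csv
import io
import re
from datetime import datetime

# Constructed inputs, mirroring the formats in the post.
SANDBOX_CSV = '''"md5hash","server ip","server hostname","port","user","password","command"
"46e904ff7e313a0979dd907a2933ccc8","200.149.77.62","ftp.xpg.com.br","21","torpedosvip","chuchula","STOR NAME.txt"
'''
MARKER_WINXP = r"""INFECTADO By N4ruT0
=-=-=-=-=-=-=-=-=-=RoXCoRpOrATioN-=-=-=-=-=-=-=-=-=-=-=
Computador ....: WINXP
MAC ...........: 00-1B-24-28-82-5A
Win. Dir ......: C:\WINDOWS\system32
Data ..........: 3/12/2008
Hora ..........: 2:06:10 PM
=-=-=-=-=-=-=-=-=-=RoXCoRpOrATioN-=-=-=-=-=-=-=-=-=-=-=
"""
# Three entries from the post's listing plus a hypothetical oversized
# KEYLOG.txt (constructed) to exercise the size check.
LISTING = """-rw-r--r-- 1 torpedosvip ftp 299 Apr 30 15:47 AD3GVO7SGQ9Y9HJ.txt
-rw-r--r-- 1 torpedosvip ftp 287 Mar 12 15:08 CASA.txt
-rw-r--r-- 1 torpedosvip ftp 290 Mar 12 16:01 WINXP.txt
-rw-r--r-- 1 torpedosvip ftp 4812 Mar 12 16:30 KEYLOG.txt
"""

# Portuguese field labels in the marker file -> English keys.
FIELD_LABELS = {"Computador": "hostname",  # Computer
                "MAC": "mac",
                "Win. Dir": "windir",
                "Data": "date",            # Date
                "Hora": "time"}            # Time
FIELD_RE = re.compile(r"^(?P<label>[A-Za-z. ]+?)\s*\.+:\s*(?P<value>.*?)\s*$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
LIST_RE = re.compile(
    r"^(?P<perm>[-dl][rwx-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2})\s+(?P<name>.+)$")
# Marker files in the post are 287..300 bytes; anything well outside that
# band (assumed 280..310 here) may hold more than a marker and deserves a look.
MARKER_SIZE_RANGE = (280, 310)


def parse_sandbox_record(text):
    """Rows of the sandbox CSV (drop server, port, FTP credential, command)."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_marker(text):
    """Parse one victim marker file. Date/time is the victim's local clock
    as the bot wrote it (US month/day, 12-hour), not the server's mtime."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("label") in FIELD_LABELS:
            fields[FIELD_LABELS[m.group("label")]] = m.group("value")
    mac = fields.get("mac", "")
    if not MAC_RE.match(mac):
        raise ValueError("unexpected MAC format: %r" % mac)
    when = datetime.strptime(fields["date"] + " " + fields["time"],
                             "%m/%d/%Y %I:%M:%S %p")
    return {"hostname": fields["hostname"],
            "mac": mac.replace("-", ":").lower(),
            "windir": fields["windir"],
            "infected_at": when}


def parse_listing(text):
    """Parse a UNIX-style FTP directory listing into dicts."""
    entries = []
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            entries.append(d)
    return entries


def victim_inventory(entries):
    """Victim hostnames: each marker file is named after the infected box."""
    return sorted(e["name"][:-4] for e in entries
                  if e["perm"][0] == "-" and e["name"].endswith(".txt"))


def find_non_marker_files(entries, size_range=MARKER_SIZE_RANGE):
    """Regular files whose size falls outside the marker band."""
    lo, hi = size_range
    return [e["name"] for e in entries
            if e["perm"][0] == "-" and not lo <= e["size"] <= hi]
```

One caveat worth keeping in mind when sequencing infections: the marker carries the victim's own clock (WINXP's marker says 2:06:10 PM on 3/12/2008, while the server lists WINXP.txt at Mar 12 16:01), so the two timestamps are about two hours apart and should not be mixed in one timeline without correcting for the offset.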