[nsp-sec] [Part 2] compromised unix systems
Gabriel Iovino
giovino at ren-isac.net
Sat Aug 29 15:42:08 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings,
Due to the investigation of a compromised Linux machine identified due
to Rolf's mailing, a list of URLs has been discovered that may lead to
other compromised machines.
A Google search of "/twiki/bin/fix?" returns a file with several URLs
and some of them might point to other compromised twiki installations. I
say this as two of the seven IPs Rolf listed in his email are also
listed in the file of URLs.
I have attached a file named urls.txt which is a raw list of the URLs
and a file named asn.txt which resolved the URLs -> IP -> ASN.
Note: Some of the URLs/machines appear to be legitimate, maybe they are
used by the miscreants in spam runs or something like that. (Thanks Nick I.)
I will likely reach out to the following after some deeper inspection of
the URLs:
> 142.150.237.139|research.msrg.utoronto.ca
> 128.100.75.158|hep-twiki.physics.utoronto.ca
> 129.64.99.240|wiki.brandeis.edu
> 128.95.89.20|www.atmos.washington.edu
> 132.236.6.91|isc.astro.cornell.edu
> 168.7.116.238|www.resource-aware.org
> 128.100.5.29|www.cs.toronto.edu
> 128.100.5.29|www.cs.toronto.edu
> 205.127.225.50|www.uen.org
This site hosting the URLs is:
> http://s11.info/p/
You will find the perl script I attached in my previous mailing and the
list of URLs attached to this mailing and a few IRC chats.
Please feel free to share this information with trusted people but
please leave out the institution that was breached.
If you have any information from an associated compromised twiki
installation, if you could share that with me I would appreciate it.
Gabe
- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkqZhJAACgkQwqygxIz+pTtItACfc8KOuRAlp/4kf3Aka6TAWDMS
OM0AoIXQ41o00kV3hbTjVqmCzhHVlOc+
=+dyl
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: urls.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090829/bcad6146/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: asn.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090829/bcad6146/attachment-0003.txt>
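The URL -> hostname -> IP -> ASN mapping the posting describes for asn.txt, written out as an added example; this is not code from the original mailing, its attachments or the perl script mentioned there. It filters a URL list on the "/twiki/bin/fix?" string from the posting, de-duplicates hostnames, and emits "IP|hostname|ASN" rows. The URL list, the resolver table (a stand-in for DNS; a live run would call socket.gethostbyname) and the prefix-to-ASN table are all constructed for the example, using RFC 5737 documentation addresses and hypothetical AS numbers.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URL list, standing in for the urls.txt attachment.
SAMPLE_URLS = """\
http://wiki.example.edu/twiki/bin/fix?x=1
http://wiki.example.edu/twiki/bin/view/Main/WebHome
https://hep.example.org:8443/twiki/bin/fix?cmd=ls
http://www.example.net/index.html
not a url at all
http://wiki.example.edu/twiki/bin/fix?x=2
"""

# Constructed resolver table standing in for DNS
# (a live run would use socket.gethostbyname(host) instead).
RESOLVE = {
    "wiki.example.edu": "192.0.2.45",
    "hep.example.org": "198.51.100.7",
    "www.example.net": "203.0.113.9",
}

# Constructed prefix -> ASN table: RFC 5737 documentation prefixes and
# hypothetical (private-range) AS numbers. A live run would use a
# whois/BGP data source for this mapping.
PREFIX_ASN = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("203.0.113.0/24", 64502),
]


def extract_hosts(text, marker="/twiki/bin/fix?"):
    """Return ordered, de-duplicated hostnames from URL lines whose
    path+query contains `marker`. marker=None keeps every valid URL."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # skip junk lines and non-web URLs
        target = parts.path + ("?" + parts.query if parts.query else "")
        if marker is not None and marker not in target:
            continue
        host = parts.hostname.lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


def lookup_asn(ip, table=PREFIX_ASN):
    """Longest-prefix match of `ip` against the prefix table;
    returns None when no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best is not None else None


def resolve_to_asn(hosts, resolver=RESOLVE.get, table=PREFIX_ASN):
    """Produce 'IP|hostname|ASN' rows, extending the 'IP|hostname' layout
    quoted in the posting. `resolver(host)` returns an IPv4 string or
    None; unresolvable hosts and unmapped IPs are reported with '-'."""
    rows = []
    for host in hosts:
        ip = resolver(host)
        if ip is None:
            rows.append(f"-|{host}|-")
            continue
        asn = lookup_asn(ip, table)
        rows.append(f"{ip}|{host}|{asn if asn is not None else '-'}")
    return rows


if __name__ == "__main__":
    for row in resolve_to_asn(extract_hosts(SAMPLE_URLS)):
        print(row)
```

Only hosts that actually appear with the "/twiki/bin/fix?" string are reported, so the two legitimate-looking URLs in the sample are dropped before any lookup; pass marker=None to keep the whole list when the goal is the raw hostname inventory rather than the suspect subset.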