[nsp-sec] Some malware on a Web server of ours
Joel Rosenblatt
joel at columbia.edu
Wed Feb 11 16:09:45 EST 2009
Hi,
There was some malware on a less than fully protected web server in one of our departments
Here are the commands that uploaded it
189.129.97.12 - - [05/Feb/2009:22:12:14 -0500] "GET /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1424
189.129.97.12 - - [05/Feb/2009:22:12:14 -0500] "GET /favicon.ico HTTP/1.1" 404 308
189.129.97.12 - - [05/Feb/2009:22:12:17 -0500] "GET /favicon.ico HTTP/1.1" 404 308
189.129.97.12 - - [05/Feb/2009:22:13:21 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1982
189.129.97.12 - - [05/Feb/2009:22:13:27 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 2959
189.129.97.12 - - [05/Feb/2009:22:13:31 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 2002
189.129.97.12 - - [05/Feb/2009:22:13:37 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1976
189.129.97.12 - - [05/Feb/2009:22:13:40 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1939
189.129.97.12 - - [05/Feb/2009:22:13:43 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 2003
189.129.97.12 - - [05/Feb/2009:22:13:50 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 2074
189.129.97.12 - - [05/Feb/2009:22:13:54 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1546
189.129.97.12 - - [05/Feb/2009:22:14:20 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1483
189.129.97.12 - - [05/Feb/2009:22:14:24 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1482
189.129.97.12 - - [05/Feb/2009:22:14:33 -0500] "GET /FX/Databases/store/safeoff.txt HTTP/1.1" 200 1476
189.129.97.12 - - [05/Feb/2009:22:18:42 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1479
189.129.97.12 - - [05/Feb/2009:22:18:48 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1432
The command to access it
hxxp://128.59.122.24/FX/Databases/store/safeon.txt
VirusTotal results:
http://www.virustotal.com/analisis/353fc81df3d27f410c168e20db115136
and some IPs that apparently downloaded it
62.193.13.163 - - [05/Feb/2009:22:32:10 -0500] "GET /FX/Databases/store/safeon.txt?? HTTP/1.1" 200 656
62.193.13.163 - - [05/Feb/2009:22:47:04 -0500] "GET /FX/Databases/store/safeon.txt?? HTTP/1.1" 200 656
84.38.64.218 - - [05/Feb/2009:22:54:14 -0500] "GET /FX/Databases/store/safeon.txt?? HTTP/1.1" 200 656
Joel
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
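The pattern in the log above (a burst of POSTs to one PHP script, then a GET of a freshly dropped .txt file by the same client, then third parties fetching it with a bare "??" cache-busting query) is easy to pick out mechanically. The script below is an added example, not part of Joel's post or of any Columbia tooling: it parses Apache common-log lines, using a subset of the lines from the post plus one constructed benign line (10.0.0.5), and returns a list of findings. The thresholds (three POSTs within 120 seconds) and the rule names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the post above plus one constructed benign line (10.0.0.5).
SAMPLE_LOG = """\
189.129.97.12 - - [05/Feb/2009:22:12:14 -0500] "GET /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1424
189.129.97.12 - - [05/Feb/2009:22:12:14 -0500] "GET /favicon.ico HTTP/1.1" 404 308
189.129.97.12 - - [05/Feb/2009:22:13:21 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1982
189.129.97.12 - - [05/Feb/2009:22:13:27 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 2959
189.129.97.12 - - [05/Feb/2009:22:13:31 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 2002
189.129.97.12 - - [05/Feb/2009:22:13:37 -0500] "POST /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1976
189.129.97.12 - - [05/Feb/2009:22:14:33 -0500] "GET /FX/Databases/store/safeoff.txt HTTP/1.1" 200 1476
62.193.13.163 - - [05/Feb/2009:22:32:10 -0500] "GET /FX/Databases/store/safeon.txt?? HTTP/1.1" 200 656
84.38.64.218 - - [05/Feb/2009:22:54:14 -0500] "GET /FX/Databases/store/safeon.txt?? HTTP/1.1" 200 656
10.0.0.5 - - [05/Feb/2009:23:00:00 -0500] "GET /index.html HTTP/1.1" 200 5120
"""

# Apache common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def detect(events, burst_min=3, burst_window_s=120):
    """Flag the three behaviours visible in the post. Thresholds are assumed values."""
    findings = []

    # Rule 1: repeated successful POSTs from one client to one .php script (webshell use).
    posts = defaultdict(list)
    for e in events:
        script = e["path"].split("?", 1)[0].lower()
        if e["method"] == "POST" and script.endswith(".php") and e["status"] == 200:
            posts[(e["ip"], e["path"])].append(e["ts"])
    burst_start = {}  # ip -> time of first POST in a burst
    for (ip, path), stamps in posts.items():
        stamps.sort()
        for i in range(len(stamps) - burst_min + 1):
            if (stamps[i + burst_min - 1] - stamps[i]).total_seconds() <= burst_window_s:
                findings.append({"rule": "post_burst", "ip": ip, "path": path, "count": len(stamps)})
                burst_start[ip] = stamps[i]
                break

    for e in events:
        # Rule 2: the bursting client later fetches a non-PHP file successfully (staged payload check).
        if (e["ip"] in burst_start and e["method"] == "GET" and e["status"] == 200
                and e["ts"] > burst_start[e["ip"]]
                and not e["path"].split("?", 1)[0].lower().endswith(".php")):
            findings.append({"rule": "post_then_fetch", "ip": e["ip"], "path": e["path"]})
        # Rule 3: a query string that is empty apart from "?" characters (e.g. "file.txt??").
        if "?" in e["path"] and e["path"].split("?", 1)[1].strip("?") == "":
            findings.append({"rule": "empty_query", "ip": e["ip"], "path": e["path"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
```

On a real server, feed the whole access log through parse_log and treat a post_burst finding as the cue to pull the script named in it for review; the empty_query rule on its own is noisy and is most useful when joined to a path that a post_then_fetch finding already pointed at.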