[nsp-sec] possible malware on sharlatan.ucoz.com

Smith, Donald Donald.Smith at qwest.com
Mon Jul 6 16:36:03 EDT 2009



(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> SURFcert - Peter
> Sent: Thursday, July 02, 2009 2:12 PM
> To: Rob Thomas
> Cc: NSP-SEC List
> Subject: Re: [nsp-sec] possible malware on sharlatan.ucoz.com
> 
> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Rob Thomas wrote on 2009-07-02 19:53:
> 
> >> wget sharlatan.ucoz.com/spaniol.tar
SSH brute-force tools including a scanner, unix (bash exec), results and a 10MB dictionary.
A couple of scripts to help automate the whole thing.
It appears to date back to 2006/2007.
The vuln.txt dates back to Jan 2 2007 so probably isn't worth notifying customers.
It does include user:pass:ip_addr.


> >> wget sharlatan.ucoz.com/udp.pl
UDP flooder written in shell.

> >> wget sharlatan.ucoz.com/udp.plw
I couldn't retrieve that one.

> > 
> > sharlatan.ucoz.com (ha what a name!) presently resolves to
> > 208.100.61.101 for me.
> 
> I see the same IP address at my end of the world.
> 
> > AS    | IP             | BGP Prefix      | CC | Registry | Allocated  | AS Name
> > 32748 | 208.100.61.101 | 208.100.32.0/19 | US | arin     | 2006-02-17 | STEADFAST - NoZone, Inc.
> > 
> > We see 208.100.61.101 hosting malware as far back as 2009-01-01 01:31:56
> > UTC (I didn't go back to 2008).  It's also sourced spam and hosted
> > several phishing sites.
> > 
> > We see quite a few DNS RRs pointed to 208.100.61.101 last month.
> 
> So a connection to that site might indicate compromised systems? I hope
> not. I checked the flows to see if somebody else downloaded the malware.
> They didn't seem to, but there were a whole lot of systems just dying to
> get some data.
> 
> - --
> Peter Peters
> SURFcert Officer on Duty
> cert at surfnet.nl                            http://cert.surfnet.nl/
> office-hours: +31 302 305 305    emergency (24/7): +31 622 923 564
> 
> 
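The flow check Peter describes above, written out as an added example that is not code from this thread or from SURFcert: it reads constructed unidirectional flow records (the CSV layout, the sample data and the 1 KiB payload threshold are all assumptions) and separates internal hosts that actually pulled data from 208.100.61.101 over HTTP from those that only tried to connect.

```python
import csv
from collections import defaultdict
from io import StringIO

MALWARE_HOST = "208.100.61.101"  # sharlatan.ucoz.com as resolved in the thread
MALWARE_PORT = 80                # the wget fetches of spaniol.tar / udp.pl are plain HTTP
PAYLOAD_THRESHOLD = 1024         # assumed: fewer server bytes than this is a handshake, not a download

# Constructed flow export (one record per direction), not real SURFnet data.
SAMPLE_FLOWS = """\
start,src,sport,dst,dport,proto,flags,bytes
2009-07-02T10:01:12,192.0.2.15,51234,208.100.61.101,80,tcp,SAPF,640
2009-07-02T10:01:12,208.100.61.101,80,192.0.2.15,51234,tcp,SAPF,10485760
2009-07-02T10:02:40,192.0.2.77,40022,208.100.61.101,80,tcp,S,180
2009-07-02T10:02:40,208.100.61.101,80,192.0.2.77,40022,tcp,SA,120
2009-07-02T10:03:05,192.0.2.91,40100,208.100.61.101,80,tcp,S,60
2009-07-02T10:05:00,192.0.2.15,52000,198.51.100.9,443,tcp,SAPF,900
"""


def triage_flows(flow_csv):
    """Return {internal_host: 'downloaded' | 'attempted'} for every host that
    talked to MALWARE_HOST:MALWARE_PORT. Bytes the server sent back to the
    client decide whether anything was actually fetched."""
    server_bytes = defaultdict(int)
    touched = set()
    for rec in csv.DictReader(StringIO(flow_csv)):
        src, dst = rec["src"], rec["dst"]
        if dst == MALWARE_HOST and int(rec["dport"]) == MALWARE_PORT:
            touched.add(src)                      # client -> server leg
        elif src == MALWARE_HOST and int(rec["sport"]) == MALWARE_PORT:
            touched.add(dst)                      # server -> client leg
            server_bytes[dst] += int(rec["bytes"])
    return {
        host: "downloaded" if server_bytes[host] >= PAYLOAD_THRESHOLD else "attempted"
        for host in sorted(touched)
    }


if __name__ == "__main__":
    for host, verdict in triage_flows(SAMPLE_FLOWS).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "downloaded" are the ones worth pulling for forensics first; "attempted" hosts still warrant a look, since a blocked or failed fetch is often the first sign of a compromise in progress.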

