[nsp-sec] Linux webserver botnet
Thomas Hungenberg
th.lab at hungenberg.net
Mon Sep 14 07:40:51 EDT 2009
Regarding the article on The Register:
I was working with Roman from abuse.ch on this last week and
he blogged about it on Friday: <http://www.abuse.ch/?p=1801>
We've seen 1500+ unique dyndns hostnames used with IFRAMEs injected
into compromised websites so far.
Please find attached a list of dyndns hostnames we have seen that are
currently resolving (837 hostnames resolving to 105 unique IPs).
Format: ASN | IP | CC | hostname | AS name
All these IPs most likely are compromised servers that are/were running
an nginx proxy on port 8080 (it appears some servers have already been
cleaned up).
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
SURFcert - Peter schrieb:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> Coincidence or not? Just today I read
> http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/ and
> at the same time I got a report about a linux web server that was
> infected and part of a botnet. I have ordered to not re-install that
> specific server but try to get the services running on another one.
>
> They got into the system through an old vulnerable phpMyAdmin version.
> The strange thing is there shouldn't be any phpMyAdmin on that box. We
> will sort that out later. We can probably pull the source of the botnet
> malware from the logging (at first sight it appears to be a host in
> Germany). And we probably will get some information about the IRC
> channel and passwords used to access 82.197.159.61 on port 9999.
>
> I hope to be able to get as much as possible out of that host before I
> am off on holiday and without e-mail for about two weeks. Important
> stuff will of course be shared as much as possible.
>
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dyndns_driveby_20090914.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090914/141f44eb/attachment-0001.txt>
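As an added example (not part of this thread or of the scrubbed attachment), a small Python triage script that parses lines in the attachment's "ASN | IP | CC | hostname | AS name" format, groups them per ASN for abuse notification (unique IPs and hostnames per network) and checks captured page HTML for IFRAMEs whose src points at a listed hostname; every ASN, IP and hostname in it is a constructed placeholder.

```python
# Added example, not from the original thread. All ASNs, IPs and
# hostnames below are constructed placeholders, not real indicators.
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the attachment's "ASN | IP | CC | hostname | AS name" format.
SAMPLE_LIST = """\
64496 | 192.0.2.10 | DE | example-a.dyndns.example | EXAMPLE-AS-A
64496 | 192.0.2.10 | DE | example-b.dyndns.example | EXAMPLE-AS-A
64497 | 198.51.100.7 | NL | example-c.dyndns.example | EXAMPLE-AS-B
"""

# Constructed page snippet: one injected 1x1 IFRAME plus one legitimate one.
SAMPLE_HTML = ('<html><body>text<iframe src="http://example-a.dyndns.example:8080/in.php"'
               ' width=1 height=1></iframe><iframe src="https://cdn.example.org/w.html">'
               '</iframe></body></html>')

def parse_list(text):
    """One dict per well-formed line; malformed lines are skipped, not guessed."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        asn, ip, cc, host, asname = parts
        rows.append({"asn": int(asn), "ip": ip, "cc": cc,
                     "hostname": host.lower(), "asname": asname})
    return rows

def summarize_by_asn(rows):
    """ASN -> {'ips': set, 'hostnames': set}: what each abuse contact needs."""
    out = defaultdict(lambda: {"ips": set(), "hostnames": set()})
    for r in rows:
        out[r["asn"]]["ips"].add(r["ip"])
        out[r["asn"]]["hostnames"].add(r["hostname"])
    return dict(out)

class IframeFinder(HTMLParser):
    """Collect the src host of every <iframe> tag in a page."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:
                self.hosts.append(host.lower())

def find_injected_iframes(html, rows):
    """Sorted iframe hosts in `html` that also appear in the indicator list."""
    listed = {r["hostname"] for r in rows}
    finder = IframeFinder()
    finder.feed(html)
    return sorted({h for h in finder.hosts if h in listed})
```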