[nsp-sec] Linux webserver botnet
Stephen Gill
gillsr at cymru.com
Mon Sep 14 11:29:57 EDT 2009
Have you passed these along to dyndns yet? If not, may I?
-- steve
On 9/14/09 4:40 AM, "Thomas Hungenberg" <th.lab at hungenberg.net> wrote:
> ----------- nsp-security Confidential --------
>
> Regarding the article on The Register:
>
> I was working with Roman from abuse.ch on this last week and
> he blogged about it on Friday: <http://www.abuse.ch/?p=1801>
>
> We've seen 1500+ unique dyndns hostnames used with IFRAMEs injected
> into compromised websites so far.
>
> Please find attached a list of dyndns hostnames we have seen that are
> currently resolving (837 hostnames resolving to 105 unique IPs).
> Format: ASN | IP | CC | hostname | AS name
>
> All these IPs most likely are compromised servers that are/were running
> an nginx proxy on port 8080 (it appears some servers have already been
> cleaned up).
>
>
> - Thomas
>
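Added example, not part of the original messages: one way a recipient could load a list in the `ASN | IP | CC | hostname | AS name` format described above and group hostnames by IP and ASN, to find entries in their own network and check the hostname and IP counts. All rows, ASNs, addresses and hostnames in the sample are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the "ASN | IP | CC | hostname | AS name" layout.
# Private-use ASNs, documentation IP ranges and .example names only.
SAMPLE = """\
64512 | 192.0.2.10   | ZZ | alpha.dyndns.example   | EXAMPLE-NET-A
64512 | 192.0.2.10   | ZZ | Bravo.dyndns.example.  | EXAMPLE-NET-A
64512 | 192.0.2.77   | ZZ | charlie.dyndns.example | EXAMPLE-NET-A
64513 | 198.51.100.5 | ZZ | delta.dyndns.example   | EXAMPLE-NET-B, Constructed
# comment line
this line is malformed
64513 | 300.1.1.1    | ZZ | bad.dyndns.example     | EXAMPLE-NET-B
"""

def parse_line(line):
    """Split one row into typed fields; raise ValueError on bad input."""
    # maxsplit=4 keeps any '|' inside the free-text AS name intact.
    parts = [p.strip() for p in line.split("|", 4)]
    if len(parts) != 5:
        raise ValueError("expected 5 pipe-separated fields")
    asn, ip, cc, host, as_name = parts
    # Normalise so the same host or IP is not counted twice.
    return (int(asn), str(ipaddress.ip_address(ip)), cc.upper(),
            host.lower().rstrip("."), as_name)

def summarize(text):
    """Group hostnames by ASN and IP; collect line numbers of rejected rows."""
    by_asn = defaultdict(lambda: defaultdict(set))
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            asn, ip, _cc, host, _name = parse_line(line)
        except ValueError:
            rejected.append(lineno)
            continue
        by_asn[asn][ip].add(host)
    grouped = {a: {ip: sorted(h) for ip, h in ips.items()}
               for a, ips in by_asn.items()}
    hosts = {h for ips in grouped.values() for hs in ips.values() for h in hs}
    ips = {ip for m in grouped.values() for ip in m}
    return {"hostnames": len(hosts), "ips": len(ips),
            "by_asn": grouped, "rejected": rejected}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report["hostnames"], "hostnames on", report["ips"], "unique IPs")
    for asn, ips in sorted(report["by_asn"].items()):
        print(f"AS{asn}: {len(ips)} IPs, {sum(map(len, ips.values()))} hostnames")
```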