[nsp-sec] ACK 174 RE: Linux webserver botnet

Nicholas Ianelli ni at centergate.net
Mon Sep 14 12:53:17 EDT 2009



For folks that are interested, here are some additional data points:

http://www.abuse.ch/?p=1801
http://www.abuse.ch/downloads/dyndns_driveby.txt
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

At one time some of these sites were pointing/distributing
FakeAV/RogueAV - TotalSecurity and AVCare.

All the PDFs I was able to obtain were the same (MD5):
3228c641929bb40475c44a26bda8531a

and utilized a stack-based buffer overflow in Adobe Acrobat and Reader
via a crafted format string argument in util.printf.

The PDFs pointed to: hXXp://bestlitediscover.cn:8080/landig.php?id=8



URLs I personally saw (did not de-dupe from other lists):


Nick

Shelton, Steve wrote:
> ----------- nsp-security Confidential --------
> 
> ACK for 174, can proxy for a few of these.
> 
> I discovered one of these bots [IP not featured on the list] on 9/10,
> nuked shortly after.  The C&C was reported as being 95.211.22.24 and
> roughly 10-15 A' records were pointed to the nginx services running on
> :8080.
> 
> Payload was the usual:
> 
> :8080/index.php
> :8080/cache/readme.pdf
> 
> Domains associated with the A' records aimed at the payload were as
> follows.
> 
> webhop.org.
> .ftpaccess.cc.
> serveblog.net.
> office-on-the.net.
> myphotos.cc.
> .homeunix.org.
> servemp3.com.
> servegame.com.
> mine.nu.
> myvnc.com.
> 
> Best regards,
> 
> Steve Shelton
> Security Engineer
> Cogent Communications
> 
> 
> 
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Thomas
> Hungenberg
> Sent: Monday, September 14, 2009 5:41 AM
> To: NSP-SEC List
> Subject: Re: [nsp-sec] Linux webserver botnet


--
Nicholas Ianelli: Neustar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz

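As an added detection example (not part of this thread or anyone's posted code), the following scans constructed web-proxy log lines for the landing/payload URL pattern reported above (port 8080 with /index.php, /cache/readme.pdf or /ts/in.cgi) and notes whether the host sits under one of the dynamic-DNS zones Steve listed; the log format, hostnames and client IPs are assumptions made up for the demo.

```python
import re
from urllib.parse import urlsplit

# Dynamic-DNS zones named in the thread; a host under one of them is only a
# supporting signal, the port/path pattern below is the primary indicator.
DYNDNS_ZONES = ("webhop.org", "ftpaccess.cc", "serveblog.net", "office-on-the.net",
                "myphotos.cc", "homeunix.org", "servemp3.com", "servegame.com",
                "mine.nu", "myvnc.com")

# Path patterns lifted from the landing/payload URLs reported in the thread.
PAYLOAD_PATHS = {
    "landing": re.compile(r"^/index\.php$"),
    "pdf": re.compile(r"^/cache/readme\.pdf$"),
    "redirector": re.compile(r"^/ts/in\.cgi$"),
}

# Constructed log format (not a real product's): "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify_url(url):
    """Return (kind, under_dyndns) if url matches the botnet pattern, else None."""
    parts = urlsplit(url)
    if parts.port != 8080 or not parts.hostname:
        return None
    for kind, pat in PAYLOAD_PATHS.items():
        if pat.match(parts.path):
            host = parts.hostname.lower()
            under_dyn = any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES)
            return kind, under_dyn
    return None

def scan_proxy_log(lines):
    """Return [(client_ip, url, kind, under_dyndns)] for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        client, url = m.group(2), m.group(4)
        result = classify_url(url)
        if result:
            hits.append((client, url) + result)
    return hits

# Constructed sample lines: hostnames and client IPs are made up for the demo.
SAMPLE_LOG = [
    "2009-09-14T12:00:01Z 10.0.0.5 GET http://example-host.myvnc.com:8080/index.php 200",
    "2009-09-14T12:00:02Z 10.0.0.5 GET http://example-host.myvnc.com:8080/cache/readme.pdf 200",
    "2009-09-14T12:00:03Z 10.0.0.7 GET http://intranet.example.net/index.php 200",
    "2009-09-14T12:00:04Z 10.0.0.9 GET http://203.0.113.10:8080/ts/in.cgi?pepsi18 302",
    "not a log line",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the first, second and fourth lines; the plain /index.php on port 80 is left alone so the check does not fire on every PHP site.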