[nsp-sec] ACK 174 RE: Linux webserver botnet
Tom Daly
tom at dyn.com
Mon Sep 14 15:43:12 EDT 2009
> I'm sorry, but I don't have the specific files. An analysis of the
> payload can be found at the following URL.
>
> http://wepawet.iseclab.org/view.php?hash=f3d40a9f37dca288e5382996d5efa5e6&t=1252297985&type=js
Thanks Steve,
We've been scrubbing the logs today and what's odd is we see no pattern of an automated system creating these DDNS hostnames.
All accounts must verify by e-mail. The confirmation e-mail contains a hash they must return to the site with before they can create DDNS hostnames. From reviewing our logs, and comparing to past abuses, it seems that the accounts are being hand created, and being hand confirmed through various e-mail service providers. >500 unique e-mail domains have been used in creating these accounts.
I'm wondering if the malware is smart enough to look inside an outlook inbox to grab our confirmation hash...
Source IPs for account creation, subsequent login, host creation, and DDNS A record IPs are all over the map, nothing significant there.
I did reach out to one hosting provider who is going to try to get me the contents of the nginx directory so we can have a look at the php and CGI in there.
Tom
--
Tom Daly
CTO, Dynamic Network Services, Inc.
Ph: 603-296-1537
http://dyn.com/