[nsp-sec] Linux webserver botnet

Thomas Hungenberg th.lab at hungenberg.net
Tue Sep 15 10:36:33 EDT 2009


Several compromised websites that had an IFRAME pointing to dyndns hosts
(like <hXXp://a2stu.blogdns.com:8080/ts/in.cgi?open>) injected last week
now have an IFRAME pointing to <hXXp://red-wolf.ru:8080/index.php>.

It appears the attackers are updating the injected IFRAMEs.

Currently I do not get any content from the new URL.

16265   | 85.17.237.5      | NL | red-wolf.ru     | LEASEWEB LEASEWEB AS
16276   | 91.121.121.6     | FR | red-wolf.ru     | OVH OVH
16276   | 91.121.134.229   | FR | red-wolf.ru     | OVH OVH
16276   | 91.121.74.84     | FR | red-wolf.ru     | OVH OVH
20857   | 80.69.74.73      | NL | red-wolf.ru     | TRANSIP-AS TransIP BV


     - Thomas

CERT-Bund Incident Response & Anti-Malware Team
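As an added example (not part of this thread or of any CERT-Bund tooling), the following Python script shows how a site owner could check served pages for the kind of injected IFRAME described above: it parses an indicator list in the thread's "ASN | IP | CC | hostname | AS name" format and flags IFRAMEs whose src points at a listed host, at a dynamic-DNS name on port 8080, or at any other off-site host on port 8080. The sample HTML, the extra dyndns suffixes and the site hostname are constructed assumptions; only the red-wolf.ru rows and the blogdns.com URL come from the messages above.

```python
"""Flag injected IFRAMEs in HTML using a pipe-delimited indicator list.

Sample HTML and the indicator rows below are constructed for the example;
the red-wolf.ru rows and the blogdns.com URL are taken from the thread.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed excerpt in the thread's "ASN | IP | CC | hostname | AS name" format.
INDICATOR_LIST = """\
16265   | 85.17.237.5      | NL | red-wolf.ru     | LEASEWEB LEASEWEB AS
16276   | 91.121.121.6     | FR | red-wolf.ru     | OVH OVH
20857   | 80.69.74.73      | NL | red-wolf.ru     | TRANSIP-AS TransIP BV
"""

# blogdns.com appears in the thread; the other suffixes are assumed examples
# of the same dynamic-DNS provider family.
DYNDNS_SUFFIXES = ("blogdns.com", "dyndns.org", "homeip.net")
SUSPICIOUS_PORTS = {8080}  # the proxy port reported in the thread

# Constructed page: one legitimate relative IFRAME, two injected 1x1 IFRAMEs,
# one legitimate third-party embed.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="1" height="1"></iframe>
<iframe src="http://a2stu.blogdns.com:8080/ts/in.cgi?open" width="1" height="1"></iframe>
<iframe src="http://red-wolf.ru:8080/index.php" width="1" height="1"></iframe>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>"""


def parse_indicator_list(text):
    """Return (hostnames, ips) from the pipe-delimited rows; malformed rows are skipped."""
    hosts, ips = set(), set()
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue
        _asn, ip, _cc, host, _asname = parts
        ips.add(ip)
        hosts.add(host.lower())
    return hosts, ips


class IframeCollector(HTMLParser):
    """Collect every IFRAME src attribute in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def is_dyndns(host):
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def classify(src, site_host, bad_hosts, bad_ips):
    """Return a reason string if the IFRAME src looks injected, else None."""
    if src.startswith("//"):          # protocol-relative URL
        src = "http:" + src
    elif "://" not in src:            # relative path: same origin, not external
        return None
    u = urlparse(src)
    host = (u.hostname or "").lower()
    if not host or host == site_host.lower():
        return None
    if host in bad_hosts or host in bad_ips:
        return "host on indicator list"
    if is_dyndns(host) and u.port in SUSPICIOUS_PORTS:
        return "dynamic-DNS host on suspicious port"
    if u.port in SUSPICIOUS_PORTS:
        return "off-site host on suspicious port"
    return None


def scan_html(html, site_host, bad_hosts, bad_ips):
    """Return [(src, reason), ...] for every suspicious IFRAME in the HTML."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        reason = classify(src, site_host, bad_hosts, bad_ips)
        if reason:
            findings.append((src, reason))
    return findings


if __name__ == "__main__":
    hosts, ips = parse_indicator_list(INDICATOR_LIST)
    for src, reason in scan_html(SAMPLE_HTML, "www.example.org", hosts, ips):
        print(f"{reason}: {src}")
```

Run against a crawl of your own site's pages, the script gives a quick first pass; because the thread notes the attackers rotate the injected target, the dynamic-DNS and port heuristics matter as much as the static indicator list, and any hit should be followed by a review of the site's own files and access logs for the injection itself.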

Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Regarding the article on The Register:
> 
> I was working with Roman from abuse.ch on this last week and
> he blogged about it on Friday: <http://www.abuse.ch/?p=1801>
> 
> We've seen 1500+ unique dyndns hostnames used with IFRAMEs injected
> into compromised websites so far.
> 
> Please find attached a list of dyndns hostnames we have seen that are
> currently resolving (837 hostnames resolving to 105 unique IPs).
> Format: ASN | IP | CC | hostname | AS name
> 
> All these IPs most likely are compromised servers that are/were running
> an nginx proxy on port 8080 (it appears some servers have already been
> cleaned up).
> 
> 
>      - Thomas
> 
> CERT-Bund Incident Response & Anti-Malware Team
> 
> 
> SURFcert - Peter wrote:
>>
>> Hi,
>>
>> Coincidence or not? Just today I read
>> http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/ and
>> at the same time I got a report about a linux web server that was
>> infected and part of a botnet. I have ordered to not re-install that
>> specific server but try to get the services running on another one.
>>
>> They got into the system through an old vulnerable phpMyAdmin version.
>> The strange thing is there shouldn't be any phpMyAdmin on that box. We
>> will sort that out later. We can probably pull the source of the botnet
>> malware from the logging (at first sight it appears to be a host in
>> Germany). And we probably will get some information about the IRC
>> channel and passwords used to access 82.197.159.61 on port 9999.
>>
>> I hope to be able to get as much as possible out of that host before I
>> am off on holiday and without e-mail for about two weeks. Important
>> stuff will of course be shared as much as possible.
>>
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________