[nsp-sec] Linux webserver botnet
Stephen Gill
gillsr at cymru.com
Tue Sep 15 13:26:21 EDT 2009
Hi Team,
I've been informed that the no-ip ones have been nuked as well. According
to them, sharing w/ permission:
[ ... ]
Yeah this batch was an odd one for us. Every account was created from
a different IP with a different browser id. Different email providers
for the login addresses, different passwords and different account
information. It made it pretty hard to track, if it were not for the
reports we received I'd be in a lot more trouble.
[ ... ]
They also said there was an abnormally high number of e-mail accounts
associated with mail.ru so they have blocked that for now. They are also
working on adding more verification features to make it harder for this to
happen.
-- steve
On 9/14/09 4:40 AM, "Thomas Hungenberg" <th.lab at hungenberg.net> wrote:
> ----------- nsp-security Confidential --------
>
> Regarding the article on The Register:
>
> I was working with Roman from abuse.ch on this last week and
> he blogged about it on Friday: <http://www.abuse.ch/?p=1801>
>
> We've seen 1500+ unique dyndns hostnames used with IFRAMEs injected
> into compromised websites so far.
>
> Please find attached a list of dyndns hostnames we have seen that are
> currently resolving (837 hostnames resolving to 105 unique IPs).
> Format: ASN | IP | CC | hostname | AS name
>
> All these IPs most likely are compromised servers that are/were running
> an nginx proxy on port 8080 (it appears some servers have already been
> cleaned up).
>
>
> - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
>
> SURFcert - Peter wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hi,
>>
>> Coincidence or not? Just today I read
>> http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/ and
>> at the same time I got a report about a linux web server that was
>> infected and part of a botnet. I have ordered to not re-install that
>> specific server but try to get the services running on another one.
>>
>> They got into the system through an old vulnerable phpMyAdmin version.
>> The strange thing is there shouldn't be any phpMyAdmin on that box. We
>> will sort that out later. We can probably pull the source of the botnet
>> malware from the logging (at first sight it appears to be a host in
>> Germany). And we probably will get some information about the IRC
>> channel and passwords used to access 82.197.159.61 on port 9999.
>>
>> I hope to be able to get as much as possible out of that host before I
>> am off on holiday and without e-mail for about two weeks. Important
>> stuff will of course be shared as much as possible.
>>
>
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
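The sighting list Thomas describes (format: ASN | IP | CC | hostname | AS name) is the kind of feed an nsp-sec contact has to split per network before notifying anyone. As an added example, not from the thread or its attachment, here is a small Python parser that validates each row, drops malformed lines, and summarises unique IPs and hostnames per ASN; the rows are constructed samples (documentation prefixes, .invalid hostnames), not real sightings.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format described in the thread (not real sightings).
SAMPLE = """\
64496 | 192.0.2.10 | NL | host1.example-dyndns.invalid | EXAMPLE-NET-A
64496 | 192.0.2.10 | NL | host2.example-dyndns.invalid | EXAMPLE-NET-A
64496 | 192.0.2.11 | NL | host3.example-dyndns.invalid | EXAMPLE-NET-A
64497 | 198.51.100.5 | DE | host4.example-dyndns.invalid | EXAMPLE-NET-B
bad line without separators
64497 | not-an-ip | DE | host5.example-dyndns.invalid | EXAMPLE-NET-B
"""

def parse_rows(text):
    """Yield (asn, ip, cc, hostname, asname) tuples; skip malformed rows."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        asn, ip, cc, hostname, asname = parts
        try:
            ip = str(ipaddress.ip_address(ip))  # rejects garbage such as 'not-an-ip'
        except ValueError:
            continue
        yield int(asn), ip, cc, hostname.lower(), asname

def summarise(text):
    """Return {asn: {"asname", "ips", "hostnames"}} so each ASN is notified once."""
    by_asn = defaultdict(lambda: {"asname": "", "ips": set(), "hostnames": set()})
    for asn, ip, _cc, hostname, asname in parse_rows(text):
        entry = by_asn[asn]
        entry["asname"] = asname
        entry["ips"].add(ip)
        entry["hostnames"].add(hostname)
    return dict(by_asn)

def totals(text):
    """Overall (hostnames, unique IPs), the two figures quoted in the thread."""
    hosts, ips = set(), set()
    for _asn, ip, _cc, hostname, _asname in parse_rows(text):
        hosts.add(hostname)
        ips.add(ip)
    return len(hosts), len(ips)

if __name__ == "__main__":
    for asn, e in sorted(summarise(SAMPLE).items()):
        print(f"AS{asn} {e['asname']}: {len(e['ips'])} IPs, {len(e['hostnames'])} hostnames")
    print("hostnames, unique IPs:", totals(SAMPLE))
```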