[nsp-sec] Compromised websites

Stéphane Dodeller dodeller at ip-plus.net
Mon Jul 18 10:39:16 EDT 2011


Ack for AS44038

Regards

Stéphane

On 18 Jul 2011, at 16:22, Thomas Hungenberg wrote:

> in the past weeks, we have been investigating a successor of this attack:
> <http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/>
> 
> We worked with LE and managed to get hold of the hard disk from the C&C server
> that the malicious PHP scripts injected into the compromised websites regularly contacted.
> The requests to the C&C server contain the domain name of the compromised website,
> so the logfiles for 2011-07-01 until 2011-07-08 found on the hard disk allowed us
> to extract a list of compromised websites that contacted the C&C server during this period.
> 
> Please find below the list of ~10.000 compromised websites.
> Format: ASN | IP | CC | domain name | AS desc
> 
> In a compromised webspace, you should find the malicious PHP script, a directory ".log"
> with spam pages generated by the script, a file "xml.cgi" which holds the domain name
> of the C&C server (base64 encoded), etc.
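The artifacts the quoted message lists (a ".log" directory of generated spam pages and an "xml.cgi" file holding the base64-encoded C&C domain) can be swept for across a web root. The script below is an added example, not code from the post or from the investigation; the directory tree and the C&C domain it uses are constructed placeholders.

```python
# Added example: sweep a web root for the indicators named in the nsp-sec post.
# The sample tree built by build_demo_webroot() is constructed for this demo.
import base64
import os
import re
import tempfile

# A decoded xml.cgi body is only reported if it looks like a DNS hostname.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$", re.I)


def decode_xml_cgi(data: bytes):
    """Return the hostname hidden in an xml.cgi body, or None if it is not base64 of one."""
    try:
        decoded = base64.b64decode(data.strip(), validate=True).decode("ascii").strip()
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if HOSTNAME_RE.match(decoded) else None


def scan_webroot(root: str) -> dict:
    """Walk `root` and collect .log directories, xml.cgi files and decoded C&C domains."""
    findings = {"log_dirs": [], "xml_cgi": [], "c2_domains": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d == ".log":
                findings["log_dirs"].append(os.path.relpath(os.path.join(dirpath, d), root))
        for f in filenames:
            if f == "xml.cgi":
                path = os.path.join(dirpath, f)
                findings["xml_cgi"].append(os.path.relpath(path, root))
                with open(path, "rb") as fh:
                    domain = decode_xml_cgi(fh.read())
                if domain:
                    findings["c2_domains"].append(domain)
    return findings


def build_demo_webroot() -> str:
    """Constructed sample: one site carrying both indicators, one clean site."""
    root = tempfile.mkdtemp(prefix="webroot-")
    hacked = os.path.join(root, "hacked-site", "wp-content")
    os.makedirs(os.path.join(hacked, ".log"))
    with open(os.path.join(hacked, "xml.cgi"), "wb") as fh:
        fh.write(base64.b64encode(b"c2.example.invalid"))  # placeholder C&C domain
    os.makedirs(os.path.join(root, "clean-site", "images"))
    return root
```

Run `scan_webroot("/var/www")` (or whatever the hosting root is) and triage every hit by hand; a ".log" directory alone is only a lead, while a decoded hostname from xml.cgi is a much stronger signal.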
