[nsp-sec] Compromised websites
Rodolfo Baader
rbaader at arcert.gov.ar
Mon Jul 18 17:42:57 EDT 2011
Hi Thomas,
proxy ACK for AR ASNs:
7303
10318
11664
16814
20207
27823
27953
Notifications were sent to the abuse/noc departments.
Regards,
R.
On 18/07/11 11:22, Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> in the past weeks, we have been investigating a successor of this attack:
> <http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/>
>
> We worked with LE and managed to get hold of the harddisk from the C&C server
> the malicious PHP scripts injected into the compromised websites regularly contacted.
> The requests to the C&C server contain the domain name of the compromised website,
> so the logfiles for 2011-07-01 until 2011-07-08 found on the harddisk allowed us
> to extract a list of compromised websites that contacted the C&C server during this period.
>
> Please find below the list of ~10.000 compromised websites.
> Format: ASN | IP | CC | domain name | AS desc
>
> In a compromised webspace, you should find the malicious PHP script, a directory ".log"
> with spam pages generated by the script, a file "xml.cgi" which holds the domain name
> of the C&C server (base64 encoded), etc.
>
>
> - Thomas
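Two things an NSP or CERT receiving this mail has to do are (a) pull its own ASNs' rows out of the "ASN | IP | CC | domain name | AS desc" list before notifying customers, and (b) give those customers a way to confirm the infection using the indicators Thomas names (the ".log" directory of spam pages and the base64-encoded C&C domain in "xml.cgi"). The script below is an added example written for this archive page; it is not code from Thomas, Rodolfo, or the list, and it assumes the list rows are pipe-separated exactly as described, and that "xml.cgi" contains nothing but the base64 string (plus trailing whitespace), which is what the mail describes but not something the page shows. The sample rows, IPs (RFC 5737 documentation ranges), domains and the C&C name "c2.example" are constructed placeholders, not entries from the real list.

```python
import base64
import os
import tempfile
from pathlib import Path

# ASNs acknowledged for Argentina in Rodolfo's reply above.
AR_ASNS = {7303, 10318, 11664, 16814, 20207, 27823, 27953}

# Constructed sample rows in the format "ASN | IP | CC | domain name | AS desc".
# IPs are RFC 5737 documentation addresses and the domains are placeholders;
# none of these rows come from Thomas's real list.
SAMPLE_LIST = """\
7303 | 192.0.2.10 | AR | site-a.example | Example AS 7303
3352 | 198.51.100.7 | ES | site-b.example | Example AS 3352
27823 | 192.0.2.55 | AR | site-c.example | Example AS 27823
this line is deliberately malformed and must be skipped
"""


def parse_list(text):
    """Parse 'ASN | IP | CC | domain | desc' rows; skip lines that don't fit."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        rows.append({
            "asn": int(fields[0]),
            "ip": fields[1],
            "cc": fields[2],
            "domain": fields[3],
            "as_desc": fields[4],
        })
    return rows


def for_my_asns(rows, asns):
    """Keep only the rows whose ASN is one we are responsible for."""
    return [r for r in rows if r["asn"] in asns]


def decode_xml_cgi(path):
    """Decode the base64 C&C domain Thomas says 'xml.cgi' holds.
    Assumption: the file contains just the base64 string (plus whitespace)."""
    data = Path(path).read_bytes().strip()
    try:
        return base64.b64decode(data, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / not text: still report the file


def find_indicators(webroot):
    """Walk a webspace for the '.log' directory and 'xml.cgi' file indicators."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for d in dirnames:
            if d == ".log":
                hits.append(("log_dir", os.path.join(dirpath, d), None))
        for f in filenames:
            if f == "xml.cgi":
                p = os.path.join(dirpath, f)
                hits.append(("xml_cgi", p, decode_xml_cgi(p)))
    return sorted(hits)


def demo(cc_domain="c2.example"):
    """Build a throwaway webspace carrying the indicators and scan it.
    Constructed fixture so the scan can be checked without a real webspace."""
    root = tempfile.mkdtemp()
    site = Path(root) / "htdocs"
    (site / ".log").mkdir(parents=True)
    (site / ".log" / "cheap-pills.html").write_text("<html>spam</html>")
    (site / "xml.cgi").write_bytes(base64.b64encode(cc_domain.encode()) + b"\n")
    (site / "index.php").write_text("<?php echo 'hello'; ?>")
    return find_indicators(root)


if __name__ == "__main__":
    for row in for_my_asns(parse_list(SAMPLE_LIST), AR_ASNS):
        print("notify:", row["asn"], row["ip"], row["domain"])
    for kind, path, decoded in demo():
        print(kind, path, decoded or "")
```

Run against a real customer webspace with `find_indicators("/var/www/customer")`; a decoded domain from "xml.cgi" is the strongest signal, while a ".log" directory alone is only worth a look, since a legitimate application may create one.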