[nsp-sec] Compromised websites
Serge Droz
serge.droz at switch.ch
Tue Jul 26 06:19:18 EDT 2011
ACK ASNs: 8404, 47302, 35206, 34146, 29097, 25563, 21217, 21069, 20634, 12620, 12333
On 18/7/11 16:22, Thomas Hungenberg wrote:
> Hi,
>
> in the past weeks, we have been investigating a successor of this attack:
> <http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/>
>
> We worked with LE and managed to get hold of the hard disk from the C&C server
> that the malicious PHP scripts injected into the compromised websites regularly contacted.
> The requests to the C&C server contain the domain name of the compromised website,
> so the logfiles for 2011-07-01 until 2011-07-08 found on the hard disk allowed us
> to extract a list of compromised websites that contacted the C&C server during this period.
>
> Please find below the list of ~10.000 compromised websites.
> Format: ASN | IP | CC | domain name | AS desc
>
> In a compromised webspace, you should find the malicious PHP script, a directory ".log"
> with spam pages generated by the script, a file "xml.cgi" which holds the domain name
> of the C&C server (base64 encoded), etc.
--
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch
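As an added example (not code from this thread, from SWITCH or from the original investigators), the following script walks a webspace for the indicators Thomas lists: `xml.cgi` files whose base64 content decodes to the C&C domain, and `.log` directories holding generated spam pages. The sample tree and the domain `c2.example.invalid` are constructed here for the demonstration.

```python
import base64
import os
import re
import tempfile

# Loose hostname check: the decoded xml.cgi content should look like a domain name.
_DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)

def decode_c2_domain(blob: bytes):
    """Base64-decode xml.cgi content; return the C&C domain, or None if it is not one."""
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("ascii").strip()
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if _DOMAIN_RE.match(decoded) else None

def scan_webspace(root: str) -> dict:
    """Report xml.cgi files (with decoded C&C domain) and .log directories (with page count)."""
    findings = {"xml_cgi": [], "log_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if ".log" in dirnames:
            logdir = os.path.join(dirpath, ".log")
            findings["log_dirs"].append((os.path.relpath(logdir, root), len(os.listdir(logdir))))
        if "xml.cgi" in filenames:
            path = os.path.join(dirpath, "xml.cgi")
            with open(path, "rb") as fh:
                domain = decode_c2_domain(fh.read())
            findings["xml_cgi"].append((os.path.relpath(path, root), domain))
    return findings

def build_sample_webspace() -> str:
    """Constructed sample tree (not real data): one infected vhost and one clean vhost."""
    root = tempfile.mkdtemp(prefix="webspace_")
    infected = os.path.join(root, "vhost-a", "htdocs")
    os.makedirs(os.path.join(infected, ".log"))
    for i in range(3):
        with open(os.path.join(infected, ".log", f"page{i}.html"), "w") as fh:
            fh.write("<html>constructed spam page</html>")
    with open(os.path.join(infected, "xml.cgi"), "wb") as fh:
        fh.write(base64.b64encode(b"c2.example.invalid"))  # constructed C&C domain
    os.makedirs(os.path.join(root, "vhost-b", "htdocs"))
    return root

if __name__ == "__main__":
    for kind, hits in scan_webspace(build_sample_webspace()).items():
        print(kind, hits)
```

Run it against the document root of each virtual host; a hit on either indicator marks the site for cleanup and for notification of the hosting ASN.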