[nsp-sec] DDoS: Compromised web servers (part 1)
Dave Woutersen (NCSC-NL)
dave.woutersen at ncsc.nl
Tue Oct 9 06:23:29 EDT 2012
ACK for 21155, 16265, 50673 and 8315.
Thx!
Dave
On 9-10-2012 4:51, Nick Ianelli wrote:
> ----------- nsp-security Confidential --------
>
>
>
> For those that haven't seen, tomorrow will kick off the continuation
> of DDoS attacks targeting various financial organizations. Current
> schedule:
>
> Capital One 20121009
> Suntrust 20121010
> Regions 20121011
>
> Attached are 160 new compromised web servers the malicious actors have
> added in the past 24 hours.
>
> ****
>
> It should be noted that if you try and "GET" the indx.php without any
> parameters it will generate an error.
>
> Take a closer look at the 404 you are getting back, if you see the
> typo, the sites are still infected:
>
> "a 404 Not Foun derror was encountered'
>
> ****
>
> Prior to distribution please remove any list or personally identifiable
> information from it.
>
>
> In addition to indx.php, the following files may exist in the same
> directory:
>
> stcp.php
> stip.php
> stph.php
> classtyle.php
> classtyle2.php
>
> The following URL discusses some of the issues at play here, but I
> don't believe all are Joomla compromises:
>
> http://forum.joomla.org/viewtopic.php?t=737503
>
> In working with your constituency, if you were able to obtain the
> files listed above (and any other files in the same directory) as well
> as any web access logs specific to the files listed above, I would be
> extremely interested and eternally grateful.
>
> Any questions, let me know.
>
>
> Here is a list of ASNs (by count) of what's in the attached file:
>
> Cheers,
> Nick
--
Dave Woutersen
Security Specialist
+++++++++++++++++++++++++++++++++
National Cyber Security Centre
P.O. Box 117 | 2501 CC | The Hague | Netherlands | www.ncsc.nl
+++++++++++++++++++++++++++++++++
T +31 70 888 75 55 E dave.woutersen at ncsc-nl
PGP F52A F649 3EC9 CFC1 4F2D 95EC 22FF 43AD
+++++++++++++++++++++++++++++++++
As of 1 January 2012, GOVCERT-NL evolved into the National Cyber Security Centre
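Added example, not part of Nick's post or Dave's reply: a small Python filter that pulls the requests Nick asks for (hits on indx.php and the companion files) out of a combined-format web access log and aggregates them per client and path, plus a check for the misspelt 404 text he says identifies a still-infected site. File names and the marker string are taken from the post; the log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter

# Files the post says may sit next to indx.php on a compromised web server.
SUSPECT_FILES = {"indx.php", "stcp.php", "stip.php", "stph.php",
                 "classtyle.php", "classtyle2.php"}

# The misspelt 404 text the post says the infected script returns.
INFECTED_404_MARKER = "a 404 Not Foun derror was encountered"

# Apache/nginx "combined" access log format (client, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def looks_infected(body: str) -> bool:
    """True if a 404 response body carries the typo described in the post."""
    return INFECTED_404_MARKER in body


def suspect_hits(log_lines):
    """Yield (client ip, timestamp, path, status) for requests to the suspect files."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.rsplit("/", 1)[-1] in SUSPECT_FILES:
            yield m.group("ip"), m.group("ts"), path, m.group("status")


def summarise(log_lines):
    """Count hits per (client ip, path) so the controlling client stands out."""
    return Counter((ip, path) for ip, _, path, _ in suspect_hits(log_lines))


# Constructed sample log lines for demonstration (not real data).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2012:03:14:01 +0000] "GET /images/indx.php?a=1 HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [09/Oct/2012:03:14:02 +0000] "GET /images/stcp.php HTTP/1.1" 200 88 "-" "-"
198.51.100.7 - - [09/Oct/2012:03:15:10 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "-"
203.0.113.5 - - [09/Oct/2012:03:16:30 +0000] "POST /images/indx.php HTTP/1.1" 200 64 "-" "-"
192.0.2.9 - - [09/Oct/2012:03:20:00 +0000] "GET /images/indx.php HTTP/1.1" 404 99 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for (ip, path), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip:15s} {path}")
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines; the per-client counts give the operator the evidence Nick asks to collect.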