[nsp-sec] DDoS: Compromised web servers: 20121010

Thomas Hungenberg th.lab at hungenberg.net
Thu Oct 11 04:13:47 EDT 2012


Hi Nick,

thanks for the updated list!

So instead of checking for the typo in the 404 message, you could check
</indx.php?action=status> for a "That is good" response.

Cheers,
Thomas

CERT-Bund Incident Response & Anti-Malware Team

On 11.10.2012 02:15, Nick Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> Latest list of compromised web servers. They are absolutely killing vulnerable Joomla hosts.
> 
> Been busy updating some of their scripts.
> 
> stp.hp
> stcurl.php
> stmdu.php
> 
> They also modified indx.php a bit:
> 
> if ($_GET['action']=="status") { print "That is good"; exit(); }
> 
> 
> ****
> 
> It should be noted that if you try and "GET" the indx.php without any parameters it will generate an error.
> 
> Take a closer look at the 404 you are getting back, if you see the typo, the sites are still infected:
> 
> "a 404 Not Foun derror was encountered"
> 
> ****
> 
> Nick
> 
> -------- Original Message --------
> Subject: DDoS: Compromised web servers (part 1)
> Date: Tue, 09 Oct 2012 02:51:33 +0000
> 
> For those that haven't seen, tomorrow will kick off the continuation of DDoS attacks targeting various financial organizations. Current schedule:
> 
> Capital One   20121009
> Suntrust      20121010
> Regions       20121011
> 
> Attached are 160 new compromised web servers the malicious actors have added in the past 24 hours.
> 
> ****
> 
> It should be noted that if you try and "GET" the indx.php without any parameters it will generate an error.
> 
> Take a closer look at the 404 you are getting back, if you see the typo, the sites are still infected:
> 
> "a 404 Not Foun derror was encountered"
> 
> ****
> 
> Prior to distribution please remove any list or personally identifiable information from it.
> 
> 
> In addition to indx.php, the following files may exist in the same directory:
> 
> stcp.php
> stip.php
> stph.php
> classtyle.php
> classtyle2.php
> 
> The following URL discusses some of the issues at play here, but I don't believe all are Joomla compromises:
> 
> http://forum.joomla.org/viewtopic.php?t=737503
> 
> In working with your constituency, if you were able to obtain the files listed above (and any other files in the same directory) as well as any web access logs specific to the files listed above,
> I would be extremely interested and eternally grateful.
> 
> Any questions, let me know.
> 
> 
> Here is a list of ASNs (by count) of what's in the attached file:
> 
> 
> Cheers, Nick
> 
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures. 
> _______________________________________________
> 
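Added example, not code from Thomas's or Nick's mail: a small Python check that applies the two indicators described in this thread to a suspected directory, reporting a "That is good" reply to indx.php?action=status (updated script) and the "Not Foun derror" typo in the bare response (original script) as separate verdicts. The hostnames and the fake_get responses are constructed sample data; the indx.php location under the given base URL and the User-Agent string are assumptions.

```python
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

STATUS_MARKER = "That is good"                   # updated indx.php, ?action=status
TYPO_404 = re.compile(r"Not Foun derror", re.I)  # original indx.php, no parameters


def classify(status_reply, bare_reply):
    """Map two (http_code, body) pairs to a verdict string."""
    s_code, s_body = status_reply
    b_code, b_body = bare_reply
    if s_code == 200 and STATUS_MARKER in (s_body or ""):
        return "infected (updated indx.php)"
    if TYPO_404.search(b_body or ""):
        return "infected (original indx.php)"
    if s_code == 404 and b_code == 404:
        return "not found"
    return "inconclusive"          # timeouts, odd codes, unrelated content


def http_get(url, timeout=10):
    """Return (code, body); HTTP error pages are returned, not raised."""
    req = Request(url, headers={"User-Agent": "ir-check/0.1"})  # assumed UA
    try:
        with urlopen(req, timeout=timeout) as r:
            return r.getcode(), r.read(4096).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")
    except URLError as e:
        return None, str(e.reason)


def check_site(base_url, get=http_get):
    """base_url is the directory suspected to hold indx.php (assumption)."""
    script = base_url.rstrip("/") + "/indx.php"
    return classify(get(script + "?action=status"), get(script))


def fake_get(url):
    """Constructed offline responses for three hypothetical hosts."""
    typo = "a 404 Not Foun derror was encountered"
    if url.startswith("http://new.example/"):
        return (200, "That is good") if "action=status" in url else (200, typo)
    if url.startswith("http://old.example/"):
        return (200, typo)                       # old script, any request
    return (404, "<h1>Not Found</h1>The requested URL was not found.")


if __name__ == "__main__":
    for host in ("http://new.example", "http://old.example", "http://clean.example"):
        print(host, "->", check_site(host, get=fake_get))
```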