[nsp-sec] DDoS: Compromised web servers -- Round 2
Taka Mizuguchi
taka at nttv6.jp
Thu Oct 11 10:44:41 EDT 2012
ACK for below Japanese ASN.
9371
Nick Ianelli wrote,on 12/09/26 5:58:
> ----------- nsp-security Confidential --------
>
> Round two!
>
> I was able to identify 335 new hosts that they might be utilizing for
> their DDoS attacks. This is the first time I've seen these hosts, so I
> haven't notified anyone.
>
> The below request still exists, logs and files would be awesome, best
> effort though.
>
> ASN count is below original message (I removed the old one).
>
> Nick
>
>
>> Attached is a list being tracked by the malicious actors of 6206
>> compromised web servers. Some of these have already been notified
>> and cleaned up, for the others please distribute as you see fit.
>> Prior to distribution please remove any list or personally
>> identifiable information from it.
>>
>>
>> In addition to indx.php, the following files may exist in the same
>> directory:
>>
>> stcp.php stip.php stph.php classtyle.php classtyle2.php
>>
>> The following URL discusses some of the issues at play here, but I
>> don't believe all are Joomla compromises:
>>
>> http://forum.joomla.org/viewtopic.php?t=737503
>>
>> In working with your constituency, if you were able to obtain the
>> files listed above (and any other files in the same directory) as
>> well as any web access logs specific to the files listed above, I
>> would be extremely interested and eternally grateful.
>
>
> Nick
--
Taka Mizuguchi
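
An added example, not part of the thread or of either poster's tooling: one way an operator could gather what the quoted request asks for, namely every file sharing a directory with one of the listed PHP files, plus the access-log lines that request those files. The function names, the common/combined log format and the sample log lines are assumptions constructed for illustration.

```python
import os
import re
from urllib.parse import unquote, urlsplit

# File names taken from the quoted message.
LISTED = {"indx.php", "stcp.php", "stip.php", "stph.php",
          "classtyle.php", "classtyle2.php"}

# Assumption: logs are in Apache/nginx common or combined format.
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+)(?: HTTP/[\d.]+)?"')


def requested_name(line):
    """Return the lower-cased basename of the requested path, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = unquote(urlsplit(m.group(1)).path)  # drop query, decode %xx
    return path.rsplit("/", 1)[-1].lower()


def matching_log_lines(lines):
    """Access-log lines whose request targets one of the listed files."""
    return [ln for ln in lines if requested_name(ln) in LISTED]


def directories_to_collect(docroot):
    """Map each directory holding a listed file to all files beside it."""
    found = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if any(f.lower() in LISTED for f in files):
            found[dirpath] = sorted(files)
    return found


# Constructed sample lines (documentation addresses, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2012:05:58:01 +0000] "POST /images/indx.php?x=1 HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.11 - - [25/Sep/2012:05:58:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.12 - - [25/Sep/2012:05:58:03 +0000] "GET /tmp/st%69p.php HTTP/1.0" 200 3 "-" "-"',
    '192.0.2.13 - - [25/Sep/2012:05:58:04 +0000] "GET /a?f=stcp.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in matching_log_lines(SAMPLE_LOG):
        print(hit)
    for d, files in directories_to_collect(".").items():
        print(d, files)
```

Matching is done on the decoded path basename, so a legitimate `index.php` and a listed name that appears only in a query string are not reported, while a percent-encoded request for a listed file is.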