[nsp-sec] ACK. Re: DDoS: Compromised web servers -- Round 3

Taka Mizuguchi taka at nttv6.jp
Thu Oct 11 10:45:33 EDT 2012


Ack for the Japanese ASNs below.

7506
9370
9371

Regards,


Nick Ianelli wrote, on 12/09/26 23:36:
> ----------- nsp-security Confidential --------
> 
> 
> 
> Round three!
> 
> I was able to identify 304 new hosts that they might be utilizing for
> their DDoS attacks. This is the first time I've seen these hosts, so I
> haven't notified anyone.
> 
> The below request still exists, logs and files would be awesome, best
> effort though.
> 
> ASN count is below original message (I removed the old one).
> 
> These guys aren't stopping and continue to build their botnet.
> 
> It should be noted that if you try and "GET" the indx.php without any
> parameters it will generate an error.
> 
> Take a closer look at the 404 you are getting back, if you see the
> typo, the sites are still infected:
> 
> "a 404 Not Foun derror was encountered'
> 
> 
> 
>>> Attached is a list being tracked by the malicious actors of 6206
>>> compromised web servers. Some of these have already been
>>> notified and cleaned up, for the others please distribute as you
>>> see fit. Prior to distribution please remove any list or
>>> personally identifiable information from it.
>>
>>
>>> In addition to indx.php, the following files may exist in the
>>> same directory:
>>
>>> stcp.php stip.php stph.php classtyle.php classtyle2.php
>>
>>> The following URL discusses some of the issues at play here, but
>>> I don't believe all are Joomla compromises:
>>
>>> http://forum.joomla.org/viewtopic.php?t=737503
>>
>>> In working with your constituency, if you were able to obtain the
>>> files listed above (and any other files in the same directory)
>>> as well as any web access logs specific to the files listed
>>> above, I would be extremely interested and eternally grateful.
>>
>>
> 
> 
> 
> Nick
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
> 


-- 
Taka Mizuguchi
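
Added example, not part of either message above: one way an operator could pull the web access log entries the quoted request asks for, grouped by the directory holding the listed files, plus a check for the misspelled 404 text quoted as the sign of a still-infected site. The Combined Log Format, the case-insensitive file name match, and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# File names listed in the quoted message.
SUSPECT_FILES = {"indx.php", "stcp.php", "stip.php", "stph.php",
                 "classtyle.php", "classtyle2.php"}
# Typo quoted in the message as the sign of a still-infected site.
ERROR_MARKER = "404 Not Foun derror"

# Assumed Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def suspect_hits(lines):
    """Group requests for the listed files by the directory they sit in."""
    by_dir = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = PurePosixPath(urlsplit(m["target"]).path)
        if path.name.lower() in SUSPECT_FILES:  # case-insensitive: assumption
            by_dir[str(path.parent)].append(
                (m["time"], m["ip"], m["method"], path.name, int(m["status"])))
    return dict(by_dir)

def still_infected(body):
    """True if an error page body carries the typo quoted in the message."""
    return ERROR_MARKER in body

# Constructed sample log lines (documentation addresses, not real data).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2012:23:01:02 +0000] "POST /images/indx.php?x=1 HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [26/Sep/2012:23:01:05 +0000] "GET /images/stcp.php HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.10 - - [26/Sep/2012:23:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.5 - - [26/Sep/2012:23:03:00 +0000] "GET /tmp/CLASSTYLE2.PHP HTTP/1.0" 404 310 "-" "-"',
]

if __name__ == "__main__":
    for directory, hits in sorted(suspect_hits(SAMPLE_LOG).items()):
        print(directory)
        for hit in hits:
            print("   ", *hit)
```

Each directory the function reports is also where the quoted request asks for any other files to be collected.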


