[nsp-sec] DDoS: Compromised web servers: 20121010

Smith, Donald Donald.Smith at CenturyLink.com
Thu Oct 11 11:35:49 EDT 2012


Yea, one of the ones I checked earlier this week (Monday) still came back with that string.



(coffee != sleep) & (!coffee == sleep)
 Donald.Smith at centurylink.com
________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] on behalf of Nick Ianelli [ni at allyourinfoarebelongto.us]
Sent: Thursday, October 11, 2012 9:14 AM
To: Thomas Hungenberg
Cc: 'nsp-security NSP'
Subject: Re: [nsp-sec] DDoS: Compromised web servers: 20121010

----------- nsp-security Confidential --------

Yes, that would work. I don't know if all compromised web servers got
updated, so if you see "itsoknoproblembro" returned, that's also a
sign of active infection.

Nick


On 10/11/2012 08:13 AM, Thomas Hungenberg wrote:
> Hi Nick,
>
> thanks for the updated list!
>
> So instead of checking for the typo in the 404 message, you could
> check </indx.php?action=status> for a "That is good" response.
>
> Cheers, Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
> On 11.10.2012 02:15, Nick Ianelli wrote:
>>
>>
>>
>> Latest list of compromised web servers. They are absolutely
>> killing vulnerable Joomla hosts.
>>
>> Been busy updating some of their scripts.
>>
>> stp.hp stcurl.php stmdu.php
>>
>> They also modified indx.php a bit:
>>
>> if ($_GET['action']=="status") { print "That is good"; exit(); }
>>
>>
>> ****
>>
>> It should be noted that if you try and "GET" the indx.php
>> without any parameters it will generate an error.
>>
>> Take a closer look at the 404 you are getting back, if you see
>> the typo, the sites are still infected:
>>
>> "a 404 Not Foun derror was encountered'
>>
>> ****
>>
>> Nick
>>
>> -------- Original Message --------
>> Subject: DDoS: Compromised web servers (part 1)
>> Date: Tue, 09 Oct 2012 02:51:33 +0000
>>
>> For those that haven't seen, tomorrow will kick off the
>> continuation of DDoS attacks targeting various financial
>> organizations. Current schedule:
>>
>> Capital One 20121009
>> Suntrust 20121010
>> Regions 20121011
>>
>> Attached are 160 new compromised web servers the malicious
>> actors have added in the past 24 hours.
>>
>> ****
>>
>> It should be noted that if you try and "GET" the indx.php
>> without any parameters it will generate an error.
>>
>> Take a closer look at the 404 you are getting back, if you see
>> the typo, the sites are still infected:
>>
>> "a 404 Not Foun derror was encountered'
>>
>> ****
>>
>> Prior to distribution please remove any list or personally
>> identifiable information from it.
>>
>>
>> In addition to indx.php, the following files may exist in the
>> same directory:
>>
>> stcp.php stip.php stph.php classtyle.php classtyle2.php
>>
>> The following URL discusses some of the issues at play here, but
>> I don't believe all are Joomla compromises:
>>
>> http://forum.joomla.org/viewtopic.php?t=737503
>>
>> In working with your constituency, if you were able to obtain
>> the files listed above (and any other files in the same
>> directory) as well as any web access logs specific to the files
>> listed above, I would be extremely interested and eternally
>> grateful.
>>
>> Any questions, let me know.
>>
>>
>> Here is a list of ASNs (by count) of what's in the attached
>> file:
>>
>>
>> Cheers, Nick
>>
>>
>>
>>
>>
>> _______________________________________________ nsp-security
>> mailing list nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security community. Confidentiality is essential for
>> effective Internet security counter-measures.
>> _______________________________________________
>>
>




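The thread gives two response-side indicators (the "That is good" reply to indx.php?action=status and the "Not Foun derror" 404 typo, plus the older "itsoknoproblembro" marker) and a list of file names dropped next to indx.php. The following is an added example, not code from the thread or from the CERT-Bund or nsp-security participants: it classifies an observed HTTP response against those strings and scans a web server's own access log for requests to the dropped files. The log-format regex and the sample log lines are constructed for the example; the file names and strings are the ones quoted in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qs
# File names the thread reports being dropped alongside indx.php.
DROPPED_FILES = {
    "indx.php", "stcp.php", "stip.php", "stph.php", "classtyle.php",
    "classtyle2.php", "stcurl.php", "stmdu.php", "stp.hp",
}
# Response strings the thread reports as signs of an active infection.
STATUS_OK_BODY = "That is good"     # reply to indx.php?action=status
TYPO_404 = "a 404 Not Foun derror"  # typo in the scripts' own 404 text
OLD_MARKER = "itsoknoproblembro"    # string returned by non-updated copies

def classify_response(status, body):
    """Name the thread's indicator an observed HTTP response matches, or None."""
    if OLD_MARKER in body:
        return "itsoknoproblembro-marker"
    if status == 200 and STATUS_OK_BODY in body:
        return "status-probe-reply"
    if status == 404 and TYPO_404 in body:
        return "typo-404-page"
    return None

# Combined log format parser (constructed for this example, not from the thread).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+')
def scan_access_log(lines):
    """Return (client_ip, path, reason) for requests to the dropped files."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.rsplit("/", 1)[-1] not in DROPPED_FILES:
            continue
        action = parse_qs(parts.query).get("action", [""])[0]
        reason = "status-probe" if action == "status" else "dropped-file-request"
        hits.append((m.group("ip"), parts.path, reason))
    return hits

# Constructed sample access-log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2012:14:02:11 +0000] "GET /images/indx.php?action=status HTTP/1.1" 200 12 "-" "curl/7.19"',
    '203.0.113.9 - - [10/Oct/2012:14:02:13 +0000] "POST /images/stcurl.php HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Oct/2012:14:03:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit on the status probe or on a POST to one of the dropped files is the kind of access-log evidence the thread asks affected hosts to preserve alongside the files themselves.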


More information about the nsp-security mailing list