[nsp-sec] DDoS: Compromised web servers: 20121011
Serge Droz
serge.droz at switch.ch
Fri Oct 12 02:12:25 EDT 2012
ACK ASNs 29097, 1836, 15600
Cheers
Serge
On 10/11/2012 11:20 PM, Nick Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> 377 new additions to the list.
>
> Nick
>
>
>> Latest list of compromised web servers. They are absolutely
>> killing vulnerable Joomla hosts.
>
>> Been busy updating some of their scripts.
>
>> stp.hp stcurl.php stmdu.php
>
>> They also modified indx.php a bit:
>
>> if ($_GET['action']=="status") { print "That is good"; exit(); }
>
>
>> ****
>
>> It should be noted that if you try and "GET" the indx.php without
>> any parameters it will generate an error.
>
>> Take a closer look at the 404 you are getting back, if you see
>> the typo, the sites are still infected:
>
>> "a 404 Not Foun derror was encountered'
>
>> ****
>
>> Nick
>
>> -------- Original Message --------
>> Subject: DDoS: Compromised web servers (part 1)
>> Date: Tue, 09 Oct 2012 02:51:33 +0000
>
>> For those that haven't seen, tomorrow will kick off the
>> continuation of DDoS attacks targeting various financial
>> organizations. Current schedule:
>
>> Capital One 20121009
>> Suntrust 20121010
>> Regions 20121011
>
>> Attached are 160 new compromised web servers the malicious actors
>> have added in the past 24 hours.
>
>> ****
>
>> It should be noted that if you try and "GET" the indx.php without
>> any parameters it will generate an error.
>
>> Take a closer look at the 404 you are getting back, if you see
>> the typo, the sites are still infected:
>
>> "a 404 Not Foun derror was encountered'
>
>> ****
>
>> Prior to distribution please remove any list or personally
>> identifiable information from it.
>
>
>> In addition to indx.php, the following files may exist in the
>> same directory:
>
>> stcp.php stip.php stph.php classtyle.php classtyle2.php
>
>> The following URL discusses some of the issues at play here, but
>> I don't believe all are Joomla compromises:
>
>> http://forum.joomla.org/viewtopic.php?t=737503
>
>> In working with your constituency, if you were able to obtain
>> the files listed above (and any other files in the same
>> directory) as well as any web access logs specific to the files
>> listed above, I would be extremely interested and eternally
>> grateful.
>
>> Any questions, let me know.
>
>
>> Here is a list of ASNs (by count) of what's in the attached
>> file:
>
>
> _______________________________________________ nsp-security
> mailing list nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
--
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch
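Added example, not code from the thread or from either poster: a small checker that applies the indicators Nick describes (the dropped file names, the `?action=status` handler, and the typo'd fake 404) to response bodies and to web access log lines, so a CERT can triage a constituent's hosts and logs offline. The combined log format, the paths and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# File names the thread lists alongside indx.php (copied as written there).
WEBSHELL_FILES = {
    "indx.php", "stcp.php", "stip.php", "stph.php", "classtyle.php",
    "classtyle2.php", "stp.hp", "stcurl.php", "stmdu.php",
}
# Response strings quoted in the thread; the typo is the indicator.
TYPO_404 = "404 Not Foun derror"
STATUS_OK = "That is good"

# Apache/nginx "combined" format (assumption; adjust to the server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def classify_response(body: str) -> str:
    """Classify a response body fetched from indx.php on a suspect host."""
    if STATUS_OK in body:
        return "status-probe-answered"   # the ?action=status branch is live
    if TYPO_404 in body:
        return "fake-404-present"        # parameterless GET, host still infected
    return "no-indicator"


def scan_access_log(lines):
    """Return (ip, ts, target, reason) for requests that touch the listed files."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parseable combined-format line
        url = urlsplit(m["target"])
        if url.path.rsplit("/", 1)[-1] not in WEBSHELL_FILES:
            continue
        probe = parse_qs(url.query).get("action") == ["status"]
        hits.append((m["ip"], m["ts"], m["target"],
                     "status-probe" if probe else "webshell-access"))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Oct/2012:10:02:11 +0000] "GET /indx.php?action=status HTTP/1.1" 200 13 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Oct/2012:10:02:15 +0000] "POST /images/stcp.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Oct/2012:10:03:40 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Oct/2012:10:04:01 +0000] "GET /indx.php HTTP/1.1" 404 58 "-" "curl/7.26"',
]
```

Run it over a real access log with `scan_access_log(open(path))`; the source IPs of `status-probe` hits are the controller side and are worth correlating across hosts.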