[nsp-sec] DDoS: Compromised web servers: 20121016 - Round #2
Nick Ianelli
ni at allyourinfoarebelongto.us
Tue Oct 16 15:02:42 EDT 2012
Sorry, forgot the ASN summary information for this last list:
Nick
On 10/16/2012 06:50 PM, Nick Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> 143 new compromised web servers for today.
>
> Nick
>
> On 10/16/2012 12:57 PM, Nick Ianelli wrote:
>> ----------- nsp-security Confidential -------- 163 new
>> compromised web servers. ASN information below.
>
>> Nick
>
>
>> -------- Original Message --------
>
>>> Latest list of compromised web servers. They are absolutely
>>> killing vulnerable Joomla hosts.
>
>>> Been busy updating some of their scripts.
>
>>> stp.hp stcurl.php stmdu.php
>
>>> They also modified indx.php a bit:
>
>>> if ($_GET['action']=="status") { print "That is good"; exit(); }
>
>
>>> ****
>
>>> It should be noted that if you try and "GET" the indx.php
>>> without any parameters it will generate an error.
>
>>> Take a closer look at the 404 you are getting back, if you see
>>> the typo, the sites are still infected:
>
>>> "a 404 Not Foun derror was encountered"
>
>>> ****
>
>>> Nick
>
>>> -------- Original Message -------- Subject: DDoS: Compromised
>>> web servers (part 1) Date: Tue, 09 Oct 2012 02:51:33 +0000
>
>>> For those that haven't seen, tomorrow will kick off the
>>> continuation of DDoS attacks targeting various financial
>>> organizations. Current schedule:
>
>>> Capital One 20121009
>>> Suntrust 20121010
>>> Regions 20121011
>
>>> Attached are 160 new compromised web servers the malicious
>>> actors have added in the past 24 hours.
>
>>> ****
>
>>> It should be noted that if you try and "GET" the indx.php
>>> without any parameters it will generate an error.
>
>>> Take a closer look at the 404 you are getting back, if you see
>>> the typo, the sites are still infected:
>
>>> "a 404 Not Foun derror was encountered"
>
>>> ****
>
>>> Prior to distribution please remove any list or personally
>>> identifiable information from it.
>
>
>>> In addition to indx.php, the following files may exist in the
>>> same directory:
>
>>> stcp.php stip.php stph.php classtyle.php classtyle2.php
>
>>> The following URL discusses some of the issues at play here,
>>> but I don't believe all are Joomla compromises:
>
>>> http://forum.joomla.org/viewtopic.php?t=737503
>
>>> In working with your constituency, if you were able to obtain
>>> the files listed above (and any other files in the same
>>> directory) as well as any web access logs specific to the files
>>> listed above, I would be extremely interested and eternally
>>> grateful.
>
>>> Any questions, let me know.
>
>
>>> Here is a list of ASNs (by count) of what's in the attached
>>> file:
>
> _______________________________________________ nsp-security
> mailing list nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
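A small defensive triage helper for the two checks the quoted messages describe (the misspelled 404 returned by a bare GET of indx.php, and the dropper file names that sit beside it), added here as an example and not part of the thread. The sample response bodies and the temporary web root are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# File names the thread reports alongside indx.php (taken from the page).
DROPPED_FILES = {
    "indx.php", "stcurl.php", "stmdu.php", "stcp.php", "stip.php",
    "stph.php", "classtyle.php", "classtyle2.php",
}
# Misspelled error string the thread says infected hosts return on a
# parameterless GET of indx.php.
TYPO_MARKER = "Not Foun derror"


def response_indicates_infection(status: int, body: str) -> bool:
    """True when a bare GET produced a 404 carrying the typo signature."""
    return status == 404 and TYPO_MARKER in body


def find_dropped_files(webroot: str) -> dict[str, list[str]]:
    """Walk a web root and map each directory holding any of the named
    files (relative path) to the sorted list of names found there."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(webroot):
        found = sorted(f for f in files if f.lower() in DROPPED_FILES)
        if found:
            hits[os.path.relpath(dirpath, webroot)] = found
    return hits


def demo() -> tuple[bool, bool, dict[str, list[str]]]:
    # Constructed sample responses, not captured from a real host.
    infected = response_indicates_infection(
        404, "<html><body>a 404 Not Foun derror was encountered</body></html>")
    clean = response_indicates_infection(
        404, "<html><body>404 Not Found</body></html>")
    # Constructed web root: one benign directory, one with dropper names.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "images").mkdir()
        (Path(root) / "images" / "logo.png").write_bytes(b"")
        bad = Path(root) / "tmp"
        bad.mkdir()
        for name in ("indx.php", "stcurl.php", "classtyle.php"):
            (bad / name).write_text("<?php // placeholder, not real content\n")
        hits = find_dropped_files(root)
    return infected, clean, hits
```

Point find_dropped_files at a real document root to get the list of directories worth pulling files and access logs from, as the thread requests.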