[nsp-sec] DDoS target Capital One (Re: DDoS: Compromised web servers: 20121016)

Thomas Hungenberg th.lab at hungenberg.net
Wed Oct 17 10:45:41 EDT 2012


Yesterday, (some of) these servers attacked CapitalOne.

Attack command sent to one of the servers, seen at ~17.30 UTC:
208.80.48.53[#]443[#]1400[#]3750#

Stop command sent at ~00.30 UTC today.

NetRange:       208.80.48.0 - 208.80.51.255
CIDR:           208.80.48.0/22
OriginAS:       AS14392
NetName:        CAPITALONE


     - Thomas

CERT-Bund Incident Response & Anti-Malware Team


On 16.10.2012 14:57, Nick Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> 
> 163 new compromised web servers. ASN information below.
> 
> Nick
> 
> 
> -------- Original Message --------
> 
>> Latest list of compromised web servers. They are absolutely killing vulnerable Joomla hosts.
> 
>> Been busy updating some of their scripts.
> 
>> stp.hp stcurl.php stmdu.php
> 
>> They also modified indx.php a bit:
> 
>> if ($_GET['action']=="status") { print "That is good"; exit(); }
> 
> 
>> ****
> 
>> It should be noted that if you try and "GET" the indx.php without any parameters it will generate an error.
> 
>> Take a closer look at the 404 you are getting back, if you see the typo, the sites are still infected:
> 
>> "a 404 Not Foun derror was encountered'
> 
>> ****
> 
>> Nick
> 
>> -------- Original Message --------
>> Subject: DDoS: Compromised web servers (part 1)
>> Date: Tue, 09 Oct 2012 02:51:33 +0000
> 
>> For those that haven't seen, tomorrow will kick off the continuation of DDoS attacks targeting various financial organizations. Current schedule:
> 
>> Capital One  20121009
>> Suntrust     20121010
>> Regions      20121011
> 
>> Attached are 160 new compromised web servers the malicious actors have added in the past 24 hours.
> 
>> ****
> 
>> It should be noted that if you try and "GET" the indx.php without any parameters it will generate an error.
> 
>> Take a closer look at the 404 you are getting back, if you see the typo, the sites are still infected:
> 
>> "a 404 Not Foun derror was encountered'
> 
>> ****
> 
>> Prior to distribution please remove any list or personally identifiable information from it.
> 
> 
>> In addition to indx.php, the following files may exist in the same directory:
> 
>> stcp.php stip.php stph.php classtyle.php classtyle2.php
> 
>> The following URL discusses some of the issues at play here, but I don't believe all are Joomla compromises:
> 
>> http://forum.joomla.org/viewtopic.php?t=737503
> 
>> In working with your constituency, if you were able to obtain the files listed above (and any other files in the same directory) as well as any web access logs specific to the files listed
>> above, I would be extremely interested and eternally grateful.
> 
>> Any questions, let me know.
> 
> 
>> Here is a list of ASNs (by count) of what's in the attached file:
> 
> Count  ASN
> 9      47583, 36351, 21844
> 7      24940
> 6      32392
> 5      26496
> 3      8560, 21788, 13768
> 2      9123, 6939, 45538, 32613, 32475, 30496, 29671, 29073, 23535, 17660,
>        16276, 16265, 131353, 10297
> 1      9931, 9583, 8758, 8612, 8536, 8342, 8220, 786, 7303, 6677, 6648,
>        58495, 57010, 55660, 55449, 5483, 54641, 5408, 51559, 51167, 50109,
>        4837, 4812, 4765, 47544, 4750, 4739, 46636, 4538, 45324, 44553,
>        44128, 43773, 42926, 42807, 41406, 4134, 40034, 39729, 38895, 37963,
>        35622, 34788, 34619, 34011, 33182, 3292, 3243, 32244, 31309, 30475,
>        30408, 30058, 29802, 29278, 27175, 2716, 26347, 25532, 2529, 25074,
>        24262, 2200, 21949, 20857, 20545, 1930, 18403, 16509, 15756, 15685,
>        15497, 13618, 13354, 13335, 13237, 132241, 13193, 12129, 11388, 11042
> 
> Nick
> 
> 
> 
> 
> 
> _______________________________________________ nsp-security mailing list nsp-security at puck.nether.net https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures. 
> _______________________________________________
> 
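The indicators in this thread (the `IP[#]port[#]…#` command format, the misspelled "Not Foun derror" 404 page, the "That is good" status reply, and the script names that sit beside indx.php) pulled together into a small triage script. This is an added example, not code from the nsp-security list, Nick or CERT-Bund. The access-log lines and client addresses are constructed (TEST-NET ranges), the spelling stp.php next to the thread's stp.hp is my assumption, and the meaning of the two trailing numbers in the attack command is not given in the thread, so they are returned unlabelled.

```python
"""Triage helpers for the webshell / DDoS indicators in this thread.
Added example; sample data below is constructed, not from the list."""
import ipaddress
import re

# Filenames the thread reports alongside indx.php on compromised Joomla hosts.
# "stp.hp" is kept exactly as written in the message; "stp.php" is an assumed
# corrected spelling and is my addition.
WEBSHELL_FILES = {
    "indx.php", "stp.hp", "stp.php", "stcurl.php", "stmdu.php", "stcp.php",
    "stip.php", "stph.php", "classtyle.php", "classtyle2.php",
}

# Misspelled 404 text the thread says still-infected hosts return when
# indx.php is requested without parameters.
TYPO_404 = "a 404 Not Foun derror was encountered"
# Reply the modified indx.php prints for ?action=status.
STATUS_REPLY = "That is good"

# Capital One's range, from the whois excerpt in Thomas's message.
TARGET_NET = ipaddress.ip_network("208.80.48.0/22")

# Apache/nginx combined log format: client, timestamp, method, URL, status.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_attack_command(cmd):
    """Split a C2 line of the form IP[#]PORT[#]N1[#]N2# into its fields.

    Only the first two fields (target address, port) are identified by the
    thread; the remaining integers are returned unlabelled in 'extra'.
    """
    cmd = cmd.strip()
    if not cmd.endswith("#"):
        raise ValueError("command is not '#'-terminated")
    fields = cmd[:-1].split("[#]")
    if len(fields) < 2:
        raise ValueError("expected at least a target and a port")
    target = ipaddress.ip_address(fields[0])
    port = int(fields[1])
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    extra = tuple(int(f) for f in fields[2:])
    return {"target": str(target), "port": port, "extra": extra,
            "in_capitalone_range": target in TARGET_NET}


def host_looks_infected(status, body):
    """Classify an HTTP reply from a suspected indx.php on one of your hosts.

    True for the two fingerprints the thread describes: the misspelled 404
    page, or the bare status acknowledgement.
    """
    if status == 404 and TYPO_404 in body:
        return True
    return body.strip() == STATUS_REPLY


def scan_access_log(lines):
    """Return (client, method, path, status) for hits on known webshell names.

    Matching is on the exact basename so the legitimate index.php never
    collides with the look-alike indx.php.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, _ts, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() in WEBSHELL_FILES:
            hits.append((client, method, path, int(status)))
    return hits


# Constructed sample log (not from the thread): TEST-NET clients, timestamps
# chosen to fall inside the attack window Thomas reports.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Oct/2012:17:31:02 +0000] "GET /images/indx.php?action=status HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Oct/2012:17:31:09 +0000] "POST /images/stcurl.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Oct/2012:17:32:44 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Oct/2012:17:33:01 +0000] "GET /images/indx.php HTTP/1.1" 404 61 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(parse_attack_command("208.80.48.53[#]443[#]1400[#]3750#"))
    for hit in scan_access_log(SAMPLE_LOG):
        print("webshell request:", hit)
    print(host_looks_infected(404, "<p>a 404 Not Foun derror was encountered</p>"))
```

Run against real access logs, `scan_access_log` gives the per-file request history Nick asks constituents for, and `parse_attack_command` lets a responder confirm from a captured command whether the target falls in the announced victim's range before notifying them.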


