[nsp-sec] DDoS: Compromised web servers: 20121018
Nick Ianelli
ni at allyourinfoarebelongto.us
Thu Oct 18 11:57:35 EDT 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
115 new compromised web servers attached.
- -------- Original Message --------
>> Latest list of compromised web servers. They are absolutely
>> killing vulnerable Joomla hosts.
>
>> Been busy updating some of their scripts.
>
>> stp.hp stcurl.php stmdu.php
>
>> They also modified indx.php a bit:
>
>> if ($_GET['action']=="status") { print "That is good"; exit(); }
>
>
>> ****
>
>> It should be noted that if you try and "GET" the indx.php without
>> any parameters it will generate an error.
>
>> Take a closer look at the 404 you are getting back, if you see
>> the typo, the sites are still infected:
>
>> "a 404 Not Foun derror was encountered'
>
>> ****
>
>> Nick
>
>> -------- Original Message --------
>> Subject: DDoS: Compromised web servers (part 1)
>> Date: Tue, 09 Oct 2012 02:51:33 +0000
>
>> For those that haven't seen, tomorrow will kick off the
>> continuation of DDoS attacks targeting various financial
>> organizations. Current schedule:
>
>> Capital One  20121009
>> Suntrust     20121010
>> Regions      20121011
>
>> Attached are 160 new compromised web servers the malicious actors
>> have added in the past 24 hours.
>
>> ****
>
>> It should be noted that if you try and "GET" the indx.php without
>> any parameters it will generate an error.
>
>> Take a closer look at the 404 you are getting back, if you see
>> the typo, the sites are still infected:
>
>> "a 404 Not Foun derror was encountered'
>
>> ****
>
>> Prior to distribution please remove any list or personally
>> identifiable information from it.
>
>
>> In addition to indx.php, the following files may exist in the
>> same directory:
>
>> stcp.php stip.php stph.php classtyle.php classtyle2.php
>
>> The following URL discusses some of the issues at play here, but
>> I don't believe all are Joomla compromises:
>
>> http://forum.joomla.org/viewtopic.php?t=737503
>
>> In working with your constituency, if you were able to obtain the
>> files listed above (and any other files in the same directory) as
>> well as any web access logs specific to the files listed above, I
>> would be extremely interested and eternally grateful.
>
>> Any questions, let me know.
>
>
>> Here is a list of ASNs (by count) of what's in the attached
>> file:
6 47583
6 26496
6 24940
6 21844
5 45538
4 36351
4 32392
3 30496
3 26347
3 10297
2 4134
2 40034
2 33070
2 29550
2 21788
2 21069
2 1853
1 9123
1 8495
1 8422
1 8248
1 59441
1 57497
1 56067
1 55688
1 5408
1 51559
1 51468
1 51430
1 51088
1 50482
1 49792
1 4837
1 4812
1 4645
1 45544
1 4538
1 44286
1 39729
1 38895
1 37963
1 37943
1 34011
1 33668
1 3320
1 33182
1 32475
1 29873
1 29619
1 29182
1 24961
1 23871
1 22923
1 22878
1 21003
1 20773
1 20473
1 20454
1 1945
1 19262
1 18450
1 16637
1 16097
1 15244
1 15083
1 14259
1 13768
1 12824
1 12322
1 12306
1 12260
1 11042
Nick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAlCAJu8ACgkQi10dJIBjZIDDAgCfUX1/UW343nXULuWV/XMlz4On
vCgAn1b9PBctrfTbOc/xwIE+4oEpAkcc
=/Wls
-----END PGP SIGNATURE-----
-------------- next part --------------
21844 | 74.55.97.180 | US | http://74.55.97.180/calvinc3/calendar//includes/indx.php | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
5408 | 195.251.123.232 | GR | http://aetos.it.teithe.gr/antcha/joomla/administrator/templates/bluestork/indx.php | GR-NET Greek Research & Technology Network, http://www.grnet.gr
21788 | 184.82.244.150 | US | http://blackpanther.co.in/installation/indx.php | NOC - Network Operations Center Inc.
4812 | 114.80.209.195 | CN | http://hztaoche.com/10-20/indx.php | CHINANET-SH-AP China Telecom (Group)
15083 | 65.111.174.48 | US | http://maximilian-jewellery.com/setup/indx.php | INFOLINK-MIA-US - Infolink
30496 | 199.26.84.154 | US | http://news.dl8.org/indx.php | COLO4 - Colo4, LLC
30496 | 199.26.84.154 | US | http://news.today-download.com/indx.php | COLO4 - Colo4, LLC
12260 | 68.65.197.124 | US | http://nikkilowbag.com/administrator/indx.php | COLOSTORE - Colostore.com
11042 | 209.140.23.83 | US | http://nikou.edu.gr/libraries/indx.php | LANDIS-HOLDINGS-INC - Landis Holdings Inc
34011 | 80.67.28.70 | DE | http://ninaundwalter.de//indx.php | DOMAINFACTORY domainfactory GmbH
33668 | 173.162.37.67 | US | http://oaklandhillsestate.com/clientportal/indx.php | CMCS - Comcast Cable Communications, Inc.
12322 | 212.27.63.129 | FR | http://ofrederic.free.fr/templates/beez/indx.php | PROXAD Free SAS
24940 | 176.9.92.88 | DE | http://old.ghalekash.com/templates/beez/indx.php | HETZNER-AS Hetzner Online AG RZ
26496 | 184.168.58.1 | US | http://oldschoolboxingandfitnesscenter.com/templates/beez/indx.php | AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC
10297 | 209.190.85.35 | US | http://omiss.zobyhost.com/templates/beez/indx.php | ENET-2 - eNET Inc.
15244 | 67.210.98.135 | US | http://over-eazy.com/atlasproshop/templates/beez/indx.php | ADDD2NET-COM-INC-DBA-LUNARPAGES - Lunar Pages
24940 | 5.9.22.233 | DE | http://ozdensapka.net/wp-content/themes/twentyten/indx.php | HETZNER-AS Hetzner Online AG RZ
26347 | 69.163.174.197 | US | http://pa.karmy.com//includes/indx.php | DREAMHOST-AS - New Dream Network, LLC
51430 | 79.142.76.3 | NL | http://paradisew.net/indx.php | ALTUSHOST-NET ALTUSHOST INC.
29550 | 31.193.138.152 | GB | http://patchwaytowncouncil.gov.uk/wordpress/wp-content/plugins/akismet/indx.php | SIMPLYTRANSIT Simply Transit Ltd
1945 | 140.77.167.31 | FR | http://perso.ens-lyon.fr/bogdan.pasca/webcalendar//includes/indx.php | FR-LYRES Lyon Recherche et Enseignement Supérieur (LyRES)
36351 | 184.173.29.33 | US | http://pokerpressbox.com/indx.php | SOFTLAYER - SoftLayer Technologies Inc.
21069 | 80.74.135.111 | CH | http://politano.ch/webcalendar//includes/indx.php | ASN-METANET METANET AG, Switzerland
40034 | 208.91.197.101 | VG | http://pooshakmaryam.com/templates/beez/indx.php | CONFLUENCE-NETWORK-INC - Confluence Networks Inc
10297 | 209.190.121.40 | US | http://pooshakmilano.com/templates/beez/indx.php | ENET-2 - eNET Inc.
40034 | 208.91.197.101 | VG | http://pooshasb.com/images/indx.php | CONFLUENCE-NETWORK-INC - Confluence Networks Inc
26347 | 69.163.237.220 | US | http://prathimaeducation.org/plugins/system/indx.php | DREAMHOST-AS - New Dream Network, LLC
36351 | 184.172.225.65 | US | http://praticoescritorios.com.br/sala_b//includes/indx.php | SOFTLAYER - SoftLayer Technologies Inc.
32392 | 173.83.194.216 | US | http://promarklat.com/calendario//includes/indx.php | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation
4645 | 203.169.229.53 | HK | http://protrek.com.hk/plugins/system/indx.php | ASN-HKNET-AP HKNet Co. Ltd
21844 | 174.120.70.143 | US | http://pta-gorontalo.go.id/administrator/indx.php | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
39729 | 81.88.48.97 | IT | http://publinorte.pt/pt/indx.php | REGISTER-AS Register.IT S.p.A.
47583 | 31.170.161.136 | US | http://pueba1235.site11.com//components/com_oziogallery2/imagin/indx.php | HOSTING-MEDIA Hostinger International Limited
45538 | 112.78.2.132 | VN | http://quangphat.vn/plugins/system/indx.php | ODS-AS-VN Online data services
38895 | 122.248.251.230 | SG | http://qultima.deekshasystems.com/www//content/editor_templates/indx.php | AMAZON-AS-AP Amazon.com Tech Telecom
47583 | 31.170.161.36 | US | http://radiogalileo.hostzi.com//addons/lightbox/indx.php | HOSTING-MEDIA Hostinger International Limited
36351 | 74.86.74.96 | US | http://reachfoundationonline.org/administrator/indx.php | SOFTLAYER - SoftLayer Technologies Inc.
59441 | 5.144.130.33 | IR | http://resalat.sch.ir/templates/beez/indx.php | HOSTIRANNETWORKS TELECOM FEED IRANIAN Co.
47583 | 31.170.161.76 | US | http://richloes.webatu.com//addons/lightbox/indx.php | HOSTING-MEDIA Hostinger International Limited
16097 | 109.237.138.38 | DE | http://roenpage.de//components/com_oziogallery2/imagin/indx.php | HLKOMM HL komm Telekommunikations GmbH
24940 | 78.46.45.86 | DE | http://rosminianshouse.altervista.org//components/com_oziogallery2/imagin/indx.php | HETZNER-AS Hetzner Online AG RZ
26496 | 50.63.214.1 | US | http://rsc.registrosocialcubano.net//components/com_oziogallery2/imagin/indx.php | AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC
20473 | 209.222.13.206 | US | http://sahibzaman.com/templates/beez/indx.php | AS-CHOOPA - Choopa, LLC
33182 | 67.23.226.169 | US | http://salvadorfamily.net//indx.php | DIMENOC - HostDime.com, Inc.
3320 | 80.150.6.143 | DE | http://schnelle-germany.de/WebCalendar//includes/indx.php | DTAG Deutsche Telekom AG
22923 | 198.144.159.102 | CA | http://s-dad-p.com/templates/beez/indx.php | YESUP-389 - Yesup Ecommerce Solutions Inc.
13768 | 72.51.41.86 | US | http://seniorsolutionsexpertonlineeducation.skillspark.net//content/editor_templates/indx.php | PEER1 - Peer 1 Network Inc.
51559 | 95.173.167.150 | TR | http://sevgiplatformu.info/indx.php | NETINTERNET Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti.
29550 | 115.124.117.240 | IN | http://shakeithull.co.uk/wp-admin/indx.php | SIMPLYTRANSIT Simply Transit Ltd
29619 | 194.150.164.15 | RU | http://shell.orient-sp.ru/products_files/indx.php | LMS-TELECOM-AS Lenmontazhstroy-Telecom CJSC
57497 | 158.58.185.158 | IR | http://shopping.sabakarbar.com/templates/beez/indx.php | FARASOSAMANEHPASARGAD Faraso Samaneh Pasargad Ltd.
29182 | 92.63.103.110 | RU | http://shortwave.ru/products_files/indx.php | ISPSYSTEM-AS ISPsystem Autonomous System
24940 | 78.46.92.147 | DE | http://simpatikecanagli.altervista.org/templates/beez/indx.php | HETZNER-AS Hetzner Online AG RZ
32392 | 66.116.194.37 | US | http://singletakemovies.com/administrator/indx.php | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation
36351 | 96.125.165.191 | US | http://sitetalkzone.com/indx.php | SOFTLAYER - SoftLayer Technologies Inc.
55688 | 101.50.1.27 | ID | http://smkkesehatansurabaya.sch.id/administrator/templates/bluestork/indx.php | BEON-AS-ID PT. Beon Intermedia
1853 | 193.170.246.169 | AT | http://sok-web.salzburg.at/faq/admin/editor/plugins/ajaxfilemanager/inc/indx.php | ACONET ACOnet Backbone
1853 | 193.170.246.169 | AT | http://sok-web.salzburg.at/faq/indx.php | ACONET ACOnet Backbone
24961 | 46.20.36.234 | DE | http://space.iconnection.gr/components/com_smartformer/files/indx.php | FIBREONE-AS myLoc managed IT AG
44286 | 89.207.145.22 | AT | http://sprachschulelive.net/www//content/editor_templates/indx.php | XIP-AS crossip communications gmbh
26496 | 184.168.53.1 | US | http://stampedconcretedesigns.net/templates/beez/indx.php | AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC
9123 | 92.53.113.71 | RU | http://stockoptom.com/engine/indx.php | TIMEWEB-AS OOO TimeWeb
49792 | 80.82.16.10 | PL | http://stomart.one.pl//wp-content/plugins/P_music_player/indx.php | IONIC-PL-AS PAWEL JOZEF NAJDEK
51468 | 46.30.211.60 | DK | http://store.lightzone.dk/templates/beez/indx.php | ONECOM One.com A/S
30496 | 204.197.250.25 | US | http://stxaviers.net/webcal//includes/indx.php | COLO4 - Colo4, LLC
4134 | 122.224.9.154 | CN | http://tao.homejz.com/indx.php | CHINANET-BACKBONE No.31,Jin-rong Street
21844 | 74.53.93.21 | US | http://tautrust.com//components/com_oziogallery2/imagin/indx.php | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
26496 | 97.74.144.177 | US | http://teapartymaui.com/data/templates/beez/indx.php | AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC
50482 | 212.154.192.43 | KZ | http://techcentr.kz/templates/beez/indx.php | KAZAKHTELECOM-AS JSC Kazakhtelecom
14259 | 190.98.219.14 | CL | http://tenisdemesaosorno.cl/cal//includes/indx.php | Gtd Internet S.A.
45544 | 112.213.87.28 | VN | http://th9702.com/templates/beez/indx.php | PAVIETNAM-AS-VN PAVIETNAM Co.,Ltd
21844 | 174.120.190.2 | US | http://thecomputernutz.com/Schedule//includes/indx.php | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
32475 | 184.154.68.250 | US | http://thedamgeek.com/calendar//includes/indx.php | SINGLEHOP-INC - SingleHop
26496 | 182.50.135.128 | SG | http://thefrs.net/lms/www//content/editor_templates/indx.php | AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC
29873 | 65.254.248.202 | US | http://thehaqs.com//indx.php | BIZLAND-SD - The Endurance International Group, Inc.
47583 | 31.170.163.110 | US | http://thelunchtable.comyr.com/FCMS_2.3//indx.php | HOSTING-MEDIA Hostinger International Limited
45538 | 112.78.2.92 | VN | http://thuanhungads.com/templates/beez/indx.php | ODS-AS-VN Online data services
4538 | 125.223.156.9 | CN | http://tirl.ccut.edu.cn/jpkk/templates/beez/indx.php | ERX-CERNET-BKB China Education and Research Network Center
20773 | 46.163.124.82 | DE | http://tiyawethiopiatours.com/site/templates/beez/indx.php | HOSTEUROPE-AS Host Europe GmbH
16637 | 41.203.16.18 | ZA | http://toptronic.com/classes/indx.php | MTNNS-AS
12306 | 213.83.63.58 | DE | http://tourismus-oldenswort.de/Termine//includes/indx.php | PLUSLINE Plus.Line AG
18450 | 50.115.44.142 | US | http://tpaco.ir/co/templates/beez/indx.php | WEBNX - WebNX
33070 | 173.203.203.244 | US | http://train.hightopco.com/HighTop/www//content/editor_templates/indx.php | RMH-14 - Rackspace Hosting
33070 | 173.203.203.244 | US | http://train.hightopco.com/monarch/www//content/editor_templates/indx.php | RMH-14 - Rackspace Hosting
21069 | 80.74.153.84 | CH | http://trainsquad.net/www//content/editor_templates/indx.php | ASN-METANET METANET AG, Switzerland
45538 | 112.78.8.133 | VN | http://traitimthienthan.com/trangchu/templates/beez/indx.php | ODS-AS-VN Online data services
8495 | 194.117.254.44 | DE | http://transfair.lu/WebCalendar//includes/indx.php | INTERNET_AG INTERNET AG Global Network
21003 | 41.208.68.109 | LY | http://tripolicg.com/templates/beez/indx.php | GPTC-AS
23871 | 125.62.79.94 | AU | http://tropicaldesigns.com.au/administrator/templates/bluestork/indx.php | AINS-AS-AP Australia Internet Solutions
32392 | 50.118.16.2 | US | http://tsormusicworld.com/administrator/indx.php | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation
32392 | 50.118.16.2 | US | http://tsormusicworld.com/administrator/templates/khepri/indx.php | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation
45538 | 125.253.117.10 | VN | http://tuandecal.net/libraries/phpmailer/language/indx.php | ODS-AS-VN Online data services
47583 | 31.170.160.229 | US | http://two4gear.host56.com//addons/lightbox/indx.php | HOSTING-MEDIA Hostinger International Limited
4134 | 122.224.9.154 | CN | http://uc.homejz.com/indx.php | CHINANET-BACKBONE No.31,Jin-rong Street
24940 | 78.46.89.66 | DE | http://umbanda.altervista.org/templates/beez/indx.php | HETZNER-AS Hetzner Online AG RZ
37963 | 223.6.96.174 | CN | http://uniquelh.com//components/com_oziogallery2/imagin/indx.php | CNNIC-ALIBABA-CN-NET-AP Alibaba (China) Technology Co., Ltd.
8422 | 87.79.237.252 | DE | http://unterricht.sportbootschule.tv/www//content/editor_templates/indx.php | NETCOLOGNE NETCOLOGNE AS
22878 | 207.45.187.90 | US | http://usblocks.com//indx.php | ASACENET1 - ACENET, INC.
8248 | 194.63.235.155 | GR | http://users.sch.gr/mitsman1970//components/com_oziogallery2/imagin/indx.php | GR-EDUNET Greek High-School Internet Network
24940 | 46.4.105.172 | DE | http://ustron.enoclegi-campingi.pl/administrator/templates/bluestork/indx.php | HETZNER-AS Hetzner Online AG RZ
47583 | 31.170.162.163 | US | http://visionshop.net76.net//addons/lightbox/indx.php | HOSTING-MEDIA Hostinger International Limited
45538 | 112.78.2.163 | VN | http://vitinhkimlong.com/includes/Archive/indx.php | ODS-AS-VN Online data services
20454 | 174.138.160.171 | US | http://vpl-bd.com/templates/beez/indx.php | SSASN2 - SECURED SERVERS LLC
56067 | 119.59.120.2 | TH | http://watnonglee.com//components/com_oziogallery2/imagin/indx.php | METRABYTE-TH 453 Ladplacout Jorakhaebua
21844 | 74.52.23.152 | US | http://website2backup.com/forum/indx.php | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
21788 | 96.9.162.3 | US | http://wigos.com.ar/indx.php | NOC - Network Operations Center Inc.
21844 | 174.132.104.98 | US | http://wild.org.za/calendar//includes/indx.php | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
10297 | 209.190.85.6 | US | http://winwinalite.biz/templates/beez/indx.php | ENET-2 - eNET Inc.
26347 | 69.163.213.11 | US | http://work.saamin.com/templates/beez/indx.php | DREAMHOST-AS - New Dream Network, LLC
26496 | 97.74.215.186 | US | http://worldmentoringacademy.com//content/editor_templates/indx.php | AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC
19262 | 71.251.90.227 | US | http://ww2.websitetampa.com/healthys/templates/beez/indx.php | VZGNI-TRANSIT - Verizon Online LLC
51088 | 84.243.195.130 | NL | http://www.2comm.nl/uploads/indx.php | A2B A2B Internet B.V.
12824 | 89.161.190.12 | PL | http://www.2liceum.eu/templates/beez/indx.php | HOMEPL-AS home.pl sp. z o.o.
4837 | 116.255.155.106 | CN | http://www.hbgyzz.cn/xxzt//5/52/521//indx.php | CHINA169-BACKBONE CNCGROUP China169 Backbone
37943 | 116.255.155.106 | CN | http://www.hbgyzz.cn/xxzt//5/52/521//indx.php | CNNIC-GIANT ZhengZhou GIANT Computer Network Technology Co., Ltd
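Added example (not code from Nick's message or the nsp-sec archive): a small Python triage helper for the attachment above. It parses the "ASN | IP | CC | URL | AS name" lines, rebuilds the per-ASN count summary given in the message, flags a 404 body that carries the "Foun derror" typo the message describes, and picks requests to the named drop files out of web access logs, which is the evidence the message asks constituencies to collect. The three report lines are copied from the attachment; the access-log lines, client addresses and 404 body are constructed, and the log format is assumed to be Apache combined.

```python
"""Triage helpers for the compromised-web-server list in this nsp-sec post.

Added example, not code from the original message. The three report lines
below are copied from the attachment to show its format; the access-log
lines (assumed Apache combined format) and the 404 body are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# File names the post says are dropped next to indx.php on an infected host.
DROPPED_FILES = {"indx.php", "stcp.php", "stip.php", "stph.php",
                 "classtyle.php", "classtyle2.php", "stcurl.php", "stmdu.php"}

# The typo in the 404 body that, per the post, marks a still-infected host.
TYPO_MARKER = "Not Foun derror"

# Format of the attachment: ASN | IP | CC | URL | AS name (copied lines).
SAMPLE_REPORT_LINES = [
    "21844 | 74.55.97.180 | US | http://74.55.97.180/calvinc3/calendar//includes/indx.php | THEPLANET-AS - ThePlanet.com Internet Services, Inc.",
    "30496 | 199.26.84.154 | US | http://news.dl8.org/indx.php | COLO4 - Colo4, LLC",
    "30496 | 199.26.84.154 | US | http://news.today-download.com/indx.php | COLO4 - Colo4, LLC",
]

# Constructed Apache combined-format lines (documentation IPs, made-up times).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [18/Oct/2012:14:44:01 +0000] "GET /templates/beez/indx.php?action=status HTTP/1.1" 200 13 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:14:44:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Oct/2012:14:45:10 +0000] "POST /templates/beez/stcurl.php HTTP/1.1" 200 0 "-" "curl/7.21.0"',
]

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def parse_report_line(line):
    """Split one 'ASN | IP | CC | URL | AS name' line into a dict.

    'dir' is the directory holding indx.php, which is where the hosting
    provider should look for the sibling files in DROPPED_FILES.
    """
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        raise ValueError(f"unexpected field count in {line!r}")
    asn, ip, cc, url, asname = parts
    path = urlparse(url).path
    return {"asn": int(asn), "ip": ip, "cc": cc, "url": url, "asname": asname,
            "host": urlparse(url).hostname, "dir": path.rpartition("/")[0] + "/"}


def count_by_asn(records):
    """Rebuild the per-ASN count summary the post gives, most-hit ASN first."""
    return Counter(r["asn"] for r in records).most_common()


def looks_still_infected(body_404):
    """True if a 404 body carries the 'Foun derror' typo the post describes."""
    return TYPO_MARKER in body_404


def hits_on_dropped_files(log_lines):
    """Return (client_ip, path, query) for requests to any of the dropped files.

    Matching on the exact misspelled basename ('indx.php') keeps the
    legitimate 'index.php' traffic out of the result.
    """
    hits = []
    for ln in log_lines:
        m = _LOG_RE.match(ln)
        if not m:
            continue
        client_ip, target = m.groups()
        path, _, query = target.partition("?")
        if path.rpartition("/")[2] in DROPPED_FILES:
            hits.append((client_ip, path, query))
    return hits


if __name__ == "__main__":
    records = [parse_report_line(l) for l in SAMPLE_REPORT_LINES]
    for asn, n in count_by_asn(records):
        print(f"{n} {asn}")
    for r in records:
        print(f"{r['host']}: check {r['dir']} for {sorted(DROPPED_FILES)}")
    print("still infected:", looks_still_infected("<p>a 404 Not Foun derror was encountered</p>"))
    for hit in hits_on_dropped_files(SAMPLE_ACCESS_LOG):
        print("access-log hit:", hit)
```

Feed the whole attachment to parse_report_line to get the per-provider breakdown for abuse notifications, and run hits_on_dropped_files over the affected host's access logs to collect the request history the message asks for; the query string of each hit shows whether the probe used the action=status check from the modified indx.php.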