[nsp-sec] DDoS: Compromised web servers -- Round 3

Darren Grabowski drg at us.ntt.net
Wed Sep 26 13:44:22 EDT 2012


ack 2914.

On Sep 26, 2012, at 9:36 AM, Nick Ianelli <ni at allyourinfoarebelongto.us> wrote:

> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Round three!
> 
> I was able to identify 304 new hosts that they might be utilizing for
> their DDoS attacks. This is the first time I've seen these hosts, so I
> haven't notified anyone.
> 
> The request below still stands; logs and files would be awesome, best
> effort though.
> 
> ASN count is below original message (I removed the old one).
> 
> These guys aren't stopping and continue to build their botnet.
> 
> It should be noted that if you try and "GET" the indx.php without any
> parameters it will generate an error.
> 
> Take a closer look at the 404 you are getting back; if you see the
> typo, the sites are still infected:
> 
> "a 404 Not Foun derror was encountered'
> 
> 
> 
>>> Attached is a list being tracked by the malicious actors of 6206
>>> compromised web servers. Some of these have already been
>>> notified and cleaned up, for the others please distribute as you
>>> see fit. Prior to distribution please remove any list or
>>> personally identifiable information from it.
>> 
>> 
>>> In addition to indx.php, the following files may exist in the
>>> same directory:
>> 
>>> stcp.php stip.php stph.php classtyle.php classtyle2.php
>> 
>>> The following URL discusses some of the issues at play here, but
>>> I don't believe all are Joomla compromises:
>> 
>>> http://forum.joomla.org/viewtopic.php?t=737503
>> 
>>> In working with your constituency, if you were able to obtain the
>>> files listed above (and any other files in the same directory)
>>> as well as any web access logs specific to the files listed
>>> above, I would be extremely interested and eternally grateful.
>> 
>> 
> 
> Count   | ASN
> 
> 
>     21 46606
>     10 21844
>      9 8560
>      8 21788
>      7 51468
>      6 47583
>      6 32392
>      6 32244
>      6 24940
>      6 16276
>      5 4808
>      4 44112
>      4 36351
>      4 29873
>      4 28753
>      4 20773
>      4 15967
>      3 8358
>      3 5606
>      3 4847
>      3 32613
>      3 21069
>      3 1853
>      3 16626
>      3 16265
>      3 12824
>      3 12637
>      3 10297
>      2 9929
>      2 51696
>      2 51557
>      2 48539
>      2 46475
>      2 46433
>      2 43362
>      2 42289
>      2 4134
>      2 40975
>      2 33182
>      2 33070
>      2 32475
>      2 30968
>      2 30496
>      2 29802
>      2 2914
>      2 26496
>      2 25653
>      2 23724
>      2 23352
>      2 21155
>      2 20738
>      2 19066
>      2 15418
>      2 15244
>      2 13335
>      1 9931
>      1 9371
>      1 9370
>      1 9249
>      1 9143
>      1 9050
>      1 8972
>      1 8685
>      1 8536
>      1 852
>      1 8447
>      1 8342
>      1 8315
>      1 8262
>      1 7725
>      1 7595
>      1 7506
>      1 7162
>      1 6939
>      1 6830
>      1 6648
>      1 58477
>      1 57497
>      1 5618
>      1 55830
>      1 5503
>      1 51905
>      1 51562
>      1 51559
>      1 50833
>      1 50819
>      1 4837
>      1 48287
>      1 47894
>      1 46506
>      1 46015
>      1 45538
>      1 45287
>      1 42926
>      1 42331
>      1 41772
>      1 38197
>      1 36444
>      1 3596
>      1 35818
>      1 35662
>      1 3464
>      1 33660
>      1 3303
>      1 3292
>      1 31815
>      1 31727
>      1 31477
>      1 31178
>      1 30902
>      1 29944
>      1 29695
>      1 29650
>      1 29550
>      1 29405
>      1 29017
>      1 28747
>      1 27823
>      1 2614
>      1 25563
>      1 25535
>      1 25234
>      1 25137
>      1 24994
>      1 24971
>      1 24731
>      1 24207
>      1 24176
>      1 23974
>      1 23702
>      1 23367
>      1 23127
>      1 22878
>      1 22356
>      1 2119
>      1 20860
>      1 20141
>      1 19318
>      1 19237
>      1 18403
>      1 17971
>      1 174
>      1 16243
>      1 16010
>      1 15756
>      1 15659
>      1 15083
>      1 14259
>      1 13768
>      1 13354
>      1 13213
>      1 132085
>      1 131353
>      1 12695
>      1 12552
>      1 12350
>      1 11042
>      1 10474
> 
> 
> Nick
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
> 
> iEYEARECAAYFAlBjEuEACgkQi10dJIBjZIAMmwCcCdSuwAPEU559k6whfkH5wtxv
> xrUAn26+uYaVSoOcu3nFzD7lKL2x4w3c
> =Qu32
> -----END PGP SIGNATURE-----
> <20120925_v2_new_tier1_asn.txt><20120925_v2_new_tier1_asn.txt.sig>
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
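The detection points Nick lists above (the file names that sit beside indx.php, and the typo in the 404 page) turned into a checker an operator can run against their own web servers, as an added example that is not code from the original post or the nsp-security list. It flags requests for the named files in Apache/nginx "combined" format access logs (the log format is an assumption), tallies them per file and per client, and tests a 404 body for the marker string. The sample log lines and 404 bodies are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter

# File names the post says may exist in the same directory as indx.php.
SUSPECT_FILES = {
    "indx.php", "stcp.php", "stip.php", "stph.php",
    "classtyle.php", "classtyle2.php",
}

# The typo in the 404 page that the post says identifies a still-infected host.
INFECTION_MARKER = "404 Not Foun derror"

# Apache/nginx "combined" log format (assumption: this is what the host logs in).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Match on the basename only, with the query string split off, so
    # /images/indx.php?x=1 and /indx.php both count and index.php does not.
    path, _, query = rec["path"].partition("?")
    rec["basename"] = path.rsplit("/", 1)[-1]
    rec["query"] = query
    return rec


def find_suspect_requests(lines):
    """Return parsed records for every request to one of the suspect files."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["basename"] in SUSPECT_FILES:
            hits.append(rec)
    return hits


def summarize(hits):
    """Tally hits per requested file and per client IP, so an operator can see
    which files are being driven and from where before pulling the files."""
    return {
        "by_file": Counter(h["basename"] for h in hits),
        "by_client": Counter(h["ip"] for h in hits),
    }


def body_shows_infection(body):
    """True if a 404 response body carries the typo the post describes."""
    return INFECTION_MARKER in body


# Constructed sample log lines (not real traffic); addresses are from RFC 5737.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2012:09:31:02 -0400] "GET /images/indx.php?id=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2012:09:31:05 -0400] "POST /images/stcp.php HTTP/1.1" 200 19 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Sep/2012:09:32:11 -0400] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Sep/2012:09:32:12 -0400] "GET /images/classtyle2.php HTTP/1.1" 200 55 "-" "curl/7.21"',
    # A parameterless GET, which the post says produces an error on infected hosts.
    '192.0.2.44 - - [26/Sep/2012:09:33:40 -0400] "GET /images/indx.php HTTP/1.1" 404 301 "-" "Mozilla/5.0"',
]

# Constructed 404 bodies: one carrying the typo, one from a normal server.
INFECTED_404 = "<html><body>a 404 Not Foun derror was encountered</body></html>"
CLEAN_404 = "<html><body>404 Not Found: the requested URL was not found.</body></html>"


if __name__ == "__main__":
    hits = find_suspect_requests(SAMPLE_LOG)
    report = summarize(hits)
    for name, count in report["by_file"].most_common():
        print(f"{count:4d} {name}")
    for ip, count in report["by_client"].most_common():
        print(f"{count:4d} {ip}")
    print("infected marker present:", body_shows_infection(INFECTED_404))
```

Run it against a real log with `find_suspect_requests(open(path))`; the per-client tally is what to hand over with the files and logs the post asks for, after the list or personally identifiable information has been stripped as the original request says.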
