[nsp-sec] DDoS: Compromised web servers -- Round 4
Nick Ianelli
ni at allyourinfoarebelongto.us
Thu Sep 27 22:26:05 EDT 2012
Man this is getting old.
935 new compromised web servers added to this botnet.
I've notified a number of national CSIRTs and some ISPs.
Please do what you can to crush these.
Nick
> I was able to identify 304 new hosts that they might be utilizing
> for their DDoS attacks. This is the first time I've seen these
> hosts, so I haven't notified anyone.
>
> The below request still exists, logs and files would be awesome,
> best effort though.
>
> ASN count is below original message (I removed the old one).
>
> These guys aren't stopping and continue to build their botnet.
>
> It should be noted that if you try and "GET" the indx.php without
> any parameters it will generate an error.
>
> Take a closer look at the 404 you are getting back, if you see the
> typo, the sites are still infected:
>
> "a 404 Not Foun derror was encountered'
>
>
>
>>> Attached is a list being tracked by the malicious actors of
>>> 6206 compromised web servers. Some of these have already been
>>> notified and cleaned up, for the others please distribute as
>>> you see fit. Prior to distribution please remove any list or
>>> personally identifiable information from it.
>
>
>>> In addition to indx.php, the following files may exist in the
>>> same directory:
>
>>> stcp.php stip.php stph.php classtyle.php classtyle2.php
>
>>> The following URL discusses some of the issues at play here,
>>> but I don't believe all are Joomla compromises:
>
>>> http://forum.joomla.org/viewtopic.php?t=737503
>
>>> In working with your constituency, if you were able to obtain
>>> the files listed above (and any other files in the same
>>> directory) as well as any web access logs specific to the files
>>> listed above, I would be extremely interested and eternally
>>> grateful.
Nick
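
A log-triage sketch for the file names and the fake-404 typo given in the message above. This is an added example, not part of the original email; the combined log format, the function names and the sample log lines (including the query string) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# File names listed in the message above.
IOC_FILES = {"indx.php", "stcp.php", "stip.php", "stph.php",
             "classtyle.php", "classtyle2.php"}
# Typo from the fake 404 page quoted in the message above.
FAKE_404_MARKER = "Not Foun derror"

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_fake_404(body: str) -> bool:
    """True if an error page body carries the typo the message describes."""
    return FAKE_404_MARKER.lower() in body.lower()

def scan_access_log(lines):
    """Group requests for the listed file names by the directory they sit in.

    Returns {directory: [(timestamp, client_ip, method, file, status), ...]},
    which also tells a responder which directory to collect files from.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = PurePosixPath(urlsplit(m["target"]).path)  # drop the query string
        if path.name.lower() in IOC_FILES:
            hits[str(path.parent)].append(
                (m["ts"], m["ip"], m["method"], path.name, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Sep/2012:21:00:01 -0400] "POST /images/indx.php?param=value HTTP/1.1" 200 15 "-" "-"',
    '198.51.100.7 - - [27/Sep/2012:21:00:05 -0400] "GET /images/stcp.php HTTP/1.1" 200 120 "-" "-"',
    '203.0.113.5 - - [27/Sep/2012:21:01:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [27/Sep/2012:21:02:00 -0400] "GET /blog/classtyle2.php HTTP/1.1" 404 310 "-" "-"',
]

if __name__ == "__main__":
    for directory, rows in scan_access_log(SAMPLE_LOG).items():
        print(directory, rows)
```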