[nsp-sec] DDoS: Compromised web servers
Darren Grabowski
drg at us.ntt.net
Fri Sep 28 10:03:32 EDT 2012
ACK 2914.
On Sep 27, 2012, at 5:45 AM, Thomas Hungenberg <th.lab at hungenberg.net> wrote:
> ----------- nsp-security Confidential --------
>
> Nick,
>
> thanks for the three lists of compromised webservers.
> We'll notify the responsible German ISPs (who are not represented on this list themselves).
>
>
> - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
>
> On 25.09.2012 19:46, Nick Ianelli wrote:
>>
>> Attached is a list being tracked by the malicious actors of 6206 compromised web servers. Some of these have already been notified and cleaned up, for the others please distribute as you see fit.
>> Prior to distribution please remove any list or personally identifiable information from it.
>>
>>
>> In addition to indx.php, the following files may exist in the same directory:
>>
>> stcp.php stip.php stph.php classtyle.php classtyle2.php
>>
>> The following URL discusses some of the issues at play here, but I don't believe all are Joomla compromises:
>>
>> http://forum.joomla.org/viewtopic.php?t=737503
>>
>> In working with your constituency, if you were able to obtain the files listed above (and any other files in the same directory) as well as any web access logs specific to the files listed above,
>> I would be extremely interested and eternally grateful.
>>
>> Any questions, let me know.
>>
>>
>> Here is a list of ASNs (by count) of what's in the attached file:
>>
>>
>>
>>
>> Cheers, Nick
>>
>>
>>
>>
>>
>> _______________________________________________ nsp-security mailing list nsp-security at puck.nether.net https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>>
>
>
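The collection request in the quoted message (the files sitting next to indx.php, plus the access-log entries for them) can be scripted on an affected host. The following is an added example, not part of the original thread: the function names, the docroot argument and the combined-log-format assumption are illustrative, and the sample log lines are constructed.

```python
import hashlib
import os
import re
from datetime import datetime, timezone

# File names taken from the quoted message above.
INDICATOR_NAMES = {"indx.php", "stcp.php", "stip.php", "stph.php",
                   "classtyle.php", "classtyle2.php"}

def find_suspect_dirs(docroot):
    """Return {directory: [(name, sha256, mtime_utc, is_indicator), ...]} for every
    directory under docroot that holds at least one of the named files."""
    report = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if not INDICATOR_NAMES & {f.lower() for f in files}:
            continue
        entries = []  # inventory every file in the directory, not only the named ones
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip broken symlinks and special files
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).isoformat()
            entries.append((name, digest, mtime, name.lower() in INDICATOR_NAMES))
        report[dirpath] = entries
    return report

# Request field of a common/combined log format entry: "METHOD /path?query HTTP/x"
_REQ = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

def matching_log_lines(lines):
    """Keep access-log lines whose requested path ends in one of the named files."""
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]  # ignore the query string
        if path.rsplit("/", 1)[-1].lower() in INDICATOR_NAMES:
            hits.append(line.rstrip("\n"))
    return hits

# Constructed sample log lines (documentation addresses, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2012:10:00:01 +0000] "GET /images/indx.php HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.11 - - [25/Sep/2012:10:00:02 +0000] "GET /index.php?x=indx.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [25/Sep/2012:10:00:03 +0000] "GET /images/stcp.php?a=1 HTTP/1.0" 200 4 "-" "-"',
]
```

Hashes and modification times are recorded for every file in a flagged directory so that copies handed over for analysis can be matched against what was on disk.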