[nsp-sec] Adobe Cold Fusion Source code leaked due to data breach
Lawrence Baldwin
baldwinl at mynetwatchman.com
Thu Oct 3 17:13:41 EDT 2013
> Hey...I have posted here in a while...was waiting for a good one.
have -> "haven't"
For anyone with flow visibility, I could use some help on this:
All these hacks were done by two Russian individuals (surprise, surprise):
Subject 1: Nizhny Novgorod, RU
95.37.230.139 - Suspected ADSL IP of his home
Subject 2: Novosibirsk, RU
85.26.231.0 - Suspected ADSL IP of his home
Subject 2 also made use of the following servers (believed to be VPS
boxes used as a private VPN and/or proxy):
193.169.188.82 - Ukraine
92.53.106.25 - Moscow, RU
All of the IPs above are believed to be related to these subjects from
the Jan 2013 to Sep 2013 timeframe.
Subjects operate the criminal SSNDOB service which is/was hosted on
Cloudflare...the hidden IPs behind this service are:
91.226.11.172 - backend mysql db
91.226.11.173 - web frontend (ssndob.ms, privateapi.ms)
Ping me privately if you have hits.
lb.
On 10/03/2013 04:59 PM, Lawrence Baldwin wrote:
> ----------- nsp-security Confidential --------
>
>
> Hey...I have posted here in a while...was waiting for a good one.
>
>
> https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
>
> One of subject's CF exploit servers:
> 195.3.146.59
>
> Server doubles as exfil/backconnect server with outgoing flows from
> victims as follows:
> 195.3.146.59:443
>
>
> C2 involved shortly after initial compromise (via ColdFusion exploits):
> kartmanscript.com
> 103.8.24.167
> SKSA Malaysia
>
>
> Enjoy.
>
--
Lawrence Baldwin
Chief Forensics Officer
myNetWatchman.com
Atlanta, GA
+1.678.624.0924