[Full-disclosure] Intergenia hosting malware
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Intergenia hosting malware
- From: "lsi" <stuart@xxxxxxxxxxxxxx>
- Date: Thu, 14 Dec 2006 12:36:07 -0000
This is a cracked Linux server being used to host exploits for
Windows machines, which are spamvertised (presumably via a botnet) in
socially engineered emails. Kinda cute, ugly too.
- mail received from x42071c2e.ip.e-nt.net [66.7.28.46]
- e-nt.net is owned by ISP Eureka Networks
http://www.eurekanetworks.net/
(66.7.28.46 is apparently one of their customers' boxes)
- received in an HTML-only email (abbreviated):
You have received a postcard from a family member!
You can pick up your postcard at the following web address:
http://www2.postcards.org/?a91-valets-cloud-31337
- link actually leads to http://62.75.249.235/~UWE/postcards.gif.exe
- postcards.gif.exe contains:
      name     ext         size  date      time   long name
      nicks    txt       45,985  24/11/06  14:18  nicks.txt
      aliases  ini           11  15/02/04   2:28  aliases.ini
      control  ini           68  10/12/06   0:43  control.ini
      mirc     ini        4,015  10/12/06   0:43  mirc.ini
      remote   ini          463  10/12/06   0:41  remote.ini
      script   ini        7,539  28/11/06   5:08  script.ini
      servers  ini          392  24/11/06  14:29  servers.ini
      users    ini          126  24/11/06  14:07  users.ini
      sup      bat           28  05/12/04  11:14  sup.bat
      svchost  exe    1,790,464  23/02/04  23:26  svchost.exe
      mirc     ico        5,694  07/11/04   2:28  mirc.ico
      sup      reg          139  04/03/05  23:50  sup.reg
- reverse 62.75.249.235:
static-ip-62-75-249-235.inaddr.intergenia.de
- Intergenia is a hosting company in Germany (who were notified Dec
13 at 18:40 GMT) .. http://www.intergenia.de/
- 62.75.249.235 runs Apache/2.0.53 (Linux/SUSE)
- http://62.75.249.235/~UWE/ contains:
      file.php           13-Oct-2006 14:55   37K
      postcards.gif.exe  13-Dec-2006 15:58  690K
      usa                13-Oct-2006 14:56   11K
- from the file dates, the server was cracked 2 months ago, while
postcards was modified yesterday
- file.php is PHPShell by Macker - Version 2.6.6dev - August 28th
2003
- usa is a Linux binary, apparently a compiled version of the
"backdoor that creates a remote connection for tty's and allows
attackers to login into the system without a need for a real user and
password" described here:
http://www.securiteam.com/exploits/5FP0T20GAK.html
Also mentioned here:
http://www.kiesler.at/thread699.html
Stu
---
Stuart Udall
stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
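As an added example (not part of the original post), the Python below implements the two checks a mail gateway or analyst would want for this lure: a deceptive-link test for HTML mail (visible URL text whose host differs from the real href, and an href ending in an executable or double extension such as .gif.exe), and an indicator check over the contents of a self-extracting archive (a bundle of mIRC configuration files shipped with an executable named after a Windows system binary, plus a .bat/.reg persistence pair). The sample mail body and archive listing are constructed from the details quoted above; the indicator name lists are assumptions of this example, not something the post states.

```python
"""Heuristics drawn from the postcard lure: deceptive HTML links and a
self-extracting mIRC bot. Sample data is constructed from the post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that execute on a Windows host when double-clicked (assumed list).
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Standard mIRC configuration files; several of these beside a renamed
# mirc.exe is the hand-rolled IRC bot of the period (assumed list).
MIRC_FILES = {"mirc.ini", "remote.ini", "script.ini", "servers.ini",
              "aliases.ini", "users.ini"}
# Windows process names attackers borrow so the bot blends in (assumed list).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """Return [(href, text, reasons)] for links worth blocking.

    reasons: host-mismatch (visible URL host differs from href host),
    executable (href ends in an executable extension), double-ext
    (an innocuous extension precedes the executable one).
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href)
        if re.match(r"https?://", text) and urlparse(text).hostname != target.hostname:
            reasons.append("host-mismatch")
        parts = target.path.lower().rsplit("/", 1)[-1].split(".")
        if len(parts) >= 2 and "." + parts[-1] in EXEC_EXT:
            reasons.append("executable")
            if len(parts) >= 3:
                reasons.append("double-ext")
        if reasons:
            findings.append((href, text, reasons))
    return findings


def mirc_bot_indicators(entries):
    """Return indicator names for a list of (filename, size) archive entries.

    mirc-config: three or more standard mIRC files present.
    system-name: an executable impersonating a Windows system binary.
    registry-autostart: a .reg shipped beside a .bat, the usual persistence pair.
    """
    names = {n.lower() for n, _ in entries}
    found = set()
    if len(names & MIRC_FILES) >= 3:
        found.add("mirc-config")
    if names & SYSTEM_NAMES:
        found.add("system-name")
    if any(n.endswith(".reg") for n in names) and any(n.endswith(".bat") for n in names):
        found.add("registry-autostart")
    return found


# Constructed mail body, built from the lure quoted in the post.
SAMPLE_MAIL = """<html><body>
<p>You have received a postcard from a family member!</p>
<p>You can pick up your postcard at the following web address:</p>
<a href="http://62.75.249.235/~UWE/postcards.gif.exe">http://www2.postcards.org/?a91-valets-cloud-31337</a>
</body></html>"""

# Constructed archive listing, reduced from the post's file list.
SAMPLE_ARCHIVE = [("mirc.ini", 4015), ("remote.ini", 463), ("script.ini", 7539),
                  ("servers.ini", 392), ("svchost.exe", 1790464),
                  ("sup.bat", 28), ("sup.reg", 139)]

if __name__ == "__main__":
    for href, text, reasons in deceptive_links(SAMPLE_MAIL):
        print(f"{text} -> {href}: {', '.join(reasons)}")
    print(sorted(mirc_bot_indicators(SAMPLE_ARCHIVE)))
```

The link check deliberately compares hostnames rather than whole URLs, so an href that only adds a path or query under the displayed host is not flagged; the archive check requires several mIRC files together because a single stray .ini is common in legitimate software bundles.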
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/