lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 28 Jun 2004 11:53:25 -0700
From: "Hubbard, Dan" <dhubbard@...sense.com>
To: <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
	<incidents@...urityfocus.com>, <bugtraq@...urityfocus.com>
Subject: Scob infection statistics, etc..


If anyone is interested we have some information on the Scob Trojan
"released" last week.

* we saw customers visiting the Russian URL's starting June 22. All the
sites are down but here is a list of the sites visited with frequency
counters.

	http://217.107.218.147:80/redir.php	2
	http://217.107.218.147/sht/shellscript.js	1
	http://217.107.218.147/thom.html	4
	http://217.107.218.147/smack.html?	1
	http://217.107.218.147/new.html	866
	http://217.107.218.147/fed.html	97
	http://217.107.218.147/msits.exe	208
	http://217.107.218.147/index.php	1193
	http://217.107.218.147/md.htm	169
	http://217.107.218.147/index1.htm	47
	http://217.107.218.147/dot.php	2665
	http://217.107.218.147/sht/its.html	4
	http://217.107.218.147/sht/msits.exe	9
	http://217.107.218.147/stat.php	205
	http://217.107.218.147/its.html	65
	http://217.107.218.147/shellscript_loader.js	1
	http://217.107.218.147:80/index.php	1
	http://217.107.218.147/sht/new.html	25
	http://217.107.218.147/sht/shellscript_loader.js	2
	http://217.107.218.147/redir.php	177
	http://217.107.218.147/shellscript.js	1
	http://217.107.218.147/sht/redir.php	24
	http://217.107.218.147:80/dot.php	34
	http://217.107.218.147:80/msits.exe	7
	http://217.107.218.147//main.chm	15
	http://217.107.218.147/sht/md.htm	11
	http://217.107.218.147/sht/md.html	13

* as of Sunday we have identified more than 130 unique domains that are
still infected.
* all sites infected are running IIS 5.0 and SSL 
* all sites are infected on both HTTP and HTTPS URL's
* sites IP addresses are located in USA (mostly web hosting ISP's),
Australia, New Zealand, Canada, Japan, Spain, UK, and Norway). At least
that is what arin, apnic, and ripe are reporting.
* appears as though no sites certificates have been tampered
* none of the sites still infected would be consider "top rated"
websites
* we have seen no unusual/increase in traffic in any of our honeypots

Due to the number of sites infected, this leads me to believe that there
is either a poorly written worm or that the source of the webserver
exploit is out there. Does anyone have information on the exploit ? It
would be interesting to see and then report on the number of webservers
that are vulnerable to this type of attack. Also, has anyone seen any
new versions yet ?

Thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ