lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <EB6D35AE1E5D3E40B4536F55B540A5D8013DE139@ssdexch1.websense.com>
Date: Mon, 19 Jul 2004 14:10:06 -0700
From: "Hubbard, Dan" <dhubbard@...sense.com>
To: <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>, <bugtraq@...urityfocus.com>,
  <incidents@...urityfocus.com>
Subject: More Webserver / IE Exploits


We have discovered more than 300 websites that include malicious code
that will attempt to run a program on your machine without end-user
intervention. Similar to the recent Scob attack, a dual-pronged approach
of exploiting vulnerable servers and clients is being used. 

There is no commonality on the web server side with the exception of 164
sites that are all hosted by the same hosting facility in Florida.

Details on the hosting facility in Florida:

The site that includes the exploit code is:

http://www.karl-marx.ru/
And the counter is located at:
http://www.karl-marx.ru/counter.php

We were not able to download and research the code as it was unavailable
at the time of this report.

Detailed infected URLS: 
http://www.karl-marx.ru//main.chm
http://www.karl-marx.ru/counter.php
http://www.karl-marx.ru/script.php? 
http://www.karl-marx.ru/wcmd.htm
IP: 207.36.201.106

The IP address is owned by an ISP in Florida who has been notified.

All of the sites we are also hosted by the same ISP in Florida but
appear to be on a different machine with the IP address. All sites are
Vhosted. 

IP: 207.150.192.12

The exploits are utilizing IE vulnerabilities like the following: (a
variety of uses with .CHM).

http://www.microsoft.com/technet/security/bulletin/ms04-023.mspx

Server-side Vulnerability exploited:

It is not clear how the server(s) were compromised, but the hosting
facility has been contacted and we are waiting to hear from them to get
details.

The webserver that was infected most was running, Apache/1.3.26 (Unix)
mod_mhp mod_mhp_log mod_virtcgi frontPage/5.0 mod_status_mhp.

The other 140 servers that are using the CHM exploit are a variety of
Web Servers including Apache and IIS. Also, many are running PHP.
Although evidence shows that most have been exploited, some also appear
to be knowingly using this vulnerability to install spyware and other
tools on your machine without your knowledge (10 sites using
exploit.chm)

Details on WebServers:

Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.3.4
mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25
Apache/1.3.22 (Unix) PHP/4.1.1 mod_perl/1.26 rus/PL30.9
Apache/1.3.26 (Unix)
Apache/1.3.26 (Unix) mod_mhp mod_mhp_log mod_virtcgi frontPage/5.0
mod_status_mhp
Apache/1.3.26 (Unix) PHP/4.1.2
Apache/1.3.26 (Unix) PHP/4.3.4 FrontPage/5.0.2.2510
Apache/1.3.27 OpenSSL/0.9.6 (Unix) FrontPage/5.0.2.2634 PHP/4.3.4
Apache/1.3.27 (Unix) FrontPage/5.0.2.2634
Apache/1.3.27 (Unix) PHP/3.0.18
Apache/1.3.27 (Unix) PHP/4.2.3 mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
Apache/1.3.27 (Unix) PHP/4.3.2
Apache/1.3.27 (Unix) PHP/4.3.4
Apache/1.3.27 (Unix) (Red-Hat/Linux) FrontPage/5.0.2.2623
mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3
PHP/
4.3.6 mod_perl/1.26 mod_webapp/1.2.0-dev
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_perl/1.26 PHP/4.3.3
FrontPage/5.0.2 mod_ssl/2.8.12 OpenSSL/0.9.6b
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b
DAV/1.0.2 PHP/4.3.3 mod_perl/1.26
Apache/1.3.28 (Unix)
Apache/1.3.28 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
mod_bwlimited/1.4 PHP/4.3.2 FrontPage/5.0.2.2634 mod_ssl/2.8.15 Open
SSL/0.9.6b
Apache/1.3.28 (Unix) PHP/4.3.3
Apache1.3.29 - ProXad [Jun 9 2004 15:20:12]
Apache/1.3.29 (Unix) FrontPage/5.0.2.2623
Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634 mod_ssl/2.8.16 Open
SSL/0.9.6b
Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a PHP/4.3.8
Apache/1.3.29 (Unix) mod_layout/3.2.1 PHP/4.3.4
Apache/1.3.29 (Unix) mod_watch/2.3
Apache/1.3.29 (Unix) PHP/4.3.2-RC
Apache/1.3.29 (Unix) PHP/4.3.4
Apache/1.3.29 (Unix) PHP/4.3.5
Apache/1.3.29 (Unix) PHP/4.3.8
Apache/1.3.29 (Unix) (Red-Hat/Linux) PHP/4.3.8
Apache/1.3.31 (Unix)
Apache/1.3.31 (Unix) FrontPage/5.0.2.2635 PHP/4.3.7
Apache/1.3.31 (Unix) mod_accounting/0.5l mod_ssl/2.8.18 OpenSSL/0.9.7d
mod_deflate/1.0.21
Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634a mod_ssl/2.8.18 Ope
nSSL/0.9.7a
Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.18 Ope
nSSL/0.9.6b
Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_tsunami/2.0
mod_bwprotect/0.2 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.4 FrontP
age/5.0.2.2634a mod_ssl/2.8.18 OpenSSL/0.9.7d
Apache/1.3.31 (Unix) mod_python/2.7.10 Python/2.2.2 mod_webapp/1.2.0-dev
mod_perl/1.29 mod_throttle/3.1.2 PHP/4.3.4 FrontPage/5.0.2.
2510 mod_ssl/2.8.18 OpenSSL/0.9.7d
Apache/2.0.39 (Unix) mod_perl/1.99_07-dev Perl/v5.6.1 Apache/2.0.40 (Red
Hat Linux)
Apache/2.0.47
Apache/2.0.47 (Unix) PHP/4.3.3
Apache/2.0.47 (Unix) PHP/4.3.4
Apache/2.0.49 (Fedora)
Apache/2.0.49 (Unix) PHP/4.3.5
Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6mdk) PHP/4.2.3
sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g Microsoft-IIS/5.0
Microsoft-IIS/6.0 SHS
Squeegit/1.2.5 (3_sir)
.V15 Apache/1.3.26 (Unix) mod_fs 6.005
Zeus/3.4
Zeus/4.2

_______________________________
Dan Hubbard
Security & Technology Research
Websense, Inc.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ