Security Basics mailing list archives
Re: Malicious PHP site(s)?
From: "Andy Peters" <andrewpeters2000 () googlemail com>
Date: Thu, 9 Jun 2011 21:45:13 +0100
The IP address 91.223.70.168 is online (ping). Whois information for that IP shows:

inetnum: 91.223.70.0 - 91.223.70.255
netname: APM-DATORS
descr: SIA "APM Dators"
country: LV
organisation: ORG-SD26-RIPE
org-name: APMSIA LLC
org-type: other
address: Balozhu str. 1/1, Riga

Reverse lookup shows no results.

http://91.223.70.168/ok1/ has no index file and so the directory contents are shown. There are two files: cur_link (09-Jun-2011 15:20) and in.php (31-may-2011 07:43).

Box seems to be running Apache/2.2.16 (Debian) on port 80.

cur_link just contains the text "defender-eklpp.in/936778ea093f2a51/"

in.php seems to redirect (when using wget):

C:\Infected>wget http://91.223.70.168/ok1/in.php
--2011-06-09 21:28:33--  http://91.223.70.168/ok1/in.php
Connecting to 91.223.70.168:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://defender-eklpp.in/936778ea093f2a51/sa1/16 [following]
--2011-06-09 21:28:33--  http://defender-eklpp.in/936778ea093f2a51/sa1/16
Resolving defender-eklpp.in... 78.41.203.12
Connecting to defender-eklpp.in|78.41.203.12|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
Saving to: `16'

http://defender-eklpp.in/936778ea093f2a51/sa1/ has an index.html file, but wget brings back a 0 byte file.

Wget brings back a 0 byte file for /1 to /20 as well.

The index.php page for orthodontic-clinic.gr (64.71.164.66) seems to be throwing up errors:

<br /><b>Parse error</b>: syntax error, unexpected T_STRING, expecting ',' or ';' in <b>/home/orthodon/public_html/index.php</b> on line <b>6</b><br />

Lots of redirecting, looks quite dodgy, but doesn't look like there is anything active, so I got bored and stopped at this point.
Andy

-----Original Message-----
From: Sacks, Cailan C
Sent: Thursday, June 09, 2011 8:47 AM
To: Sean G ; security-basics () securityfocus com
Subject: RE: Malicious PHP site(s)?

The fact that it ends in .php doesn't mean it's a PHP attack. It just means the server is running PHP, and it can be hosting a JavaScript, applet, or browser attack.

Anyway, this link gets a resource from http://91.223.70.168/ok1/in.php (which hosts the actual exploit and payload). As this URL is no longer active I assume the guy is no longer active on the network. The IP address space is registered to an ISP in Latvia, so it could also be safe to assume it's hosted on a personal DSL type line. I am not saying this is the attacker, just that this is the attacking IP. IP != Person

The email below originates from Taiwan. Look at the X-Originating-IP header below (112.105.145.118).
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sean G
Sent: Wednesday, June 08, 2011 9:23 AM
To: security-basics () securityfocus com
Subject: Malicious PHP site(s)?

OK, for some time now, I have been receiving odd emails from someone whom I do not know at all, "Seth Spangler", his email address changing on an irregular basis. Basically it's just an email with a link that ends with .php. I don't have a testing machine at my disposal at the moment. I was wondering if someone who knows PHP rather well would be able to inform me of what happens when the link is clicked (I have never clicked it to test), or if you have heard of this person. If not, I do understand this is a busy list. Feel free to contact me directly as I would like to learn as much as possible about this -- well, I assume it is an attack of some sort -- and what the consequences are. From what I have observed thus far, this person has a long list of email addresses and is probably phishing in one manner or another. Any help would be greatly appreciated.

***************************************
The following is one of the emails with headers and all:

__________________________START________________________________________
Delivered-To: vitamindster () gmail com
Received: by 10.220.193.135 with SMTP id du7cs67631vcb; Tue, 7 Jun 2011 20:05:01 -0700 (PDT)
Received: by 10.52.91.84 with SMTP id cc20mr173867vdb.306.1307502300568; Tue, 07 Jun 2011 20:05:00 -0700 (PDT)
Return-Path: <sethspangler4 () aol com>
Received: from imr-da06.mx.aol.com (imr-da06.mx.aol.com [205.188.169.203]) by mx.google.com with ESMTP id n6si58107vdf.155.2011.06.07.20.05.00; Tue, 07 Jun 2011 20:05:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of sethspangler4 () aol com designates 205.188.169.203 as permitted sender) client-ip=205.188.169.203;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of sethspangler4 () aol com designates 205.188.169.203 as permitted sender) smtp.mail=sethspangler4 () aol com; dkim=pass header.i=@mx.aol.com
Received: from mtaomg-mb03.r1000.mx.aol.com (mtaomg-mb03.r1000.mx.aol.com [172.29.41.74]) by imr-da06.mx.aol.com (8.14.1/8.14.1) with ESMTP id p5834pQm029213 for <vitamindster () gmail com>; Tue, 7 Jun 2011 23:04:51 -0400
Received: from core-mde003a.r1000.mail.aol.com (core-mde003.r1000.mail.aol.com [172.29.46.9]) by mtaomg-mb03.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 8EF57E000089 for <vitamindster () gmail com>; Tue, 7 Jun 2011 23:04:51 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20110426; t=1307502291; bh=7XxGUUe9lFyI9UIeYcEEa+tewyLGqKEK+3u/cr6J4U0=; h=To:Subject:MIME-Version:From:Content-Type:Message-Id:Date; b=yEYXHTEzdiEp6+UvI05vZgUpgvQ4JnnF9XpjOHvoMdHCspyP5kpqulDvXbBgYTaOr W65rDRxjrt2gxiJPiT9pA6c9C1BuWYZ5n4ksTAo7nmMAF0+H8YNzHAs1bTRleb5ISA C3PTOS1KFAJrZ2xBlehoFXv7FWgbRpgCbv1En6uA=
To: vitamindster () gmail com
Content-Transfer-Encoding: quoted-printable
Subject: Re:..
X-MB-Message-Source: WebUI
X-AOL-IP: 112.105.145.118
X-MB-Message-Type: User
MIME-Version: 1.0
From: sethspangler4 () aol com
Content-Type: text/plain; charset="us-ascii"
X-Mailer: AOL Webmail 33790-MOBILE
Received: from 112.105.145.118 by webmail-m160.sysops.aol.com (64.12.183.155) with HTTP (WebMailUI); Tue, 07 Jun 2011 23:04:51 -0400
Message-Id: <8CDF39FF7ED24D9-7D4-61DFA () webmail-m160 sysops aol com>
X-Originating-IP: [112.105.145.118]
Date: Tue, 7 Jun 2011 23:04:51 -0400 (EDT)
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:159035312:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d294a4deee6d328dd

http://orthodontic-clinic.gr/indexz45X.php
___________________________END________________________________________

-- If the web address does not post, please contact me and I will either make a plain text file and post it on my site, or I can forward you what I have been receiving, whichever is to your liking.

Thank you,
----
Sean Golash
University of District of Columbia
Student/Researcher/Consultant
Senior, BSIT Major* {**Emphasis on Security**}*
GeoLocation: Washington, DC
Web: http://seangolash.net

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Standard Bank email disclaimer and confidentiality note
Please go to http://www.standardbank.co.za/site/homepage/emaildisclaimer.html to read our email disclaimer and confidentiality note. Kindly email disclaimer () standardbank co za (no content or subject line necessary) if you cannot view that page and we will email our email disclaimer and confidentiality note to you.
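Cailan's point above (look at X-Originating-IP, and treat the IP as the sending host rather than the person) can be checked from the headers alone, without ever fetching the link. The script below is an added example, not code from anyone in this thread: it parses a constructed, abridged copy of the quoted headers (addresses kept in the archive's "()" form; SPF/DKIM lines dropped), walks the Received chain oldest-first, cross-checks the X-Originating-IP header against the oldest relay's own "from" line, and lists the URLs in the body for later sandboxed analysis.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, abridged from the headers quoted in the thread
# (addresses left in the archive's "()" obfuscated form; SPF/DKIM lines dropped).
SAMPLE_MAIL = """\
Received: from imr-da06.mx.aol.com (imr-da06.mx.aol.com [205.188.169.203]) by mx.google.com with ESMTP id n6si58107vdf.155.2011.06.07.20.05.00; Tue, 07 Jun 2011 20:05:00 -0700 (PDT)
Received: from mtaomg-mb03.r1000.mx.aol.com (mtaomg-mb03.r1000.mx.aol.com [172.29.41.74]) by imr-da06.mx.aol.com (8.14.1/8.14.1) with ESMTP id p5834pQm029213; Tue, 7 Jun 2011 23:04:51 -0400
Received: from 112.105.145.118 by webmail-m160.sysops.aol.com (64.12.183.155) with HTTP (WebMailUI); Tue, 07 Jun 2011 23:04:51 -0400
X-Originating-IP: [112.105.145.118]
From: sethspangler4 () aol com

http://orthodontic-clinic.gr/indexz45X.php
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL = re.compile(r"https?://[^\s<>\"']+")


def is_public(ip: str) -> bool:
    """True for globally routable addresses; drops internal relays such as 172.29.x.x."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def received_chain(raw: str) -> list:
    """Received hops oldest-first (each relay prepends its header, so stored newest-first)."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def origin_candidates(raw: str) -> dict:
    """Cross-check X-Originating-IP against the oldest hop and list body URLs; fetches nothing."""
    msg = message_from_string(raw)
    hops = received_chain(raw)
    m = IPV4.search(msg.get("X-Originating-IP", ""))
    xoip = m.group(1) if m else None
    first_hop_ips = [ip for ip in IPV4.findall(hops[0]) if is_public(ip)] if hops else []
    return {
        "x_originating_ip": xoip,
        "first_hop_public_ips": first_hop_ips,
        # Only trust the X- header when the oldest relay's own log line agrees with it.
        "agree": xoip is not None and xoip in first_hop_ips,
        "urls": URL.findall(msg.get_payload()),
    }


if __name__ == "__main__":
    print(origin_candidates(SAMPLE_MAIL))
```

The "agree" flag is the useful bit: X-Originating-IP is written by the webmail front end and can be absent or forged in other mail, so the oldest Received line is the corroborating evidence.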