Nmap Development mailing list archives

[Unmask Parasites. Blog.] "Dynamic DNS and Botnet of Zombie Web Servers"


From: Ron <ron () skullsecurity net>
Date: Sat, 12 Sep 2009 17:39:29 -0500

(Note: I've included both the blog author and the Nmap mailing list in this email)

This is in response to this blog post:
http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

I wrote a script to detect this botnet behaviour. Unfortunately, I don't have time to test it properly. Right now I'm looking for any server that responds with a 302 to that particular file, but not other files. I tested it against a couple servers I found, and it seems to work nicely. I wrote it really quickly, though, since I'm running late.

I've attached the script. You'll have to:
a) Update to the latest Nmap SVN version
b) Put my script (attached) in the /scripts folder (where the other .nse files are)
c) run:
nmap --script=http-infected <host>

It should return the fact that the server's infected, and also where it is redirecting to.

I'm going to be away from my computer till later tonight (~5 hours or so). Please, if anybody can test this and let me know if it's working, that'd be great!

Sample run:
-
$ ./nmap --script=http-infected 174.143.25.37

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-12 17:35 CDT
NSE: Script Scanning completed.
Interesting ports on 174-143-25-37.slicehost.net (174.143.25.37):
Not shown: 987 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
|_ http-infected: Server appears to be clean
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
|_ http-infected: Server appears to be clean
465/tcp  open  smtps
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
8080/tcp open  http-proxy
|_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://bllee.homelinux.org:8080/index.php)

$ ./nmap -p8080 --script=http-infected bllee.homelinux.org

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-09-12 17:37 CDT
NSE: Script Scanning completed.
Interesting ports on ttnetdc-200-227-107-89.ttnetdc.com (95.130.174.200):
PORT     STATE SERVICE
8080/tcp open  http-proxy
|_ http-infected: Server appears to be infected (/ts/in.cgi?open2 redirects to http://krymskyilya.getmyip.com:8080/index.php)
-

And so on.

If I don't hear of any issues by the time I get home (11pm CDT, give or take), I'll commit this and write a blog of my own on how to use it.

Thanks!

Ron

On 09/12/2009 04:55 PM, Denis Sinegubko wrote:
Hi Ron,

   Thanks for your interest in my research.

   Malicious web servers on port 8080 seem to be serving malicious
   content only when they are sure that the client is vulnerable.
   Otherwise they return a blank file.

   Actually, when you query the URL in the iframe src you get a 302
   redirect to another server.

-------------------
wget -U Mozilla "http://174.143.25.37:8080/ts/in.cgi?open2" -O "in.h"
--03:53:08--  http://174.143.25.37:8080/ts/in.cgi?open2
            =>  `in.h'
Connecting to 174.143.25.37:8080... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://snejok131.servegame.org:8080/index.php [following]
--03:53:14--  http://snejok131.servegame.org:8080/index.php
            =>  `in.h'
Resolving snejok131.servegame.org... done.
Connecting to snejok131.servegame.org[72.3.139.94]:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
-------------------

   Something like this. Hope this helps.

Attachment: http-infected.nse
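The heuristic Ron describes above (flag a host only when /ts/in.cgi?open2 answers 302 while other paths do not, and report the Location it redirects to) as a stand-alone Python script. This is an added example for this archive page; it is not Ron's http-infected.nse and not the blog author's code. The control path and the "Mozilla" User-Agent are assumptions: the page says the script checks "other files" but does not give the exact path, and Denis's wget used -U Mozilla. The sample responses at the bottom are constructed, not captured traffic.

```python
"""Detect the 302-redirect signature of the zombie web-server botnet.

Added example, not the http-infected.nse script from the mailing list.
A host is flagged only if the probe path returns 302 while a control path
does not, so servers that redirect every request are not misreported.
"""
import http.client

PROBE_PATH = "/ts/in.cgi?open2"
# Assumption: the exact "other file" Ron's script compares against is not
# given on the page, so an arbitrary path under the same directory is used.
CONTROL_PATH = "/ts/in.cgi?open2_control_does_not_exist"
USER_AGENT = "Mozilla"  # Denis's wget used -U Mozilla


def check_server(fetch):
    """Classify one HTTP service.

    fetch(path) must return (status_code, headers) where headers is a dict
    with lower-case keys. Returns a dict describing the verdict.
    """
    probe_status, probe_headers = fetch(PROBE_PATH)
    if probe_status != 302:
        return {"infected": False, "reason": "probe path did not return 302"}
    location = probe_headers.get("location")
    if not location:
        return {"infected": False, "reason": "302 without a Location header"}
    control_status, _ = fetch(CONTROL_PATH)
    if control_status == 302:
        # A catch-all redirect (e.g. to a canonical hostname) is not the signature.
        return {"infected": False, "reason": "control path also returned 302"}
    return {"infected": True, "redirect": location}


def format_verdict(verdict):
    """Render the verdict in the same form as the sample nmap runs above."""
    if verdict["infected"]:
        return "Server appears to be infected (%s redirects to %s)" % (
            PROBE_PATH, verdict["redirect"])
    return "Server appears to be clean"


def http_fetcher(host, port, timeout=5.0):
    """Build a fetch() that talks to a live host (not used by the offline demo)."""
    def fetch(path):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"User-Agent": USER_AGENT})
            resp = conn.getresponse()
            headers = {k.lower(): v for k, v in resp.getheaders()}
            return resp.status, headers
        finally:
            conn.close()
    return fetch


def fake_fetcher(responses, default=(404, {})):
    """Build a fetch() from a constructed {path: (status, headers)} table."""
    def fetch(path):
        return responses.get(path, default)
    return fetch


# Constructed sample responses (not real captures): an infected host, a clean
# host, and a host whose catch-all redirect would otherwise look like infection.
INFECTED = fake_fetcher({
    PROBE_PATH: (302, {"location": "http://bllee.homelinux.org:8080/index.php"}),
})
CLEAN = fake_fetcher({PROBE_PATH: (404, {})})
CATCH_ALL = fake_fetcher({}, default=(302, {"location": "http://www.example.com/"}))

if __name__ == "__main__":
    for name, fetch in (("infected", INFECTED), ("clean", CLEAN), ("catch-all", CATCH_ALL)):
        print("%-9s %s" % (name, format_verdict(check_server(fetch))))
```

To run it against a real host, pass http_fetcher(host, port) to check_server, e.g. for port 8080 on a target from the blog post. The script does not follow the redirect; as Denis notes, the second-hop server returns a blank file unless it decides the client is vulnerable, so fetching it tells you little and only adds noise to the target's logs.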


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org