Security Basics mailing list archives

RE: Does anyone know which Malware owns this?


From: Steven Scheffler <stevens () forwardslash com>
Date: Fri, 11 Dec 2009 12:53:04 +0200

That place is full of Trojan distros: http://www.laguna.evolink.ro/server/ 

and an IRC log from #MafiaBOT channel: http://www.laguna.evolink.ro/server/roate.txt 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paul Halliday
Sent: 07 December 2009 07:00 PM
To: Securityfocus
Subject: Does anyone know which Malware owns this?

There was a lot of ssh activity prior to this:

NICK Mafiotul
USER putini . . :Dar buni

NOTICE AUTH :*** Checking Ident
:Tampa.FL.US.Undernet.org 433 * Mafiotul :Nickname is already in use.
NICK Mafiotul_
NICK _afiotul_
....
WHOIS Mafio5945
MODE Mafio5945 +i-ws
JOIN #MafiaBOT #
NICK Mafiotul

The box also fetched this:

http://www.laguna.evolink.ro/server/6969.pl

I also see ICMP 6666 "skillz"; stacheldraht? On a new install of CentOS?

Domains appear to be US, Japan and Macedonia (for the IRC part).

I don't have access to the box; I am trying to reconstruct from pcaps
only. Tips/pointers welcome.

Thanks.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

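Reconstructing the bot's behaviour from pcaps alone, as Paul describes, comes down to pulling the IRC handshake out of the reassembled TCP stream and checking ICMP payloads for the "skillz" marker. The following is an added example, not code from either poster. It uses a constructed copy of the IRC lines quoted above with "C>"/"S>" direction prefixes (an assumption about how the stream was reassembled, e.g. with tcpflow or Wireshark's Follow TCP Stream) and a constructed ICMP echo reply; the "ficken" and "spoofworks" markers beside "skillz" come from Dittrich's 1999 stacheldraht analysis, and the ICMP ID field is deliberately not treated as a signature.

```python
"""Pull C2 indicators out of a reassembled IRC stream and raw ICMP messages.

Added example for this thread; not code from Paul or Steven. The IRC sample is a
constructed copy of the lines Paul quoted, with "C>"/"S>" direction prefixes as
an assumed reassembly convention. The ICMP sample is constructed as well.
"""
import re
import struct
from collections import Counter

# Constructed from the post; direction prefixes are an assumption about how the
# stream was reassembled, not part of the IRC protocol.
SAMPLE_IRC_STREAM = """\
C> NICK Mafiotul
C> USER putini . . :Dar buni
S> NOTICE AUTH :*** Checking Ident
S> :Tampa.FL.US.Undernet.org 433 * Mafiotul :Nickname is already in use.
C> NICK Mafiotul_
C> NICK _afiotul_
C> WHOIS Mafio5945
C> MODE Mafio5945 +i-ws
C> JOIN #MafiaBOT #
C> NICK Mafiotul
"""

# "skillz" is what Paul saw; "ficken" and "spoofworks" are the other payload
# strings documented in Dittrich's 1999 stacheldraht analysis. Match on the
# payload rather than the ICMP ID: the ID is trivially changed by an operator.
STACHELDRAHT_ICMP_MARKERS = (b"skillz", b"ficken", b"spoofworks")

IRC_NUMERIC = re.compile(r"^:(?P<server>\S+)\s+(?P<code>\d{3})\s")


def parse_irc_stream(stream: str) -> dict:
    """Summarise a client<->server IRC stream: nick attempts, USER line,
    channels joined (with keys), servers seen in numeric replies, numeric counts."""
    ind = {"nicks": [], "user": None, "channels": {}, "servers": set(),
           "numerics": Counter(), "noise": []}
    for raw in stream.splitlines():
        direction, sep, line = raw.partition("> ")
        if not sep:
            ind["noise"].append(raw)  # line without a direction prefix
            continue
        if direction == "C":
            cmd, _, rest = line.partition(" ")
            cmd, rest = cmd.upper(), rest.strip()
            if cmd == "NICK":
                if rest not in ind["nicks"]:
                    ind["nicks"].append(rest)
            elif cmd == "USER":
                ind["user"] = rest
            elif cmd == "JOIN":
                # JOIN <channels> [<keys>]; both are comma-separated lists
                parts = rest.split()
                chans = parts[0].split(",") if parts else []
                keys = parts[1].split(",") if len(parts) > 1 else []
                for i, ch in enumerate(chans):
                    ind["channels"][ch] = keys[i] if i < len(keys) else None
        else:
            m = IRC_NUMERIC.match(line)
            if m:
                ind["servers"].add(m.group("server"))
                ind["numerics"][int(m.group("code"))] += 1
    return ind


def icmp_indicators(packet: bytes) -> dict:
    """Parse one ICMP message (8-byte header + payload) and report known markers."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    return {
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "markers": [m.decode() for m in STACHELDRAHT_ICMP_MARKERS if m in payload],
    }


# Constructed: echo reply (type 0) with ID 6666, as Paul reported, carrying "skillz".
SAMPLE_ICMP = struct.pack("!BBHHH", 0, 0, 0, 6666, 0) + b"skillz\x00"


def triage(stream: str, icmp_packets) -> list:
    """Human-readable findings for a pcap-only reconstruction."""
    irc = parse_irc_stream(stream)
    out = []
    if irc["nicks"]:
        out.append("IRC nicks tried: " + ", ".join(irc["nicks"]))
    if irc["numerics"].get(433):
        out.append("433 (nick in use) seen %d time(s): bot is cycling nicks"
                   % irc["numerics"][433])
    for ch, key in irc["channels"].items():
        out.append("joined %s%s" % (ch, " (key %r)" % key if key else ""))
    for srv in sorted(irc["servers"]):
        out.append("IRC server: " + srv)
    for pkt in icmp_packets:
        info = icmp_indicators(pkt)
        if info["markers"]:
            out.append("ICMP type %d id %d carries %s: check for stacheldraht"
                       % (info["type"], info["id"], "/".join(info["markers"])))
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_IRC_STREAM, [SAMPLE_ICMP]):
        print(line)
```

The 433 counter is the useful bit of the IRC side: a client that walks through Mafiotul, Mafiotul_, _afiotul_ after each "Nickname is already in use" is doing automated nick cycling, which is bot behaviour rather than a human reconnecting. On the ICMP side, feed every echo request/reply payload from the capture through icmp_indicators() rather than filtering on the ID first.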
