Full Disclosure mailing list archives
Intergenia hosting malware
From: "lsi" <stuart () cyberdelix net>
Date: Thu, 14 Dec 2006 12:36:07 -0000
This is a cracked Linux server being used to host exploits for Windows machines, which are spamvertised (presumably via a botnet) in socially engineered emails. Kinda cute, ugly too.

- mail received from x42071c2e.ip.e-nt.net [66.7.28.46]

- e-nt.net is owned by ISP Eureka Networks http://www.eurekanetworks.net/ (66.7.28.46 is apparently one of their customers' boxes)

- received in an HTML-only email (abbreviated):

    You have received a postcard from a family member!
    You can pick up your postcard at the following web address:
    http://www2.postcards.org/?a91-valets-cloud-31337

- link actually leads to http://62.75.249.235/~UWE/postcards.gif.exe

- postcards.gif.exe contains:

    nicks    txt      45,985  24/11/06  14:18  nicks.txt
    aliases  ini          11  15/02/04   2:28  aliases.ini
    control  ini          68  10/12/06   0:43  control.ini
    mirc     ini       4,015  10/12/06   0:43  mirc.ini
    remote   ini         463  10/12/06   0:41  remote.ini
    script   ini       7,539  28/11/06   5:08  script.ini
    servers  ini         392  24/11/06  14:29  servers.ini
    users    ini         126  24/11/06  14:07  users.ini
    sup      bat          28  05/12/04  11:14  sup.bat
    svchost  exe   1,790,464  23/02/04  23:26  svchost.exe
    mirc     ico       5,694  07/11/04   2:28  mirc.ico
    sup      reg         139  04/03/05  23:50  sup.reg

- reverse 62.75.249.235: static-ip-62-75-249-235.inaddr.intergenia.de

- Intergenia is a hosting company in Germany (who were notified Dec 13 at 18:40 GMT) .. http://www.intergenia.de/

- 62.75.249.235 runs Apache/2.0.53 (Linux/SUSE)

- http://62.75.249.235/~UWE/ contains:

    file.php            13-Oct-2006 14:55   37K
    postcards.gif.exe   13-Dec-2006 15:58  690K
    usa                 13-Oct-2006 14:56   11K

- from the file dates, the server was cracked 2 months ago, while postcards was modified yesterday

- file.php is PHPShell by Macker - Version 2.6.6dev - August 28th 2003

- usa is a Linux binary, apparently a compiled version of the "backdoor that creates a remote connection for tty's and allows attackers to login into the system without a need for a real user and password" described here: http://www.securiteam.com/exploits/5FP0T20GAK.html Also mentioned here: http://www.kiesler.at/thread699.html

Stu

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
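The lure in the post relies on the oldest HTML-mail trick there is: the visible anchor text is a plausible postcards.org URL, the href behind it is a raw-IP host serving postcards.gif.exe, a decoy ".gif" in front of a real ".exe". The script below is an added example written for this page, not code from the post or its author. It parses an HTML body with the standard-library parser and flags anchors whose displayed URL host differs from the href host, hrefs that point at a bare IP address, and hrefs whose file name carries a decoy extension before an executable one. The sample mail body is constructed for the example; only the two URLs in it are the ones quoted in the post, and the extension lists are my own choice.

```python
"""Flag deceptive links in an HTML e-mail body (added example, not from the post)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumed lists for the example: executable suffixes, and "decoy" suffixes a
# lure uses in front of them (postcards.gif.exe in the post).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
DECOY_EXT = (".gif", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".txt")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_raw_ip(host):
    """True if the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def double_extension(path):
    """True for names like postcards.gif.exe: decoy suffix directly before an executable suffix."""
    name = path.rsplit("/", 1)[-1].lower()
    if not name.endswith(EXEC_EXT):
        return False
    stem = name.rsplit(".", 1)[0]
    return stem.endswith(DECOY_EXT)


def analyse(html_body):
    """Return [(href, [reason, ...]), ...] for every anchor that looks deceptive."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        reasons = []
        target = urlparse(href)
        shown = URL_RE.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname
            if shown_host and shown_host != target.hostname:
                reasons.append("displayed host %s != actual host %s"
                               % (shown_host, target.hostname))
        if target.hostname and is_raw_ip(target.hostname):
            reasons.append("link uses a raw IP address")
        if double_extension(target.path):
            reasons.append("double extension: %s" % target.path.rsplit("/", 1)[-1])
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample lure; the two URLs are the ones quoted in the post.
SAMPLE_MAIL = """<html><body>
<p>You have received a postcard from a family member!</p>
<p>You can pick up your postcard at the following web address:</p>
<p><a href="http://62.75.249.235/~UWE/postcards.gif.exe">http://www2.postcards.org/?a91-valets-cloud-31337</a></p>
<p><a href="http://www.example.org/unsubscribe">unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    for link, why in analyse(SAMPLE_MAIL):
        print(link)
        for reason in why:
            print("  -", reason)
```

Run as-is it reports only the postcard link, with all three reasons; the plain unsubscribe link passes. In a mail gateway the same three checks are cheap enough to run on every HTML part, and the host mismatch alone is a strong signal because legitimate senders rarely display one URL and link another.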