Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Malicious PHP site(s)?

From: "Andy Peters" <andrewpeters2000 () googlemail com>
Date: Thu, 9 Jun 2011 21:45:13 +0100

The IP address 91.223.70.168 is online (ping)

Whois information for that IP Shows:
   inetnum:              91.223.70.0 - 91.223.70.255
   netname:            APM-DATORS
   descr:                  SIA "APM Dators"
   country:               LV
   organisation:      ORG-SD26-RIPE
   org-name:           APMSIA LLC
   org-type:             other
   address:             Balozhu str. 1/1, Riga

Reverse Lookup shows no results.
http://91.223.70.168/ok1/ has no index file and so the directory contents are shown. There are two files. cur_link (09-Jun-2011 15:20) and in.php (31-may-2011 07:43) 
Box seems to be running Apache/2.2.16 (Debian) on port 80.

cur_link just contains the text "defender-eklpp.in/936778ea093f2a51/"

in.php seems to redirect (when using wget):
C:\Infected>wget http://91.223.70.168/ok1/in.php
--2011-06-09 21:28:33--  http://91.223.70.168/ok1/in.php
Connecting to 91.223.70.168:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://defender-eklpp.in/936778ea093f2a51/sa1/16 [following]
--2011-06-09 21:28:33--  http://defender-eklpp.in/936778ea093f2a51/sa1/16
Resolving defender-eklpp.in... 78.41.203.12
Connecting to defender-eklpp.in|78.41.203.12|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
Saving to: `16'
http://defender-eklpp.in/936778ea093f2a51/sa1/ has an index.html file, but wget brings back a 0 Byte file. 

Wget brings back a 0 byte file for /1 to /20 as well
the index.php page for othodontic-clinic.gr (64.71.164.66) seems to be throwing up errors: 

<br />
<b>Parse error</b>: syntax error, unexpected T_STRING, expecting ',' or ';' in <b>/home/orthodon/public_html/index.php</b> on line <b>6</b><br />
Lots of redirecting, looks quite dodgy, but doesn't look like there is anything active, so got bored and stopped at this point. 

Andy
-----Original Message----- From: Sacks, Cailan C 
Sent: Thursday, June 09, 2011 8:47 AM
To: Sean G ; security-basics () securityfocus com
Subject: RE: Malicious PHP site(s)?
The fact that it ends in .php doesn't mean it's a php attack. It just means the server is running php, and it can be hosting a javascript, applet, or browser attack.
Anyway, this link gets a resource from http://91.223.70.168/ok1/in.php (which hosts the actual exploit and payload). As this URL is not longer active I assume the guy is no longer active on the network. The IP address space is registered to an ISP in Latvia, so it could also be safe to assume its hosted on a personal dsl type line. I am not saying this is the attacker, just that this is the attacking IP. IP != Person
The email below originates from Taiwan. Look at the X-Originating-IP header below (112.105.145.118). 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sean G 
Sent: Wednesday, June 08, 2011 9:23 AM
To: security-basics () securityfocus com
Subject: Malicious PHP site(s)?

OK, for sometime now, I have been receiving odd emails from someone
whom I do not know at all.. "Seth Spangler" his email address changing
on an irregular basis. Basic it's just an email with a link that ends
with .php. I don't have a testing machine at my disposal as of
current.. I was wondering if some who knows php rather well, would be
able to inform me of what happens when the link is clicked? (I have
never clicked out to test it) or if you have heard of this person. If
not, I do understand this is a busy list. Feel free to contact me
directly as I would like to learn as much as possible about this --
well I assume it is an attack of some sort -- and what the
consequences are. From what I have observed thus far is that this
person has a long list of email address and is probably phising in one
manner or another.
Any help would be greatly appreciated.
***************************************
The following is one of the emails with headers and all:
__________________________START________________________________________

Delivered-To: vitamindster () gmail com
Received: by 10.220.193.135 with SMTP id du7cs67631vcb;
       Tue, 7 Jun 2011 20:05:01 -0700 (PDT)
Received: by 10.52.91.84 with SMTP id cc20mr173867vdb.306.1307502300568;
       Tue, 07 Jun 2011 20:05:00 -0700 (PDT)
Return-Path: <sethspangler4 () aol com>
Received: from imr-da06.mx.aol.com (imr-da06.mx.aol.com [205.188.169.203])
       by mx.google.com with ESMTP id n6si58107vdf.155.2011.06.07.20.05.00;
       Tue, 07 Jun 2011 20:05:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of sethspangler4 () aol com
designates 205.188.169.203 as permitted sender)
client-ip=205.188.169.203;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
sethspangler4 () aol com designates 205.188.169.203 as permitted sender)
smtp.mail=sethspangler4 () aol com; dkim=pass header.i=@mx.aol.com
Received: from mtaomg-mb03.r1000.mx.aol.com
(mtaomg-mb03.r1000.mx.aol.com [172.29.41.74])
by imr-da06.mx.aol.com (8.14.1/8.14.1) with ESMTP id p5834pQm029213
for <vitamindster () gmail com>; Tue, 7 Jun 2011 23:04:51 -0400
Received: from core-mde003a.r1000.mail.aol.com
(core-mde003.r1000.mail.aol.com [172.29.46.9])
by mtaomg-mb03.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id
8EF57E000089
for <vitamindster () gmail com>; Tue,  7 Jun 2011 23:04:51 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
s=20110426; t=1307502291;
bh=7XxGUUe9lFyI9UIeYcEEa+tewyLGqKEK+3u/cr6J4U0=;
h=To:Subject:MIME-Version:From:Content-Type:Message-Id:Date;
b=yEYXHTEzdiEp6+UvI05vZgUpgvQ4JnnF9XpjOHvoMdHCspyP5kpqulDvXbBgYTaOr
W65rDRxjrt2gxiJPiT9pA6c9C1BuWYZ5n4ksTAo7nmMAF0+H8YNzHAs1bTRleb5ISA
C3PTOS1KFAJrZ2xBlehoFXv7FWgbRpgCbv1En6uA=
To: vitamindster () gmail com
Content-Transfer-Encoding: quoted-printable
Subject: Re:..
X-MB-Message-Source: WebUI
X-AOL-IP: 112.105.145.118
X-MB-Message-Type: User
MIME-Version: 1.0
From: sethspangler4 () aol com
Content-Type: text/plain; charset="us-ascii"
X-Mailer: AOL Webmail 33790-MOBILE
Received: from 112.105.145.118 by webmail-m160.sysops.aol.com
(64.12.183.155) with HTTP (WebMailUI); Tue, 07 Jun 2011 23:04:51 -0400
Message-Id: <8CDF39FF7ED24D9-7D4-61DFA () webmail-m160 sysops aol com>
X-Originating-IP: [112.105.145.118]
Date: Tue, 7 Jun 2011 23:04:51 -0400 (EDT)
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:159035312:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d294a4deee6d328dd

http://orthodontic-clinic.gr/indexz45X.php



___________________________END________________________________________
--
If web address does not post please contact me and I either make a
plain text file and post on my site or I can forward you what I have
been receiving whichever is to your liking.
Thank you,
----
Sean Golash
University of District of Columbia
Student/Researcher/Consultant
Senior, BSIT Major* {**Emphasis on Security**}*
GeoLocation: Washington, DC
Web: http://seangolash.net

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. 

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Standard Bank email disclaimer and confidentiality note
Please go to http://www.standardbank.co.za/site/homepage/emaildisclaimer.html to read our email disclaimer and confidentiality note. Kindly email disclaimer () standardbank co za (no content or subject line necessary) if you cannot view that page and we will email our email disclaimer and confidentiality note to you. 

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. 

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: