Security Incidents mailing list archives

RE: Scob infection statistics, etc..


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 28 Jun 2004 13:36:01 -0700

  This is the *first* message about Scob I've seen that included any
of the kind of details that would have allowed me to try to protect
our network users.
  Apparently, if there was online discussion about this as the
incident was unfolding, it wasn't on bugtraq or incidents.  Was it
on NTBugtraq?

Dave Gillett

-----Original Message-----
From: Hubbard, Dan [mailto:dhubbard () websense com]
Sent: Monday, June 28, 2004 11:53 AM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM; incidents () securityfocus com;
bugtraq () securityfocus com
Subject: Scob infection statistics, etc..


If anyone is interested we have some information on the Scob Trojan
"released" last week.

* we saw customers visiting the Russian URLs starting June 22. All the sites are down but here is a list of the sites visited with frequency counters.

* as of Sunday we have identified more than 130 unique domains that are still infected.
* all sites infected are running IIS 5.0 and SSL
* all sites are infected on both HTTP and HTTPS URLs
* sites' IP addresses are located in USA (mostly web hosting ISPs), Australia, New Zealand, Canada, Japan, Spain, UK, and Norway. At least that is what arin, apnic, and ripe are reporting.
* appears as though no sites' certificates have been tampered with
* none of the sites still infected would be considered "top rated" websites
* we have seen no unusual increase in traffic in any of our honeypots

Due to the number of sites infected, this leads me to believe that there is either a poorly written worm or that the source of the webserver exploit is out there. Does anyone have information on the exploit? It would be interesting to see and then report on the number of webservers that are vulnerable to this type of attack. Also, has anyone seen any new versions yet?

Thanks

