Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

WsIRT^(TM)

Webserver Incident Reporting and Termination^(TM) Squad

NOTE: Web servers have logs and in those logs is evidence of attempted hacking. For instance, one may notice an attack that calls such a script from a remote server "r57.php??". Its these kinds of attacks we're looking to investigate. For a concrete example, see these reports.

Please do not submit phish, spam, or malware to WsIRT. Only submit attack signatures from web server logs. As this project hasn't officially been publicly launched, we are still reclassifying the tool and its verbiage.

[ How-To / FAQ ]

WsIRT -> Confirmed Attacks | Terminated Attacks

status: confirmed attack

HTTP Response 15 Jul, 2008 02:13:27	HTTP/1.1 404 Not Found
ID	1101 (termination link)
Title	r57shell
Entry	http://www.netpressz.hu/wap/a.txt
WsIRT Squad Reporter	downie
Timestamp	18 Dec, 2007 @ 04:03:28
Topic ID	211102 - Read/respond to WsIRT commentary.
Handler Note: 22 Dec, 2007 16:43:04	Paul: Please remove this script, it is being used by criminals to take over remote web servers by injection. It gives them shell access.
Handler Note: 22 Dec, 2007 16:43:47	Paul: View CIDR AS3340 Report: http://www.cidr-report.org/cgi-bin/as-report?as=3340 "3340 \| EU \| ripencc \| 1995-03-31 \| DataNet Telecommunication Ltd."
Handler Note: 22 Dec, 2007 16:43:48	Paul: Extended information for AS3340: State/Province: Country: hu Responsible Domain: datanet.hu Abuse Email: abuse@datanet.hu
Handler Note: 22 Dec, 2007 16:45:25	Paul: Generated and sent email attack alert to respective parties.
Fetched URLs	http://www.netpressz.hu/wap/a.txt

Report for at 18 Dec, 2007 @ 04:03:22

whois

at 18 Dec, 2007 @ 04:03:28

GeekTools Whois Proxy v5.0.4 Ready.
Checking access for CastleCops WsIRT... ok.

Checking server [whois.nic.hu]
Results:
% Whois server 1.99B

Rights restricted by copyright. Szerz�i jog fenntartva.
-Legal usage of this service requires that you agree to
abide by the rules and conditions set forth at
http://www.domain.hu/domain/English/domainsearch/feltetelek.html
-A szolgaltatas csak a
http://www.domain.hu/domain/domainsearch/feltetelek.html c�men
el�rhet� felt�telek elfogad�sa �s betart�sa mellett
haszn�lhat� leg�lisan.

domain:         netpressz.hu
org:            Private person
org:            org_name_hun: Lezs�n Csaba
hun-id:         0991234255
admin-c:        2000288632
tech-c:         2000251555
zone-c:         2000413401
domain_pri_ns:  ns.vietnamfree.com[195.56.146.224]
registered:     2006.03.28 11:01:43
changed:        2006.03.28 11:01:43
registrar:      1000308097

person:         Lezs�n Csaba
address:        M�ria u.
address:        1161 Budapest
address:        HU
phone:          +36209423410
fax-no:
hun-id:         2000288632

person:         Ha Tuan Nguyen
address:        Torn�c utca 8.
address:        1141 Budapest
address:        HU
phone:          +36 70 318 1847
fax-no:
e-mail:         dexi1@tvn.hu
hun-id:         2000251555

person:         TVN.HU Hostmaster
address:        Tatai utca 106
address:        1131 Budapest
address:        HU
phone:          0620-960-3321
fax-no:         220-9780
hun-id:         2000413401

org:            org_name_eng: TVN.HU Ltd.
org:            org_name_hun: TVN.HU Kft. (Registrar)
address:        Tatai u. 106. I. 4.
address:        1131 Budapest
address:        HU
phone:          +36 70 201 3278
fax-no:         +36 220 9780
hun-id:         1000308097

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (CastleCops WsIRT) has visited 566 times today.

whois

at 22 Dec, 2007 @ 16:43:02

GeekTools Whois Proxy v5.0.4 Ready.
Checking access for CastleCops WsIRT... ok.
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '195.56.146.224 - 195.56.146.239'

inetnum:        195.56.146.224 - 195.56.146.239
netname:        TVN-HU-COLOCATION
descr:          TVN.HU Ltd.
descr:          Budapest
country:        HU
admin-c:        HTN2-RIPE
tech-c:         HTN2-RIPE
tech-c:         ZR1-RIPE
rev-srv:        ns.datanet.hu
rev-srv:        ns3.datanet.hu
status:         ASSIGNED PA
mnt-by:         AS3340-MNT
source:         RIPE # Filtered

person:         Ha Tuan Nguyen
address:        TVN.HU Ltd.
address:        Tatai utca 106.
address:        H-1131 Budapest
address:        Hungary
phone:          +36 70 3181847
fax-no:         +36 1 2209780
nic-hdl:        HTN2-RIPE
source:         RIPE # Filtered

person:         Zsolt Raksanyi
address:        GTS-DataNet Telecommunications Ltd.
address:        Ipartelep u. 13-15.
address:        H-2040 Budaors
address:        Hungary
phone:          +36 1 8144351
fax-no:         +36 1 8144499
abuse-mailbox:  abuse@datanet.hu
nic-hdl:        ZR1-RIPE
source:         RIPE # Filtered

% Information related to '195.56.0.0/16AS3340'

route:        195.56.0.0/16
descr:        DataNet Telecommunications Ltd.
descr:        Public Internet Access Provider
descr:        Hungary
origin:       AS3340
mnt-by:       AS3340-MNT
source:       RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (CastleCops WsIRT) has visited 1 times today.

fetched page

at 18 Dec, 2007 @ 04:03:25
MD5 Fingerprint: 07b4494e75af3ccf0cc157728488e84e
SHA1 Fingerprint: 5ce9544b6f1c6820675d27d09d0fc33b2acdfef6

Version 1.0


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 145ppm 0.294s (0.03s) Making cybercriminals unhappy since 2002*

WsIRT^(TM)

Webserver Incident Reporting and Termination^(TM) Squad

status: confirmed attack

Report for at 18 Dec, 2007 @ 04:03:22

whois

whois

dig any

host

host

fetched page

Corresponding BGP Origin ASN

Possible BGP peer ASNs one AS hop away from BGP Origin ASN

AS Description of a given BGP ASN

WsIRT(TM)

Webserver Incident Reporting and Termination(TM) Squad

status: confirmed attack

Report for at 18 Dec, 2007 @ 04:03:22

whois

whois

dig any

host

host

fetched page

Corresponding BGP Origin ASN

Possible BGP peer ASNs one AS hop away from BGP Origin ASN

AS Description of a given BGP ASN

WsIRT^(TM)

Webserver Incident Reporting and Termination^(TM) Squad