CastleCops® [WsIRT#1186] OS Disclosure, RFI Scanner Public, Simple PHP I

Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

Forum FAQ

Usergroups

Profile

Select FavForums

[WsIRT#1186] OS Disclosure, RFI Scanner Public, Simple PHP I

All -> FavForums -> WsIRT Reports

[del.icio.us!] [digg it!] [reddit!]

View previous topic :: View next topic

Author

Message

Paul

CastleCops Founder

Joined: Feb 22, 2002
Posts: 27351

Posted: Mon Dec 24, 2007 5:24 am Post subject: [WsIRT#1186] OS Disclosure, RFI Scanner Public, Simple PHP I

Attack Alert

Full Report: CastleCops Link /OS_Disclosure_RFI_Scanner_Public_Simple_PHP_Injection_id_Disclosure_attack1186.html

mic.txt, if successfully injected into a susceptible web server, will attempt to download an RFI Scanner:

############################################################################
# RFI Scanner
# Public Version Pitbull Smile
#
# This one contains the following engines :
# Google, UOL, Libero, MSN, AllTheWeb, ASK, AOL, UOL, Lycos, FireBall, Yahoo
#
# Yahoo is Fixxed Wink
#
############################################################################

Found at http://www.pcr.ac.id/~rina/includes/file/x.txt

If x.txt is successfully downloaded and executed, there are a couple variables pointing to:

http://www.lasiestamadrid.com//portal/images/zoom/PEASCH/sample.jpg?
http://trimedia-online.net/ihmank/id.txt?

There is also a server connection to lelakibiasa.indoirc.net on port 6667 using the nick "PcrX- followed by a random number.

channel and hacked by karawanghack (karawanghackerlink)

Simple PHP Injection - *nix & *BSD OnLy

http://www.pcr.ac.id/~rina/includes/file/37.txt?? attempts to download http://www.pcr.ac.id/~rina/includes/file/xx.txt which is the rfi scanner. In it is a URL: http://www.pcr.ac.id/~rina/includes/file/37.txt?

http://www.pcr.ac.id/~rina/includes/db/mc2.txt?? calls http://www.pcr.ac.id/~rina/includes/db/x.txt

http://www.pcr.ac.id/~rina/includes/file/all.txt?? calls http://www.pcr.ac.id/~rina/includes/file/x.txt

http://www.pcr.ac.id/~rina/includes/db/gab.txt? calls http://www.pcr.ac.id/~rina/includes/db/z.txt

Changed status to confirmed attack.

All these files found in this report are setup to permit attackers compromise of remote webservers by injecting them. Please remove them immediately.

IP Converted: 89.248.100.178

dword = 1509450930
hex1 = 0x59f864b2
hex2 = 0x59.0xf8.0x64.0xb2
oct = 0131.0370.0144.0262

IP Converted: 71.18.186.181

dword = 1192409781
hex1 = 0x4712bab5
hex2 = 0x47.0x12.0xba.0xb5
oct = 0107.022.0272.0265

View CIDR AS42237 Report: http://www.cidr-report.org/cgi-bin/as-report?as=42237

"42237 | ES | ripencc | 2007-01-23 | INTERDOMINIOS Grupo Interdominios S.A."<br />

Extended information for AS42237:
State/Province:
Country:
Responsible Domain: interdominios.com
Abuse Email: admin@interdominios.com

IP Converted: 124.81.214.3

dword = 2085737987
hex1 = 0x7c51d603
hex2 = 0x7c.0x51.0xd6.0x3
oct = 0174.0121.0326.03

View CIDR AS32392 Report: http://www.cidr-report.org/cgi-bin/as-report?as=32392

"32392 | US | arin | 2004-04-26 | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation"<br />

Extended information for AS32392:
State/Province: ky
Country: us
Responsible Domain: ecommerce.com
Abuse Email: abuse@ecommerce.com

View CIDR AS4795 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4795

"4795 | ID | apnic | 1996-10-30 | INDOSAT2-ID INDOSATM2 ASN"<br />

Extended information for AS4795:
State/Province:
Country: id
Responsible Domain: indosat.net.id
Abuse Email: abuse@indosat.net.id

Quote:

http://www.pcr.ac.id/~rina/includes/file/mic.txt?

	All -> FavForums -> WsIRT Reports	All times are GMT
Page 1 of 1

You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 183ppm 0.424s (0.097s) Making cybercriminals unhappy since 2002*