Comments on: Dynamic DNS and Botnet of Zombie Web Servers

By: c

Wed, 28 Jul 2010 21:23:27 +0000

Most of them have /ts/in.cgi?(affiliateId) or just /in.cgi?(number) in the request url, most are connected with “Obodovsky Ivan Sergeevich”, who is listed as registrator not only for most of the proxy install sites, but also for the primary url “admin-click.com”, that can be accessed by overflowing the GET parameter of in.cgi
Also it seems that many high-profile russian sites were infected by it, including www .pravda.ru

By: Jasen

Jasen — Thu, 17 Dec 2009 11:26:02 +0000

Absolutely nginx doesn’t depend on anything that’s not extremely likely to be present on a server that runs apache,

It may even be possible to install and run it with only a webserver exploit (dodgy PHP page?), and no privilege escalation at all.

By: Malware Lab — Russian Malware Bundle

Malware Lab — Russian Malware Bundle — Fri, 06 Nov 2009 15:42:06 +0000

[...] http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/ and http://news.cnet.com/8301-10789_3-10040669-57.html and [...]

By: typedeaF

typedeaF — Tue, 06 Oct 2009 20:42:37 +0000

One more update. We have positively identified malicious content being uploaded via FTP with the Russian nginx:8080 iframes. So this would support the theory that possibly PC based malware is harvesting FTP credentials similar to the original Ibiza/Download.ject malware.

-Chad Wilson (typedeaF)

By: typedeaF

typedeaF — Mon, 21 Sep 2009 21:32:48 +0000

I have more specifics on a victim host.

It was a root level compromise (not speculating on weather it was simply ftp credentials or a priv escalation) . The nginx process was running as root

root 8299 0.0 0.0 12932 1104 ? Ss 12:28 0:00 nginx: master process /usr/local/nginx/sbin/nginx root 18708 0.0 0.1 16016 3860 ? S 16:00 0:00 \_ nginx: worker process root 18712 0.0 0.1 16016 4020 ? S 16:00 0:00 \_ nginx: worker process

Platform:
root@xxx [~]# uname -a Linux xxxxxxxxxxxxxx 2.6.24-23-xen #1 SMP Mon Jan 26 03:09:12 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux

root@xxx [~]# cat /etc/redhat-release CentOS release 5.3 (Final)

Here is the most significant information I obtained:

http://pastebin.com/m49d3f0c5

proxy_pass http:// mdvhost . com:4480;

Looks like the compromised servers are only proxies. In effect, the network is just a global load balancer?

>nc mdvhost . com 4480 GET /ts/in.cgi?open4 HTTP/1.1 Referer: http://xxxxxx:8080/ts/in.cgi?open4 Accept-Language: zh-cn,zh-hk,zh-tw,en-us User-Agent: Sosospider+(+http://help.soso.com/webspider.htm) Accept: */* Host: xxxxxxx Connection: Keep-Alive Accept-Encoding: gzip


HTTP/1.1 200 OK

Server: nginx

Date: Mon, 21 Sep 2009 19:26:19 GMT

Content-Type: text/plain

Connection: close

Content-Length: 166

Error: can't open redirects.log file (open4) Possible reasons: 1) cron is not working (read FAQ) 2) there is no urls in this scheme 3) there is no such scheme or user

Not sure what is going on there. But here is what we are used to seeing:

nc mdvhost . com 4480 GET /cache/readme.pdf HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Host: xxxxxxx Accept: */*


HTTP/1.1 200 OK

Server: nginx

Date: Mon, 21 Sep 2009 19:33:59 GMT

Content-Type: text/html

Connection: close

X-Powered-By: PHP/5.1.6

Expires: 0

Pragma: no-cache

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Cache-Control: private

Content-Length: 123

0000000000000000000000000000000000000000 0000000000000000000000000000000000000000 0000000000000000000000000000000000000000

Interesting. I will continue to dig around and provide what I find.

typedeaF

By: Benjamin

Benjamin — Mon, 21 Sep 2009 13:14:31 +0000

When you encounter new malware that’s undetectable on a Windows machine, you should be submitting it to MAPP

Just a tip.

By: typedeaF

typedeaF — Fri, 18 Sep 2009 04:23:17 +0000

Hey Denis, Thanks for letting us know about the suspected IP addresses. Here is what I can share about what I have found so far. Contrary to what I have been hearing, these rogue web servers do seem to be sending out malicious content. I have seen some requests with 0 content-len responses, but some requests for /index.php have been sending back the typical obfuscated payloads. Also, there have been requests for pdf documents that were also served back. I can only guess that they are playing with various attack vectors and the recent adobe vulns was the vector here. Unfortunately, I was not capturing enough of the packet to reassemble the entire malicious payload, but here is a snippit of what is returned snippit Here is a list of the top requests that we saw coming across. gets I will get back to you probably this weekend after I get a chance to analyze everything. -Chad

By: i'm a server admin

i'm a server admin — Thu, 17 Sep 2009 01:54:44 +0000

i’m also a web developer and not only were my clients sites hacked, but also my own personal homepage which is on a shared hosting plan from the same russian shared linux company. all started about a week ago. email me if you need any more info.

By: Ron

Ron — Wed, 16 Sep 2009 14:40:46 +0000

Hi Denis,

I completed my Nmap script that I had talked about previously. It seems to work against the servers I found, and hasn’t generated any false positives (I don’t really expect it to). You can find my writeup here:

http://www.skullsecurity.org/blog/?p=340

I naturally linked your post from my blog, the Nmap CHANGELOG, the script documentation, etc. :)

Ron

By: vas

vas — Tue, 15 Sep 2009 20:51:46 +0000

… and they even can download complied binary of nginx and run it.