RE: Scob infection statistics, etc..
From: David Gillett (gillettdavid_at_fhda.edu)
To: "'Hubbard, Dan'" <email@example.com>, <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, <firstname.lastname@example.org>, <email@example.com> Date: Mon, 28 Jun 2004 13:36:01 -0700
This is the *first* message about Scob I've seen that included any
of the kind of details that would have allowed me to try to protect
our network users.
Apparently, if there was online discussion about this as the
incident was unfolding, it wasn't on bugtraq or incidents. Was it
> -----Original Message-----
> From: Hubbard, Dan [mailto:firstname.lastname@example.org]
> Sent: Monday, June 28, 2004 11:53 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; email@example.com;
> Subject: Scob infection statistics, etc..
> If anyone is interested we have some information on the Scob Trojan
> "released" last week.
> * we saw customers visiting the Russian URL's starting June
> 22. All the
> sites are down but here is a list of the sites visited with frequency
> http://184.108.40.206:80/redir.php 2
> http://220.127.116.11/sht/shellscript.js 1
> http://18.104.22.168/thom.html 4
> http://22.214.171.124/smack.html? 1
> http://126.96.36.199/new.html 866
> http://188.8.131.52/fed.html 97
> http://184.108.40.206/msits.exe 208
> http://220.127.116.11/index.php 1193
> http://18.104.22.168/md.htm 169
> http://22.214.171.124/index1.htm 47
> http://126.96.36.199/dot.php 2665
> http://188.8.131.52/sht/its.html 4
> http://184.108.40.206/sht/msits.exe 9
> http://220.127.116.11/stat.php 205
> http://18.104.22.168/its.html 65
> http://22.214.171.124/shellscript_loader.js 1
> http://126.96.36.199:80/index.php 1
> http://188.8.131.52/sht/new.html 25
> http://184.108.40.206/sht/shellscript_loader.js 2
> http://220.127.116.11/redir.php 177
> http://18.104.22.168/shellscript.js 1
> http://22.214.171.124/sht/redir.php 24
> http://126.96.36.199:80/dot.php 34
> http://188.8.131.52:80/msits.exe 7
> http://184.108.40.206//main.chm 15
> http://220.127.116.11/sht/md.htm 11
> http://18.104.22.168/sht/md.html 13
> * as of Sunday we have identified more than 130 unique
> domains that are
> still infected.
> * all sites infected are running IIS 5.0 and SSL
> * all sites are infected on both HTTP and HTTPS URL's
> * sites IP addresses are located in USA (mostly web hosting ISP's),
> Australia, New Zealand, Canada, Japan, Spain, UK, and
> Norway). At least
> that is what arin, apnic, and ripe are reporting.
> * appears as though no sites certificates have been tampered
> * none of the sites still infected would be consider "top rated"
> * we have seen no unusual/increase in traffic in any of our honeypots
> Due to the number of sites infected, this leads me to believe
> that there
> is either a poorly written worm or that the source of the webserver
> exploit is out there. Does anyone have information on the exploit ? It
> would be interesting to see and then report on the number of
> that are vulnerable to this type of attack. Also, has anyone seen any
> new versions yet ?
- application/ms-tnef attachment: winmail.dat