More Webserver / IE Exploits

From: Hubbard, Dan (dhubbard_at_websense.com)
Date: 07/19/04

    Date: Mon, 19 Jul 2004 14:10:06 -0700
    To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, <bugtraq@securityfocus.com>, <incidents@securityfocus.com>
    
    

    We have discovered more than 300 websites that include malicious code
    that will attempt to run a program on your machine without end-user
    intervention. Similar to the recent Scob attack, a dual-pronged approach
    of exploiting vulnerable servers and clients is being used.

    There is no commonality on the web server side with the exception of 164
    sites that are all hosted by the same hosting facility in Florida.

    Details on the hosting facility in Florida:

    The site that includes the exploit code is:

    http://www.karl-marx.ru/
    And the counter is located at:
    http://www.karl-marx.ru/counter.php

    We were not able to download and research the code as it was unavailable
    at the time of this report.

    Detailed infected URLs:
    http://www.karl-marx.ru//main.chm
    http://www.karl-marx.ru/counter.php
    http://www.karl-marx.ru/script.php?
    http://www.karl-marx.ru/wcmd.htm
    IP: 207.36.201.106

    The IP address is owned by an ISP in Florida who has been notified.

    All of the sites are also hosted by the same ISP in Florida but
    appear to be on a different machine with the IP address. All sites are
    Vhosted.

    IP: 207.150.192.12

    The exploits are utilizing IE vulnerabilities like the following: (a
    variety of uses with .CHM).

    http://www.microsoft.com/technet/security/bulletin/ms04-023.mspx

    Server-side Vulnerability exploited:

    It is not clear how the server(s) were compromised, but the hosting
    facility has been contacted and we are waiting to hear from them to get
    details.

    The webserver that was infected most was running Apache/1.3.26 (Unix)
    mod_mhp mod_mhp_log mod_virtcgi frontPage/5.0 mod_status_mhp.

    The other 140 servers that are using the CHM exploit are a variety of
    Web Servers including Apache and IIS. Also, many are running PHP.
    Although evidence shows that most have been exploited, some also appear
    to be knowingly using this vulnerability to install spyware and other
    tools on your machine without your knowledge (10 sites using
    exploit.chm).

    Details on WebServers:

    Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.3.4 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25
    Apache/1.3.22 (Unix) PHP/4.1.1 mod_perl/1.26 rus/PL30.9
    Apache/1.3.26 (Unix)
    Apache/1.3.26 (Unix) mod_mhp mod_mhp_log mod_virtcgi frontPage/5.0 mod_status_mhp
    Apache/1.3.26 (Unix) PHP/4.1.2
    Apache/1.3.26 (Unix) PHP/4.3.4 FrontPage/5.0.2.2510
    Apache/1.3.27 OpenSSL/0.9.6 (Unix) FrontPage/5.0.2.2634 PHP/4.3.4
    Apache/1.3.27 (Unix) FrontPage/5.0.2.2634
    Apache/1.3.27 (Unix) PHP/3.0.18
    Apache/1.3.27 (Unix) PHP/4.2.3 mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
    Apache/1.3.27 (Unix) PHP/4.3.2
    Apache/1.3.27 (Unix) PHP/4.3.4
    Apache/1.3.27 (Unix) (Red-Hat/Linux) FrontPage/5.0.2.2623 mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.3.6 mod_perl/1.26 mod_webapp/1.2.0-dev
    Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_perl/1.26 PHP/4.3.3 FrontPage/5.0.2 mod_ssl/2.8.12 OpenSSL/0.9.6b
    Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.3.3 mod_perl/1.26
    Apache/1.3.28 (Unix)
    Apache/1.3.28 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.2 FrontPage/5.0.2.2634 mod_ssl/2.8.15 OpenSSL/0.9.6b
    Apache/1.3.28 (Unix) PHP/4.3.3
    Apache1.3.29 - ProXad [Jun 9 2004 15:20:12]
    Apache/1.3.29 (Unix) FrontPage/5.0.2.2623
    Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.6b
    Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a PHP/4.3.8
    Apache/1.3.29 (Unix) mod_layout/3.2.1 PHP/4.3.4
    Apache/1.3.29 (Unix) mod_watch/2.3
    Apache/1.3.29 (Unix) PHP/4.3.2-RC
    Apache/1.3.29 (Unix) PHP/4.3.4
    Apache/1.3.29 (Unix) PHP/4.3.5
    Apache/1.3.29 (Unix) PHP/4.3.8
    Apache/1.3.29 (Unix) (Red-Hat/Linux) PHP/4.3.8
    Apache/1.3.31 (Unix)
    Apache/1.3.31 (Unix) FrontPage/5.0.2.2635 PHP/4.3.7
    Apache/1.3.31 (Unix) mod_accounting/0.5l mod_ssl/2.8.18 OpenSSL/0.9.7d mod_deflate/1.0.21
    Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634a mod_ssl/2.8.18 OpenSSL/0.9.7a
    Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.18 OpenSSL/0.9.6b
    Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_tsunami/2.0 mod_bwprotect/0.2 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.4 FrontPage/5.0.2.2634a mod_ssl/2.8.18 OpenSSL/0.9.7d
    Apache/1.3.31 (Unix) mod_python/2.7.10 Python/2.2.2 mod_webapp/1.2.0-dev mod_perl/1.29 mod_throttle/3.1.2 PHP/4.3.4 FrontPage/5.0.2.2510 mod_ssl/2.8.18 OpenSSL/0.9.7d
    Apache/2.0.39 (Unix) mod_perl/1.99_07-dev Perl/v5.6.1
    Apache/2.0.40 (Red Hat Linux)
    Apache/2.0.47
    Apache/2.0.47 (Unix) PHP/4.3.3
    Apache/2.0.47 (Unix) PHP/4.3.4
    Apache/2.0.49 (Fedora)
    Apache/2.0.49 (Unix) PHP/4.3.5
    Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6mdk) PHP/4.2.3 sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g
    Microsoft-IIS/5.0
    Microsoft-IIS/6.0 SHS
    Squeegit/1.2.5 (3_sir)
    .V15 Apache/1.3.26 (Unix) mod_fs 6.005
    Zeus/3.4
    Zeus/4.2

    _______________________________
    Dan Hubbard
    Security & Technology Research
    Websense, Inc.
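As an added defender-side example (not part of Dan Hubbard's post), a small Python scanner that runs over proxy log lines looking for the indicators named above: requests to the karl-marx.ru host or the two IP addresses, and any .chm download, which is the client-side vector the post ties to MS04-023. The Common Log Format layout and the sample lines are assumptions constructed for this example.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Indicators quoted in the post: the exploit host, its IP, and the shared IP of the victim vhosts
EXPLOIT_HOSTS = {"www.karl-marx.ru", "karl-marx.ru", "207.36.201.106", "207.150.192.12"}

# Proxy log in Common Log Format with absolute request URLs (assumed format for this example)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)
Hit = namedtuple("Hit", "client url reason")


def classify(url):
    """Return why a URL is suspicious, or None if it is not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Collapse doubled slashes such as the "//main.chm" seen in the post's URL list
    path = re.sub(r"/{2,}", "/", parts.path).lower()
    if host in EXPLOIT_HOSTS:
        return "known exploit host"
    if path.endswith(".chm"):
        # Compiled HTML Help files are the client-side vector (MS04-023 family)
        return "CHM download from an unlisted host"
    return None


def scan_log(lines):
    """Run classify() over each parseable log line and collect the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash
        reason = classify(m.group("url"))
        if reason:
            hits.append(Hit(m.group("client"), m.group("url"), reason))
    return hits


# Constructed sample log (not from the post); client IPs and victim-site.example are made up
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2004:14:10:06 -0700] "GET http://www.example.com/index.html HTTP/1.0" 200 5120
10.0.0.5 - - [19/Jul/2004:14:10:07 -0700] "GET http://www.karl-marx.ru/counter.php HTTP/1.0" 200 311
10.0.0.5 - - [19/Jul/2004:14:10:08 -0700] "GET http://www.karl-marx.ru//main.chm HTTP/1.0" 200 17408
10.0.0.9 - - [19/Jul/2004:14:12:01 -0700] "GET http://victim-site.example/exploit.chm HTTP/1.0" 200 17408
10.0.0.9 - - [19/Jul/2004:14:12:02 -0700] "GET http://207.150.192.12/script.php? HTTP/1.0" 200 80
this line is not in log format and must be skipped
"""
```

Calling `scan_log(SAMPLE_LOG.splitlines())` returns four hits and silently skips the malformed line; a bare .chm hit from an unlisted host is worth a look even when no known indicator matches, since the post counts ten sites serving exploit.chm on their own.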

