Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

WsIRT^(TM)

Webserver Incident Reporting and Termination^(TM) Squad

NOTE: Web servers have logs and in those logs is evidence of attempted hacking. For instance, one may notice an attack that calls such a script from a remote server "r57.php??". Its these kinds of attacks we're looking to investigate. For a concrete example, see these reports.

Please do not submit phish, spam, or malware to WsIRT. Only submit attack signatures from web server logs. As this project hasn't officially been publicly launched, we are still reclassifying the tool and its verbiage.

[ How-To / FAQ ]

WsIRT -> Confirmed Attacks | Terminated Attacks

status: confirmed attack

HTTP Response 15 Jul, 2008 02:13:25	HTTP/1.1 502 Proxy Error
ID	1017 (termination link)
Title	MyShell
Entry	http://makebuy.50webs.com/admin.php
WsIRT Squad Reporter	downie
Timestamp	16 Dec, 2007 @ 21:59:19
Topic ID	210717 - Read/respond to WsIRT commentary.
Handler Note: 18 Dec, 2007 03:01:48	Paul: Criminals are attempting to inject this script into remote webservers which if successful gives them control and permits them to do nefarious things. Please remove it immediately.
Handler Note: 18 Dec, 2007 03:02:23	Paul: View CIDR AS19166 Report: http://www.cidr-report.org/cgi-bin/as-report?as=19166 "19166 \| US \| arin \| 2005-05-31 \| ALPHARED-HOUSTON - Alpha Red, INC"
Handler Note: 18 Dec, 2007 03:02:24	Paul: Extended information for AS19166: State/Province: tx Country: us Responsible Domain: alphared.com Abuse Email: james@alphared.com
Handler Note: 18 Dec, 2007 03:03:12	Paul: Generated and sent email attack alert to respective parties.
Fetched URLs	http://makebuy.50webs.com/admin.php

Report for at 16 Dec, 2007 @ 21:59:12

whois

at 16 Dec, 2007 @ 21:59:17

GeekTools Whois Proxy v5.0.4 Ready.
Checking access for CastleCops WsIRT... ok.

Checking server [whois.crsnic.net]

Checking server [whois.enom.com]
Results:
=-=-=-=
Visit AboutUs.org for more information about 50webs.com
<a href="http://www.aboutus.org/50webs.com">AboutUs: 50webs.com</a>

Registration Service Provided By: Supreme Center
Contact: support@propersupport.com
Visit: http://www.propersupport.com/

Domain name: 50webs.com

Administrative Contact:
   Supreme Center
   LiquidNet Ltd. (support@propersupport.com)
   +1.2079932768
   Fax:
   28 Kersfield House
   London,  SW15 3HJ
   GB

Technical Contact:
   Supreme Center
   LiquidNet Ltd. (support@propersupport.com)
   +1.2079932768
   Fax:
   28 Kersfield House
   London,  SW15 3HJ
   GB

Registrant Contact:
   Supreme Center
   LiquidNet Ltd. (support@propersupport.com)
   +1.2079932768
   Fax:
   28 Kersfield House
   London,  SW15 3HJ
   GB

Status: Locked

Name Servers:
   dns1.50webs.com
   dns2.50webs.com

Creation date: 18 Oct 2004 13:43:54
Expiration date: 18 Oct 2008 13:43:54
=-=-=-=
The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about or
related to a domain name registration record. We make this information
available "as is," and do not guarantee its accuracy. By submitting a
whois query, you agree that you will use this data only for lawful
purposes and that, under no circumstances will you use this data to: (1)
enable high volume, automated, electronic processes that stress or load
this whois database system providing you this information; or (2) allow,
enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic
mail, or by telephone. The compilation, repackaging, dissemination or
other use of this data is expressly prohibited without prior written
consent from us.

We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.
Version 6.3 4/3/2002

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (CastleCops WsIRT) has visited 379 times today.

whois

at 18 Dec, 2007 @ 03:01:48

GeekTools Whois Proxy v5.0.4 Ready.
Checking access for CastleCops WsIRT... ok.
Final results obtained from whois.arin.net.
Results:

OrgName:    Alpha Red, INC
OrgID:      ALPHA-14
Address:    1415 Louisiana
Address:    STE 2220
City:       Houston
StateProv:  TX
PostalCode: 77002
Country:    US

ReferralServer: rwhois://rwhois.alphared.com:4321/

NetRange:   64.72.112.0 - 64.72.127.255
CIDR:       64.72.112.0/20
NetName:    ALPHARED-HOUSTON-A
NetHandle:  NET-64-72-112-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS1.ALPHARED.COM
NameServer: DNS2.ALPHARED.COM
NameServer: DNS3.ALPHARED.COM
NameServer: DNS4.ALPHARED.COM
Comment:
RegDate:    2006-02-10
Updated:    2007-09-24

RAbuseHandle: ALPHA-ARIN
RAbuseName:   AlphaRed Abuse
RAbusePhone:  +1-713-739-0415
RAbuseEmail:  abuse@alphared.com

RTechHandle: ARS21-ARIN
RTechName:   Alpha Red Support
RTechPhone:  +1-713-739-0415
RTechEmail:  arin.support@alphared.com

OrgAbuseHandle: ALPHA-ARIN
OrgAbuseName:   AlphaRed Abuse
OrgAbusePhone:  +1-713-739-0415
OrgAbuseEmail:  abuse@alphared.com

OrgTechHandle: ARS21-ARIN
OrgTechName:   Alpha Red Support
OrgTechPhone:  +1-713-739-0415
OrgTechEmail:  arin.support@alphared.com

# ARIN WHOIS database, last updated 2007-12-17 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (CastleCops WsIRT) has visited 47 times today.

fetched page

at 16 Dec, 2007 @ 21:59:15
MD5 Fingerprint: df38c05eb2d3c16b8aed54efe57dfa5d
SHA1 Fingerprint: 37b57aeea23c995ad0769dd0b0600913f2c764ba

Version 1.0


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 129ppm 0.141s (0.018s) Making cybercriminals unhappy since 2002*

WsIRT^(TM)

Webserver Incident Reporting and Termination^(TM) Squad

status: confirmed attack

Report for at 16 Dec, 2007 @ 21:59:12

whois

whois

dig any

host

host

fetched page

Corresponding BGP Origin ASN

Possible BGP peer ASNs one AS hop away from BGP Origin ASN

AS Description of a given BGP ASN

WsIRT(TM)

Webserver Incident Reporting and Termination(TM) Squad

status: confirmed attack

Report for at 16 Dec, 2007 @ 21:59:12

whois

whois

dig any

host

host

fetched page

Corresponding BGP Origin ASN

Possible BGP peer ASNs one AS hop away from BGP Origin ASN

AS Description of a given BGP ASN

WsIRT^(TM)

Webserver Incident Reporting and Termination^(TM) Squad