Sunday, January 24, 2010

Infected sites and Google Alerts

Not as much on OS fingerprinting, but due to alerts I have setup from google alerts on fingerprinting I've been getting a look at a couple hundred sites that have been taken over in some form or another since just before Christmas. I'm getting google to notify me of compromised sites and I don't want it anymore, I want to go back to useful alerts for new info on fingerprinting out there!

Sites end up being:
http://somewhere.wherever/5-6 character junk/

The first 2 I saw I actually dropped notes to those compromised and was happy to see them clean them up, patched I have no idea, but cleaned up.

Everything was Apache from what I could tell doing Banner Grabbing with Satori. It wasn't something I was too worried about, but .....

Could be an apache hole, openssl, php, etc. Hard to say.

Looking at one that has been compromised since Christmas the following layout is there:
1g
1r.txt
1t
2.js
2r.txt
academia.php
accenture.php
....
fingeprinting.php
...
passive.php


1g -
file seems to list a ton of other sites, possibly ones compromised or possibly ones to dump you off to. I played around a bit with it back at Christmas, assumed the problem would go away and forgot about it for the most part. But since it is a month later and I'm still getting new ones each day I figured I'd at least post something on it.

1t -
possibly usernames it is trying

2r -
php files it is going to create

Simple search to find pages with google to get an idea:
"fingerprinting the dead with rigor morits"

Based on file times I assume there is some type of automated scan they are doing and dumping their first .php file on it. Then someone is going through those lists 12-24 hours later and uploading the rest. Just looking at timestamps on the files there is typically one file created on day 0, then all the others get created the next day, but not all at the same time, one here, one there.

Anyway, if anyone is going to go poking around, make sure you just the subdir (directory listing is turned on in all the ones I looked at), such as:
http://xxxxxxxx.com/z1jyed/fingerprinting.php
only go to:
http://xxxxxxxx.com/z1jyed/

Oh yeah, I was going to go poke around on some of my Apache boxes and make sure they weren't compromised. Maybe tomorrow.

No comments: