
Friday 10 August 2012

Complete details of the Dorifel servers, including its 'master' server in Austria


Below are my findings on the two servers used in the (targeted) attack, which mainly took place in the Netherlands.

We have two server setups that are close to identical. Their IP addresses are:
184.22.103.202 (domain: reslove-dns.com)
184.82.162.163 (domains: 10ba.com, windows-update-server.com, wsef32asd1.org, dns-local.org)
Both are hosted within AS21788.

From here on I treat both IP addresses as one server, or as two proxies in front of the same server.

Both have the following ports open:
PORT      STATE    SERVICE              VERSION
22/tcp    open     ssh                  OpenSSH 5.5p1 Debian 6 (protocol 2.0)
80/tcp    open     http                 nginx 0.7.67
111/tcp   open     rpcbind (rpcbind V2) 2 (rpc #100000)
545/tcp   open     http                 Apache httpd 2.2.16
2407/tcp  open     http                 Apache httpd 2.2.3 ((CentOS))
2408/tcp  open     http                 Apache httpd 2.2.3
41666/tcp open     status (status V1)   1 (rpc #100024)

The SSH host keys are:
 | ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
 |_ 2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Identical host keys on supposedly different hosts mean the same machine (or the same disk image) is answering, which is what makes the fingerprint a useful pivot. Googling both fingerprints brings up this page, which points us to another IP address and domain name to investigate: 184.22.62.88 with the domain passget.com (dated 2011-10-26 04:22). On that host SSH ran on port 222 instead of 22.
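The host-key pivot used above, as an added example (not code from the original post): given ssh-keyscan style output, compute the MD5 fingerprint in the colon form that nmap prints and the SHA256 form that newer OpenSSH prints, then group hosts that present the same key. Two addresses answering with one host key are either the same machine or proxies in front of it, which is exactly the situation with the two Dorifel servers. The addresses and key blobs in the sample are constructed; the blobs are syntactically valid ssh-rsa wire format but not real keys.

```python
"""Pivot on SSH host-key fingerprints across scanned hosts.

Added example, not code from the original post. Given ssh-keyscan style lines
('host keytype base64blob'), compute the MD5 (nmap / legacy OpenSSH style) and
SHA256 (OpenSSH >= 6.8 style) fingerprints and group hosts that present the
same key. Hosts, addresses and key blobs below are constructed.
"""
import base64
import hashlib
from collections import defaultdict


def fingerprints(b64_blob):
    """Return (md5_colon_hex, sha256_b64) fingerprints of an SSH public-key blob."""
    raw = base64.b64decode(b64_blob)
    md5 = hashlib.md5(raw).hexdigest()
    md5_colon = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return md5_colon, "SHA256:" + sha


def parse_keyscan(lines):
    """Yield (host, keytype, blob) from ssh-keyscan output; comments and junk are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def cluster_by_hostkey(lines):
    """Map MD5 fingerprint -> sorted list of hosts presenting that key."""
    groups = defaultdict(set)
    for host, _ktype, blob in parse_keyscan(lines):
        md5_fp, _ = fingerprints(blob)
        groups[md5_fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def shared_keys(lines):
    """Only the clusters with more than one host: the pivot candidates."""
    return {fp: hosts for fp, hosts in cluster_by_hostkey(lines).items() if len(hosts) > 1}


def _fake_rsa_blob(modulus):
    """Build a syntactically valid ssh-rsa wire blob (constructed test data, not a real key)."""
    def field(b):
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)).decode()


# Constructed sample: two hosts share one key (the situation in the post), a third differs.
KEY_A = _fake_rsa_blob(b"\x00" + bytes(range(1, 64)))
KEY_B = _fake_rsa_blob(b"\x00" + bytes(range(64, 127)))
SAMPLE = [
    "# constructed ssh-keyscan output",
    f"192.0.2.10 ssh-rsa {KEY_A}",
    f"192.0.2.11 ssh-rsa {KEY_A}",
    f"192.0.2.12 ssh-rsa {KEY_B}",
]

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE).items():
        print(f"{fp}  shared by {', '.join(hosts)}")
```

Feed it the output of `ssh-keyscan -t rsa,dsa host1 host2 ...`. The MD5 column is the form the post Googled; older write-ups and nmap reports carry that colon form, so it is the one to search on, while the SHA256 form is what a current `ssh` client shows when it first connects.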

Directory listing of 184.22.103.202 and 184.82.162.163 (nginx/0.7.67, PHP/5.3.3-7+squeeze13):
/index/
/icons/
 |_/small/
/www/
 |_/images/
 |_/secure/ (Fragus login)
       |_/files/ (virus binaries)
               |_23 (Virustotal)
               |_24 (Virustotal)
               |_25 (Virustotal)
               |_26 (Virustotal)
               |_27 (Virustotal)
               |_28 (Virustotal)
               |_29 (Virustotal)
               |_30 (Virustotal)
               |_31 (Virustotal)
               |_32 (Virustotal)
       |_/templates/
               |_/english/ (Fragus login)
/web/
 |_/mak/
/doc/
/cgi-bin/
/img/
/uk/
/jump/
/ssl/
 |_ /milk/ (phpMyAdmin)
 |_/billk/
/bl/
/gl/
/ppp/ (password login)
 |_/css/
      |_/css/
      |_/ajax/
 |_/img/
 |_/data/
 |_/install/
      |_/install/
 |_/temp/
      |_/stat/
      |_/options/
      |_/temp/
      |_/config/
 |_/script/
      |_/script/
 |_/ppp/
      |_/bd/
      |_/card/
      |_/bot/
      |_/priv/
      |_/del/
      |_/c2txt2c/
      |_/virustxt/
      |_/govtxt/
      |_/xls/
      |_/searchform/
      |_/convertxtodvd/
      |_/intellitxt/
      |_/1txt1/
      |_/search_txt/
      |_/pictlogotxt110x60/
      |_/1txt2/
      |_/1txt3/
      |_/login_txt/
      |_/customnews_txt/
      |_/password_txt/
      |_/robots-txt/
/ver/
/vox/
/mak/
/server-status/

Three interesting finds here. Apparently Fragus is used to administer the bots. Screenshot of the login:

phpMyAdmin is installed with only three languages (en-US, en-UK, ru-RU); screenshot below:

And the last one is a login form with only a password field; screenshot below:

A complete backup of the files can be found here: http://www.sendspace.com/file/ak8q2f
But remember that everything in it is live malware, so be careful.
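How a listing like the one above is collected, as an added example that is not the post's own tooling: a small walker for nginx and Apache autoindex pages that follows sub-directories, ignores parent and sort links so it cannot escape upwards or loop, and prints the result in the same |_ tree style. The fetcher is injectable, so the example runs offline against constructed pages (the 198.51.100.5 host and its pages are made up for the example); swap in a urllib-based fetcher only for a host you are authorised to examine.

```python
"""Walk an exposed directory listing and print it as a tree.

Added example, not tooling from the original post. It parses the autoindex
pages nginx and Apache emit when a directory has no index file, follows every
sub-directory and records the files found. The fetcher is injectable so the
example runs offline against constructed pages. Host and paths are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LinkParser(HTMLParser):
    """Collect href values; an autoindex page is essentially a list of <a href> links."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def listing_entries(page_url, html):
    """Return (dirs, files) linked from one autoindex page, as absolute URLs.

    nginx and Apache both link sub-directories with a trailing slash. Links that
    leave the current directory (parent links, Apache's ?C=N;O=D sort links,
    other hosts) are dropped so the walk cannot escape upwards or loop.
    """
    parser = _LinkParser()
    parser.feed(html)
    base = urlparse(page_url)
    dirs, files = [], []
    for href in parser.hrefs:
        if href.startswith(("?", "#")):
            continue
        absolute = urljoin(page_url, href)
        target = urlparse(absolute)
        if target.netloc != base.netloc or not target.path.startswith(base.path):
            continue
        if target.path == base.path:
            continue
        (dirs if target.path.endswith("/") else files).append(absolute)
    return dirs, files


def walk_listing(root_url, fetch, max_pages=500):
    """Breadth-first walk from root_url; returns {dir_url: [file_urls]}.

    fetch(url) returns the page body as str, or None where the server exposes
    no listing (403, 404, a real index page). max_pages bounds the walk.
    """
    seen, queue, tree = set(), [root_url], {}
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        dirs, files = listing_entries(url, body)
        tree[url] = sorted(files)
        queue.extend(d for d in dirs if d not in seen)
    return tree


def render_tree(tree, root_url):
    """Render the walk in the |_ style used in the post; parents sort before
    children because a child URL has its parent URL as a prefix."""
    lines = []
    for dir_url in sorted(tree):
        parts = [p for p in dir_url[len(root_url):].split("/") if p]
        indent = "  " * len(parts)
        lines.append(f"{indent}/{parts[-1]}/" if parts else "/")
        for file_url in tree[dir_url]:
            lines.append(f"{indent}  |_{file_url.rsplit('/', 1)[-1]}")
    return "\n".join(lines)


# Constructed sample pages: root and /www/secure/files/ in nginx autoindex style,
# /www/ and /www/secure/ in Apache mod_autoindex style. Paths absent from PAGES
# (/icons/, /www/images/, /www/secure/templates/) answer with no listing.
ROOT = "http://198.51.100.5/"
PAGES = {
    "/": '<html><head><title>Index of /</title></head><body><h1>Index of /</h1><hr><pre>'
         '<a href="../">../</a>\n<a href="icons/">icons/</a>   10-Aug-2012 00:00  -\n'
         '<a href="www/">www/</a>   10-Aug-2012 00:00  -\n</pre><hr></body></html>',
    "/www/": '<html><body><h1>Index of /www</h1><table><tr><th><a href="?C=N;O=D">Name</a></th>'
             '<th><a href="?C=M;O=A">Last modified</a></th></tr>'
             '<tr><td><a href="/">Parent Directory</a></td></tr>'
             '<tr><td><a href="images/">images/</a></td></tr>'
             '<tr><td><a href="secure/">secure/</a></td></tr></table></body></html>',
    "/www/secure/": '<html><body><h1>Index of /www/secure</h1><table>'
                    '<tr><td><a href="/www/">Parent Directory</a></td></tr>'
                    '<tr><td><a href="files/">files/</a></td></tr>'
                    '<tr><td><a href="templates/">templates/</a></td></tr>'
                    '<tr><td><a href="index.php">index.php</a></td></tr></table></body></html>',
    "/www/secure/files/": '<html><body><h1>Index of /www/secure/files</h1><hr><pre><a href="../">../</a>\n'
                          + "".join(f'<a href="{n}">{n}</a>   10-Aug-2012 00:00  4096\n' for n in range(23, 33))
                          + '</pre><hr></body></html>',
}


def fetch_sample(url):
    """Offline stand-in for a network fetch: serve the constructed pages by path."""
    return PAGES.get(urlparse(url).path)


if __name__ == "__main__":
    print(render_tree(walk_listing(ROOT, fetch_sample), ROOT))
```

The same-host and same-prefix checks are what keep a walk like this honest: an autoindex page always links to its parent, and Apache adds sort links on the same URL, so without them the crawler would climb out of the listing or revisit pages forever.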

I will keep updating this blog.

Update 0:18:
Very soon after this post went up, both IP addresses stopped returning any HTML, even though the servers themselves are still up. That is another indication that they are just proxies.

Update 2:12:
Discovered that these three domains once pointed to this same server; Google has some good cached pages:
handicaptaskprint.info (registered 10/7/2012) 149.154.154.47
intermediatedefragger.info (registered 26/7/2012) Undefined
onesizefitsallnik.info (registered 10/7/2012) 149.154.154.47

Here we have just one IP address, 149.154.154.47, which once hosted the domain lertionk13.be.
That domain was registered by Elsakov Oleg using the email address thefirstweek@yandex.ru.
The name Elsakov Oleg points to yet another domain, bank-auth.org, which has an A record pointing to 158.255.211.28.
These two domains are connected to the "Police Trojan". More details here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf

If you look closely at the files and at the types of malware this gang uses, you'll see that everything matches. They make the same directory-listing mistakes over and over and use exactly the same files, so this can be considered their fingerprint.

The gang registered a certificate for https://bank-auth.org on 1-8-2012, so they are probably planning to do something valuable with the website, which is running a default installation for the time being.
Update:
Oh well, I think we are pretty close to the source now.
Let's dig further into this bank-auth.org domain. It resolves to 158.255.211.28.
The first thing that pops up when we look at this machine: Apache/2.2.16 (Debian) Server at 158.255.211.28 Port 80.
That same Apache version on Debian again. I don't know why they use this version all the time, but one thing is for sure: they know nothing about directory listings, so I'm mirroring their site again....
And because this time I have ALL the logs, I'll make sure the right people receive them as well!
I will upload a mirror of the site later, admin passwords included.


I've made an online backup of the admin panel here, with all the original data.
This could be the IP address of the Russian owner: 188.187.144.152. Not sure, though. This 'person' is also known as Ozgur Morkan and, according to his IBAN, is from Turkey. If we look at this page we see the Russian IP address 188.187.144.152 involved in another kind of scam, this time with the owner known as Olga: http://www.anti-scam-forum.net/showFullThread_1288628426.htm

Further investigation reveals that the https://bank-auth.org domain, with its valid certificate, is used to inject malicious code into the victim's browser. Several warning messages show that the criminals are not native Dutch speakers:

Om technische redenen, het internet bankieren dienst is tijdelijk niet beschikbaar, gelieve in te loggen in 24 uur
(In English: "For technical reasons, the internet banking service is temporarily unavailable, please log in in 24 hours"; the article and the word order are wrong in a way no native speaker would produce.)
Since the files found on the server are all in Dutch, the Dorifel campaign can be considered a targeted campaign against the Netherlands. It is a good example of the capabilities of Citadel, which was used to spread Dorifel.
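One way to detect the injection described above on the defender's side, as an added example rather than anything from the post: run a TLS-inspecting proxy's access log through a check for requests that a banking page caused to a host outside the bank's own domain. The assumption is that full URLs and Referer headers are visible in the log (they are not on a CONNECT-only proxy); the log lines, client addresses, bank domain set and third-party allow list are constructed for the example, with the bank set chosen after the /ing/, /abn/, /sns/ and /rabo/ directories in the listing below.

```python
"""Spot a web-inject host from a proxy log.

Added example, not code from the original post. In a log from a TLS-inspecting
web proxy (assumed, so full URLs and Referer headers are visible), code pulled
into a banking session from an attacker's host shows up as a request to a host
outside the bank's domain whose Referer is a banking page. Log lines, client
addresses, the bank set and the allow list below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/Squid "combined" format: ip - - [time] "METHOD URL PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed: registrable domains of the banks whose names appear as directories on
# the server (/ing/, /abn/, /sns/, /rabo/). Adjust to the banks you protect.
BANKS = {"ing.nl", "abnamro.nl", "snsbank.nl", "rabobank.nl"}
# Assumed: third parties the bank pages legitimately load; any other host is flagged.
ALLOWED = {"google-analytics.com"}


def registrable(host):
    """Last two labels of a hostname; good enough for .nl, not for co.uk-style suffixes."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def find_injected_hosts(lines, banks=BANKS, allowed=ALLOWED):
    """One finding per request that a banking page caused to an unexpected host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["referer"] == "-":
            continue
        bank = registrable(urlparse(m["referer"]).hostname or "")
        if bank not in banks:
            continue
        req_host = urlparse(m["url"]).hostname or ""
        req_domain = registrable(req_host)
        if req_domain == bank or req_domain in allowed:
            continue
        findings.append({
            "client": m["ip"],
            "bank": bank,
            "external_host": req_host,
            "url": m["url"],
            "time": m["time"],
        })
    return findings


def summarize(findings):
    """external host -> sorted list of affected clients (one line per injected host)."""
    clients = defaultdict(set)
    for f in findings:
        clients[f["external_host"]].add(f["client"])
    return {host: sorted(c) for host, c in clients.items()}


SAMPLE_LOG = [
    # constructed entries: two clients on two banks pull a .php from the same foreign host
    '10.0.0.7 - - [10/Aug/2012:21:03:11 +0200] "GET https://mijn.ing.nl/internetbankieren/login HTTP/1.1" 200 14211 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Aug/2012:21:03:12 +0200] "GET https://mijn.ing.nl/static/js/login.js HTTP/1.1" 200 3201 "https://mijn.ing.nl/internetbankieren/login" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Aug/2012:21:03:12 +0200] "GET https://bank-auth.org/ing/inc.php HTTP/1.1" 200 2210 "https://mijn.ing.nl/internetbankieren/login" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Aug/2012:21:05:40 +0200] "GET https://bankieren.rabobank.nl/klanten/ HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Aug/2012:21:05:41 +0200] "GET https://www.google-analytics.com/ga.js HTTP/1.1" 200 1600 "https://bankieren.rabobank.nl/klanten/" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Aug/2012:21:05:41 +0200] "GET https://bank-auth.org/rabo/inc.php HTTP/1.1" 200 1980 "https://bankieren.rabobank.nl/klanten/" "Mozilla/5.0"',
    '10.0.0.12 - - [10/Aug/2012:21:07:02 +0200] "GET https://www.example.org/ HTTP/1.1" 200 512 "https://www.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, clients in summarize(find_injected_hosts(SAMPLE_LOG)).items():
        print(f"{host}: {len(clients)} client(s): {', '.join(clients)}")
```

A proxy log cannot tell a sub-resource fetch from a user clicking a link off the bank page, so treat each hit as a lead rather than a verdict: a .php resource loaded from an unknown host in the middle of a login session, seen from several clients, is the pattern to escalate on.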

Directory listing of https://bank-auth.org:

/
/index/
/cgi-bin/
/7/
/icons/
/www/
/p/
 |_dns.php
 |_ing.php
 |_ing2.php
 |_jys.php
/ca/
 |_/admin/
/javascript/
/inc/
/abc/
 |_inc.php
 |_sig1nl
 |_sig2nl
 |_sig3
 |_waitnl
/phpmyadmin/
 |_/themes/
/ing/
 |_inc.php
 |_tan1.txt
 |_wait
 |_wait.txt
/sns/
 |_WARNING.txt
 |_inc.php
 |_sig1
 |_sig1.txt.crypt
 |_sig2
 |_sig2.txt.crypt
 |_sig3
 |_sig3.txt.crypt
 |_wait
/abn/
 |_inc.php
 |_sig1
 |_sig2
 |_sig3
 |_wait

/rabo/
 |_WARNING.txt
 |_inc.php
 |_sig1
 |_sig1.txt.crypt
 |_sig2
 |_sig2.txt.crypt
 |_sig3
 |_sig3.txt.crypt
 |_wait

index.php
7.php
www.php
inc.php
sns.php
abn.php


PS.
I've already been convicted for hacking, though I never tried to steal a penny. These guys have never been convicted. For me it's now very, very hard in the security industry (banks, for example, are out of the question). Yet I stay on the right side. But that's probably because I'm such a bad, bad boy!


22 comments:

  1. Wow. Great work! Very impressive for a security layman like me. Fascinating reading, a bit of a detective story. :-) Regards!

  2. This comment has been removed by the author.

  3. Very nice work Rickey!
    Here is the Myspace account of Ozgur Morkan:
    http://www.myspace.com/ozgurmorkan
    Is this the BAD guy?
    Greetz

  4. Hi Rickey,

    I've also written a short piece on fred-de-vries.blogspot.com to help infected people get started with protecting themselves. If more IPs and sites come up, a small tool would be handy.

    Fred

  5. How do you scan directories and files on a server? Do you use tools?
