Below are my findings on the two servers used in the (targeted) attack, which mainly took place in the Netherlands.
We have two server setups that are close to identical; their IP addresses are:
184.22.103.202 (Domain: reslove-dns.com)
184.82.162.163 (Domains: 10ba.com, windows-update-server.com, wsef32asd1.org, dns-local.org)
Both are hosted within AS21788.
From now on I consider both IP addresses as one server, or both IP addresses as a proxy in front of the same server.
Both have the following ports open:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)
80/tcp open http nginx 0.7.67
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
545/tcp open http Apache httpd 2.2.16
2407/tcp open http Apache httpd 2.2.3 ((CentOS))
2408/tcp open http Apache httpd 2.2.3
41666/tcp open status (status V1) 1 (rpc #100024)
| ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
|_ 2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Googling both host keys brings up this page, which gives us another IP address and domain name to investigate: 184.22.62.88 with the domain passget.com (date: 2011-10-26 04:22). This time SSH runs on port 222 instead of 22.
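The host-key pivot used above, as an added example that is not part of the original post: it parses nmap's ssh-hostkey output for several hosts and groups them by key, so a key reused across different IPs (and ports, as with passget.com on 222) is reported as one backend. The scan text is constructed from the post's output; passget.com presenting the same keys is an assumption, and example.invalid is a hypothetical unrelated host.

```python
"""Cluster scanned hosts by SSH host-key fingerprint (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed, abridged nmap -sV output. The first two hosts mirror the post's
# scan; passget.com (port 222) reusing the same keys is an assumption drawn
# from the post; example.invalid is a hypothetical unrelated host.
SCAN_OUTPUT = """\
Nmap scan report for reslove-dns.com (184.22.103.202)
22/tcp   open  ssh     OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
|_2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
80/tcp   open  http    nginx 0.7.67
Nmap scan report for 10ba.com (184.82.162.163)
22/tcp   open  ssh     OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
|_2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Nmap scan report for passget.com (184.22.62.88)
222/tcp  open  ssh     OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
|_2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Nmap scan report for example.invalid (192.0.2.10)
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
|_ssh-hostkey: 2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+) \(([\d.]+)\)$")
SSH_RE = re.compile(r"^(\d+)/tcp\s+open\s+ssh\s+(.*)$")
KEY_RE = re.compile(r"^\|_?\s*(?:ssh-hostkey:\s*)?\d+ ((?:[0-9a-f]{2}:){15}[0-9a-f]{2}) \((\w+)\)$")

class SshHost(NamedTuple):
    name: str
    ip: str
    port: int
    keys: Dict[str, str]  # key type (RSA, DSA, ...) -> MD5 fingerprint

def parse_scan(text: str) -> List[SshHost]:
    """Return one SshHost per scan report that exposes an SSH service."""
    hosts: List[SshHost] = []
    cur: dict = {}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            if cur.get("port"):            # flush the previous host, if it had SSH
                hosts.append(SshHost(**cur))
            cur = {"name": m[1], "ip": m[2], "port": 0, "keys": {}}
        elif cur and (m := SSH_RE.match(line)):
            cur["port"] = int(m[1])        # non-standard ports (222) are kept
        elif cur and (m := KEY_RE.match(line)):
            cur["keys"][m[2]] = m[1]       # nmap prints the key type in parentheses
    if cur.get("port"):
        hosts.append(SshHost(**cur))
    return hosts

def cluster_by_hostkey(hosts: List[SshHost]) -> Dict[str, List[SshHost]]:
    """Group hosts by host key: same box, same disk image, or proxies to one backend."""
    clusters: Dict[str, List[SshHost]] = defaultdict(list)
    for host in hosts:
        fp = host.keys.get("RSA") or min(host.keys.values(), default="")
        if fp:
            clusters[fp].append(host)
    return dict(clusters)

def report(clusters: Dict[str, List[SshHost]]) -> List[str]:
    """One line per key seen on more than one endpoint."""
    lines = []
    for fp, members in clusters.items():
        if len(members) > 1:
            where = ", ".join(f"{h.ip}:{h.port} ({h.name})" for h in members)
            lines.append(f"host key {fp} shared by {len(members)} endpoints: {where}")
    return lines
```

Run `print("\n".join(report(cluster_by_hostkey(parse_scan(SCAN_OUTPUT)))))` to see the single cluster the three Dutch-campaign endpoints form while example.invalid stays apart.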
Directory listing of 184.22.103.202 and 184.82.162.163 (nginx/0.7.67 PHP/5.3.3-7+squeeze13):
/index/
/icons/
|_/small/
/www/
|_/images/
|_/secure/ (Fragus login)
|_/files/ (virus binaries)
|_23 (Virustotal)
|_24 (Virustotal)
|_25 (Virustotal)
|_26 (Virustotal)
|_27 (Virustotal)
|_28 (Virustotal)
|_29 (Virustotal)
|_30 (Virustotal)
|_31 (Virustotal)
|_32 (Virustotal)
|_/templates/
|_/english/ (Fragus login)
/web/
|_/mak/
/doc/
/cgi-bin/
/img/
/uk/
/jump/
/ssl/
|_/milk/ (phpMyAdmin)
|_/billk/
/bl/
/gl/
/ppp/ (password login)
|_/css/
|_/css/
|_/ajax/
|_/img/
|_/data/
|_/install/
|_/install/
|_/temp/
|_/stat/
|_/options/
|_/temp/
|_/config/
|_/script/
|_/script/
|_/ppp/
|_/bd/
|_/card/
|_/bot/
|_/priv/
|_/del/
|_/c2txt2c/
|_/virustxt/
|_/govtxt/
|_/xls/
|_/searchform/
|_/convertxtodvd/
|_/intellitxt/
|_/1txt1/
|_/search_txt/
|_/pictlogotxt110x60/
|_/1txt2/
|_/1txt3/
|_/login_txt/
|_/customnews_txt/
|_/password_txt/
|_/robots-txt/
/ver/
/vox/
/mak/
/server-status/
Three interesting finds here. Apparently Fragus is used for administering the bots. Screenshot of the login:
phpMyAdmin is installed with only three languages (en-US, en-UK, ru-RU); screenshot below:
And the last one is a login page with only a password field; screenshot below:
A complete backup of the files can be found here: http://www.sendspace.com/file/ak8q2f
But please remember everything is full of viruses, so be careful.
I will keep updating this blog.
Update 0:18:
Pretty soon after posting this blog, both IP addresses stopped serving any HTML, even though the servers themselves are still up. This is an indication that they are just proxies.
Update 2:12:
Discovered that these three domains once pointed to this same server; Google has some good cached pages:
handicaptaskprint.info (Registered 10/7/2012) 149.154.154.47
intermediatedefragger.info (Registered 26/7/2012) Undefined
onesizefitsallnik.info (Registered 10/7/2012) 149.154.154.47
Here we have just one IP address, 149.154.154.47, which once hosted the domain lertionk13.be.
This domain was registered by Elsakov Oleg using the email address thefirstweek@yandex.ru.
The name Elsakov Oleg points to yet another domain, bank-auth.org, which has an A record pointing to 158.255.211.28.
These two domains are connected to the "Police Trojan". More details here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf
If you look closely at the files and types of malware used by this gang, you'll see everything matches. They make the same directory listing mistakes over and over, and use exactly the same files. So this can be considered their fingerprint.
The gang registered a certificate for https://bank-auth.org on 1-8-2012, so they are probably planning to do something valuable with the website, which is running the default installation for the time being.
Update:
Oh well, I think we're pretty close to the source now.
Let's dig further into this bank-auth.org domain. It resolves to 158.255.211.28.
When we look at this machine, the first thing to pop up is: Apache/2.2.16 (Debian) Server at 158.255.211.28 Port 80.
That same Apache version on Debian again. I don't know why they use this version all the time, but one thing is for sure: they know nothing about directory listing, so I'm mirroring their site again.
And because this time I have ALL the logs, I'll make sure the right people receive them as well!
I will upload a mirror of the site later, admin passwords included.
I've made an online backup of the admin panel here, with all the original data.
This could be the IP address of the Russian owner: 188.187.144.152. Not sure though. But this 'person' is also known as Ozgur Morkan and according to his IBAN number he's from Turkey. If we look at this page we'll see the Russian IP address 188.187.144.152 involved in another kind of scam, this time with the owner known as Olga: http://www.anti-scam-forum.net/showFullThread_1288628426.htm
Further investigation reveals that the https://bank-auth.org domain, with its valid certificate, is used to inject malicious code into the victim's browser. Several warning messages show the criminals are not native Dutch speakers:
Om technische redenen, het internet bankieren dienst is tijdelijk niet beschikbaar, gelieve in te loggen in 24 uur
Since the files found on the server are all in Dutch, the Dorifel campaign can be considered a targeted campaign against the Netherlands. It's a good example of the capabilities of Citadel, which was used to spread Dorifel.
Directory listing of https://bank-auth.org:
/
/index/
/cgi-bin/
/7/
/icons/
/www/
/p/
|_dns.php
|_ing.php
|_ing2.php
|_jys.php
/ca/
|_/admin/
/javascript/
/inc/
/abc/
|_inc.php
|_sig1nl
|_sig2nl
|_sig3
|_waitnl
/phpmyadmin/
|_/themes/
/ing/
|_inc.php
|_tan1.txt
|_wait
|_wait.txt
/sns/
|_WARNING.txt
|_inc.php
|_sig1
|_sig1.txt.crypt
|_sig2
|_sig2.txt.crypt
|_sig3
|_sig3.txt.crypt
|_wait
/abn/
|_inc.php
|_sig1
|_sig2
|_sig3
|_wait
/rabo/
|_WARNING.txt
|_inc.php
|_sig1
|_sig1.txt.crypt
|_sig2
|_sig2.txt.crypt
|_sig3
|_sig3.txt.crypt
|_wait
index.php
7.php
www.php
inc.php
sns.php
abn.php
PS:
I've been convicted for hacking already, never tried to steal a penny though. These guys have never been convicted. For me it's now very, very hard in the security industry (banks, for example, are out of the question). Yet I stay on the right side. But that's probably because I'm such a bad, bad boy!
Wow. Great work! Very impressive for a security layman like myself. Fascinating reading too, a bit of a detective story. :-) Regards!
Nice going, Rickey!! :D
Regards,
Joshua
EDIT: typos, hehe
Very nice work, Rickey!
Here is the myspace account of Ozgur Morkan:
http://www.myspace.com/ozgurmorkan
Is this the BAD guy?
greetz
Hi Rickey,
I also wrote a piece on fred-de-vries.blogspot.com to help infected people get started with protecting themselves. If more IPs and sites get added, a small tool would be handy.
Fred
How do you scan the directories and files on the server, do you use tools?