vrijdag 10 augustus 2012

Complete details of the Dorifel servers, including its 'master' server in Austria


Below are my findings of the two servers used in the (targetted) attack mainly taking place in the Netherlands.

We have 2 server setups that are close to identical, their ip-adresses are:
184.22.103.202 (Domain: reslove-dns.com)
184.82.162.163 (Domains: 10ba.com, windows-update-server.com, wsef32asd1.org, dns-local.org)
Both are hosted within AS21788

From now on I consider both IP-adresses as one server. Or both IP-adresses as a proxy.

Both have the following ports open:
PORT      STATE    SERVICE              VERSION
22/tcp    open     ssh                  OpenSSH 5.5p1 Debian 6 (protocol 2.0)
80/tcp    open     http                 nginx 0.7.67
111/tcp   open     rpcbind (rpcbind V2) 2 (rpc #100000)
545/tcp   open     http                 Apache httpd 2.2.16
2407/tcp  open     http                 Apache httpd 2.2.3 ((CentOS))
2408/tcp  open     http                 Apache httpd 2.2.3
41666/tcp open     status (status V1)   1 (rpc #100024)

The SSH-keys are:
 | ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
 |_ 2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Googling both of them brings up this page, prompting us with another IP-adres and domain name to investigate: 184.22.62.88 with the domain passget.com (date: 2011-10-26 04:22). This time SSH on port 222 is used instead of 22.

Directory listing of 184.22.103.202 and 184.82.162.163 (nginx/0.7.67 PHP/5.3.3-7+squeeze13):
/index/
/icons/
 |_/small/
/www/
 |_/images/
 |_/secure/ (Fragus login)
       |_/files/ (virus binaries)
               |_23 (Virustotal)
               |_24 (Virustotal)
               |_25 (Virustotal)
               |_26 (Virustotal)
               |_27 (Virustotal)
               |_28 (Virustotal)
               |_29 (Virustotal)
               |_30 (Virustotal)
               |_31 (Virustotal)
               |_32 (Virustotal)
       |_/templates/
               |_/english/ (Fragus login)
/web/
 |_/mak/
/doc/
/cgi-bin/
/img/
/uk/
/jump/
/ssl/
 |_ /milk/ (phpMyAdmin)
 |_/billk/
/bl/
/gl/
/ppp/ (password login)
 |_/css/
      |_/css/
      |_/ajax/
 |_/img/
 |_/data/
 |_/install/
      |_/install/
 |_/temp/
      |_/stat/
      |_/options/
      |_/temp/
      |_/config/
 |_/script/
      |_/script/
 |_/ppp/
      |_/bd/
      |_/card/
      |_/bot/
      |_/priv/
      |_/del/
      |_/c2txt2c/
      |_/virustxt/
      |_/govtxt/
      |_/xls/
      |_/searchform/
      |_/convertxtodvd/
      |_/intellitxt/
      |_/1txt1/
      |_/search_txt/
      |_/pictlogotxt110x60/
      |_/1txt2/
      |_/1txt3/
      |_/login_txt/
      |_/customnews_txt/
      |_/password_txt/
      |_/robots-txt/
/ver/
/vox/
/mak/
/server-status/

3 interesting finds here. Apparently Fragus is used for administratering the bots. Screenshot of the login:

phpMyAdmin is used with only 3 languages installed (en-US, en-UK, ru-RU), screenshot below:

And the last one is a login with only a password field, screenshot below:

A complete backup of the files can be found here: http://www.sendspace.com/file/ak8q2f
But please remember everything is full of virusses, so be carefull.

I will keep updating this blog.

Update 0:18:
Pretty fast after posting this blog both IP-adresses stopped displaying any html messages. Eventhough the servers themselves are still up. Which is an indiction of them just being proxies.

Update 2:12
Discovered that these 3 domains once pointed to this same server, google has some good cache pages:
handicaptaskprint.info (Registrated 10/7/2012) 149.154.154.47
intermediatedefragger.info (Registrated 26/7/2012) Undefined
onesizefitsallnik.info (Registrated 10/7/2012) 149.154.154.47

Here we have just one ip-adres 149.154.154.47 which once hosted the domain: lertionk13.be
This domain was registrated by: Elsakov Oleg using email adress thefirstweek@yandex.ru.
The name Elsakov Oleg points to yet another domain, bank-auth.org. Which has an A record pointing to: 158.255.211.28.
These 2 domains are connected to the "Police Trojan". More details here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf

If you look closely at the files and types of malware used by this gang, you'll see everything matches. They make the same directory listing mistakes over and over, and use exactly the same files. So this can be considered their fingerprint.

The gang registrated a certificate for https://bank-auth.org on the 1-8-2012. So they are probably planning to do something valuable with the website, which is running the default installation at the time being.
Update:
Oh well, I think we pretty close to the source now.
Lets get further into investigating this bank-auth.org domain. It resolves to: 158.255.211.28.
Once we investigate this machine further this is the first thing to pop-up: Apache/2.2.16 (Debian) Server at 158.255.211.28 Port 80.
That same Apache version with Debian again. I don't know why they use this version all the time, but one thing is for sure, they don't know nothing about directory listing, so I'm mirroring their site again....
And because this time I have ALL the logs, I'll make sure the right people receive them aswell!
I will upload a mirror of the site later. The admin passwords included.


I've made an online backup of the admin panel here, with all the original data.
This could be the IP-adress of the russian owner: 188.187.144.152. Not sure though. But this 'person' is also known as Ozgur Morkan and according to it's IBAN number he's from Turkey. If we look at this page we'll see the Russian IP-adres 188.187.144.152 involved in another kind of scam, this time the owner is known as Olga: http://www.anti-scam-forum.net/showFullThread_1288628426.htm

Further investigation reveals that the https://bank-auth.org domain with its valid certificate is used for the injection of malicious code within the victims browser. Several warning messages shows the criminals are no native speaking Dutchies:

Om technische redenen, het internet bankieren dienst is tijdelijk niet beschikbaar, gelieve in te loggen in 24 uur
Since the files found on the server are all in Dutch, the Dorifel compaign can be considered a targetted campaign against The Netherlands. Its a good example of the capabilities of Citadel, which was used to spread Dorifel.

Directory listing of https://bank-auth.org:

/
/index/
/cgi-bin/
/7/
/icons/
/www/
/p/
 |_dns.php
 |_ing.php
 |_ing2.php
 |_jys.php
/ca/
 |_/admin/
/javascript/
/inc/
/abc/
 |_inc.php
 |_sig1nl
 |_sig2nl
 |_sig3
 |_waitnl
/phpmyadmin/
 |_/themes/
/ing/
 |_inc.php
 |_tan1.txt
 |_wait
 |_wait.txt
/sns/
 |_WARNING.txt
 |_inc.php
 |_sig1
 |_sig1.txt.crypt
 |_sig2
 |_sig2.txt.crypt
 |_sig3
 |_sig3.txt.crypt
 |_wait
/abn/
 |_inc.php
 |_sig1
 |_sig2
 |_sig3
 |_wait

/rabo/
 |_WARNING.txt
 |_inc.php
 |_sig1
 |_sig1.txt.crypt
 |_sig2
 |_sig2.txt.crypt
 |_sig3
 |_sig3.txt.crypt
 |_wait

index.php
7.php
www.php
inc.php
sns.php
abn.php


ps.
I've been convicted for hacking already, never tried to steel a penny though. These guys have never been convicted. For me now it's very very hard in the security industry (Banks for example, is out of the question). Yet I stay on the right side. But thats probably because I'm such a bad bad boy!


15 opmerkingen:

  1. Wauw. Knap werk zeg! Erg indrukwekkend voor een securityleek als mijzelf. Wel boeiend leesvoer, beetje een detective. :-) Groet!

    BeantwoordenVerwijderen
  2. Very nice work Rickey !
    here myspace account of Ozgur Morkan:
    http://www.myspace.com/ozgurmorkan
    is this the BAD guy ?
    greetz

    BeantwoordenVerwijderen
  3. Hi Rickey,

    Ik heb ook maar een stukje geschreven op fred-de-vries.blogspot.com om besmette mensen iets op weg te helpen om zichzelf te beschermen. Als er nog meer IPs en sites bijkomen, zou een tooltje wel handig zijn.

    Fred

    BeantwoordenVerwijderen
  4. how to scan dir and file on server, you use tools?

    BeantwoordenVerwijderen
  5. http://www.elisting.at/ business and personal webpages from austria.

    BeantwoordenVerwijderen
  6. If you are looking for a reputable contextual ad network, I suggest you have a look at ExoClick.

    BeantwoordenVerwijderen
  7. I have been using Kaspersky protection for a couple of years now, I'd recommend this solution to all of you.

    BeantwoordenVerwijderen
  8. Looking for the Ultimate Dating Site? Join and find your perfect date.

    BeantwoordenVerwijderen
  9. i felt i was being cheated on by my husband and talked to some friends about it and i was referred to Binary H. who helped me hack my husbands mobile phone giving me unrestricted access to the phone.i caught him cheating with a co worker from text messages i saw and also followed up on their conversation and on their next meeting i caught them on the act. All thanks to Binary H. if you are ever in need of a hacker you can contact him and tell him i referred you for swift response.

    Contact : Binaryhacker016@gmail.com

    BeantwoordenVerwijderen
  10. BlueHost is one of the best web-hosting provider with plans for all of your hosting requirements.

    BeantwoordenVerwijderen
  11. TESTIMONY TESTIMONY TESTIMONY Hello friends!!! My name is Jeff Chandler. I want to testify of the good Loan Lender who showed light to me after been scammed by 3 different Internet international lender, they all promise to give me a loan after making me pay a lot of fees which yield nothing and amounted to no positive result. I lost my hard earn money and it was a total of $1,000.00. One day I was browsing through the internet looking frustrated when I came across a testimony of a woman who was also scammed and eventually got linked to a legit loan company called mr peter Loan Company and where she finally got her loan, so I decided to contact the same loan company and then told them my story on how I have been scammed by 3 different lenders who did nothing but to cause me more pain. I explain to the company by whattsApp (+2349063879939) you can also Email the company on their Email Address on (peterloanfirmcompany112@gmail.com (mailto:peterloanfirmcompany112@gmail.com)) and all they told me was to cry no more because I will get my loan in their company and also I have made the right choice of contacting them. I filled the loan application form and proceeded with all that was requested of me and to my greatest astonishment I was given a loan amount of $580,000.00 US Dollars at a very low interest rate of 4% by this great Company. if there is anyone who is also in need of an urgent loan should kindly whattsapp this great loan company offers on (+2349063879939) or kindly email them. (peterloanfirmcompany112@gmail.com (mailto:peterloanfirmcompany112@gmail.com)) managed by mr peter loan a God fearing man and here I am today happy because this company has given me a loan so I made a vow to my self that I will keep testifying on the internet on how I got my loan. Do you need a loan urgently? kindly and quickly contact This great company now for your loan via whattsApp +2349063879939. or Email (peterloanfirmcompany112@gmail.com (mailto:peterloanfirmcompany112@gmail.com)) and share your own testimony thanks. Peter loan company offers is a great company and they are the only loan lender who can offers you loan without collateral others are fraud. Mr peter is a very good and kind man he is a God fearing man And i believe God has sent him to come and help us so any one who is really in need of an urgent loan should contact him own and get your instant loan thanks once again. contact him on (+2349063879939). OR Email him on (peterloanfirmcompany112@gmail.com (mailto:peterloanfirmcompany112@gmail.com)) and celebrate by sharing your own great testimony too do not lose this great opportunity thanks.

    BeantwoordenVerwijderen
  12. TESTIMONY TESTIMONY TESTIMONY Hello friends!!! My name is Jeff Chandler. I want to testify of the good Loan Lender who showed light to me after been scammed by 3 different Internet international lender, they all promise to give me a loan after making me pay a lot of fees which yield nothing and amounted to no positive result. I lost my hard earn money and it was a total of $1,000.00. One day I was browsing through the internet looking frustrated when I came across a testimony of a woman who was also scammed and eventually got linked to a legit loan company called mr peter Loan Company and where she finally got her loan, so I decided to contact the same loan company and then told them my story on how I have been scammed by 3 different lenders who did nothing but to cause me more pain. I explain to the company by whattsApp (+2349063879939) you can also Email the company on their Email Address on (peterloanfirmcompany112@gmail.com (mailto:peterloanfirmcompany112@gmail.com)) and all they told me was to cry no more because I will get my loan in their company and also I have made the right choice of contacting them. I filled the loan application form and proceeded with all that was requested of me and to my greatest astonishment I was given a loan amount of $580,000.00 US Dollars at a very low interest rate of 4% by this great Company. if there is anyone who is also in need of an urgent loan should kindly whattsapp this great loan company offers on (+2349063879939) or kindly email them. (peterloanfirmcompany112@gmail.com (mailto:peterloanfirmcompany112@gmail.com)) managed by mr peter loan a God fearing man and here I am today happy because this company has given me a loan so I made a vow to my self that I will keep testifying on the internet on how I got my loan. Do you need a loan urgently? kindly and quickly contact This great company now for your loan via whattsApp +2349063879939. or Email (peterloanfirmcompany112@gmail.com (mailto:peterloanfirmcompany112@gmail.com)) and share your own testimony thanks. Peter loan company offers is a great company and they are the only loan lender who can offers you loan without collateral others are fraud. Mr peter is a very good and kind man he is a God fearing man And i believe God has sent him to come and help us so any one who is really in need of an urgent loan should contact him own and get your instant loan thanks once again. contact him on (+2349063879939). OR Email him on (peterloanfirmcompany112@gmail.com (mailto:peterloanfirmcompany112@gmail.com)) and celebrate by sharing your own great testimony too do not lose this great opportunity thanks.

    BeantwoordenVerwijderen