Below are my findings of the two servers used in the (targetted) attack mainly taking place in the Netherlands.
We have 2 server setups that are close to identical, their ip-adresses are:
220.127.116.11 (Domain: reslove-dns.com)
18.104.22.168 (Domains: 10ba.com, windows-update-server.com, wsef32asd1.org, dns-local.org)
Both are hosted within AS21788
From now on I consider both IP-adresses as one server. Or both IP-adresses as a proxy.
Both have the following ports open:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)
80/tcp open http nginx 0.7.67
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
545/tcp open http Apache httpd 2.2.16
2407/tcp open http Apache httpd 2.2.3 ((CentOS))
2408/tcp open http Apache httpd 2.2.3
41666/tcp open status (status V1) 1 (rpc #100024)
| ssh-hostkey: 1024 c6:2f:e9:64:2c:ac:27:77:ed:da:60:a2:da:46:1f:fb (DSA)
|_ 2048 e9:97:b5:d7:7d:01:f2:03:7b:9f:22:4c:a0:eb:a9:a5 (RSA)
Googling both of them brings up this page, prompting us with another IP-adres and domain name to investigate: 22.214.171.124 with the domain passget.com (date: 2011-10-26 04:22). This time SSH on port 222 is used instead of 22.
Directory listing of 126.96.36.199 and 188.8.131.52 (nginx/0.7.67 PHP/5.3.3-7+squeeze13):
|_/secure/ (Fragus login)
|_/files/ (virus binaries)
|_/english/ (Fragus login)
|_ /milk/ (phpMyAdmin)
/ppp/ (password login)
3 interesting finds here. Apparently Fragus is used for administratering the bots. Screenshot of the login:
phpMyAdmin is used with only 3 languages installed (en-US, en-UK, ru-RU), screenshot below:
And the last one is a login with only a password field, screenshot below:
A complete backup of the files can be found here: http://www.sendspace.com/file/ak8q2f
But please remember everything is full of virusses, so be carefull.
I will keep updating this blog.
Pretty fast after posting this blog both IP-adresses stopped displaying any html messages. Eventhough the servers themselves are still up. Which is an indiction of them just being proxies.
Discovered that these 3 domains once pointed to this same server, google has some good cache pages:
handicaptaskprint.info (Registrated 10/7/2012) 184.108.40.206
intermediatedefragger.info (Registrated 26/7/2012) Undefined
onesizefitsallnik.info (Registrated 10/7/2012) 220.127.116.11
Here we have just one ip-adres 18.104.22.168 which once hosted the domain: lertionk13.be
This domain was registrated by: Elsakov Oleg using email adress firstname.lastname@example.org.
The name Elsakov Oleg points to yet another domain, bank-auth.org. Which has an A record pointing to: 22.214.171.124.
These 2 domains are connected to the "Police Trojan". More details here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf
If you look closely at the files and types of malware used by this gang, you'll see everything matches. They make the same directory listing mistakes over and over, and use exactly the same files. So this can be considered their fingerprint.
The gang registrated a certificate for https://bank-auth.org on the 1-8-2012. So they are probably planning to do something valuable with the website, which is running the default installation at the time being.
Oh well, I think we pretty close to the source now.
Lets get further into investigating this bank-auth.org domain. It resolves to: 126.96.36.199.
Once we investigate this machine further this is the first thing to pop-up: Apache/2.2.16 (Debian) Server at 188.8.131.52 Port 80.
That same Apache version with Debian again. I don't know why they use this version all the time, but one thing is for sure, they don't know nothing about directory listing, so I'm mirroring their site again....
And because this time I have ALL the logs, I'll make sure the right people receive them aswell!
I will upload a mirror of the site later. The admin passwords included.
I've made an online backup of the admin panel here, with all the original data.
This could be the IP-adress of the russian owner: 184.108.40.206. Not sure though. But this 'person' is also known as Ozgur Morkan and according to it's IBAN number he's from Turkey. If we look at this page we'll see the Russian IP-adres 220.127.116.11 involved in another kind of scam, this time the owner is known as Olga: http://www.anti-scam-forum.net/showFullThread_1288628426.htm
Further investigation reveals that the https://bank-auth.org domain with its valid certificate is used for the injection of malicious code within the victims browser. Several warning messages shows the criminals are no native speaking Dutchies:
Om technische redenen, het internet bankieren dienst is tijdelijk niet beschikbaar, gelieve in te loggen in 24 uurSince the files found on the server are all in Dutch, the Dorifel compaign can be considered a targetted campaign against The Netherlands. Its a good example of the capabilities of Citadel, which was used to spread Dorifel.
Directory listing of https://bank-auth.org:
I've been convicted for hacking already, never tried to steel a penny though. These guys have never been convicted. For me now it's very very hard in the security industry (Banks for example, is out of the question). Yet I stay on the right side. But thats probably because I'm such a bad bad boy!