CastleCops, Internet Crime Fighters

WsIRT(TM)

Webserver Incident Reporting and Termination(TM) Squad

NOTE: Web servers have logs, and in those logs is evidence of attempted hacking. For instance, one may notice an attack that calls a script such as "r57.php??" from a remote server. It's these kinds of attacks we're looking to investigate. For a concrete example, see these reports.

Please do not submit phish, spam, or malware to WsIRT. Only submit attack signatures from web server logs. As this project hasn't officially been publicly launched, we are still reclassifying the tool and its verbiage.



status: confirmed attack

HTTP Response
21 Nov, 2008
19:50:27
HTTP/1.1 404 Not Found
ID: 86 (termination link)
Title: OS Disclosure, id Disclosure
Entry
WsIRT Squad
Reporter
Paul
Timestamp: 28 Nov, 2007 @ 15:51:33
Topic ID: 209157 - Read/respond to WsIRT commentary.
Handler Note:
29 Nov, 2007
12:21:55
Paul: This script is used by an attacker, in this case allegedly UNITED ALBANIANS aka ALBOSS PARADISE, to remotely determine system information of web servers that'll give knowledge as to how they can take over that system illegally.
Handler Note:
29 Nov, 2007
12:22:10
Paul: View CIDR AS30968 Report: http://www.cidr-report.org/cgi-bin/as-report?as=30968

"30968 | RU | ripencc | 2004-01-29 | DATAP-AS Infobox company network, hosting service provider,"

Handler Note:
29 Nov, 2007
12:22:11
Paul: Extended information for AS30968:
State/Province:
Country:
Responsible Domain: infobox.ru
Abuse Email: support@infobox.ru
Handler Note:
29 Nov, 2007
12:22:48
Paul: Generated and sent email attack alert to respective parties.
Fetched URLs

Report for at 28 Nov, 2007 @ 18:41:16


fetched page

at 28 Nov, 2007 @ 18:41:17
MD5 Fingerprint: 4295f9cbbb58e1d5271f79e8a269a8cc
SHA1 Fingerprint: ecdf24e9e8edd33fda8a02187f1753ef479fb47a
Version 1.0