malware lofts

We saw too many downloads from a static FTP daemon, so we checked it out.

check out where we are going to

telnet nusphere.com.ar 21
Trying 67.15.122.25...
Connected to nusphere.com.ar.
Escape character is '^]'.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 12 of 50 allowed.
220-Local time is now 16:35. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
QUIT
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

connect with a reliable ftp client

lftp
lftp fumado@nusphere.com.ar@nusphere.com.ar:/> set ftp:ssl-force off
lftp fumado@nusphere.com.ar@nusphere.com.ar:/> set ftp:ssl-allow off
lftp :~> open nusphere.com.ar
lftp nusphere.com.ar:~> user fumado@nusphere.com.ar
Passwort:

check today's special

lftp fumado@nusphere.com.ar@nusphere.com.ar:/> ls
drwxr-xr-x    2 32110    nusphere     4096 Oct 26 19:10 .
drwxr-xr-x    2 32110    nusphere     4096 Oct 26 19:10 ..
-rw-------    1 32110    nusphere       11 Oct 26 19:10 .ftpquota
-rw-r--r--    1 32110    nusphere   107520 Sep 22 03:37 111.exe
-rw-r--r--    1 32110    nusphere   128000 Jul  1 04:56 MsConf.exe
-rw-r--r--    1 32110    nusphere    93008 Jul  1 04:56 MsSanSerif.exe
-rw-r--r--    1 32110    nusphere    79360 Jul  1 04:56 SabeDumps.exe
-rw-r--r--    1 32110    nusphere    96224 Jul  1 04:56 ServicesMsDos.exe
-rw-r--r--    1 32110    nusphere   109056 Jul  1 04:29 SistemscamzTray.exe
-rw-r--r--    1 32110    nusphere   109056 Jul  1 04:27 Ststema.exe
-rw-r--r--    1 32110    nusphere   107184 Jul  1 04:57 Ststema2.exe
-rw-r--r--    1 32110    nusphere   108544 Sep 19 21:45 aaa.exe
-rw-r--r--    1 32110    nusphere   119808 Sep 19 14:12 arse.exe
-rw-r--r--    1 32110    nusphere    92944 Jul  1 04:55 bt.exe
-rw-r--r--    1 32110    nusphere    42496 Sep 14 05:42 camara.exe
-rw-r--r--    1 32110    nusphere    86528 Jul  1 04:56 camiviejo.exe
-rw-r--r--    1 32110    nusphere   108544 Sep 19 13:46 dulcor.exe
-rw-r--r--    1 32110    nusphere        0 Sep 11 19:25 index.htm
-rw-r--r--    1 32110    nusphere    78848 Sep 22 14:22 mama.exe
-rw-r--r--    1 32110    nusphere   109056 Jul  1 04:36 memesystem.exe
-rw-r--r--    1 32110    nusphere    61952 Sep 18 21:26 merda.exe
-rw-r--r--    1 32110    nusphere    58880 Sep 16 20:00 moma.exe
-rw-r--r--    1 32110    nusphere   125440 Sep 16 12:36 mome.exe
-rw-r--r--    1 32110    nusphere    90112 Jul  1 04:56 mspad.exe
-rw-r--r--    1 32110    nusphere    60928 Jul  1 04:56 msplus32.exe
-rw-r--r--    1 32110    nusphere    79360 Jul  5 16:42 none.exe
-rw-r--r--    1 32110    nusphere    87808 Jul  1 04:56 ntc.exe
-rw-r--r--    1 32110    nusphere   123392 Jul 10 20:20 pad.exe
-rw-r--r--    1 32110    nusphere    49152 Jul  1 04:56 padoriginal.exe
-rw-r--r--    1 32110    nusphere   123392 Jul 10 20:43 regsvcs.exe
-rw-r--r--    1 32110    nusphere   108544 Jul  1 04:57 spooIs.exe
-rw-r--r--    1 32110    nusphere   108544 Jul 21 23:08 sysload.exe
-rw-r--r--    1 32110    nusphere    81408 Jul  1 04:57 taskMplus.exe
-rw-r--r--    1 32110    nusphere    80896 Jul  1 04:57 taskplus.exe
-rw-r--r--    1 32110    nusphere    37968 Sep 15 21:56 tkb.exe
-rw-r--r--    1 32110    nusphere    60416 Sep 11 21:59 undetected.exe
-rw-r--r--    1 32110    nusphere   100480 Jul  1 04:58 wincamz.exe
-rw-r--r--    1 32110    nusphere    93696 Jul 10 18:50 winstart.exe
-rw-r--r--    1 32110    nusphere   106512 Aug  8 21:23 wpad.exe
-rw-r--r--    1 32110    nusphere   106512 Aug  8 21:24 wspad.exe

order everything and leave

lftp fumado@nusphere.com.ar@nusphere.com.ar:/> !mkdir nusphere.com.ar
lftp fumado@nusphere.com.ar@nusphere.com.ar:/> lcd nusphere.com.ar/
lcd OK, lokales cwd=/tmp/nusphere.com.ar
lftp fumado@nusphere.com.ar@nusphere.com.ar:/> mirror ./ ./
mirror: Zugriff nicht möglich: 550 Prohibited file name: .ftpquota
**** .ftpquota: Datei oder Verzeichnis nicht gefunden
Gesamt: 1 Verzeichnis, 38 Dateien, 0 Verknüpfungen
Neu: 38 Dateien, 0 Verknüpfungen
3321568 Bytes übertragen in 51 Sekunden (63.9K/s)
1 error detected

lftp fumado@nusphere.com.ar@nusphere.com.ar:/> exit

examine the plates' taste

clamscan *
111.exe: OK
aaa.exe: OK
arse.exe: OK
bt.exe: OK
camara.exe: Worm.Mytob.HH FOUND
camiviejo.exe: Trojan.Mybot-2574 FOUND
dulcor.exe: OK
index.htm: Empty file
mama.exe: OK
memesystem.exe: OK
merda.exe: OK
moma.exe: OK
mome.exe: OK
MsConf.exe: OK
mspad.exe: OK
msplus32.exe: Worm.Mytob.CD FOUND
MsSanSerif.exe: OK
none.exe: OK
ntc.exe: Trojan.Wootbot-202 FOUND
pad.exe: Trojan.Mybot-2243 FOUND
padoriginal.exe: OK
regsvcs.exe: Trojan.Mybot-2243 FOUND
SabeDumps.exe: OK
ServicesMsDos.exe: OK
SistemscamzTray.exe: OK
spooIs.exe: OK
Ststema2.exe: OK
Ststema.exe: OK
sysload.exe: OK
taskMplus.exe: Trojan.Mybot-2196 FOUND
taskplus.exe: Trojan.Mybot-1701 FOUND
tkb.exe: Worm.Mytob.GE FOUND
undetected.exe: Exploit.DCOM.Gen FOUND
wincamz.exe: OK
winstart.exe: OK
wpad.exe: OK
wspad.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 40929
Engine version: 0.87
Scanned directories: 0
Scanned files: 36
Infected files: 10
Data scanned: 4.09 MB
Time: 2.866 sec (0 m 2 s)
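
The listing and the clamscan report above are worth correlating before anything is shared or deleted: 26 of the 36 files came back "OK" from a 2005 signature set, and several of them have byte-identical sizes to each other, which usually means renamed copies of the same bot build. The script below is an added example, not part of the original post or of clamscan; it parses an excerpt of the page's own `ls` and `clamscan` output (embedded inline), groups files by exact size, and lists the undetected members of every size cluster as candidates for hashing and manual inspection. The size-cluster heuristic is this example's assumption, not something clamscan does itself.

```python
"""Correlate an FTP directory listing with clamscan output to triage a drop site.

Added example (not part of the original post). The input below is an excerpt of
the page's own `ls` and `clamscan` output; the size-cluster heuristic is this
example's assumption, not a clamscan feature.
"""
import re
from collections import defaultdict

# Excerpt of the page's `ls` output (regular files plus .ftpquota and an empty file).
LISTING = """\
-rw-------    1 32110    nusphere       11 Oct 26 19:10 .ftpquota
-rw-r--r--    1 32110    nusphere    42496 Sep 14 05:42 camara.exe
-rw-r--r--    1 32110    nusphere        0 Sep 11 19:25 index.htm
-rw-r--r--    1 32110    nusphere   109056 Jul  1 04:36 memesystem.exe
-rw-r--r--    1 32110    nusphere   123392 Jul 10 20:20 pad.exe
-rw-r--r--    1 32110    nusphere   123392 Jul 10 20:43 regsvcs.exe
-rw-r--r--    1 32110    nusphere   109056 Jul  1 04:29 SistemscamzTray.exe
-rw-r--r--    1 32110    nusphere   109056 Jul  1 04:27 Ststema.exe
-rw-r--r--    1 32110    nusphere    60416 Sep 11 21:59 undetected.exe
-rw-r--r--    1 32110    nusphere   106512 Aug  8 21:23 wpad.exe
-rw-r--r--    1 32110    nusphere   106512 Aug  8 21:24 wspad.exe
"""

# Matching excerpt of the page's clamscan report.
SCAN = """\
camara.exe: Worm.Mytob.HH FOUND
index.htm: Empty file
memesystem.exe: OK
pad.exe: Trojan.Mybot-2243 FOUND
regsvcs.exe: Trojan.Mybot-2243 FOUND
SistemscamzTray.exe: OK
Ststema.exe: OK
undetected.exe: Exploit.DCOM.Gen FOUND
wpad.exe: OK
wspad.exe: OK
"""

# One `ls -l` style line: mode, links, owner, group, size, month, day, time/year, name.
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)
# One clamscan result line: "<name>: <signature> FOUND" or "<name>: OK" / "Empty file".
SCAN_RE = re.compile(r"^(?P<name>.+?): (?P<verdict>.+)$")


def parse_listing(text):
    """Return {name: size} for regular files, skipping directories and dotfiles."""
    files = {}
    for line in text.splitlines():
        m = LS_RE.match(line)
        if not m or m.group("mode")[0] != "-":
            continue
        name = m.group("name")
        if name.startswith("."):
            continue  # .ftpquota is server bookkeeping, not a sample
        files[name] = int(m.group("size"))
    return files


def parse_scan(text):
    """Return {name: signature} with None for 'OK' and 'Empty file' verdicts."""
    verdicts = {}
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if not m:
            continue
        v = m.group("verdict")
        verdicts[m.group("name")] = v[: -len(" FOUND")] if v.endswith(" FOUND") else None
    return verdicts


def size_clusters(files):
    """Group names by exact byte size; only clusters with two or more members are returned."""
    clusters = defaultdict(list)
    for name, size in files.items():
        clusters[size].append(name)
    return {size: sorted(names) for size, names in clusters.items() if len(names) > 1}


def triage(files, verdicts):
    """Summarise detections and flag undetected files that share a size with another sample."""
    detected = {n: s for n, s in verdicts.items() if s}
    review = set()
    for names in size_clusters(files).values():
        # Heuristic (this example's assumption): same-size executables are likely
        # renamed copies, so an "OK" member of a cluster is not to be trusted on the
        # signature result alone; hash it and look at it by hand.
        review.update(n for n in names if n not in detected)
    return {
        "samples": len(files),
        "scanned": sum(1 for n in files if files[n] > 0),  # clamscan skips empty files
        "detected": detected,
        "review": sorted(review),
    }


if __name__ == "__main__":
    report = triage(parse_listing(LISTING), parse_scan(SCAN))
    print(f"{report['scanned']} of {report['samples']} files scanned, "
          f"{len(report['detected'])} detected")
    for name, sig in sorted(report["detected"].items()):
        print(f"  FOUND   {name}: {sig}")
    for name in report["review"]:
        print(f"  REVIEW  {name}: undetected, but same size as another sample")
```

Run against the full listing and report from the post, the same script reconciles the counts (37 regular files minus the empty index.htm equals the 36 files clamscan reports) and turns the four same-size groups (108544, 109056, 106512 and 123392 bytes) into a short list of files to hash and inspect before trusting the "OK" verdicts.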

any questions left?

really?

2005/11/02/malware_lofts.txt · Last modified: 2010/06/15 13:28 by common
chimeric.de (chi's home)