So I have a new client and they needed a site-to-site VPN. I opted for a DD-WRT solution to save them money. I get the two Linksys WRT54GL routers and load DD-WRT on them.
In my test environment I was able to establish an OpenVPN connection. As SOON as I get them on the customer’s site and change the IPs, everything breaks. I had to temporarily set them up with a PPTP VPN solution until I can get OpenVPN working.
The solution I tried was using just one static key as shown in the DD-WRT wiki docs for establishing a VPN. I’m going to try a CA/Cert next; that may do the trick.
G13 Linux, Security
Following two different leads from the hacked websites, I found two very different types of malware going on. The first one I discovered was a sort of fake anti-virus program. The site is hosted on bestantimalwarelivescanner.com and there is a click hijack running on securedradiostation.cn. A copy of the malware can be found here. Soon I will be testing this inside a VM and will post those results.
The other piece of malware I found was an exploited PDF file. The PDF file contains some JavaScript which I have not been able to extract yet. An example of the PDF can be found here.
I am still working on figuring out what is going on with this malware. When the preceding page, http://www.se-jewelry.net/111, called the file, it passed three variables. The entire string is this:
http://www.se-jewelry.net/111/include/spl.php?stats=Unknown|Unknown|67.240.120.204
I have also pulled down the HTML on these sites. So far it has not shown anything interesting except the examples of malware above.
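Since the sample PDF itself is not reproduced here, here is an added example (my own code, not anything from the original post or from the malware) of how the embedded JavaScript can be pulled out of a PDF without opening it in a reader. It assumes the three ways a PDF normally carries script: a `/JS` literal string, a `/JS` hex string, or a `/JS n 0 R` reference to a (possibly FlateDecode-compressed) stream object. The PDF it scans is constructed inline and only contains harmless `app.alert` calls; the function and object names are mine.

```python
"""
Added example: static extraction of JavaScript from a PDF (not from the post).
Handles /JS (literal), /JS <hex> and /JS n 0 R -> stream object, which covers
the common ways a malicious PDF carries its payload. Octal escapes and other
stream filters than FlateDecode are deliberately not handled.
"""
import re
import zlib

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def _read_literal(pdf, pos):
    """Read a PDF literal string starting at pdf[pos] == b'('; honours nesting and escapes."""
    depth, i, out = 0, pos, bytearray()
    while i < len(pdf):
        c = pdf[i:i + 1]
        if c == b"\\":                      # backslash escape
            nxt = pdf[i + 1:i + 2]
            out += _ESCAPES.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c                    # nested, balanced paren is part of the string
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
            out += c
        else:
            out += c
        i += 1
    return out.decode("latin-1")


def _read_stream_object(pdf, num):
    """Return the decoded body of object `num`, inflating it if it is FlateDecode."""
    obj = re.search(rb"(?m)^" + str(num).encode() + rb"\s+\d+\s+obj\b(.*?)endobj", pdf, re.S)
    if not obj:
        return ""
    body = obj.group(1)
    sm = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.S)
    if not sm:
        return ""
    data = sm.group(1)
    if b"/FlateDecode" in body[:sm.start()]:
        data = zlib.decompress(data)
    return data.decode("latin-1")


def extract_javascript(pdf):
    """Return every script referenced by a /JS key, in file order."""
    found = []
    for m in re.finditer(rb"/JS\b", pdf):
        pos = m.end()
        while pos < len(pdf) and pdf[pos:pos + 1].isspace():
            pos += 1
        if pdf.startswith(b"(", pos):                                   # literal string
            found.append(_read_literal(pdf, pos))
        elif pdf.startswith(b"<", pos) and not pdf.startswith(b"<<", pos):  # hex string
            end = pdf.index(b">", pos)
            hexdata = re.sub(rb"\s", b"", pdf[pos + 1:end])
            found.append(bytes.fromhex(hexdata.decode()).decode("latin-1"))
        else:                                                           # indirect reference
            ref = re.match(rb"(\d+)\s+\d+\s+R", pdf[pos:])
            if ref:
                found.append(_read_stream_object(pdf, int(ref.group(1))))
    return found


def build_sample_pdf(js_literal, js_stream):
    """Constructed, benign PDF: one script in /OpenAction, one in a compressed stream."""
    stream_data = zlib.compress(js_stream.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (%s) >> >>" % js_literal.encode(),
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /AA << /O << /S /JavaScript /JS 4 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(stream_data), stream_data),
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


# Constructed sample input; both scripts are harmless placeholders.
SAMPLE_PDF = build_sample_pdf("app.alert('constructed sample');",
                              "app.alert('from compressed stream');")

if __name__ == "__main__":
    for script in extract_javascript(SAMPLE_PDF):
        print("---\n" + script)
```

Running it on a real sample means reading the file as bytes and passing it to `extract_javascript`; what comes out is usually still obfuscated and needs a second decoding pass, but at least it is out of the PDF.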
G13 Security
I received a response from the host of one of the IPs which was accessing my site via ftp. Below is the message:
Hello,
Thank you for your information, I have forwarded these log entries to our tier2 department who is presently looking into the issue. If you have any further information regarding this issue, or any new logs you can provide, please provide them to this ticket, or email to xxx@xxx.com
Hopefully they find more information.
G13 Security
One of the hijacked links has been removed! Thank you prime-task.com!
G13 Security
All the files I have collected are available here. Will add more when available.
G13 Security
***WARNING: This post contains links and code which are taken from LIVE RUNNING MALICIOUS SITES! Please take all precautions when examining files.
Yesterday evening I discovered that this website was hosting a malicious file. I will post what I have found soon. I believe this intrusion stems from a password leak from my host around the time I signed up. Here is the log file showing the FTP access:
ftpd24914 84.19.186.93 Sat Mar 7 04:40 gone - no
ftpd24070 84.19.186.93 Sat Mar 7 03:49 gone - no
ftpd20416 84.19.186.93 Sat Mar 7 00:49 gone - no
ftpd2595 206.125.222.101 Wed Mar 4 18:35 gone - no
ftpd21566 95.52.31.16 Wed Mar 4 06:14 gone - no
ftpd3011 206.125.222.101 Tue Mar 3 14:01 gone - no
ftpd20665 206.125.222.101 Tue Mar 3 13:39 gone - no
ftpd25549 84.19.186.93 Mon Mar 2 17:12 gone - no
ftpd16660 66.147.227.184 Mon Mar 2 11:14 gone - no
Most of the IPs were from Europe, some were from the US. I have emailed the abuse boxes of the US providers as well as the host of the 84.19.186.93 address. This address showed up more than any other.
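To make the "this address showed up more than any other" call reproducible instead of counting by eye, here is an added example (my code, not from the post) that parses the nine ftpd lines above and tallies sessions per source address. It assumes the `last`-style layout shown in the log (process, IP, weekday, month, day, time) and takes an allow-list of addresses the owner actually uses; the allow-list address in it is a placeholder, not a real one.

```python
"""
Added example: count FTP sessions per source IP from the log lines in the post,
and flag every session that did not come from an address the owner recognises.
"""
import re
from collections import Counter, defaultdict

# Constructed from the nine ftpd lines quoted in the post.
FTP_LOG = """\
ftpd24914 84.19.186.93 Sat Mar 7 04:40 gone - no
ftpd24070 84.19.186.93 Sat Mar 7 03:49 gone - no
ftpd20416 84.19.186.93 Sat Mar 7 00:49 gone - no
ftpd2595 206.125.222.101 Wed Mar 4 18:35 gone - no
ftpd21566 95.52.31.16 Wed Mar 4 06:14 gone - no
ftpd3011 206.125.222.101 Tue Mar 3 14:01 gone - no
ftpd20665 206.125.222.101 Tue Mar 3 13:39 gone - no
ftpd25549 84.19.186.93 Mon Mar 2 17:12 gone - no
ftpd16660 66.147.227.184 Mon Mar 2 11:14 gone - no
"""

# process name, IPv4, weekday, month, day, HH:MM; the trailing status fields are ignored
LINE_RE = re.compile(
    r"^(?P<proc>ftpd\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dow>[A-Za-z]{3})\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2})"
)


def parse_ftp_log(text):
    """One dict per parseable line; anything that does not match the layout is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def logins_per_ip(events):
    """(ip, count) pairs, most frequent first."""
    return Counter(e["ip"] for e in events).most_common()


def sessions_by_day(events):
    """Map 'Mon D' -> list of source IPs, to see how the activity clusters in time."""
    by_day = defaultdict(list)
    for e in events:
        by_day[f"{e['mon']} {e['day']}"].append(e["ip"])
    return dict(by_day)


def unexpected_sessions(events, allowed_ips):
    """Every session whose source is not on the owner's allow-list."""
    return [e for e in events if e["ip"] not in allowed_ips]


if __name__ == "__main__":
    evs = parse_ftp_log(FTP_LOG)
    # Placeholder: put the address(es) you really upload from here.
    OWNER_IPS = {"192.0.2.10"}
    for ip, n in logins_per_ip(evs):
        print(f"{ip:<16} {n} session(s)")
    print(f"{len(unexpected_sessions(evs, OWNER_IPS))} of {len(evs)} sessions from unrecognised addresses")
```

With the post's own nine lines this ranks 84.19.186.93 first with four sessions and 206.125.222.101 second with three; every session is "unexpected" against the placeholder allow-list, which is the point: an FTP account that only you should be using should have exactly one or two addresses in that list.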
When I came to the site yesterday, this index file was being presented. The file contains links to other hijacked sites. Here are some of the examples of hijacked sites: **DO NOT FOLLOW THESE LINKS
href="http://www.kit-cars.com/beta/2/index.html">ushi digard
href="http://www.kit-cars.com/beta/2/index1.html">military calisthenics
href="http://www.kit-cars.com/beta/2/index2.html">ishizu
href="http://www.kit-cars.com/beta/2/index3.html">antiaging dry-oily skin care product
When I followed these links I found that these pages are legitimate sites which have also been hacked somehow. There were a few more that seem to be hosted in England as well as Europe.
I was able to find some of the JavaScript code that was hiding around on these sites. All these sites had JavaScript which was obfuscated. From one of the sites a colleague of mine pulled the obfuscated code and extracted an IP. The hijacked IP of 200.155.17.172 not only has IIS running hosting malicious sites but also terminal services and MS SQL open to the internet. I have notified their ISP of the leak and I believe I identified the company which has the box.
I will post all the files I found during this investigation as well as any replies I get from my abuse complaints. Anyone know where I could possibly submit these files for review? SANS?
-G
G13 Security