Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

WsIRT^(TM)

Webserver Incident Reporting and Termination^(TM) Squad

NOTE: Web servers have logs and in those logs is evidence of attempted hacking. For instance, one may notice an attack that calls such a script from a remote server "r57.php??". Its these kinds of attacks we're looking to investigate. For a concrete example, see these reports.

Please do not submit phish, spam, or malware to WsIRT. Only submit attack signatures from web server logs. As this project hasn't officially been publicly launched, we are still reclassifying the tool and its verbiage.

[ How-To / FAQ ]

WsIRT -> Confirmed Attacks | Terminated Attacks

status: confirmed attack

HTTP Response 15 Jul, 2008 02:13:44	HTTP/1.1 404 Not Found
ID	1102 (termination link)
Title	C99Shell
Entry	http://kashiwadaisuke.com/templates_c/contact_us.php
WsIRT Squad Reporter	tetak
Timestamp	19 Dec, 2007 @ 11:36:16
Topic ID	211113 - Read/respond to WsIRT commentary.
Handler Note: 22 Dec, 2007 18:18:06	Paul: View CIDR AS7514 Report: http://www.cidr-report.org/cgi-bin/as-report?as=7514 "7514 \| JP \| apnic \| 1997-03-03 \| MEX Media EXchange, Inc."
Handler Note: 22 Dec, 2007 18:18:07	Paul: Extended information for AS7514: State/Province: Country: jp Responsible Domain: mex.ad.jp Abuse Email: security@mex.ad.jp
Handler Note: 22 Dec, 2007 18:18:07	Paul: This domain has been compromised, it is running a known hijacking shell called c99. Please investigate your system as this shell permits criminals to conduct spam, phish, malware and other nefarious campaigns.
Handler Note: 22 Dec, 2007 18:18:48	Paul: Generated and sent email attack alert to respective parties.
Handler Note: 29 Dec, 2007 01:21:14	Robin: ATTN JP CERT: We have attempted to notify the owner of this domain as well as the ISP without success in having the shell or any related malware removed. Please contact them. This server very urgently needs to be secured.
Fetched URLs	http://kashiwadaisuke.com/templates_c/contact_us.php

Report for at 19 Dec, 2007 @ 11:40:01

whois

at 19 Dec, 2007 @ 11:40:20

GeekTools Whois Proxy v5.0.4 Ready.
Checking access for CastleCops WsIRT... ok.

Checking server [whois.crsnic.net]

Checking server [whois.melbourneit.com]
Results:

Domain Name.......... kashiwadaisuke.com
  Creation Date........ 2005-04-20
  Registration Date.... 2007-05-05
  Expiry Date.......... 2009-04-20
  Organisation Name.... Daisuke Kashiwa
  Organisation Address. Kudankita
  Organisation Address. 1-10-5
  Organisation Address. Chiyoda-ku
  Organisation Address. 102-0073
  Organisation Address. Tokyo
  Organisation Address. JAPAN

Admin Name........... Dep. VDNS
  Admin Address........ Yaesu
  Admin Address........ 2-8-1
  Admin Address........ Chuo-ku
  Admin Address........ 104-0028
  Admin Address........ Tokyo
  Admin Address........ JAPAN
  Admin Email.......... nsi-dns@verisign.co.jp
  Admin Phone.......... +81.332717014
  Admin Fax............ +81.332717029

Tech Name............ Yuji Koyano
  Tech Address......... Kudannkita1-10-5
  Tech Address......... *
  Tech Address......... Chiyoda-ku
  Tech Address......... 102-0073
  Tech Address......... Tokyo
  Tech Address......... JAPAN
  Tech Email........... nic@ride.ne.jp
  Tech Phone........... +81.332371173
  Tech Fax............. +81.332371073
  Name Server.......... NS01.DOMAINSERVER.NE.JP
  Name Server.......... NS02.DOMAINSERVER.NE.JP

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (CastleCops WsIRT) has visited 84 times today.

whois

at 22 Dec, 2007 @ 18:12:30

GeekTools Whois Proxy v5.0.4 Ready.
Checking access for CastleCops WsIRT... ok.
Final results obtained from whois.nic.ad.jp.
Results:
[ JPNIC database provides information regarding IP address and ASN. Its use   ]
[ is restricted to network administration purposes. For further information,  ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]

Network Information:
a. [Network Number]             210.198.4.0/24
b. [Network Name]               DOMAINSERVER
g. [Organization]               ride Co., Ltd.
m. [Administrative Contact]     YK11621JP
n. [Technical Contact]          YK11621JP
p. [Nameserver]                 ns01.domainserver.ne.jp
p. [Nameserver]                 ns02.domainserver.ne.jp
[Assigned Date]                 2003/11/13
[Return Date]
[Last Update]                   2007/11/26 13:59:24(JST)

Less Specific Info.
----------
Media Exchange Co., Inc.
                     [Allocation]                               210.198.0.0/20

More Specific Info.
----------
No match!!

fetched page

at 19 Dec, 2007 @ 11:40:03
MD5 Fingerprint: f4ed192840c0f05d646d11a4eee5005a
SHA1 Fingerprint: a2298aeb74054bcbd9bc82abd9831c0de3f28abe

Version 1.0


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 222ppm 0.627s (0.047s) Making cybercriminals unhappy since 2002*

WsIRT^(TM)

Webserver Incident Reporting and Termination^(TM) Squad

status: confirmed attack

Report for at 19 Dec, 2007 @ 11:40:01

whois

whois

dig any

host

host

fetched page

Corresponding BGP Origin ASN

Possible BGP peer ASNs one AS hop away from BGP Origin ASN

AS Description of a given BGP ASN

WsIRT(TM)

Webserver Incident Reporting and Termination(TM) Squad

status: confirmed attack

Report for at 19 Dec, 2007 @ 11:40:01

whois

whois

dig any

host

host

fetched page

Corresponding BGP Origin ASN

Possible BGP peer ASNs one AS hop away from BGP Origin ASN

AS Description of a given BGP ASN

WsIRT^(TM)

Webserver Incident Reporting and Termination^(TM) Squad