Here is what they do...
They break into a server and make a simple edit to Apache's httpd.conf file, adding an easy-to-overlook "Include" line like this:
Include /usr/src/redhat/.../.h
(Note the hidden directory named "...": they try to blend it in with normal Unix directory listings so it slips past your eye.)
Inside the directory /usr/src/redhat, they have a file called .h, an include file that in turn includes many other files listing HUNDREDS AND HUNDREDS of domains, like this:
ServerName violence
ServerAlias crosspointm.info *.crosspointm.info crowa.info *.crowa.info declinev.biz *.declinev.biz declinev.info *.declinev.info declinev.net *.declinev.net defrosti.info *.defrosti.info deletiony.info *.deletiony.info delphinem.biz *.delphinem.biz delphinem.info *.delphinem.info delphinem.net *.delphinem.net deputations.biz *.deputations.biz detoxifyp.info *.detoxifyp.info dieboldb.info *.dieboldb.info diffracty.info *.diffracty.info discreete.info *.discreete.info diversiond.info *.diversiond.info dodecahedrai.net *.dodecahedrai.net dosek.biz *.dosek.biz droopg.biz *.droopg.biz droopg.info *.droopg.info dualismv.net *.dualismv.net durrellw.info *.durrellw.info eavesdroppingx.info *.eavesdroppingx.info effiek.net *.effiek.net eiderc.biz *.eiderc.biz escritoireb.info *.escritoireb.info fireq.info *.fireq.info flowerpotb.info *.flowerpotb.info fossl.biz *.fossl.biz fowlp.net *.fowlp.net frozena.biz *.frozena.biz frozena.info *.frozena.info frozena.net *.frozena.net fussyt.biz *.fussyt.biz fussyt.info *.fussyt.info galenaw.net *.galenaw.net grandniecei.info *.grandniecei.info haploidx.net *.haploidx.net hebew.biz *.hebew.biz hebew.info *.hebew.info hibbardf.info *.hibbardf.info histrionica.info *.histrionica.info hoveo.biz *.hoveo.biz hugod.info *.hugod.info hurricanex.info *.hurricanex.info indignityw.info *.indignityw.info inkj.info *.inkj.info intransigentx.info *.intransigentx.info iraniana.info *.iraniana.info joaquinp.info *.joaquinp.info kavam.biz *.kavam.biz laxativeh.biz *.laxativeh.biz laxativeh.info *.laxativeh.info laxativeh.net *.laxativeh.net leachm.info *.leachm.info
ServerName ugly
ServerAlias mathieuh.info *.mathieuh.info monetaryq.info *.monetaryq.info nagasakiw.info *.nagasakiw.info newbornx.biz *.newbornx.biz occurreda.net *.occurreda.net orthonormalm.info *.orthonormalm.info orthonormalm.net *.orthonormalm.net partisanh.info *.partisanh.info perspectivee.info *.perspectivee.info photolyticu.biz *.photolyticu.biz photolyticu.info *.photolyticu.info photolyticu.net *.photolyticu.net pokerfaceu.biz *.pokerfaceu.biz primpm.info *.primpm.info pulsatea.net *.pulsatea.net quickenq.info *.quickenq.info radicesg.info *.radicesg.info rejuvenatet.net *.rejuvenatet.net responsives.biz *.responsives.biz revisionz.info *.revisionz.info rollickk.info *.rollickk.info salutationr.info *.salutationr.info sandrao.info *.sandrao.info sapiensa.info *.sapiensa.info sapiensa.net *.sapiensa.net sauteh.info *.sauteh.info scmg.info *.scmg.info shadflowerc.info *.shadflowerc.info shipleye.net *.shipleye.net sideshowi.info *.sideshowi.info sightseez.biz *.sightseez.biz sightseez.info *.sightseez.info sightseez.net *.sightseez.net smuggleu.info *.smuggleu.info statev.info *.statev.info stipendo.info *.stipendo.info sucroseh.biz *.sucroseh.biz sucroseh.info *.sucroseh.info sucroseh.net *.sucroseh.net sustenancem.net *.sustenancem.net synagoguey.biz *.synagoguey.biz theologyu.biz *.theologyu.biz thighl.net *.thighl.net truthfulo.info *.truthfulo.info twitchyk.biz *.twitchyk.biz upslopeu.info *.upslopeu.info varietyi.biz *.varietyi.biz virtuep.net *.virtuep.net witheb.biz *.witheb.biz zellerbachz.biz *.zellerbachz.biz
They literally have thousands of domains.
Here is the IP they broke into the server from:
May 31 10:14:42 sp82 sshd[22426]: Illegal user cisco from 128.198.60.40
May 31 10:14:47 sp82 sshd[22467]: Illegal user jason from 128.198.60.40
May 31 10:14:53 sp82 sshd[22491]: Illegal user patrick from 128.198.60.40
May 31 10:14:58 sp82 sshd[22553]: Illegal user richard from 128.198.60.40
May 31 10:15:04 sp82 sshd[22598]: Illegal user jerry from 128.198.60.40
May 31 10:15:09 sp82 sshd[22615]: Illegal user auth from 128.198.60.40
May 31 10:15:15 sp82 sshd[22643]: Failed password for games from 128.198.60.40 port 49145 ssh2
May 31 10:15:21 sp82 sshd[22675]: Illegal user pub from 128.198.60.40
May 31 10:15:26 sp82 sshd[22685]: Illegal user support from 128.198.60.40
May 31 10:15:32 sp82 sshd[22698]: Illegal user research from 128.198.60.40
May 31 10:15:37 sp82 sshd[22724]: Illegal user view from 128.198.60.40
May 31 10:15:43 sp82 sshd[22755]: Illegal user master from 128.198.60.40
May 31 10:15:48 sp82 sshd[22806]: Illegal user tmp from 128.198.60.40
May 31 10:15:54 sp82 sshd[22835]: Illegal user temp from 128.198.60.40
May 31 10:15:59 sp82 sshd[22873]: Illegal user work from 128.198.60.40
May 31 10:14:31 sp82 sshd[22323]: Failed password for mail from 128.198.60.40 port 48937 ssh2
May 31 10:14:36 sp82 sshd[22365]: Failed password for cpanel from 128.198.60.40 port 48965 ssh2
traceroute to 128.198.60.40 (128.198.60.40), 30 hops max, 38 byte packets
1 service168-143-119-2.splitinfinity.net (168.143.119.2) 0.744 ms 1.052 ms 0.572 ms
2 ge-1-1-0-3.r01.sndgca01.us.bb.verio.net (129.250.27.110) 0.897 ms 0.930 ms 0.860 ms
3 p4-2-0-0.r00.lsanca01.us.bb.verio.net (129.250.2.165) 4.248 ms 4.350 ms 4.256 ms
4 bur-brdr-01.inet.qwest.net (205.171.4.37) 4.813 ms 4.656 ms 4.764 ms
5 bur-core-01.inet.qwest.net (205.171.13.9) 4.888 ms 4.903 ms 5.000 ms
6 dia-core-03.inet.qwest.net (205.171.8.118) 47.876 ms 47.949 ms 47.748 ms
7 dvr-edge-03.inet.qwest.net (205.171.10.34) 47.993 ms 47.979 ms 47.872 ms
8 65.121.122.206 (65.121.122.206) 50.575 ms 50.721 ms 49.534 ms
9 frgp-link-at-uccs.uccs.edu (128.198.254.1) 54.139 ms 53.909 ms 53.982 ms
10 uccshub-v254.uccs.edu (128.198.254.11) 53.800 ms 54.181 ms 53.653 ms
University of Colorado.
A script kiddie, most likely, with a lot of money or stolen credit cards, because they have hundreds of domains.
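The backdoored Include line described above is easy to find if you audit the config rather than eyeball it. The following is an added example, not code from the post or from Apache: it walks Include/IncludeOptional directives in a config, resolves relative paths against ServerRoot the way httpd does, and flags targets that contain dot-prefixed path components (such as the "..." directory and the ".h" file) or that live outside the ServerRoot. It also counts ServerAlias entries per ServerName, since a vhost carrying hundreds of aliases is the other tell. The config text and the ServerRoot of /etc/httpd are constructed for the example.

```python
"""Audit Apache config text for hidden-path Include directives and
oversized ServerAlias lists. Added example; the sample config below is
constructed to mirror the compromise described in the post."""
import posixpath
import re

# Matches:  Include path   /   IncludeOptional "path"   (case-insensitive)
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.IGNORECASE)

# Constructed httpd.conf fragment. Line 3 is the attacker's addition.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
Include conf.d/*.conf
Include /usr/src/redhat/.../.h
IncludeOptional conf/vhosts.d/*.conf
"""

# Constructed vhost fragment reusing a few aliases quoted in the post.
SAMPLE_VHOSTS = """\
<VirtualHost *:80>
ServerName violence
ServerAlias crosspointm.info *.crosspointm.info crowa.info *.crowa.info declinev.biz *.declinev.biz
</VirtualHost>
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
</VirtualHost>
"""


def suspicious_components(path):
    """Path components that start with a dot, other than '.' and '..'.
    normpath has already collapsed the legitimate ones, so anything left
    ('...', '.h', '.cache', ...) is a name chosen to hide in an ls listing."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def audit_includes(conf_text, server_root="/etc/httpd"):
    """Return [(line_no, target_as_written, [reasons])] for every Include
    that points at a hidden path component or outside the ServerRoot."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # httpd resolves a relative Include against ServerRoot.
        full = target if target.startswith("/") else posixpath.join(server_root, target)
        full = posixpath.normpath(full)
        reasons = []
        hidden = suspicious_components(full)
        if hidden:
            reasons.append("dot-prefixed component(s): " + ", ".join(hidden))
        if not full.startswith(server_root.rstrip("/") + "/"):
            reasons.append("outside ServerRoot " + server_root)
        if reasons:
            findings.append((lineno, target, reasons))
    return findings


def alias_counts(conf_text):
    """Map each ServerName to the number of ServerAlias names that follow it,
    so a vhost with an implausible alias count stands out."""
    counts = {}
    current = None
    for line in conf_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "servername" and len(parts) > 1:
            current = parts[1]
            counts.setdefault(current, 0)
        elif key == "serveralias" and current is not None:
            counts[current] += len(parts) - 1
    return counts


if __name__ == "__main__":
    for lineno, target, reasons in audit_includes(SAMPLE_CONF):
        print(f"line {lineno}: Include {target}: " + "; ".join(reasons))
    for name, n in sorted(alias_counts(SAMPLE_VHOSTS).items(), key=lambda kv: -kv[1]):
        print(f"{name}: {n} alias(es)")
```

On a real host, feed it the output of `httpd -t -D DUMP_INCLUDES` (or the files themselves) rather than the constructed strings, and treat any Include target under /usr/src, /tmp, /dev/shm or a home directory as worth a look even without a dot-prefixed component.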
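The sshd lines quoted above are a textbook username-guessing run: one source, a new username every five or six seconds, "Illegal user" and "Failed password" mixed together, and the entries are not even in time order in the post. The following is an added example, not code from the post: it parses those log lines (plus one constructed benign line from a different address), groups events by source IP, and reports any source whose attempts in a sliding time window cross a threshold. Syslog timestamps carry no year, so the year is an assumed parameter.

```python
"""Detect SSH username-guessing bursts in syslog-style sshd lines.
Added example; the log lines are quoted from the post plus one constructed
benign line (192.0.2.10, alice) to show a source that stays under threshold."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?:Illegal user (?P<bad_user>\S+)'
    r'|Failed password for (?:invalid user )?(?P<user>\S+)) '
    r'from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
)

SAMPLE_LOG = """\
May 31 10:14:42 sp82 sshd[22426]: Illegal user cisco from 128.198.60.40
May 31 10:14:47 sp82 sshd[22467]: Illegal user jason from 128.198.60.40
May 31 10:14:53 sp82 sshd[22491]: Illegal user patrick from 128.198.60.40
May 31 10:14:58 sp82 sshd[22553]: Illegal user richard from 128.198.60.40
May 31 10:15:04 sp82 sshd[22598]: Illegal user jerry from 128.198.60.40
May 31 10:15:09 sp82 sshd[22615]: Illegal user auth from 128.198.60.40
May 31 10:15:15 sp82 sshd[22643]: Failed password for games from 128.198.60.40 port 49145 ssh2
May 31 10:15:21 sp82 sshd[22675]: Illegal user pub from 128.198.60.40
May 31 10:15:26 sp82 sshd[22685]: Illegal user support from 128.198.60.40
May 31 10:15:32 sp82 sshd[22698]: Illegal user research from 128.198.60.40
May 31 10:15:37 sp82 sshd[22724]: Illegal user view from 128.198.60.40
May 31 10:15:43 sp82 sshd[22755]: Illegal user master from 128.198.60.40
May 31 10:15:48 sp82 sshd[22806]: Illegal user tmp from 128.198.60.40
May 31 10:15:54 sp82 sshd[22835]: Illegal user temp from 128.198.60.40
May 31 10:15:59 sp82 sshd[22873]: Illegal user work from 128.198.60.40
May 31 10:14:31 sp82 sshd[22323]: Failed password for mail from 128.198.60.40 port 48937 ssh2
May 31 10:14:36 sp82 sshd[22365]: Failed password for cpanel from 128.198.60.40 port 48965 ssh2
May 31 10:20:00 sp82 sshd[23000]: Failed password for alice from 192.0.2.10 port 50000 ssh2
"""


def parse_line(line, year=2005):
    """Parse one sshd line into an event dict, or None if it is not an
    authentication failure. `year` is assumed because syslog omits it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    bad_user = m.group("bad_user")
    return {
        "ts": ts,
        "ip": m.group("ip"),
        "user": bad_user or m.group("user"),
        "kind": "illegal_user" if bad_user else "failed_password",
    }


def brute_force_sources(lines, threshold=5, window_seconds=120):
    """Return {ip: summary} for every source with >= threshold failures
    inside any window_seconds-long window. Events are sorted first, so
    out-of-order log lines (as in the post) are handled correctly."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(events)):  # two-pointer sliding window
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[ip] = {
                "attempts": len(events),
                "distinct_users": len({e["user"] for e in events}),
                "peak_in_window": peak,
                "first": events[0]["ts"],
                "last": events[-1]["ts"],
            }
    return report


if __name__ == "__main__":
    for ip, s in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['attempts']} failures, {s['distinct_users']} usernames, "
              f"peak {s['peak_in_window']} in window, {s['first']} .. {s['last']}")
```

The distinct-user count is the more useful signal: a legitimate user fat-fingering a password produces many failures for one name, whereas a guessing run produces roughly one failure per name. Feed it `journalctl -u sshd` or /var/log/secure and lower the window if the attacker paces attempts more slowly.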