Brief Analysis of inj3ct0r.com


by Jon Kibler-2


All,

Starting yesterday afternoon, I had a bunch of people begin to ask me about
inj3ct0r.com. Google it and you find:

1) "milw0rm.com is dead, inj3ct0r.com is born!"
2) "New BuGTraCk project ( Exploits database ) inj3ct0r.com"

Two red flags right off the bat. (A Bugtrack project? Get real!)


Asking several well-connected folks in the industry, only one had ever heard of
the site and his opinion was exactly the same as mine: evil site. Any legitimate
effort to distribute exploits for defensive purposes would require being known
in the industry and being trusted by your peers before there could be a
reasonable expectation of site contributions. This is a BIG RED FLAG to have an
unknown person taking on such a task.

If you visit the site, it just looks bogus. It has the appearance of a sloppy
and incomplete wget of milw0rm, with some editing to make links work and to
provide some replacement scripts. The site just looks completely bogus. Another
set of big red flags!


Checking inj3ct0r.com's registration record:
----------
        whois -h whois.PublicDomainRegistry.com inj3ct0r.com
        Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A
PUBLICDOMAINREGISTRY.COM
        Registration Service Provided By: RU@HOSTING
        Contact: +7.38526996373

        Domain Name: INJ3CT0R.COM

        Registrant:
            milw0rm now at inj3ct0r.com
            str0ke aka r00t0ro0t3r        (e-c-h-0@...)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Creation Date: 13-Dec-2008
        Expiration Date: 13-Dec-2013

        Domain servers in listed order:
            ns.secondary.net.ua
            wateam.org.ua


        Administrative Contact:
            inj3ct0r
            str0ke aka r00t0ro0t3r        (e-c-h-0@...)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Technical Contact:
            inj3ct0r
            str0ke aka r00t0ro0t3r        (e-c-h-0@...)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Billing Contact:
            inj3ct0r
            str0ke aka r00t0ro0t3r        (e-c-h-0@...)
            Burdenko 43
            inj3ct0r
            Adana,123000
            TR
            Tel. +7.4953216549

        Status:ACTIVE
----------

Okay, how many red flags do we see here?

1) Claims to be owned by str0ke.
2) Has a .ru email address.
3) Has a claimed TR address (.ru + TR has been a past RBN clue).
4) Is trying to associate itself with milw0rm.

And those are just the red flags that I see without doing any more research!


Next, where is the site hosted?

----------
        $ host www.inj3ct0r.com
        www.inj3ct0r.com is an alias for inj3ct0r.com.
        inj3ct0r.com has address 77.120.101.8

        $ wip 77.120.101.8
        checking whois.arin.net...
        checking whois.ripe.net...

        inetnum:        77.120.101.0 - 77.120.101.255
        netname:        VOLIA-DC
        descr:          Volia DC colocation #6
        remarks:        Send spam reports to: abuse@...
        country:        UA
        admin-c:        VDCA-RIPE
        tech-c:         VDCT-RIPE
        status:         ASSIGNED PA
        mnt-by:         VOLIA-DC-MNT
        source:         RIPE # Filtered

        person:         Volia DC Admin contact
        address:        Ukraine, Kiev
        phone:          +38 044 2852716
        abuse-mailbox:  abuse@...
        nic-hdl:        VDCA-RIPE
        mnt-by:         VOLIA-DC-MNT
        source:         RIPE # Filtered
----------

Hosted in Kiev, UA. Not a good sign.


Everything about the site looks and smells suspect.

As it is said...
   "If it looks like a duck, and
    it quacks like a duck, then
    it is probably a duck."

In my professional opinion, everything about this site is "wrong." I would
strongly recommend avoiding it. It just looks too bogus and it is trying too
hard to appear legitimate, but no one knows who is behind it.

Never trust a site handing out exploits if you don't know who is providing the
exploits!

So what could be the purpose of this site? These are only some hypotheses and
speculations... no hard evidence to date to back up my thoughts:

1) The site could be phishing for new 0-day exploits that could be used in
targeted or widespread attacks by criminal organizations.

2) The site could be modifying known exploits, adding back doors (if you are a
script kiddie, are you going to check the embedded shell code?) that hand over
compromised boxes to some botnet.

3) A means of infecting systems that visit the site. (No sign of that at this time.)

4) Other?


Bottom line: My recommendation is to avoid this site like the plague.

Also, don't count milw0rm as dead yet. Str0ke had a lot of friends. Let's wait
and see if anyone picks up his site and runs with it.

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler@...
e: Jon.R.Kibler@...
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253






==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.
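The registration-record review in Jon's post can be mechanised. The script below is an added example, not code from the post or from any of the people in the thread: it parses a copy of the whois record quoted above (with the e-mail address left elided, as it is on the page) and flags the inconsistencies a reviewer would look for before trusting a domain: a registrant phone number whose country calling code does not match the stated country, name servers under a different country's ccTLD, and registrant fields that borrow another project's name. The `CALLING_CODES` table and the `impersonation_terms` list are assumptions of the example, not data from the post.

```python
"""Parse a registrar whois record and flag consistency problems.
Added example, not part of the original thread.  WHOIS_RECORD is a copy
of the record quoted in the post; the e-mail address is elided as on the
page.  CALLING_CODES and impersonation_terms are this example's own
assumptions (a real tool would carry a full ITU table)."""
import re

WHOIS_RECORD = """\
Registration Service Provided By: RU@HOSTING
Contact: +7.38526996373

Domain Name: INJ3CT0R.COM

Registrant:
    milw0rm now at inj3ct0r.com
    str0ke aka r00t0ro0t3r        (e-c-h-0@...)
    Burdenko 43
    inj3ct0r
    Adana,123000
    TR
    Tel. +7.4953216549

Creation Date: 13-Dec-2008
Expiration Date: 13-Dec-2013

Domain servers in listed order:
    ns.secondary.net.ua
    wateam.org.ua
"""

# ITU country calling codes for the countries that occur in this record (assumption: partial table).
CALLING_CODES = {"TR": "90", "RU": "7", "KZ": "7", "UA": "380"}


def _block(text, header):
    """Indented lines under an exact header line, up to the next blank line."""
    lines = text.splitlines()
    out = []
    try:
        start = lines.index(header) + 1
    except ValueError:
        return out
    for line in lines[start:]:
        if not line.strip():
            break
        out.append(line.strip())
    return out


def parse_whois(text):
    """Extract the fields the checks need from a registrar-style whois dump."""
    rec = {"domain": None, "provider": None, "creation": None}
    m = re.search(r"^Domain Name:\s*(\S+)", text, re.M)
    if m:
        rec["domain"] = m.group(1).lower()
    m = re.search(r"^Registration Service Provided By:\s*(.+)$", text, re.M)
    if m:
        rec["provider"] = m.group(1).strip()
    m = re.search(r"^Creation Date:\s*(\S+)", text, re.M)
    if m:
        rec["creation"] = m.group(1)
    rec["registrant"] = _block(text, "Registrant:")
    rec["nameservers"] = [ns.lower() for ns in _block(text, "Domain servers in listed order:")]
    return rec


def registrant_country(reg):
    """The two-letter country line of the registrant block, if any."""
    for line in reg:
        if re.fullmatch(r"[A-Z]{2}", line):
            return line
    return None


def phone_calling_code(reg):
    """Country calling code from a 'Tel. +CC.number' line, if any."""
    for line in reg:
        m = re.match(r"Tel\.\s*\+(\d+)\.", line)
        if m:
            return m.group(1)
    return None


def red_flags(rec, impersonation_terms=("milw0rm",)):
    """Return human-readable inconsistency findings for the record."""
    flags = []
    country = registrant_country(rec["registrant"])
    code = phone_calling_code(rec["registrant"])
    if country and code and CALLING_CODES.get(country) != code:
        flags.append(f"registrant phone +{code} does not match country {country} "
                     f"(+{CALLING_CODES.get(country, '?')})")
    if country:
        for ns in rec["nameservers"]:
            tld = ns.rsplit(".", 1)[-1].upper()
            if len(tld) == 2 and tld != country:  # ccTLD that is not the registrant's country
                flags.append(f"name server {ns} is under .{tld.lower()} but registrant country is {country}")
    own = rec["domain"] or ""
    for line in rec["registrant"]:
        for term in impersonation_terms:
            if term in line.lower() and term not in own:
                flags.append(f"registrant field mentions '{term}': {line!r}")
    return flags


if __name__ == "__main__":
    record = parse_whois(WHOIS_RECORD)
    print(f"{record['domain']} created {record['creation']} via {record['provider']}")
    for flag in red_flags(record):
        print(" -", flag)
```

Run against the record in the post it reports four findings: the +7 phone against a TR address, both .ua name servers against a TR registrant, and the "milw0rm" reference in the registrant name. None of these proves anything on its own, which is the point of producing them as a list for a human to weigh rather than a verdict.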



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Re: Brief Analysis of inj3ct0r.com

by djamel djamel

Is there any GOOD alternative other than Packet Storm???

On 11/4/09, Jon Kibler <Jon.Kibler@...> wrote:




Re: Brief Analysis of inj3ct0r.com

by Jon Kibler-2


djamel djamel wrote:
> is there any GOOD alternative other than packet storm???
>

Milw0rm will be back soon. See: "Milw0rm / Str0ke Not Dead" from yesterday.

Jon

Re: Brief Analysis of inj3ct0r.com

by dharm

Yes, I totally agree with you, as a simple nmap scan on inj3ct0r.com shows
the output with an smtp having title "WAteam", and the title at port 80 is
also the same. Also, the site is not working right now.

DO NOT SUBMIT/VISIT ANY 0day Exploit at this site.

Here is the nmap scan result for inj3ct0r:

Host 8.101.120.77.colo.static.dc.volia.com (77.120.101.8) appears to be up ... good.

Interesting ports on 8.101.120.77.colo.static.dc.volia.com (77.120.101.8):
Not shown: 985 closed ports
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          ProFTPD 1.3.0
|_ FTP bounce check: no banner
22/tcp    open     ssh          OpenSSH 4.3p2 Debian 9etch3 (protocol 2.0)
25/tcp    open     smtp         Postfix smtpd
|_ SMTPcommands: EHLO wateam.localdomain, PIPELINING, SIZE 10240000,
VRFY, ETRN, AUTH LOGIN PLAIN, AUTH=LOGIN PLAIN, ENHANCEDSTATUSCODES,
8BITMIME, 250 DSN
53/tcp    open     domain?
80/tcp    open     http         Apache httpd 2.2.3 ((Debian))
|_ HTML title: WAteam server
110/tcp   open     pop3         Openwall popa3d
|_ POP3 Capabilites:  capa
111/tcp   filtered rpcbind
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1720/tcp  filtered H.323/Q.931
1723/tcp  open     pptp         linux (Firmware: 1)
2049/tcp  filtered nfs
3306/tcp  open     mysql        MySQL 5.0.32-Debian_7etch11
|  MySQL Server Information: Protocol: 10
|  Version: 5.0.32-Debian_7etch11
|  Thread ID: 33073
|  Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
|  Status: Autocommit
|_ Salt: vh'',G`/g<53>!'BS\Tq
12345/tcp filtered netbus

On Thu, Nov 5, 2009 at 8:33 PM, Jon Kibler <Jon.Kibler@...> wrote:


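As an added example that is not part of dharm's post, the scan output above can be turned into a structured port inventory and reviewed from the defender's side: which services a host whose only public role is HTTP is exposing to the whole Internet, and which SMTP features (VRFY, AUTH offered without STARTTLS) a mail administrator would normally switch off on a public listener. The parser also handles a detail the post itself exhibits: the mail client wrapped the long `SMTPcommands:` line, so continuation lines without a `|` prefix have to be glued back onto the script entry they belong to. `NMAP_OUTPUT` is a condensed copy of the scan in the post; the `INTERNAL_ONLY` table is this example's own assumption about the host's intended role.

```python
"""Parse nmap normal output into a port inventory and review exposure.
Added example, not part of the thread.  NMAP_OUTPUT is a condensed copy
of the scan quoted above (the wrapped SMTPcommands line is kept wrapped
on purpose); INTERNAL_ONLY is an assumption about which services a host
that only needs to serve HTTP should not expose publicly."""
import re

NMAP_OUTPUT = r"""
Not shown: 985 closed ports
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          ProFTPD 1.3.0
|_ FTP bounce check: no banner
22/tcp    open     ssh          OpenSSH 4.3p2 Debian 9etch3 (protocol 2.0)
25/tcp    open     smtp         Postfix smtpd
|_ SMTPcommands: EHLO wateam.localdomain, PIPELINING, SIZE 10240000,
VRFY, ETRN, AUTH LOGIN PLAIN, AUTH=LOGIN PLAIN, ENHANCEDSTATUSCODES,
8BITMIME, 250 DSN
53/tcp    open     domain?
80/tcp    open     http         Apache httpd 2.2.3 ((Debian))
|_ HTML title: WAteam server
110/tcp   open     pop3         Openwall popa3d
|_ POP3 Capabilites:  capa
111/tcp   filtered rpcbind
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1720/tcp  filtered H.323/Q.931
1723/tcp  open     pptp         linux (Firmware: 1)
2049/tcp  filtered nfs
3306/tcp  open     mysql        MySQL 5.0.32-Debian_7etch11
|  MySQL Server Information: Protocol: 10
|  Version: 5.0.32-Debian_7etch11
|_ Status: Autocommit
12345/tcp filtered netbus
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Services a public web host has no business exposing (assumption of this example).
INTERNAL_ONLY = {
    21: "FTP (cleartext logins)",
    110: "POP3 (cleartext logins)",
    1723: "PPTP VPN endpoint",
    3306: "MySQL database",
}


def parse_nmap(text):
    """One dict per port line.  Script output ('|' prefixed) and any wrapped
    continuation lines are attached to the port that precedes them."""
    ports = []
    last_was_script = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": (m.group(5) or "").strip(), "scripts": []})
            last_was_script = False
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
            last_was_script = True
        elif line.strip() and last_was_script:
            # Non-prefixed text right after a script line: a wrapped continuation.
            ports[-1]["scripts"][-1] += " " + line.strip()
        else:
            last_was_script = False
    return ports


def smtp_capabilities(port):
    """EHLO capability list from an SMTPcommands script entry, or []."""
    for entry in port["scripts"]:
        if entry.startswith("SMTPcommands:"):
            return [c.strip() for c in entry.split(":", 1)[1].split(",")]
    return []


def exposure_findings(ports):
    """Defender-side review of what the open ports reveal."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        label = f"{p['port']}/{p['proto']}"
        if p["port"] in INTERNAL_ONLY:
            findings.append(f"{label}: {INTERNAL_ONLY[p['port']]} reachable from the Internet")
        caps = smtp_capabilities(p)
        if "VRFY" in caps:
            findings.append(f"{label}: SMTP VRFY enabled (lets anyone enumerate mailboxes)")
        if any(c.startswith("AUTH") for c in caps) and "STARTTLS" not in caps:
            findings.append(f"{label}: SMTP AUTH offered without STARTTLS (credentials in the clear)")
    return findings


if __name__ == "__main__":
    inventory = parse_nmap(NMAP_OUTPUT)
    print(f"{sum(p['state'] == 'open' for p in inventory)} open ports of {len(inventory)} listed")
    for finding in exposure_findings(inventory):
        print(" -", finding)
```

On the scan in the post this yields six findings: FTP, POP3, PPTP and MySQL all answering from the Internet, plus VRFY and cleartext AUTH on the public SMTP listener. For an inventory that grows beyond a handful of hosts the same parser feeds naturally into a diff against the previous scan, which is the cheapest way to notice a newly exposed service.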


Re: Brief Analysis of inj3ct0r.com

by dharm

http://twitter.com/str0ke



On Fri, Nov 6, 2009 at 1:00 PM, dharm <dharm910@...> wrote:

