To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Which hosting company?
(hopefully not mine)
I have a few contacts…
++++++++++++++++++
Marcel Chastain
Security
Administration
iPower, Inc.
-----Original Message-----
From: David Leinbach [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 14, 2006 1:54 PM
To: [email protected]
Subject: [botnets] Perl-Based Botnet
This one seems to be propagating using a vulnerability
in the Horde (http://www.horde.org/) framework <= 3.0.9, 3.1.0 as detailed at
http://www.milw0rm.com/exploits/1660. It causes the web
server to download a perl script and run it. The script connects to the
following IRC server and listens. I modified the bot to output what is
happening and not to actually execute any of the malicious commands but have
not observed any malicious acts yet.
Server: 81.3.28.133
Port: 4444
Channel: #hor
Nick: hor-${PID}
The admins seem to be "spart" and "hacked". I also
observed a copy of the script that connects to 209.59.131.211
instead but was not able to connect to that one myself.
I have contacted the web host that is hosting the perl scripts and alerted them
to it. I have not heard back yet.
David
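The indicators in David's post (two C2 addresses, the port, the channel and the hor-<pid> nick) are enough to write a small checker. The following is an added example, not code from the list post or from the bot itself: it matches those indicators against constructed sample data. My assumptions are a connection log in "SRC DST DPORT" form and raw IRC client lines as a sensor would capture them; the PID-suffixed nick is matched as hor- followed by digits, and the second address is matched on IP alone because the post gives no port for it.

```python
"""
Added example (not code from the list post or the bot): match the IRC-bot
indicators from the post against constructed sample data.

Assumptions (mine): a connection log in "SRC DST DPORT" form and raw IRC
client lines as a sensor might capture them; the bot nick hor-${PID} is
matched as hor-<digits>.
"""
import re
from typing import Dict, List

# Indicators quoted from the post. 209.59.131.211 was seen as an alternative
# C2 but no port was given, so it is matched on address alone.
C2_IPS = {"81.3.28.133", "209.59.131.211"}
C2_PORT = 4444
C2_CHANNEL = "#hor"
NICK_RE = re.compile(r"^hor-\d+$")

# Constructed connection-log lines (not real data): "src dst dport"
SAMPLE_CONN_LOG = """\
10.0.0.5 81.3.28.133 4444
10.0.0.5 198.51.100.7 80
10.0.0.9 209.59.131.211 6667
10.0.0.9 203.0.113.4 443
"""

# Constructed IRC client lines (not real captures).
SAMPLE_IRC = """\
NICK hor-31337
USER hor 8 * :hor
JOIN #hor
NICK alice
JOIN #linux
PRIVMSG #linux :hi
"""


def scan_connections(log: str) -> List[Dict[str, object]]:
    """Return every connection to a listed C2 address, noting whether the
    destination port is the one from the post (4444)."""
    hits: List[Dict[str, object]] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        src, dst, dport = parts
        if dst not in C2_IPS:
            continue
        hits.append({"src": src, "dst": dst, "dport": dport,
                     "port_match": dport == str(C2_PORT)})
    return hits


def scan_irc(stream: str) -> List[str]:
    """Flag NICK lines matching the bot's hor-<pid> pattern and JOINs to the
    C2 channel; other IRC traffic is ignored."""
    reasons: List[str] = []
    for line in stream.splitlines():
        cmd, _, rest = line.partition(" ")
        args = rest.split()
        if cmd == "NICK" and args and NICK_RE.match(args[0]):
            reasons.append(f"bot-style nick: {args[0]}")
        elif cmd == "JOIN" and args:
            # JOIN may list several channels and an optional key; check the
            # first channel only, case-insensitively as IRC servers do.
            if args[0].split(",")[0].lower() == C2_CHANNEL:
                reasons.append(f"joined C2 channel: {args[0]}")
    return reasons


if __name__ == "__main__":
    for hit in scan_connections(SAMPLE_CONN_LOG):
        print("C2 connection:", hit)
    for reason in scan_irc(SAMPLE_IRC):
        print("IRC indicator:", reason)
```

On the sample data the connection scan reports both C2 addresses, with only the 81.3.28.133 hit marked as a port match, and the IRC scan reports the hor-31337 nick and the JOIN to #hor. Feeding it real flow or proxy logs means adapting only the three-field line parser.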
PGPexch.htm.asc
Description: PGP signature
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets