To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------The files were being hosted on a 6te.net virtual server (which is now part of freewebhostingarea.com). Although I have still not heard back, the files were gone when I checked on Sunday.
David
Which hosting company? (hopefully not mine)
I have a few contacts…
++++++++++++++++++
Marcel Chastain
Security Administration
iPower, Inc.
-----Original Message-----
From: David Leinbach [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 14, 2006 1:54 PM
To: [email protected]
Subject: [botnets] Perl-Based Botnet
This one seems to be propegating using a vulnerability in the <a href="" href="http://www.horde.org/" target="_blank" >http://www.horde.org/">Horde</a> framework <= 3.0.9, 3.1.0 as detailed at <a href="" http://www.milw0rm.com/exploits/1660 "> http://www.milw0rm.com/exploits/1660</a>. It causes the web server to download a perl script and run it. The script connects to the following IRC server and listens. I modified the bot to output what is happening and not to actually execute any of the malicious commands but have not observed any malicious acts yet.
Server: 81.3.28.133
Port: 4444
Channel: #hor
Nick: hor-${PID}
The admins seem to be "spart" and "hacked". I also observed a copy of the script that connects to 209.59.131.211 instead but was not able to connect to that one myself.
I have contacted the web host that is hosting the perl scripts and alerted them to it. I have not heard back yet.
David
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
_______________________________________________ To report a botnet PRIVATELY please email: [EMAIL PROTECTED] All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
