To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
What makes you think Denzel and aslpls- are running the bots? I saw one line where aslpls- changed his nick (he was obviously friendly with xeQt), but I saw nothing in the log about Denzel.

Also, as far as the bot script, toyo.txt, goes:

    $vhost = "e8ea21c62fc9b75647054059b815d350";
    $vhost2 = "7886906c819599697c97aa15d8e37f62";
    $vhost3 = 'xeQt.users.undernet.org';
    ...
    if ( md5(md5($hostname[1])) == $vhost || md5(md5($hostname[1])) == $vhost2
         || $hostname[1] == $vhost3 ) {

The md5 of xeQt.users.undernet.org is e8ea21c62fc9b75647054059b815d350
- however, I don't think that first match will ever work, as it passes
the result of the first md5 to a second call of md5() - which should
effectively generate an md5 of an md5.

I'm not sure what the host in $vhost2 is yet - if I can find more
information on the drone herders in the channel, it may be possible to
figure that out.

Also, on a side note, xeQt appears to be coming from 217.116.179.150
(either ns.host4u.at or ns2.host4u.at, depending on whether you believe
the A or the PTR).

On Wed, Mar 21, 2007 at 07:03:16PM +0100, David Vorel babbled thus:
> zombie based botnet spreads through various bugs in PHP. Undernet
> admins please take a look at it. Description follows. Botnet herders are
> Denzel, xeQt, aslpls-.
--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
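
Added example, not part of the original message or of toyo.txt: a Python helper that tests candidate hostnames against the hash constants in the quoted excerpt, in both the single-MD5 form and the md5(md5()) form that the quoted check actually uses. The function names and the second candidate hostname are assumptions made for illustration.

```python
import hashlib

# Hash constants copied from the toyo.txt excerpt quoted in the message.
SCRIPT_HASHES = {
    "$vhost": "e8ea21c62fc9b75647054059b815d350",
    "$vhost2": "7886906c819599697c97aa15d8e37f62",
}


def php_md5(text):
    """Same result as PHP md5(): lowercase hex digest of the string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def php_md5_twice(text):
    """Same result as PHP md5(md5($x)): the outer call hashes the
    32-character hex string, not the raw 16-byte digest."""
    return php_md5(php_md5(text))


def match_candidates(candidates, targets):
    """Return (hostname, variable, form) for each candidate whose single
    or double MD5 equals one of the target hashes."""
    hits = []
    for host in candidates:
        # The digest is case-sensitive, so also try the lowercased spelling.
        for variant in dict.fromkeys([host, host.lower()]):
            forms = {"md5": php_md5(variant),
                     "md5(md5)": php_md5_twice(variant)}
            for var, target in targets.items():
                for form, digest in forms.items():
                    if digest == target.lower():
                        hits.append((variant, var, form))
    return hits


if __name__ == "__main__":
    # Candidate list: the first name is from the message; the second is a
    # constructed placeholder standing in for hosts seen in a channel log.
    candidates = ["xeQt.users.undernet.org", "placeholder.users.example.invalid"]
    hits = match_candidates(candidates, SCRIPT_HASHES)
    for host, var, form in hits:
        print(f"{host}: {form} matches {var}")
    if not hits:
        print("no candidate matches either hash in either form")
```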
