To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------This one seems to be propegating using a vulnerability in the <a href="" href="http://www.horde.org/" target="_blank" >http://www.horde.org/">Horde</a> framework <= 3.0.9, 3.1.0 as detailed at <a href="" http://www.milw0rm.com/exploits/1660"> http://www.milw0rm.com/exploits/1660</a>. It causes the web server to download a perl script and run it. The script connects to the following IRC server and listens. I modified the bot to output what is happening and not to actually execute any of the malicious commands but have not observed any malicious acts yet.
Server: 81.3.28.133
Port: 4444
Channel: #hor
Nick: hor-${PID}
The admins seem to be "spart" and "hacked". I also observed a copy of the script that connects to 209.59.131.211 instead but was not able to connect to that one myself.
I have contacted the web host that is hosting the perl scripts and alerted them to it. I have not heard back yet.
David
_______________________________________________ To report a botnet PRIVATELY please email: [EMAIL PROTECTED] All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
