To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi,

On Fri, Apr 14, 2006 at 01:54:20PM -0700, David Leinbach wrote:
> This one seems to be propagating using a vulnerability in the Horde
> (http://www.horde.org/) framework <= 3.0.9, 3.1.0 as detailed at
> http://www.milw0rm.com/exploits/1660.  It causes the web server to
> download a perl script and run it.  The script connects to the following IRC
> server and listens.  I modified the bot to output what is happening and not
> to actually execute any of the malicious commands but have not observed any
> malicious acts yet.
> Server: 81.3.28.133
> Port: 4444
> Channel: #hor
> Nick: hor-${PID}

two additional horde exploit based deface/irc bots:

--excerpt of 17d32fa457ba49aa7e9bb3774f8e5fdc--
my $processo = '[httpd]';
my $linas_max='5';
my $sleep='5';
my @adms=("spart","hacked");
my @hostauth=("spart.gov","muie.gov");
my @canais=("#hor");
my $pwned="/tmp/horderd";
my $nick='hor-';
my $ircname = 'spart';
chop (my $realname = 'id');
$servidor='66.36.243.65' unless $servidor;
my $porta='4444';
my $VERSAO = '0.2';
--end of excerpt--

--excerpt of f3577e24501b067174ce56b9c51e16c0--
my $processo = '[httpd]';
my $linas_max='5';
my $sleep='5';
my @adms=("spart","hacked");
my @hostauth=("spart.gov","muie.gov");
my @canais=("#hor");
my $pwned="/tmp/horderd";
my $nick='hor-';
my $ircname = 'spart';
chop (my $realname = 'id');
$servidor='66.93.101.19' unless $servidor;
my $porta='4444';
my $VERSAO = '0.2';
--end of excerpt--

Scan report of 17d32fa457ba49aa7e9bb3774f8e5fdc
AntiVir 6.34.0.24/20060417      found [Perl/Asan.A.1]
Avast   4.6.695.0/20060417      found nothing
AVG     386/20060416    found [PERL/ShellBot]
Avira   6.34.0.56/20060417      found [Perl/Asan.A.1]
BitDefender     7.2/20060417    found [Backdoor.Perl.Shellbot.B]
CAT-QuickHeal   8.00/20060417   found nothing
ClamAV  devel-20060202/20060416 found [Trojan.Perl.Shellbot.C]
DrWeb    4.33/20060417  found nothing
eTrust-InoculateIT      23.71.131/20060416      found nothing
eTrust-Vet      12.4.2164/20060417      found [Perl/Shellbot.A]
Ewido   3.5/20060417    found nothing
Fortinet        2.71.0.0/20060417       found nothing
F-Prot  3.16c/20060416  found [Unix/Asan.A]
Ikarus  0.2.59.0/20060417       found nothing
Kaspersky       4.0.2.24/20060417       found nothing
McAfee  4742/20060417   found [Perl/Shellbot]
NOD32v2 1.1492/20060416 found [probably a variant of  Perl/IRCBot.B ]
Norman  5.90.15/20060417        found nothing
Panda   9.0.0.4/20060417        found [PHP/Santy.C]
Sophos  4.04.0/20060417 found nothing
Symantec        8.0/20060417    found nothing
TheHacker       5.9.7.130/20060416      found nothing
UNA     1.83/20060414   found nothing
VBA32   3.10.5/20060417 found nothing

Scan report of f3577e24501b067174ce56b9c51e16c0
AntiVir 6.34.0.24/20060417      found [Perl/Asan.A.1]
Avast   4.6.695.0/20060417      found nothing
AVG     386/20060416    found [PERL/ShellBot]
Avira   6.34.0.56/20060417      found [Perl/Asan.A.1]
BitDefender     7.2/20060417    found [Backdoor.Perl.Shellbot.B]
CAT-QuickHeal   8.00/20060417   found nothing
ClamAV  devel-20060202/20060416 found [Trojan.Perl.Shellbot.C]
DrWeb    4.33/20060417  found nothing
eTrust-InoculateIT      23.71.131/20060416      found nothing
eTrust-Vet      12.4.2164/20060417      found [Perl/Shellbot.A]
Ewido   3.5/20060417    found nothing
Fortinet        2.71.0.0/20060417       found nothing
F-Prot  3.16c/20060416  found [Unix/Asan.A]
Ikarus  0.2.59.0/20060417       found nothing
Kaspersky       4.0.2.24/20060417       found nothing
McAfee  4742/20060417   found [Perl/Shellbot]
NOD32v2 1.1492/20060416 found [probably a variant of  Perl/IRCBot.B ]
Norman  5.90.15/20060417        found nothing
Panda   9.0.0.4/20060417        found [PHP/Santy.C]
Sophos  4.04.0/20060417 found nothing
Symantec        8.0/20060417    found nothing
TheHacker       5.9.7.130/20060416      found nothing
UNA     1.83/20060414   found nothing
VBA32   3.10.5/20060417 found nothing

-- 
Tom Fischer
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
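
Added example, not part of the original post or of either bot script: a small Python extractor that pulls the literal settings out of Perl bot sources like the two excerpts above and diffs them, confirming that the samples differ only in `$servidor`. The function names and the `SERVER` placeholder in the template are assumptions made for this example; the setting values are copied from the excerpts.

```python
import re

# Literal scalar assignments: my $porta='4444';  $servidor='...' unless $servidor;
SCALAR = re.compile(r"^\s*(?:my\s+)?\$(\w+)\s*=\s*(['\"])(.*?)\2", re.M)
# Literal list assignments: my @canais=("#hor");
ARRAY = re.compile(r"^\s*(?:my\s+)?@(\w+)\s*=\s*\((.*?)\)\s*;", re.M)
ITEM = re.compile(r"(['\"])(.*?)\1")

def extract_config(perl_source):
    """Map variable name -> string (scalars) or tuple of strings (lists)."""
    config = {name: value for name, _, value in SCALAR.findall(perl_source)}
    for name, body in ARRAY.findall(perl_source):
        config[name] = tuple(value for _, value in ITEM.findall(body))
    return config

def c2_indicators(config):
    """Fields a defender would block or alert on."""
    port = config.get("porta", "")
    return {
        "server": config.get("servidor"),
        "port": int(port) if port.isdigit() else None,
        "channels": config.get("canais", ()),
        "nick_prefix": config.get("nick"),
    }

def diff_configs(a, b):
    """Variables whose values differ between two samples."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

# Settings common to both excerpts in the post; SERVER is a placeholder.
TEMPLATE = """my $processo = '[httpd]';
my $linas_max='5';
my $sleep='5';
my @adms=("spart","hacked");
my @hostauth=("spart.gov","muie.gov");
my @canais=("#hor");
my $pwned="/tmp/horderd";
my $nick='hor-';
my $ircname = 'spart';
chop (my $realname = 'id');
$servidor='SERVER' unless $servidor;
my $porta='4444';
my $VERSAO = '0.2';
"""
SAMPLE_A = extract_config(TEMPLATE.replace("SERVER", "66.36.243.65"))
SAMPLE_B = extract_config(TEMPLATE.replace("SERVER", "66.93.101.19"))
if __name__ == "__main__":
    print(c2_indicators(SAMPLE_A), diff_configs(SAMPLE_A, SAMPLE_B))
```

Only line-leading literal assignments are matched, so the `chop (my $realname = ...)` line is skipped rather than guessed at.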
