Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351
Posted: Sun Dec 09, 2007 7:10 pm Post subject: [WsIRT#649] IRC Bot Shell (multiple IP locations)
Attack Alert Full Report: /IRC_Bot_Shell_attack649.html
Changed status to confirmed attack.
The array inside this malicious script hosted on this server:
$array2 = array(
    "sqytlpaKo4a/lI6MnaWIiI+zUYSvkA==",
    "sqywiZKPpZLTk4zDmG6aiYakkZRuhpCR",
    "rpihlYyTr5LWVKHDi6SRl0+jko4=",
    "rZytgpFPr5TDlI7MmW6FiQ==",
    "sKJuhYdPopDTi5bHlKVRhoY=",
    "tWeuVFZSclfDVI7CVKKPmYasjI+lUYOJ",
    "vaOokJFUbpPOi5jClLNRhoY=",
    "sqywiZKPpVeMipjHlm6RiZU=",
    "sqytlpaKo5eMipjHlm6RiZU="
);
Translates to:
mymusicband.weedns.com
myphonenumber.weedns.com
ieatironx.weedns.com
himan.opendns.be
ko.dd.blueline.be
p4n33123e.dd.blueline.be
xphon3.opendns.be
myphone3.dnip.net
mymusics.dnip.net
This code is just another obfuscation of an earlier version worked in WsIRT in report number 195. It attempts to make connections to the above and then gives the attacker the ability to compromise a remote web server. It should be removed immediately, and any remaining domains (above) that aren't already taken care of should be taken care of immediately.
IP Converted: 195.161.119.84
dword = 3282138964
hex1 = 0xc3a17754
hex2 = 0xc3.0xa1.0x77.0x54
oct = 0303.0241.0167.0124
Reference to original find: /IRC_Bot_Shell_attack195.html
View CIDR AS8342 Report: http://www.cidr-report.org/cgi-bin/as-report?as=8342
"8342 | RU | ripencc | 1997-06-11 | RTCOMM-AS RTComm.RU Autonomous System"
Extended information for AS8342:
State/Province:
Country: ru
Responsible Domain: rtcomm.ru
Abuse Email: security@rtcomm.ru
;; QUESTION SECTION:
;mymusicband.weedns.com. IN A
;; ANSWER SECTION:
mymusicband.weedns.com. 300 IN A 80.53.30.234
mymusicband.weedns.com. 300 IN A 211.21.125.194
mymusicband.weedns.com. 300 IN A 202.123.84.169
mymusicband.weedns.com. 300 IN A 216.32.78.162
mymusicband.weedns.com. 300 IN A 80.247.203.96
mymusicband.weedns.com. 300 IN A 121.119.172.49
mymusicband.weedns.com. 300 IN A 87.236.196.115
mymusicband.weedns.com. 300 IN A 84.245.99.6
mymusicband.weedns.com. 300 IN A 88.191.26.64
mymusicband.weedns.com. 300 IN A 67.19.83.228
;; QUESTION SECTION:
;myphonenumber.weedns.com. IN A
;; ANSWER SECTION:
myphonenumber.weedns.com. 300 IN A 216.32.78.162
myphonenumber.weedns.com. 300 IN A 88.191.26.64
myphonenumber.weedns.com. 300 IN A 211.21.125.194
myphonenumber.weedns.com. 300 IN A 121.119.172.49
myphonenumber.weedns.com. 300 IN A 80.53.30.234
myphonenumber.weedns.com. 300 IN A 67.19.83.228
myphonenumber.weedns.com. 300 IN A 84.245.99.6
myphonenumber.weedns.com. 300 IN A 87.236.196.115
myphonenumber.weedns.com. 300 IN A 202.123.84.169
myphonenumber.weedns.com. 300 IN A 80.247.203.96
;; QUESTION SECTION:
;ieatironx.weedns.com. IN A
;; ANSWER SECTION:
ieatironx.weedns.com. 300 IN A 88.191.26.64
ieatironx.weedns.com. 300 IN A 216.32.78.162
ieatironx.weedns.com. 300 IN A 80.247.203.96
ieatironx.weedns.com. 300 IN A 84.245.99.6
ieatironx.weedns.com. 300 IN A 87.236.196.115
ieatironx.weedns.com. 300 IN A 202.123.84.169
ieatironx.weedns.com. 300 IN A 80.53.30.234
ieatironx.weedns.com. 300 IN A 121.119.172.49
ieatironx.weedns.com. 300 IN A 67.19.83.228
ieatironx.weedns.com. 300 IN A 211.21.125.194
;; QUESTION SECTION:
;himan.opendns.be. IN A
;; ANSWER SECTION:
himan.opendns.be. 2560 IN A 84.245.99.6
;; QUESTION SECTION:
;ko.dd.blueline.be. IN A
;; ANSWER SECTION:
ko.dd.blueline.be. 297 IN A 87.236.196.115
;; QUESTION SECTION:
;p4n33123e.dd.blueline.be. IN A
;; ANSWER SECTION:
p4n33123e.dd.blueline.be. 300 IN A 121.119.172.49
;; QUESTION SECTION:
;xphon3.opendns.be. IN A
;; ANSWER SECTION:
xphon3.opendns.be. 0 IN A 216.32.78.162
;; QUESTION SECTION:
;myphone3.dnip.net. IN A
;; ANSWER SECTION:
myphone3.dnip.net. 100 IN A 67.19.83.228
;; QUESTION SECTION:
;mymusics.dnip.net. IN A
;; ANSWER SECTION:
mymusics.dnip.net. 100 IN A 80.53.30.234
Each of the domains in the script is mapped to one of ten unique IP addresses:
121.119.172.49
202.123.84.169
211.21.125.194
216.32.78.162
67.19.83.228
80.247.203.96
80.53.30.234
84.245.99.6
87.236.196.115
88.191.26.64
IP Converted: 121.119.172.49
dword = 2037886001
hex1 = 0x7977ac31
hex2 = 0x79.0x77.0xac.0x31
oct = 0171.0167.0254.061
IP Converted: 202.123.84.169
dword = 3397080233
hex1 = 0xca7b54a9
hex2 = 0xca.0x7b.0x54.0xa9
oct = 0312.0173.0124.0251
View CIDR AS8342 Report: http://www.cidr-report.org/cgi-bin/as-report?as=8342
"8342 | RU | ripencc | 1997-06-11 | RTCOMM-AS RTComm.RU Autonomous System"
Extended information for AS8342:
State/Province:
Country: ru
Responsible Domain: rtcomm.ru
Abuse Email: security@rtcomm.ru
IP Converted: 211.21.125.194
dword = 3541401026
hex1 = 0xd3157dc2
hex2 = 0xd3.0x15.0x7d.0xc2
oct = 0323.025.0175.0302
View CIDR AS4713 Report: http://www.cidr-report.org/cgi-bin/as-report?as=4713
"4713 | JP | apnic | 1995-08-30 | OCN NTT Communications Corporation"
Extended information for AS4713:
State/Province:
Country: jp
Responsible Domain: ocn.ad.jp
Abuse Email: abuse@ocn.ad.jp
IP Converted: 216.32.78.162
dword = 3625995938
hex1 = 0xd8204ea2
hex2 = 0xd8.0x20.0x4e.0xa2
oct = 0330.040.0116.0242
View CIDR AS10098 Report: http://www.cidr-report.org/cgi-bin/as-report?as=10098
"10098 | HK | apnic | 2007-10-24 | HENDERSON-HK Henderson Data Centre Limited"
Extended information for AS10098:
State/Province:
Country: hk
Responsible Domain: ihenderson.com
Abuse Email: postmaster@ihenderson.com
IP Converted: 67.19.83.228
dword = 1125340132
hex1 = 0x431353e4
hex2 = 0x43.0x13.0x53.0xe4
oct = 0103.023.0123.0344
View CIDR AS3462 Report: http://www.cidr-report.org/cgi-bin/as-report?as=3462
"3462 | TW | apnic | 2002-08-01 | HINET Data Communication Business Group"
Extended information for AS3462:
State/Province:
Country: tw
Responsible Domain: hinet.net
Abuse Email: cracker@hinet.net
IP Converted: 80.247.203.96
dword = 1358416736
hex1 = 0x50f7cb60
hex2 = 0x50.0xf7.0xcb.0x60
oct = 0120.0367.0313.0140
View CIDR AS3561 Report: http://www.cidr-report.org/cgi-bin/as-report?as=3561
"3561 | US | arin | 1998-10-07 | SAVVIS - Savvis"
Extended information for AS3561:
State/Province: nc
Country: us
Responsible Domain: savvis.net
Abuse Email: abuse@savvis.net
IP Converted: 80.53.30.234
dword = 1345658602
hex1 = 0x50351eea
hex2 = 0x50.0x35.0x1e.0xea
oct = 0120.065.036.0352
View CIDR AS21844 Report: http://www.cidr-report.org/cgi-bin/as-report?as=21844
"21844 | US | arin | 2001-06-29 | THEPLANET-AS - THE PLANET"
Extended information for AS21844:
State/Province: tx
Country: us
Responsible Domain: theplanet.com
Abuse Email: abuse@theplanet.com
IP Converted: 84.245.99.6
dword = 1425367814
hex1 = 0x54f56306
hex2 = 0x54.0xf5.0x63.0x6
oct = 0124.0365.0143.06
View CIDR AS15703 Report: http://www.cidr-report.org/cgi-bin/as-report?as=15703
"15703 | NL | ripencc | 2000-09-19 | TRUESERVER-AS TrueServer BV AS number"
Extended information for AS15703:
State/Province:
Country: nl
Responsible Domain: trueserver.nl
Abuse Email: abuse@true.nl
IP Converted: 87.236.196.115
dword = 1475134579
hex1 = 0x57ecc473
hex2 = 0x57.0xec.0xc4.0x73
oct = 0127.0354.0304.0163
View CIDR AS5617 Report: http://www.cidr-report.org/cgi-bin/as-report?as=5617
"5617 | PL | ripencc | 1996-04-29 | TPNET Polish Telecom_s commercial IP network"
Extended information for AS5617:
State/Province:
Country: pl
Responsible Domain: tpnet.pl
Abuse Email: abuse@tpnet.pl
IP Converted: 88.191.26.64
dword = 1488919104
hex1 = 0x58bf1a40
hex2 = 0x58.0xbf.0x1a.0x40
oct = 0130.0277.032.0100
View CIDR AS16317 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16317
"16317 | SK | ripencc | 2001-02-23 | SK-4CALL 4CONSULT Ltd."
Extended information for AS16317:
State/Province:
Country: sk
Responsible Domain: ipnet.sk
Abuse Email: security@ipnet.sk
View CIDR AS35592 Report: http://www.cidr-report.org/cgi-bin/as-report?as=35592
"35592 | CZ | ripencc | 2005-09-13 | COOLHOUSING-AS COOLHOUSING Autonomous System"
Extended information for AS35592:
State/Province:
Country: cz
Responsible Domain: network.cz
Abuse Email: abuse@network.cz
To all the ISPs: please check for port connectivity on 8080, which this script attempts to establish a connection with in order to take instructions for its enslavement of the compromised server it was injected into.
Quote:
http://yurimusimsoumsis.chat.ru/body/head?
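The post lists the callback names, the ten A records behind them, the dword/hex/octal spellings of each address and the port (8080) the shell calls home on. The Python below is an added example, not the bot's code and not from the post: it reproduces the "IP Converted" spellings, canonicalises any inet_aton()-style encoding of an address back to dotted decimal (so an obfuscated destination still matches an indicator list), parses dig-style answer text into the shared address pool, and sweeps a connection log for callbacks to that pool. The dig records are copied from the post; the log format and log lines are constructed for illustration and are an assumption about what a reader's own logs look like.

```python
"""Added example for the [WsIRT#649] post: IP notation helpers, a dig-output
parser and a log sweep for connections to the C2 pool. Not the bot's code;
the dig records are from the post, the log lines are constructed."""
import ipaddress
import re

C2_PORT = 8080  # the callback port named in the post


def alt_forms(ip):
    """Dword / hex / dotted-hex / dotted-octal spellings of a dotted-decimal
    IPv4 address, laid out like the post's "IP Converted" blocks."""
    octets = [int(o) for o in ip.split(".")]
    dword = int(ipaddress.IPv4Address(ip))
    return {
        "dword": str(dword),
        "hex1": "0x%08x" % dword,
        "hex2": ".".join("0x%x" % o for o in octets),
        "oct": ".".join("0%o" % o for o in octets),
    }


_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.I)


def _part_value(p):
    if p.lower().startswith("0x"):
        return int(p, 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_ip(token):
    """Canonicalise any inet_aton()-style spelling (dword, hex, octal, dotted
    mixtures of 1 to 4 parts) to dotted decimal; None if it is not one."""
    parts = token.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    tail_bits = 8 * (5 - len(parts))  # the last part fills the remaining bytes
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << tail_bits:
        return None
    dword = 0
    for v in values[:-1]:
        dword = (dword << 8) | v
    dword = (dword << tail_bits) | values[-1]
    return str(ipaddress.IPv4Address(dword))


_A_RECORD = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(\S+)$")


def parse_dig_answers(text):
    """Map each name to the set of A records found in dig-style answer text."""
    answers = {}
    for line in text.splitlines():
        m = _A_RECORD.match(line.strip())
        if m:
            answers.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return answers


def ip_pool(answers):
    """Unique addresses behind all the names, sorted numerically."""
    return sorted(set().union(*answers.values()), key=ipaddress.IPv4Address)


# Constructed log format: "<ts> TCP <src>:<sport> -> <dst>:<dport> <flags>".
_CONN = re.compile(r"(\S+):(\d+)\s+->\s+(\S+):(\d+)")


def find_c2_connections(log_text, pool, port=None):
    """Flag connections whose destination, once normalised, is in the pool;
    restrict to one destination port when `port` is given."""
    pool, hits = set(pool), []
    for line in log_text.splitlines():
        m = _CONN.search(line)
        if not m:
            continue
        dst, dport = normalize_ip(m.group(3)), int(m.group(4))
        if dst in pool and (port is None or dport == port):
            hits.append((m.group(1), dst, dport))
    return hits


# Records copied from the post's dig output, and constructed connection log
# lines in which two destinations are written in encoded forms.
SAMPLE_DIG = """\
mymusicband.weedns.com. 300 IN A 80.53.30.234
mymusicband.weedns.com. 300 IN A 88.191.26.64
myphone3.dnip.net. 100 IN A 67.19.83.228
"""
SAMPLE_LOG = """\
2007-12-09T19:10:01 TCP 10.0.0.15:51234 -> 88.191.26.64:8080 SYN
2007-12-09T19:10:02 TCP 10.0.0.15:51235 -> 0x50.0x35.0x1e.0xea:8080 SYN
2007-12-09T19:10:03 TCP 10.0.0.22:44010 -> 198.51.100.7:443 SYN
2007-12-09T19:10:04 TCP 10.0.0.15:51236 -> 1125340132:80 SYN
"""

if __name__ == "__main__":
    pool = ip_pool(parse_dig_answers(SAMPLE_DIG))
    for ip in pool:
        print(ip, alt_forms(ip))
    for hit in find_c2_connections(SAMPLE_LOG, pool, C2_PORT):
        print("8080 callback:", hit)
```

Feed `parse_dig_answers` the full answer sections from the post and `ip_pool` returns the ten-address list given there; the sweep then catches a destination written as `0x50.0x35.0x1e.0xea` or `1125340132` that a plain string match against the dotted list would miss. Run without the `port` argument to see pool hits on any port, since a bot that moves off 8080 still talks to the same hosts.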