| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 26 Oct 2008 14:02:36 -0000 From: faghani@...c.ir To: bugtraq@...urityfocus.com Subject: BotNet on the Rise IUT-CERT has received some reports on suspicious link request on HTTP 404 web server log file. All get parameters values were requested with the value of http://babyc***b.fortunecity.co.uk/index.htm. Visiting the suspicious site, we found a PHP malcode that was encrypted by the malicious attacker. After decrypting the code, we found that the attacker is trying to exploit remote file inclusion vulnerability that is why she is trying to inject the code in web site variables. Successful exploitation of this vulnerability leads to execution of the malcode on the vulnerable server. After execution of the malcode, the code is trying to initialize a connection to one of the following sockets: homelessman.weedns.com:8080 burningman.weedns.com:8080 ballslessman.weedns.com:8080 mcar.dd.blueline.be:8080 mcarlos.opendns.be:8080 ns10.suroot.com:8080 mcarlos.dnip.net:8080 1.ns03.americanunfinished.com:8080 After the successful connection, the Bot sends a random number, password and the nickname to bot handler and waits for commands. These Bot nets are also used for further organized attack such as Distributed Denial of Service. It’s recommended to all Network administrators to filter the above connections. For more information and receiving the decrypted code contact us at www.ircert.cc or faghani@...c.ir.
Powered by blists - more mailing lists