Security Incidents mailing list archives
Re: SQL injection worm ?
From: bugtraq () cgisecurity net
Date: Thu, 6 Jan 2005 10:38:29 -0500 (EST)
Here is some additional information. An IRC bot is launched and joins a channel named #!processor on 170.94.206.13 where about 118 hosts are currently idling.

    Channel #!processor was created at Tue Jan 4 23:10:07 2005
    BitchX: Join to #!processor was synched in 0.376 secs!!

    | amax (zzyvg () 39FC4D2A FA0F1DDD 7D6B7CFD IP) (unknown)
    | ircname  : [UNC]66778
    | channels : #!processor
    | server   : shellcodewarez.info (ScW Network)
    : idle     : 4 hours 56 mins 28 secs (signon: Wed Jan 5 09:31:46 2005)

    | [UNC]29805 (kczlexy () 205F319C BAFB8B13 4E5CAB49 IP) (unknown)
    | ircname  : [UNC]29805
    | channels : #!processor
    | server   : shellcodewarez.info (ScW Network)
    : idle     : 4 hours 57 mins 11 secs (signon: Wed Jan 5 08:02:24 2005)

    | [UNC]69402 (wahgb () 7805FEF DBD3D7BD 1E420BBA IP) (unknown)
    | ircname  : [UNC]69402
    | channels : #!processor
    | server   : shellcodewarez.info (ScW Network)
    : idle     : 4 hours 57 mins 9 secs (signon: Tue Jan 4 23:40:01 2005)

    | [UNC]73047 (vjfud () BFE013F 3F070E03 2BA09B8 IP) (unknown)
    | ircname  : [UNC]73047
    | channels : +#!processor
    | server   : shellcodewarez.info (ScW Network)
    : idle     : 4 hours 57 mins 26 secs (signon: Wed Jan 5 07:48:45 2005)

As you can see they are masking the IP addresses.

    Channel      Users  Topic
    #wow!        1      [+nt]
    #^_^         10
    #!processor  118    [+smt]
    ##forbot     24
    ##fbot       6

Only about 5 public channels though. Going into some of the other channels yields what appear to be more bots.

    [Users(##forbot:25)]
    [ [UNC]12312] [ [hax]-cncw] [ [hax]-jvdr] [ [hax]-omaf] [ [hax]-dyfv]
    [ [hax]-cpaq] [ [hax]-rnpe] [ [hax]-ifsb] [ [hax]-lvvx] [ [hax]-nzez]
    [ [hax]-wftc] [ [hax]-dugg] [ [hax]-cdhp] [ [hax]-pxvh] [ [hax]-qyms]
    [ [hax]-toze] [ [hax]-owlu] [ [hax]-skyj] [ [hax]-aeqo] [ [hax]-obhd]
    [ [hax]-vmlv] [ [hax]-zlnv] [ [hax]-mnfy] [ [hax]-xhqh] [ [hax]-nvdt]
    Channel ##forbot was created at Mon Jan 3 19:25:40 2005
    BitchX: Join to ##forbot was synched in 0.432 secs!!

    [Users(##fbot:7)]
    [ [UNC]12312] [ [fB]-jdiac] [ [fB]-fxxbw] [ [fB]-iclac] [ [fB]-jwmui]
    [ [fB]-dzyhl] [ [fB]-gvgob]
    Channel ##fbot was created at Wed Jan 5 11:39:50 2005

    [Users(#wow!:2)]
    [ [UNC]12312] [@[XP]|7255 ]

    [Users(#^_^:11)]
    [ [UNC]12312] [ [UNC]73498] [ [UNC]92388] [ [UNC]72772] [ [UNC]71548]
    [ [UNC]25904] [ [UNC]52052] [ [UNC]16003] [ [UNC]68737] [ [UNC]58737]
    [ [UNC]98004]
    Channel #^_^ was created at Mon Jan 3 19:25:32 2005

- zeno () cgisecurity com
http://www.cgisecurity.com
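Added example, not part of the original post: a minimal detector that parses client-side IRC lines and flags internal hosts that register a nick of the shapes shown above or join one of the listed channels. The (source IP, raw line) input format, the sample events and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Nick shapes and channel names as they appear in the post above.
BOT_NICK = re.compile(r"^\[(?:UNC\]\d{5}|hax\]-[a-z]{4}|fB\]-[a-z]{5})$")
BOT_CHANNELS = {"#!processor", "##forbot", "##fbot"}

def parse_irc(line):
    """Split one RFC 1459 line into (command, params), dropping any prefix."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):                  # optional ":prefix " before the command
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return "", []
    return parts[0].upper(), parts[1:] + ([trailing] if sep else [])

def scan(events):
    """events: iterable of (src_ip, raw_line). Returns {src_ip: sorted reasons}."""
    hits = defaultdict(set)
    for src, raw in events:
        cmd, params = parse_irc(raw)
        if cmd == "NICK" and params and BOT_NICK.match(params[0]):
            hits[src].add("nick:" + params[0])
        elif cmd == "JOIN" and params:
            # JOIN carries a comma-separated list; channel names are case-insensitive.
            for chan in params[0].split(","):
                if chan.lower() in BOT_CHANNELS:
                    hits[src].add("join:" + chan.lower())
    return {src: sorted(reasons) for src, reasons in hits.items()}

# Constructed sample: lines as they might be reassembled from outbound TCP streams.
SAMPLE = [
    ("10.0.0.21", "NICK [UNC]12345\r\n"),
    ("10.0.0.21", "USER xuser 0 * :[UNC]12345\r\n"),
    ("10.0.0.21", "JOIN #!processor\r\n"),
    ("10.0.0.37", "NICK :[hax]-abcd\r\n"),
    ("10.0.0.37", "JOIN ##forbot,#help\r\n"),
    ("10.0.0.50", "NICK alice\r\n"),
    ("10.0.0.50", "JOIN #python\r\n"),
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE).items():
        print(host, reasons)
```

Nick shapes and channel names are easy for an operator to change, so treat a match as a lead for triage alongside the server address given in the post, not as a verdict.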
Current thread:
- SQL injection worm ? Maxime Ducharme (Jan 05)
- <Possible follow-ups>
- Re: SQL injection worm ? bugtraq (Jan 06)