Posts Tagged ‘botnet’

DDoS PHP-Script

Tuesday, December 18th, 2012

Just recently the BSI warned about an ongoing attack to US Banks.
The php-script involved showed a “404” Error when called without any

A closer looks shows a “404 Not Foun derror” WITH the typo in it.
Now we have a neat string to search for in google or wherever..
and bingo: some other victom already posted the source code
of the infected webserver:


Here we can see that a POST action “stop” makes the DDoS go away..

function stoped()
cmdexec("killall ping;");
print "Stop & Clean";

And here is where the typo sits:

if(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and $_SESSION['LoGiN']!=true)
print "404 Not Found

Not Found

The requested URL ".$_SERVER['PHP_SELF']." was not found on this server

Additionally, a 404 Not Foun derror was encountered while trying to use an Error Document to handle the request




good website

Thursday, September 27th, 2012

Found an interesting website dealing with malware-analysis:

Seems like a good source for information.

Ghost Click: Botnet busted

Thursday, November 10th, 2011

The FBI announced the arrest of 6 estonian nationals for creating the worlds biggest botnet (DNSChanger) so far:
FBI Announcement

German magazin Heise made also an article about that:

C&C – honeypot

Thursday, November 4th, 2010

Now the criminals run honeypots too:

Don’t trust the admin interface of a Malware Control Server..:-)

own rbl started

Saturday, May 8th, 2010

I finally managed to create my own RBL (realtime blocklist) feeded by my honeypot.
All verified IPs which successfully attacked the honeypot are put into a database, which
provides a rbl for our MXes. The IPs are held for 24 hours except those which have more than 50
successful attacks within the last day. I was wondering if there were any mail-hits to be seen
at all; at least these are totally different attack vectors. But strangely enough I could see
blocked emails because of the entries made by the honeypot. We will see how well this

torpig powned

Tuesday, May 5th, 2009

According to a recent article on Heise some scientists have
taken over the torpig-botnet for 10 days. The original article an
be found here.


Saturday, January 10th, 2009

Recently a team of scientists posted an article about dealing with the Storm – Botnet. posted some parts of the source-code “stormfucker” in the mailing-list “Full Dislosure”.
Here is the alpha code for Stormfucker. Patched a few things to not make
it work out of the box.


If you want to work with this code, you need to undecrypt the source. Here is a version of

1) save the source in a file
2) start python:
$ python
Python 2.5.1 (r251:54863, May 18 2007, 16:56:43)
[GCC 3.4.4 (cygming special, gdc 0.12, using dmd 0.125)] on cygwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from base64 import *
>>> a=file("stf.txt",'r')
>>> c=b64decode(b)
>>> a=file("stf.out",'w')
>>> a.write(c)
>>> a.close()

Now we have a stf.out - file, which is bzip2 compressed. (check with "file")
$ bzip2 -d stf.out
bzip2: Can't guess original name for stf.out -- using stf.out.out

Now we have tar-file.. lets have a look:

$ tar tvf stf.out.out
drwxr-xr-x tw/tw 0 2008-01-01 00:00 stormfucker/
-rw-r--r-- tw/tw 610 2008-01-01 00:00 stormfucker/routing.h
-rw-r--r-- tw/tw 75 2008-01-01 00:00 stormfucker/install.h

Extract with tar xvf and have phun..:)