Xavier's Security Post
Sunday, November 27, 2005
Interaction with *nix-based botnet channel
In my last post I quickly briefed on the idea of a possible Mambo-based worm, and these days that's a very trivial task, since there are several templates of worms written with the task of exploiting several holes.

The other night I discovered an automated worm in the process of attacking my personal server. I grabbed the binary used in an attempted code inclusion and discovered it was a basic kaiten.c binary. It had the default password "bleh" from the original code, its servers pointed to Undernet, and the channel was "#uid0".
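The triage above (pull the captured bot's IRC server list, channel and password out of the binary before going anywhere near the channel) can be automated with a strings-style scan. The following is an added example written for this page, not code from the original post or from kaiten.c itself. It assumes what the unmodified kaiten.c source does in practice: the server list, channel and password are plain NUL-terminated C strings sitting in the binary's read-only data, so a printable-run scan finds them next to the bot's IRC format strings. The sample byte blob is constructed for the example; its hostnames are placeholders, and "bleh" and "#uid0" are the values the post reports.

```python
"""Triage a captured kaiten-style IRC bot binary for its C2 settings.

Added example, not from the original post or the kaiten.c source. Assumes the
bot keeps its server list, channel and password as NUL-terminated ASCII
strings (as the stock kaiten.c does), so a `strings`-style scan recovers them.
"""
import re
from dataclasses import dataclass, field

MIN_LEN = 4  # same default as `strings -n 4`

# Constructed sample standing in for a real ELF: an ELF magic, some padding,
# then the kind of strings the stock source embeds. Hostnames are placeholders.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"bleh\x00"                       # default password named in the post
    + b"#uid0\x00"                      # channel named in the post
    + b"irc.example.undernet.org\x00"   # placeholder server entries
    + b"eu.undernet.org\x00"
    + b"NOTICE %s :hello\n\x00"         # typical IRC format strings in the bot
    + b"PRIVMSG %s :%s\n\x00"
    + b"\x01\x02\x03"
    + b"JOIN %s\n\x00"
    + b"/usr/dict/words\x00"
)

# Only default the post attests to; extend from the source if you have it.
KNOWN_DEFAULT_PASSWORDS = {"bleh"}

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)   # dotted hostname
CHAN_RE = re.compile(r"^[#&][^\s,\x07]{1,49}$")               # IRC channel name
IRC_VERBS = {"JOIN", "PRIVMSG", "NOTICE", "NICK", "USER", "PONG", "MODE"}


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like strings(1))."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


@dataclass
class C2Config:
    servers: list[str] = field(default_factory=list)
    channels: list[str] = field(default_factory=list)
    passwords: list[str] = field(default_factory=list)
    irc_markers: list[str] = field(default_factory=list)  # evidence it speaks IRC

    def points_to(self, domain: str) -> bool:
        """True if any recovered server is in the given network's domain."""
        domain = domain.lower()
        return any(s.lower() == domain or s.lower().endswith("." + domain)
                   for s in self.servers)


def triage(blob: bytes) -> C2Config:
    """Classify the binary's strings into servers, channels, passwords, IRC verbs."""
    cfg = C2Config()
    for s in extract_strings(blob):
        if s in KNOWN_DEFAULT_PASSWORDS:
            cfg.passwords.append(s)
        elif HOST_RE.match(s):
            cfg.servers.append(s)
        elif CHAN_RE.match(s):
            cfg.channels.append(s)
        elif s.split(" ")[0] in IRC_VERBS:
            cfg.irc_markers.append(s)
    return cfg


if __name__ == "__main__":
    cfg = triage(SAMPLE_BINARY)
    print("servers :", cfg.servers)
    print("channels:", cfg.channels)
    print("password:", cfg.passwords)
    print("undernet:", cfg.points_to("undernet.org"))
```

Run it against a real capture with `triage(open(path, "rb").read())`; a bot compiled from an edited source (changed password, obfuscated strings) will show up as IRC format strings with no recognisable password, which is itself a useful signal that it is not the stock kaiten.c.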

So I joined the channel and noticed that there were several high-profile machines up there, including ***.*** (which I've tried to contact, but to no avail). The worms were going at full blast; many machines a minute were logging into the channel, all kaiten. Now, usually when I find a kaiten channel I tend to be evil and make the bots quit with a simple command. It's actually very trivial to do:


But the channel was in +m (moderated) mode.

I noticed a user on the channel who had operator status and was running commands on a bot. I whois'd the bot and discovered it was an ***.*** machine. I contacted the user and asked him if he knew that trespassing onto the machine (in much simpler terminology) was illegal. I doubt he cared.

Upon further questioning, he revealed the worm they used was written in C++ and attacked xmlrpc, ekinboard, phpBB, and a few other web-based vulnerabilities (including mamboserver). He wouldn't show me the source, but I really didn't care anyway.

Just another day in the neighborhood.
This public blog will be a place for me to output any security findings, both technological and physical, that I have come across. I will post security advisories I was a part of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln
