Bots looking for FlashChat App

Published: 2006-09-04
Last Updated: 2006-09-04 00:37:37 UTC
by Pedro Bueno (Version: 1)
I don't know if you are familiar with FlashChat, but I wasn't until today. One of our readers, Rodrigo Freire, sent some log traces of those Perl-based bots.
Tracking it, I was able to get into their botnet, on xx.xx.207.12, running on port 7001.
The default channel found in the Perl code was #botnet, and it was active at the time this diary was written. The default command to list channels on IRC is /list.
Despite the danger of running commands on customized ircd servers, I ran it and found another channel, called #scan.
Finally, the FlashChat part... :) In the subject of the #scan channel, there was an instruction to scan on Google for sites using FlashChat, ONLY on .co.uk domains!
So, my final instructions to you are:

1- If you run FlashChat, check for patches, security patches, and APPLY THEM!
2- If you run FlashChat AND are on a .co.uk or .uk domain, APPLY ANY AVAILABLE PATCHES IMMEDIATELY. Additionally, you might want to look through your system for signs of intrusion.
----------------------------------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org )

