
SANS ISC: InfoSec Handlers Diary Blog - Shellbot



Shellbot

Published: 2006-01-21
Last Updated: 2006-01-21 20:05:03 UTC
by Koon Yaw Tan (Version: 1)
We received a submission from our reader James reporting a compromised system. It was likely exploited through a vulnerable Mambo installation.

Once compromised, the system attempts to download a tool and a Perl script from:

http://www.fullcrew.net/cmd/tool25.dat
http://shikoe.net/multi.txt
http://shikoe.net/ok.txt

multi.txt and ok.txt are copies of the same Perl script, which can perform tasks such as TCP/UDP/HTTP flooding and port scanning, and also uses Google to search for further vulnerable targets. This is very similar to what is described at:

http://www.webhostingtalk.com/archive/thread/478039-1.html

It will also attempt to connect to an IRC server (shell.durresi.be) over port 34345. What is interesting about the domain durresi.be:

* The domain was registered only on 20 Jan 06.
* Some of the registration details are suspicious or fake: it is a .be domain, yet it was registered with a .it email address, a UK postal address and a fake US telephone number.

How interesting. If you are running the Mambo application, make sure it is the latest version.
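For defenders who want to check their own logs for the indicators above (the two download hosts and the IRC server/port), here is an added detection example that is not part of the original diary. It runs over constructed, hypothetical proxy and firewall log lines; the log format and the source addresses are assumptions, while the hostnames and port come from the diary.

```python
"""Flag proxy/firewall log lines matching the indicators from this diary."""
import re
from urllib.parse import unquote

# Indicators taken from the diary text
DOWNLOAD_HOSTS = {"www.fullcrew.net", "shikoe.net"}
IRC_HOST = "shell.durresi.be"
IRC_PORT = 34345

# Constructed sample log lines in a made-up syslog-like format (not real logs)
SAMPLE_LOGS = """\
proxy 2006-01-21T10:02:11 src=10.0.0.7 GET http://shikoe.net/multi.txt 200
proxy 2006-01-21T10:02:12 src=10.0.0.7 GET http://www.example.org/index.php 200
proxy 2006-01-21T10:02:30 src=10.0.0.7 GET http://www.fullcrew.net/cmd/tool25.dat 200
fw    2006-01-21T10:03:40 src=10.0.0.7 dst=shell.durresi.be dport=34345 proto=tcp allow
fw    2006-01-21T10:03:41 src=10.0.0.7 dst=mail.example.org dport=25 proto=tcp allow
"""

HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)   # host part of any URL in the line
DST_RE = re.compile(r"\bdst=(\S+)\s+dport=(\d+)")    # firewall destination and port
SRC_RE = re.compile(r"\bsrc=(\S+)")


def classify(line):
    """Return a short reason if the line matches an indicator, else None."""
    text = unquote(line)  # also catches percent-encoded URLs
    for host in HOST_RE.findall(text):
        if host.lower() in DOWNLOAD_HOSTS:
            return f"download from {host}"
    m = DST_RE.search(text)
    if m:
        dst, port = m.group(1).lower(), int(m.group(2))
        if dst == IRC_HOST or port == IRC_PORT:
            return f"IRC C2 traffic to {dst}:{port}"
    return None


def scan(log_text):
    """Return (source, reason) pairs for every matching line."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            src = SRC_RE.search(line)
            hits.append((src.group(1) if src else "?", reason))
    return hits


if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOGS):
        print(f"{src}: {reason}")
```

A single internal host that both fetches the scripts and then opens a connection to the IRC port is the pattern worth isolating for incident response.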

Thanks to Patrick Nolan, Marc Sachs and Swa Frantzen for the information.
