Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Bots looking for FlashChat App - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Bots looking for FlashChat App
I dont know if you are familiar with FlashChat , but I wasn't until today. One of our readers, Rodrigo Freire, sent  some log traces of those perl based bots.
Tracking it, I was able to get into their botnet, on xx.xx.207.12, running on port 7001.
The default channel found on the perl code was #botnet , and was active at the time of this diary was written. The default command to list channels on IRC is /list.
Besides some dangerous of running commands on customized ircd servers, I run it and found another channel, called #scan .
Finally the FlashChat part...:) On the subject of the #scan channel, there was an instruction to scan on google for sites using FlashChat, ONLY on .co.uk domains!
So, my final instructions to you are:

1- If you run FlashChat, check for patches, security patches, APPLY THEM!
2- If you run FlashChat AND on a .co.uk,.uk, APPLY ANY PATCHES AVAILABLE IMMEDIATELY. Additionally, you might want to look through your system for signs of intrustion.
----------------------------------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org )


Pedro

155 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!