
SANS ISC: Shellbot

We received a submission from our reader James reporting on a compromised system. It was likely exploited through a vulnerable Mambo installation.

Once compromised, the system attempts to download a tool and a Perl script from:

The files multi.txt and ok.txt are the same Perl script; it performs various tasks such as TCP/UDP/HTTP flooding and port scanning, and it also uses Google to search for further vulnerable targets. This is very similar to what is seen on:

It will also attempt to connect to an IRC server ( over port 34345. The interesting parts of the domain registration are:

* The domain was only registered on 20 Jan 06.
* Some of the registration information is suspicious and fake. It is a .be domain but registered using a .it email address, a UK snail mail address and a fake US telephone number.
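As an added example (not part of the diary or the reader's submission), the following script looks for the two behaviours described above in a constructed connection log: a host fetching the bot scripts (multi.txt / ok.txt) and the same host then speaking IRC to a non-standard port such as 34345. The log format, IP addresses and payload strings are all made up for the example; only the file names and the port come from the diary.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the diary): <time> <src> <dst>:<port> <summary>
SAMPLE_LOG = """\
2006-01-21T03:12:01 10.0.0.5 203.0.113.10:80 GET /multi.txt
2006-01-21T03:12:02 10.0.0.5 203.0.113.10:80 GET /ok.txt
2006-01-21T03:12:09 10.0.0.5 198.51.100.7:34345 payload "NICK bot1234"
2006-01-21T03:12:09 10.0.0.5 198.51.100.7:34345 payload "USER xxx 8 * :bot"
2006-01-21T03:12:10 10.0.0.5 198.51.100.7:34345 payload "JOIN #chan key"
2006-01-21T03:13:44 10.0.0.9 192.0.2.20:443 GET /index.php
2006-01-21T03:14:00 10.0.0.9 192.0.2.21:6667 payload "NICK legit_user"
2006-01-21T03:15:30 10.0.0.12 198.51.100.7:34345 payload "NICK bot5678"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<summary>.*)$"
)
# Script names taken from the diary; the hosting URL was not preserved.
SCRIPT_RE = re.compile(r"GET /\S*(?:multi|ok)\.txt\b")
# Client registration commands of the IRC protocol (RFC 1459).
IRC_RE = re.compile(r'payload "(?:NICK|USER|JOIN) ')
# Ports where IRC is expected; anything else with IRC commands is suspicious.
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


def analyse(log_text):
    """Return {src_ip: {"script_fetch": [...], "odd_irc": [...], "score": n}}."""
    findings = defaultdict(lambda: {"script_fetch": [], "odd_irc": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        src, port, summary = m["src"], int(m["port"]), m["summary"]
        if SCRIPT_RE.search(summary):
            findings[src]["script_fetch"].append(f"{m['dst']}:{port} {summary}")
        if IRC_RE.search(summary) and port not in STANDARD_IRC_PORTS:
            findings[src]["odd_irc"].append(f"{m['dst']}:{port} {summary}")
    for f in findings.values():
        # Both behaviours on one host is the full chain described in the diary.
        f["score"] = int(bool(f["script_fetch"])) + int(bool(f["odd_irc"]))
    return dict(findings)


def flagged_hosts(log_text, min_score=2):
    """Hosts whose score reaches min_score (2 = download plus odd-port IRC)."""
    return sorted(h for h, f in analyse(log_text).items() if f["score"] >= min_score)


if __name__ == "__main__":
    for host, f in analyse(SAMPLE_LOG).items():
        print(host, "score", f["score"], f["script_fetch"], f["odd_irc"])
    print("flagged:", flagged_hosts(SAMPLE_LOG))
```

The host using IRC on port 6667 is not reported at all, while a host that only talks IRC on an odd port scores 1 and is kept for review.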

How interesting. If you are running the Mambo application, make sure it is running the latest version.

Thanks to Patrick Nolan, Marc Sachs and Swa Frantzen for the information.

Koon Yaw

Jan 21st 2006
