[nsp-sec] DDoS against 213.27.239.85 (paging L3+NTT)
John Kristoff
jtk at ultradns.net
Mon Feb 4 23:20:35 EST 2008
On Fri, 1 Feb 2008 04:26:35 +0000 (GMT)
Chris Morrow <morrowc at ops-netman.net> wrote:
> So, it seems to:
> 1) require a command/scan in IRC (I presume this would let you scan for
> phpBB, axis-cam, whatever... without changing the bot code)
Here is one version you can analyze or put into your collection:
<http://layer9.com/~jtk/tmp/rfiscan_google.txt>
I think I may have given a copy of this or a similar one to pjm before.
There are versions for aol, msn, altavista, etc. In a nutshell, you
pass it a search string, which will likely be something that would find
a potentially vulnerable PHP page, then the RFI exploit or test code to
send to the pages found via a search.
> 2) find a random set of page returns from that result-set
> 3) infect new hosts
Correct.
> I could be wrong, but I don't think I can filter out the queries :(
Maybe, maybe not. I haven't analyzed the code, but if you want to,
maybe see if HTTP::Request and/or LWP::UserAgent behave in a way a
typical search client will not. Also this piece of code is probably
worth a once over:
sub google(){ my @lst; my $key = $_[0]; for($b=0;$b<=1000;$b+=100){ my $Go=("http://www.google.it/search?hl=it&q=".key($key)."&num=100&filter=0&start=".$b);
That piece of code may change, but I bet there are some other telltale
signs of the queries. They likely come pretty frequently and in bursts,
possibly from some odd-looking hosts. Likely the bot loaded on
an ircd host or, more interesting, loaded on a perp's client connected
to the ircd controller. The search strings will usually match this
regex, but not exclusively:
/\.php\?\w+=/
John
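As an added defender-side illustration (not code from the thread, and not the bot's own code): a small Python script that applies the regex above together with the "frequent, in bursts, from one host" heuristic to constructed sample search-log lines. The log format, client addresses, window and threshold are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The telltale pattern from the thread: RFI scanner search strings usually match this.
RFI_QUERY_RE = re.compile(r"\.php\?\w+=")

# Constructed sample log lines (assumed format: "<ISO timestamp> <client> <search query>").
SAMPLE_LOG = """\
2008-02-01T04:20:01 192.0.2.10 inurl:index.php?page=
2008-02-01T04:20:02 192.0.2.10 inurl:main.php?id=
2008-02-01T04:20:03 192.0.2.10 inurl:view.php?file=
2008-02-01T04:20:04 192.0.2.10 inurl:show.php?inc=
2008-02-01T04:21:00 192.0.2.77 phpbb latest version
2008-02-01T04:25:00 192.0.2.77 index.php?page= example
"""

def parse_line(line):
    """Split one log line into (timestamp, client, query)."""
    ts, client, query = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, query

def flag_rfi_queries(log_text):
    """Return (timestamp, client, query) for every query matching the RFI regex."""
    return [
        (ts, client, query)
        for ts, client, query in map(parse_line, log_text.splitlines())
        if RFI_QUERY_RE.search(query)
    ]

def find_bursts(hits, window=timedelta(seconds=60), threshold=3):
    """Client -> largest count of matching queries inside one `window`, if >= threshold.
    A lone human search that happens to match (the 192.0.2.77 line) is not flagged."""
    by_client = defaultdict(list)
    for ts, client, _ in hits:
        by_client[client].append(ts)
    bursty = {}
    for client, times in by_client.items():
        times.sort()
        best, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursty[client] = best
    return bursty
```

Tune `window` and `threshold` against your own search or proxy logs; the regex alone will also catch legitimate searches, so the burst count is what separates a scanner from a person.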