[nsp-sec] Botnet controller gihan.sikwon.ch port 6969 - 29073 / Ecatel ... possibly another on 44042 / eSolutions
Matt.Carothers at cox.com
Tue Feb 10 18:06:16 EST 2009
I found a PHP bot on a cracked Linux machine. Here's the config data:

    <?php
    class pBot
    {
        // when true, 'server' and 'chan' are stored base64-encoded
        var $using_encode = true;
        var $config = array(
            'server'   => 'Z2loYW4uc2lrd29uLmNo', // server here (base64)
            'port'     => 6969,
            'chan'     => 'dW5peA==',             // channel here (base64) DO NOT USE "#", "#lazy" = "lazy"
            'key'      => '',
            'nickform' => 'unickz[%d]',           // %d is filled with a random number
            'identp'   => 'ez',
            'modes'    => '+p',
            'maxrand'  => 6,
            'cprefix'  => '.',                    // command prefix the admins use in the channel
            'host'     => '*'
        );
        // admin nick => md5(password)
        var $admins = array
        (
            'FlyMan'   => 'c35312fb3a7e05b7a44db2326bd29040',
            'Zach'     => 'c35312fb3a7e05b7a44db2326bd29040',
            'pimpinjg' => 'c35312fb3a7e05b7a44db2326bd29040'
        );
    }
The channel is "unix", and the server is gihan.sikwon.ch. The admin
passwords are "nigger" (md5 hashed). It currently resolves to
94.102.55.188.
AS | IP | AS Name
29073 | 94.102.55.188 | ECATEL-AS AS29073, Ecatel Network
"pimpinjg" claims to have 30k bots, and a screenshot of his desktop that he posted on a web
forum does show some:
http://s5.tinypic.com/qzgmdc.jpg
Notice how his client is connected to "suckmydick.s<something>?"
suckmydick.sikwon.ch just happens to resolve. I'd be willing to bet
that's another controller.
suckmydick.sikwon.ch A 212.117.162.72
AS | IP | AS Name
44042 | 212.117.162.72 | ROOT-AS root eSolutions
Also of note: the uselessjunk.net server you can see him logged into is
the cracked one where the php file was found.
--
Matt Carothers
Cox Communications
(404) 269-7220 (office)
(404) 933-1125 (mobile)
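The config above is all an analyst needs to derive the C2 indicators Matt reports (server, port, channel, the nick pattern the bots use, and the shared admin hash). The script below is an added example and is not part of the original post or of pBot: it parses the quoted PHP config with regexes, base64-decodes the fields pBot encodes when `$using_encode` is true, and turns the result into indicators. The assumptions are that only `server` and `chan` are encoded, that the bot prepends `#` to the channel (as the config comment says), and that `%d` in `nickform` becomes a random number of up to `maxrand` digits; the `crack_admin_hashes` helper matches the md5 admin hashes against a candidate list and is exercised with a constructed hash, not the one from the post.

```python
"""Pull IRC C2 indicators out of a pBot-style PHP config.

Added example for the nsp-sec post; not code from the post or from pBot.
The parsing rules are assumptions about how pBot reads its own config.
"""
import base64
import hashlib
import re

# Config text as quoted in the post (the PHP class body).
PBOT_CONFIG = r"""
class pBot
{
    var $using_encode = true;
    var $config = array(
        'server' => 'Z2loYW4uc2lrd29uLmNo', //server here (base64)
        'port' => 6969,
        'chan' => 'dW5peA==',               //channel here (base64) DO NOT USE "#", "#lazy" = "lazy"
        'key' => '',
        'nickform' => 'unickz[%d]',
        'identp' => 'ez',
        'modes' => '+p',
        'maxrand' => 6,
        'cprefix' => '.',
        'host' => '*'
    );
    var $admins = array
    (
        'FlyMan' => 'c35312fb3a7e05b7a44db2326bd29040',
        'Zach' => 'c35312fb3a7e05b7a44db2326bd29040',
        'pimpinjg' => 'c35312fb3a7e05b7a44db2326bd29040'
    );
}
"""

# 'key' => 'string'   or   'key' => 1234   (trailing // comments are ignored)
PAIR_RE = re.compile(r"'(\w+)'\s*=>\s*(?:'([^']*)'|(\d+))")


def parse_config(text):
    """Return (using_encode, config dict, admins dict) from pBot PHP source."""
    m = re.search(r"\$using_encode\s*=\s*(true|false)", text)
    using_encode = bool(m) and m.group(1) == "true"

    def block(name):
        # body between "var $<name> = array(" and the closing ");"
        m = re.search(r"\$%s\s*=\s*array\s*\((.*?)\);" % name, text, re.S)
        return m.group(1) if m else ""

    def pairs(body):
        return {k: int(n) if n else s for k, s, n in PAIR_RE.findall(body)}

    return using_encode, pairs(block("config")), pairs(block("admins"))


def decode_field(value, using_encode):
    """pBot base64-decodes 'server' and 'chan' only when $using_encode is true (assumed)."""
    if not using_encode:
        return value
    return base64.b64decode(value).decode("ascii")


def c2_indicators(text=PBOT_CONFIG):
    """Derive the IRC C2 indicators an analyst wants from the config."""
    enc, cfg, admins = parse_config(text)
    # '%d' in nickform is assumed to become a random number of up to maxrand digits,
    # so 'unickz[%d]' with maxrand 6 gives the regex  unickz\[\d{1,6}\]
    parts = [re.escape(p) for p in cfg["nickform"].split("%d")]
    nick_re = (r"\d{1,%d}" % cfg["maxrand"]).join(parts)
    return {
        "server": decode_field(cfg["server"], enc),
        "port": cfg["port"],
        "channel": "#" + decode_field(cfg["chan"], enc),  # bot prepends '#' itself
        "channel_key": cfg["key"],
        "nick_regex": nick_re,
        "admin_hashes": admins,
    }


def is_bot_nick(nick, indicators):
    """True if an IRC nick matches the bot's nickform pattern."""
    return re.fullmatch(indicators["nick_regex"], nick) is not None


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack_admin_hashes(admins, candidates):
    """Match each admin's md5 hash against a candidate list.

    pBot stores md5(password) per admin nick; identical hashes mean identical
    passwords, so one hit covers every admin sharing that hash.
    """
    lookup = {md5_hex(c): c for c in candidates}
    return {nick: lookup[h.lower()] for nick, h in admins.items() if h.lower() in lookup}


if __name__ == "__main__":
    ind = c2_indicators()
    for k, v in ind.items():
        print("%-13s %s" % (k, v))
```

Feed `server`, `port` and `channel` to your blocklist or IRC monitoring, and use `nick_regex` to spot infected hosts on any IRC traffic you can see; the shared hash across all three admins is itself a useful pivot when the same operator reuses it on another controller.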