[nsp-sec] Botnet controller gihan.sikwon.ch port 6969 - 29073 / Ecatel ... possibly another on 44042 / eSolutions
Serge Droz
serge.droz at switch.ch
Wed Feb 11 02:49:33 EST 2009
Hi Matt,
We've suspended the sikwon.ch.
Best regards
Serge
Matt.Carothers at cox.com wrote:
> ----------- nsp-security Confidential --------
>
> I found a php bot on a cracked linux machine. Here's the config data:
>
> class pBot
> {
> var $using_encode = true;
>
> var $config = array(
> 'server' => 'Z2loYW4uc2lrd29uLmNo',
> //server here (base64)
> 'port' => 6969,
> 'chan' => 'dW5peA==',
> //channel here (base64) DO NOT USE "#", "#lazy" = "lazy"
> 'key' => '',
> 'nickform' => 'unickz[%d]',
> 'identp' => 'ez',
> 'modes' => '+p',
> 'maxrand' => 6,
> 'cprefix' => '.',
> 'host' => '*'
> );
>
> var $admins = array
> (
> 'FlyMan' => 'c35312fb3a7e05b7a44db2326bd29040',
> 'Zach' => 'c35312fb3a7e05b7a44db2326bd29040',
> 'pimpinjg' => 'c35312fb3a7e05b7a44db2326bd29040'
> );
>
>
> The channel is "unix", and the server is gihan.sikwon.ch. The admin
> passwords are "nigger" (md5 hashed). It currently resolves to
> 94.102.55.188.
>
>
> AS | IP | AS Name
> 29073 | 94.102.55.188 | ECATEL-AS AS29073, Ecatel Network
>
> "pimpinjg" claims to have 30k bots, and a screen shot he posted on a web
> forum of his desktop does show some:
>
> http://s5.tinypic.com/qzgmdc.jpg
>
> Notice how his client is connected to "suckmydick.s<something>?"
> suckmydick.sikwon.ch just happens to resolve. I'd be willing to bet
> that's another controller.
>
> suckmydick.sikwon.ch A 212.117.162.72
>
> AS | IP | AS Name
> 44042 | 212.117.162.72 | ROOT-AS root eSolutions
>
> Also of note: the uselessjunk.net server you can see him logged into is
> the cracked one where the php file was found.
>
--
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch
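As an added example (not part of this mail or of the bot's own code), the following Python extractor pulls the controller indicators out of a pBot-style `$config` like the one quoted above: it honours the `$using_encode` flag and base64-decodes the server and channel fields. Which fields are encoded is inferred from the "(base64)" comments in the quoted config; the sample input is a trimmed copy of that config.

```python
import base64
import re

# Sample input: the pBot $config from the quoted mail, trimmed to the C2-relevant fields.
PBOT_SAMPLE = r"""
var $using_encode = true;
var $config = array(
'server' => 'Z2loYW4uc2lrd29uLmNo',
//server here (base64)
'port' => 6969,
'chan' => 'dW5peA==',
//channel here (base64) DO NOT USE "#", "#lazy" = "lazy"
'key' => '',
'cprefix' => '.',
'host' => '*'
);
"""

# Fields pBot stores base64-encoded when $using_encode is true
# (inferred from the "(base64)" comments in the quoted config).
ENCODED_FIELDS = ("server", "chan")
ENTRY_RE = re.compile(r"'(\w+)'\s*=>\s*(?:'([^']*)'|(\d+))")


def extract_pbot_config(source: str) -> dict:
    """Parse the $config array of a pBot sample, decoding base64 fields."""
    flag = re.search(r"\$using_encode\s*=\s*(true|false)", source)
    encode = flag is not None and flag.group(1) == "true"
    # Isolate the $config body so $admins hashes are not mixed in.
    body = re.search(r"\$config\s*=\s*array\s*\((.*?)\);", source, re.S)
    if body is None:
        raise ValueError("no $config array found")
    cfg = {}
    for key, sval, ival in ENTRY_RE.findall(body.group(1)):
        value = int(ival) if ival else sval
        if encode and key in ENCODED_FIELDS and value:
            try:
                value = base64.b64decode(value, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                pass  # not valid base64: keep the raw string for manual review
        cfg[key] = value
    return cfg


def c2_summary(cfg: dict) -> str:
    """One-line controller description for an abuse report to the hoster."""
    return f"irc://{cfg['server']}:{cfg['port']} #{cfg['chan']}"


if __name__ == "__main__":
    print(c2_summary(extract_pbot_config(PBOT_SAMPLE)))
```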