[nsp-sec] mech found
Alfredo Sola
alfredo at solucionesdinamicas.net
Sun Feb 15 09:50:41 EST 2009
Good day,
On Friday night/Saturday morning European time we had some fun tracing
a DoS attack to a bot on a pwned box on AS6750. We found a mech bot and
went on to gather some intel from it. The most interesting piece is in
mech.set (somewhat confirmed by mech.session):
SERVER 88.191.99.23 6667
Which belongs to:
AS | IP | AS Name
12322 | 88.191.99.23 | PROXAD AS for Proxad/Free ISP
It does at this time have an IRC server on it, but I have been unable
to tell whether it is otherwise legit or not. An httpd process (which
"cleverly" disguises what actually seems to be the IRC client binary; I
haven't tested) was also found. VirusTotal participants seem to agree
that it has Linux/Osf.A (or other similar fancy names). Its
md5: 4fa84a0c5a6bc304771a49a50067d886.
If anybody is interested in further dissecting the thing, I'll be happy
to send a tar.gz.
Another bit found on the box is called dc.pl and dc.txt. I guess this
was only used to put the bot in place.
--
Alfredo Sola
ASP5-RIPE
http://alfredo.sola.es/
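The post names two indicators worth sweeping other boxes for: the md5 of the binary posing as "httpd", and the C2 endpoint given by the SERVER line in mech.set. The script below is an added example, not part of the original message or of any project code. It assumes EnergyMech's documented config syntax "SERVER host port [password]" (the post shows only the host/port form) and builds a constructed sample tree under a temp directory; the stand-in "httpd" file and its hash are made up for the demo, and only the 88.191.99.23 6667 line and the 4fa8... md5 come from the post.

```python
"""Triage sweep for EnergyMech-style IRC bot artifacts (added example)."""
import hashlib
import os
import re
import tempfile

# The one file indicator the post gives: md5 of the binary that posed as "httpd".
KNOWN_MD5 = {
    "4fa84a0c5a6bc304771a49a50067d886": "VirusTotal-flagged bot binary posing as httpd",
}

# Assumed EnergyMech config syntax: SERVER <host> <port> [password]
SERVER_RE = re.compile(r"^\s*SERVER\s+(\S+)\s+(\d{1,5})(?:\s+(\S+))?\s*$", re.IGNORECASE)


def md5_file(path, chunk=65536):
    """md5 of a file, streamed so a large binary is not read into memory whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_server_lines(text):
    """Return (host, port, password) for every SERVER line in a mech.set body."""
    servers = []
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            servers.append((m.group(1), int(m.group(2)), m.group(3)))
    return servers


def sweep(root, ioc_md5=KNOWN_MD5):
    """Walk root; report files whose md5 is a known IOC and any C2 servers
    named in files called mech.set. Returns a dict so the caller can act on it."""
    hits, c2 = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # skip symlinks; a planted link could point the sweep anywhere
            digest = md5_file(path)
            if digest in ioc_md5:
                hits.append((path, digest, ioc_md5[digest]))
            if name == "mech.set":
                with open(path, "r", errors="replace") as f:
                    for host, port, pw in parse_server_lines(f.read()):
                        c2.append((path, host, port, pw))
    return {"hash_hits": hits, "c2_servers": c2}


def demo():
    """Build a constructed sample tree and sweep it. The stand-in binary and
    its hash are invented for this demo; only the first SERVER line is from the post."""
    root = tempfile.mkdtemp(prefix="mech-triage-")
    botdir = os.path.join(root, "var", "tmp", ".x")  # constructed path
    os.makedirs(botdir)
    with open(os.path.join(botdir, "mech.set"), "w") as f:
        f.write("NICK sample\n# constructed config\n"
                "SERVER 88.191.99.23 6667\n"
                "SERVER irc.example.invalid 6667 secret\n")
    fake_bin = os.path.join(botdir, "httpd")
    with open(fake_bin, "wb") as f:
        f.write(b"\x7fELF constructed stand-in, not the real binary\n")
    iocs = dict(KNOWN_MD5)
    iocs[md5_file(fake_bin)] = "constructed stand-in for the demo"  # demo-only IOC
    return sweep(root, iocs)


if __name__ == "__main__":
    result = demo()
    for path, digest, label in result["hash_hits"]:
        print("HASH HIT", digest, path, "(" + label + ")")
    for path, host, port, pw in result["c2_servers"]:
        print("C2", host + ":" + str(port), "from", path, "(password set)" if pw else "")
```

On a real host you would call sweep() against the suspect tree with just KNOWN_MD5; the md5 match only catches this exact build, so the SERVER-line parse is the more durable indicator, since the C2 host survives recompiles and renames of the binary.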