[nsp-sec] Botnetserver in AS7097 + local root exploit
Rune Sydskjør
rune.sydskjor at uninett.no
Thu Sep 3 08:49:35 EDT 2009
Anyone from AS7097 (Hostway Services, Inc) here?
There's a botnetserver in your network, though I can't see any clients
on that channel right now.
We've had some findings on a compromised server. Local root-exploit and
bot-client attached for those who are interested.
It was connected to irc.snugglenets.com (216.139.245.58)
The botclient was downloaded from here: http://s11.info/d/m (AS 46816,
DirectSpace Networks, LLC.)
Sharknarc against snugglenets gives me:
Timestamp: 2009-09-03 11:31:30 GMT
Server ID: hub.snugglenets.com
hub.snugglenets.com -> 216.139.245.58 (Matches server ip)
Welcome: Welcome to the snugglenets IRC network
Server IP: 216.139.245.58
Server Port: 6667
Server Password: passwd
Server AS: AS | IP | AS Name
Server AS: 7097 | 216.139.245.58 | HWSERVICES--7097 - Hostway Services, Inc.
Peer AS : PEER_AS | IP | AS Name
Peer AS : 32400 | 216.139.245.58 | HWSERVICES-32400 - Hostway Services, Inc.
Motd: - -- \___ \| \| | | | | | _| | _| | | _| | \| | _| | | \___ \ --
Motd: - -- ___) | |\ | |_| | |_| | |_| | |___| |___| |\ | |___ | | ___) | --
Motd: - -- |____/|_| \_|\___/ \____|\____|_____|_____|_| \_|_____| |_| |____/ --
Motd: - -- --
Motd: - -- __________ --
Motd: - -- < loldongs > --
Motd: - -- ---------- --
Motd: - -- \ _______ --
Motd: - -- \ (" . _ . ") --
Motd: - -- __{ + }__ --
Motd: - -- ( )__"""""__( ) --
Motd: - -- (__) (__) --
Motd: - --------------------------------------------------------------------------------
Motd: - --------------------------------------------------------------------------------
Motd: - -- --
Motd: - -- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --
Motd: - -- |i|r|c|.|s|n|u|g|g|l|e|n|e|t|s|.|c|o|m| --
Motd: - -- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --
Motd: - -- --
Motd: - --------------------------------------------------------------------------------
Motd: - --------------------------------------------------------------------------------
Motd: - -- Home of #dongescrow --
Motd: - --------------------------------------------------------------------------------
Motd: - --------------------------------------------------------------------------------
Mode: +iwx
Notice: [Random News - Nov 15 2008] LOL DONGS
Notice: Your nick isn't registered.
Global Users: 52
Visible: 20
Invisible: 32
Global Servers: 2
Percent Invisible: 61%
Channels: 12
Global Client/Channel Ratio: 4.33
Clients: 30
Servers: 1
Local Client/Channel Ratio: 2.50
Max Local Users: 229
Max Global Users: 301
Link: hub.snugglenets.com - hub.snugglenets.com 0 snugglenets
LinkRdns: hub.snugglenets.com -> 216.139.245.58
List: #lool 1
List: #staff 2 [+ntrO] Snugglenets Staff Channel | Serious Opers Only || This is the new staff channel since #opers got taken over by fags and is no longer usable for decent network discussion. || Only real opers in this channel
List: #vhost 1 [+ntr] vhosts here and now: !vhost <v.host.here>
List: #prophecy 1 [+ntr] Aush0k clones. All day, all night. | Check in any time you like, but know that you can never leave.
List: #donges 1
List: #m3n 4 [+ntr] http://i29.tinypic.com/2s9653q.png | WB are you still alive - grinm3n | RIP WB - Skambrent || RIP MY ANUS | http://www.wepump.in/asciimaker/
List: #notgay 1
List: #dongescrow 26 [+ntr] just pull down the console of life and type /quit
ERROR: Permission Denied- You do not have the correct IRC operator privileges
Admin: Administrative info about hub.snugglenets.com
Admin: NeoLobster
Admin: neolobster at snugglenets.com
Listener: *:7031, clients 1. is PERM SSL
Listener: *:7029, clients 0. is PERM
Listener: *:7028, clients 0. is PERM SSL
Listener: *:6697, clients 11. is PERM clientsonly SSL
Listener: *:6667, clients 20. is PERM
Map: hub.snugglenets.com (30)
Created: Tue Mar 17 2009 at 12:07:21 CDT
Version: Unreal3.2.8
Summary: CHANNEL_SIZE 0
Summary: CLIENT_VISIBLE_RATIO +3
Summary: GLOBAL_CLIENT_CHANNEL_RATIO +4
Summary: LOCAL_CLIENT_CHANNEL_RATIO +2
Summary: NAME_MATCHES_IP -20
Summary: PORT_NON_STANDARD_6697 +16
Summary: PORT_NON_STANDARD_7028 +16
Summary: PORT_NON_STANDARD_7029 +16
Summary: PORT_NON_STANDARD_7031 +16
Summary: SUSPICIOUS_HOSTNAME +20
Score: 73
Regards,
Rune Sydskjør, UNINETT
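Added example (mine, not part of Rune's post and not Sharknarc's own code): the Summary block in the report above is a weighted feature list whose weights sum to the reported Score (0 + 3 + 4 + 2 - 20 + 4*16 + 20 = 73), and the ratio fields follow from the raw counts (52 users / 12 channels = 4.33, 30 clients / 12 channels = 2.50, 32 of 52 users invisible = 61%). The script below parses a report in that "Key: value" shape, recomputes the derived fields and checks the score against the weights, which is a cheap sanity check when triaging many such reports. The line format and the derivations are assumptions taken from the output shown here, not Sharknarc's documented algorithm; the sample report is a constructed subset of the values in the message. It mirrors the report in treating every listener other than the Server Port as non-standard, so 6697 is counted even though it is a common IRC-over-TLS port.

```python
import re

# Constructed sample: a subset of the report lines from the message above.
# The "Key: value" format is an assumption based on that output.
REPORT = """\
Server Port: 6667
Global Users: 52
Visible: 20
Invisible: 32
Channels: 12
Clients: 30
Listener: *:7031, clients 1. is PERM SSL
Listener: *:7029, clients 0. is PERM
Listener: *:7028, clients 0. is PERM SSL
Listener: *:6697, clients 11. is PERM clientsonly SSL
Listener: *:6667, clients 20. is PERM
Summary: CHANNEL_SIZE 0
Summary: CLIENT_VISIBLE_RATIO +3
Summary: GLOBAL_CLIENT_CHANNEL_RATIO +4
Summary: LOCAL_CLIENT_CHANNEL_RATIO +2
Summary: NAME_MATCHES_IP -20
Summary: PORT_NON_STANDARD_6697 +16
Summary: PORT_NON_STANDARD_7028 +16
Summary: PORT_NON_STANDARD_7029 +16
Summary: PORT_NON_STANDARD_7031 +16
Summary: SUSPICIOUS_HOSTNAME +20
Score: 73
"""


def parse_report(text):
    """Split 'Key: value' lines into a dict; Listener and Summary repeat, so they become lists."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("Listener", "Summary"):
            fields.setdefault(key, []).append(value)
        else:
            fields[key] = value
    return fields


def summary_weights(fields):
    """Map each Summary feature name to its signed integer weight."""
    weights = {}
    for entry in fields.get("Summary", []):
        name, _, weight = entry.rpartition(" ")
        weights[name] = int(weight)
    return weights


def total_score(fields):
    """Sum of the Summary weights; should equal the reported Score."""
    return sum(summary_weights(fields).values())


def check_score_consistency(fields):
    """True when the weights add up to the Score line (a tamper/parsing sanity check)."""
    return total_score(fields) == int(fields["Score"])


def listener_ports(fields):
    """Extract the TCP port from each 'Listener: *:PORT, ...' line."""
    ports = []
    for entry in fields.get("Listener", []):
        match = re.match(r"\*:(\d+),", entry)
        if match:
            ports.append(int(match.group(1)))
    return sorted(ports)


def nonstandard_ports(fields):
    """Every listener port other than the advertised Server Port, as the report counts them."""
    standard = int(fields.get("Server Port", 6667))
    return [p for p in listener_ports(fields) if p != standard]


def derived_ratios(fields):
    """Recompute the ratio fields from the raw counts (percent is truncated, matching the report)."""
    users = int(fields["Global Users"])
    channels = int(fields["Channels"])
    clients = int(fields["Clients"])
    invisible = int(fields["Invisible"])
    return {
        "global_client_channel_ratio": round(users / channels, 2),
        "local_client_channel_ratio": round(clients / channels, 2),
        "percent_invisible": int(100 * invisible / users),
    }


if __name__ == "__main__":
    f = parse_report(REPORT)
    print("score", total_score(f), "consistent", check_score_consistency(f))
    print("non-standard listener ports", nonstandard_ports(f))
    print("derived", derived_ratios(f))
```

Running it on the constructed sample reproduces the 73 and the three ratio fields; a report whose Summary lines do not add up to its Score, or whose ratios disagree with its counts, is worth a second look before it feeds any automated blocking.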
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: m
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090903/1050914b/attachment-0001.ksh>