<<< Date Index >>>     <<< Thread Index >>>

BotNet on the Rise



IUT-CERT has received some reports on suspicious link request on HTTP 404 web 
server log file.  All get parameters values were requested with the value of 
http://babyc***b.fortunecity.co.uk/index.htm. Visiting the suspicious site, we 
found a PHP malcode that was encrypted by the malicious attacker. After 
decrypting the code, we found that the attacker is trying to exploit remote 
file inclusion vulnerability that is why she is trying to inject the code in 
web site variables. Successful exploitation of this vulnerability leads to 
execution of the malcode on the vulnerable server.
After execution of the malcode, the code is trying to initialize a connection 
to one of the following sockets: 

homelessman.weedns.com:8080
burningman.weedns.com:8080
ballslessman.weedns.com:8080
mcar.dd.blueline.be:8080
mcarlos.opendns.be:8080
ns10.suroot.com:8080
mcarlos.dnip.net:8080
1.ns03.americanunfinished.com:8080

After the successful connection, the Bot sends a random number, password and 
the nickname to bot handler and waits for commands. These Bot nets are also 
used for further organized attack such as Distributed Denial of Service. It?s 
recommended to all Network administrators to filter the above connections.
For more information and receiving the decrypted code contact us at 
www.ircert.cc or faghani@xxxxxxxx