Shutting down a botnet
I came home from work after playing with PKI stuff most of the day and sat down to catch up on the mailing lists I’m subscribed to. There was a post to security-basics from kc@mikrobit.pl with a subject of “Strange found in apache error.log“.
“kc” had a server that had apparently been compromised through a phpBB exploit. He noticed output from wget in Apache’s error.log file.
Basically, his server executed the code and downloaded two files, bnc.txt and bot9.txt. bnc.txt appears to be a BNC (IRC bouncer) implemented in Perl. bot9.txt is Perl code for a simple “bot”, which connects to an IRC server running on port 6664 at arcor.dal.net and joins the “#pantaicrew” channel.
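The tell here was wget’s progress output landing in error.log: a web server child has no business running a download tool, and when one does, the tool’s stderr chatter ends up in Apache’s error log. The script below is an added example (not from the original post or from “kc”) that scans an error.log for that kind of output and pairs each fetched URL with the file it was saved as. The sample log lines are constructed for the example; example.invalid and 192.0.2.10 are placeholders, not real hosts.

```python
"""Scan an Apache error.log for download-tool output that should never be there.

wget and curl write their progress to stderr; Apache captures a CGI/PHP
child's stderr into error.log, so a download transcript in that file means a
process spawned by the web server fetched something from the outside.
"""
import re
from typing import List, Tuple

# Constructed sample lines in the style of an Apache 1.3 error.log (not from
# the original post). Lines 3-10 and 12 are the kind of noise a dropper leaves.
SAMPLE_ERROR_LOG = """\
[Tue Mar 08 21:14:02 2005] [notice] Apache/1.3.33 (Unix) configured -- resuming normal operations
[Tue Mar 08 21:15:31 2005] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
--21:16:07--  http://example.invalid/bnc.txt
           => `bnc.txt'
Resolving example.invalid... 192.0.2.10
Connecting to example.invalid[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,414 [text/plain]
--21:16:09--  http://example.invalid/bot9.txt
           => `bot9.txt'
[Tue Mar 08 21:17:00 2005] [error] [client 10.0.0.9] Premature end of script headers: viewtopic.php
sh: line 1: gcc: command not found
"""

# Each rule names a pattern of stderr output from a download tool (or from a
# shell the payload invoked). Order matters only for which rule claims a line.
RULES = [
    # wget 1.x progress header: "--21:16:07--  http://host/file"
    ("wget-fetch", re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)")),
    # wget destination line: "           => `bnc.txt'"
    ("wget-save-as", re.compile(r"^\s*=>\s*`(?P<file>[^']+)'")),
    # wget name-resolution / connection chatter
    ("wget-connect", re.compile(r"^(Resolving|Connecting to)\s+\S+")),
    # curl's progress-meter header, also written to stderr
    ("curl-progress", re.compile(r"^\s*%\s+Total\s+%\s+Received")),
    # a shell complaining about a command the payload tried and failed to run
    ("shell-error", re.compile(r"^sh: (line \d+: )?\S+: (command not found|not found)")),
]


def scan_error_log(text: str) -> List[dict]:
    """Return one finding per matching line: line number, rule name, the raw
    line, and any URL or file name the pattern captured."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.match(line)
            if match:
                finding = {"line": lineno, "rule": name, "text": line.strip()}
                finding.update({k: v for k, v in match.groupdict().items() if v})
                findings.append(finding)
                break  # one rule per line is enough
    return findings


def fetched_artifacts(findings: List[dict]) -> List[Tuple[str, str]]:
    """Pair each wget URL with the local file name it was saved as, in log
    order, so an analyst knows what to go and look at on disk."""
    artifacts = []
    pending_url = None
    for finding in findings:
        if finding["rule"] == "wget-fetch":
            pending_url = finding["url"]
        elif finding["rule"] == "wget-save-as" and pending_url:
            artifacts.append((pending_url, finding["file"]))
            pending_url = None
    return artifacts


if __name__ == "__main__":
    hits = scan_error_log(SAMPLE_ERROR_LOG)
    for hit in hits:
        print(f"line {hit['line']:>3}  {hit['rule']:<14} {hit['text']}")
    for url, path in fetched_artifacts(hits):
        print(f"fetched {url} -> {path}")
```

Run it against a real error.log by reading the file into scan_error_log; the artifact pairs tell you which files to pull off the box and which outbound hosts to look for in firewall logs. The patterns match the classic wget 1.x output format; newer wget versions and other fetch tools print differently, so treat the rule list as a starting point rather than a complete signature set.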
Cool enough, the bot9.txt file tells us that the “administradores” are “nobodyknows” and “Jeny-”. Even cooler, “nobodyknows” was on the channel at the time. A quick entry into “#OperHelp” gained me the assistance of “Arfie”, who joined the channel with me and proceeded to shut down the channel.
My server will probably get DoS’d off the net now, but what the hell… another botnet down, only four gazillion more to go.
Is this a new exploit or an old one? I have to admit that I don’t keep up with them like I used to, and, in this field anyway, it’s easy to get behind real quick.
Update: Seems like this must be an old, known exploit. When I clicked on the link above for bot9.txt, McAfee triggered an alert:

server1.larrytech.biz
ns2610.ovh.net
83.217.84.76
213.148.255.86
213.148.255.87
195.206.106.96
62.48.221.153
serv.megusia.net
213.148.255.85
202.97.68.246
209.152.161.213
wiley-203-36.roadrunner.nf.net
If you know who’s responsible for any of them, you may want to let ’em know.