Irregular Expressions

Aug 20 2010   10:31PM GMT

Casper RFI crack bot – Part 1



Posted by: Dan O'Connor
Tags: casper rfi, casper rfi bot, casper unix, rfi bot, unix bot

If you saw the ISC today (isc.sans.edu), you will have seen a posting about a Perl Unix bot making the rounds.

http://isc.sans.edu/diary.html?storyid=9430

There are signatures around from Emerging Threats to detect the bot, if you need them: http://doc.emergingthreats.net/2011176

I have found a server with almost* everything intact, so this should be interesting.

First I am going to start with the site. The one I found was something like this (I am not going to give the real URL; I have already informed them about this):

http://XXX.XXX/e107_images/casper/

Google found this pretty fast. I would have expected that if you have that much control over a web server, you would have started by editing robots.txt so no one can find your little prize. But then again, people can be lazy.

The casper dir has a lot of .txt files in it, but if you go one level back you see something that's really nice.

-rw-r--r-- 1     2e107_images.rar
drwxr-xr-x 2     casper
-rw-r--r-- 1     e107_images.rar

Hmm, we have the dir named casper and two rars?

A little odd, but not totally out of place. What's inside these bad boys?

2e107_images.rar
bot.txt
casper2.txt
casper.txt
cmd_kod.txt
def.txt
eggdrop.tar.gz.tar
iso.txt
psy.tar.gz.tar
sat.txt
scan.pl
scan.txt
sh.txt

e107_images.rar
Ckrid1.txt
Ckrid2.txt
iso.txt
myid.jpg
nnee.pl
nnee.txt
php.jpg
scan2.txt
scan.txt

Ohh pay dirt!

Not only do we have one, but we have two, and they seem to be from different sources. A little diff will let us know what is going on.

Only in 2: bot.txt
Only in 2: casper2.txt
Only in 2: casper.txt
Only in e: Ckrid1.txt
Only in e: Ckrid2.txt
Only in 2: cmd_kod.txt
Only in 2: def.txt
Only in 2: eggdrop.tar.gz.tar

This is good to know, we will have to come back to that tar.
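To reproduce the comparison above on your own copy of the two archives, here is an added shell example; it is not code from the original post. It assumes the rars have already been unpacked (for example with unrar) into two directories, whose names are whatever you chose; the "2" and "e" in the post's diff output are taken here to be the author's directory names, which is an assumption. The script mirrors what `diff -rq` prints for files present on only one side and, for names that appear in both archives (iso.txt and scan.txt above), hashes both copies so you can tell whether they are the same build or two different versions. The sample directories it builds are constructed from the file lists in the post with placeholder contents, so which shared files "differ" in the sample says nothing about the real kit.

```shell
#!/bin/sh
# Added example (not code from the original post): compare two unpacked
# RFI-kit archives the way `diff -rq` does, plus hashes for shared files.
# Assumed prerequisite (not run here):  unrar x 2e107_images.rar kit2/
#                                       unrar x e107_images.rar   kite/
# Never execute anything out of these directories; treat them as evidence.

# sha256 FILE: print the SHA-256 of FILE (sha256sum on GNU, shasum elsewhere)
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_kits DIR_A DIR_B
# Prints "Only in DIR: file" for names unique to one side and, for names
# present in both, either "Same in both: file hash" or "Files ... differ".
compare_kits() {
    a=$1; b=$2
    tmp=$(mktemp -d)
    # sorted relative file lists, so comm(1) can do the set arithmetic
    (cd "$a" && find . -type f | sed 's|^\./||' | sort) > "$tmp/a"
    (cd "$b" && find . -type f | sed 's|^\./||' | sort) > "$tmp/b"
    comm -23 "$tmp/a" "$tmp/b" | while IFS= read -r f; do
        echo "Only in $a: $f"
    done
    comm -13 "$tmp/a" "$tmp/b" | while IFS= read -r f; do
        echo "Only in $b: $f"
    done
    comm -12 "$tmp/a" "$tmp/b" | while IFS= read -r f; do
        ha=$(sha256 "$a/$f"); hb=$(sha256 "$b/$f")
        if [ "$ha" = "$hb" ]; then
            echo "Same in both: $f $ha"
        else
            echo "Files $a/$f and $b/$f differ"
        fi
    done
    rm -rf "$tmp"
}

# build_sample ROOT: constructed stand-in for the two unpacked rars, using
# the file names listed in the post and placeholder contents (not the real
# kit); iso.txt is copied across so both outcomes of compare_kits show up.
build_sample() {
    root=$1
    mkdir -p "$root/2" "$root/e"
    for f in bot.txt casper2.txt casper.txt cmd_kod.txt def.txt \
             eggdrop.tar.gz.tar iso.txt psy.tar.gz.tar sat.txt \
             scan.pl scan.txt sh.txt; do
        echo "placeholder $f from 2e107_images.rar" > "$root/2/$f"
    done
    for f in Ckrid1.txt Ckrid2.txt iso.txt myid.jpg nnee.pl nnee.txt \
             php.jpg scan2.txt scan.txt; do
        echo "placeholder $f from e107_images.rar" > "$root/e/$f"
    done
    cp "$root/2/iso.txt" "$root/e/iso.txt"
}

# Usage: sh compare_kits.sh DIR_A DIR_B
# With no arguments it compares the constructed sample instead.
if [ $# -eq 2 ]; then
    compare_kits "$1" "$2"
elif [ $# -eq 0 ]; then
    sample=$(mktemp -d)
    build_sample "$sample"
    compare_kits "$sample/2" "$sample/e"
    rm -rf "$sample"
fi
```

The hashes are the part `diff -rq` does not give you: once you have several dropped copies of the same kit, a hash per file lets you tell which copies share components (the eggdrop and psy tarballs, the scanners) without opening them, and lets you match them against samples others have already written up, such as the ISC diary linked above.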

In the next post we will start going through the files and see what the deal is with these two rars.
