Posted by: Dan O'Connor
casper rfi, casper rfi bot, casper unix, rfi bot, unix bot
If you saw the ISC today (isc.sans.edu) there is a posting about a perl Unix bot making the rounds.
There is signatures around from emerging threats to detect the bot, if you need them. http://doc.emergingthreats.net/2011176
I have found a server with almost* everything intact so this should be interesting..
First I am going to start with the site, the one I found was something like this (I am not going to give the real URL, I have already informed them about this)
Google found this pretty fast, I would have suspected if you have that much control over a web server you would have started by editing the robo.txt so no one can find your little prize. But then again people can be lazy.
The casper dir has a lot of txt’s in it, but if you go one level back you see something that’s really nice.
-rw-r--r-- 1 2e107_images.rar drwxr-xr-x 2 casper -rw-r--r-- 1 e107_images.rar
Humm, we have the dir named casper and two rar’s?
A little odd but not totally out of place, whats inside of these bad boy’s?
2e107_images.rar bot.txt casper2.txt casper.txt cmd_kod.txt def.txt eggdrop.tar.gz.tar iso.txt psy.tar.gz.tar sat.txt scan.pl scan.txt sh.txt e107_images.rar Ckrid1.txt Ckrid2.txt iso.txt myid.jpg nnee.pl nnee.txt php.jpg scan2.txt scan.txt
Ohh pay dirt!
Not only do we have one, but we have two and they seem to be from different sources. A little diff will let us know what is going on.
Only in 2: bot.txt Only in 2: casper2.txt Only in 2: casper.txt Only in e: Ckrid1.txt Only in e: Ckrid2.txt Only in 2: cmd_kod.txt Only in 2: def.txt Only in 2: eggdrop.tar.gz.tar
This is good to know, we will have to come back to that tar.
Next post we will start going through the files and see what the deal is with these two rar’s is.