http://isc.sans.edu/diary.html?storyid=9430

There is signatures around from emerging threats to detect the bot, if you need them. http://doc.emergingthreats.net/2011176

I have found a server with almost* everything intact so this should be interesting..

First I am going to start with the site, the one I found was something like this (I am not going to give the real URL, I have already informed them about this)

http://XXX.XXX/e107_images/casper/

Google found this pretty fast, I would have suspected if you have that much control over a web server you would have started by editing the robo.txt so no one can find your little prize. But then again people can be lazy.

The casper dir has a lot of txt’s in it, but if you go one level back you see something that’s really nice.

-rw-r--r-- 1     2e107_images.rar
drwxr-xr-x 2     casper
-rw-r--r-- 1     e107_images.rar

Humm, we have the dir named casper and two rar’s?

A little odd but not totally out of place, whats inside of these bad boy’s?

2e107_images.rar
bot.txt
casper2.txt
casper.txt
cmd_kod.txt
def.txt
eggdrop.tar.gz.tar
iso.txt
psy.tar.gz.tar
sat.txt
scan.pl
scan.txt
sh.txt

e107_images.rar
Ckrid1.txt
Ckrid2.txt
iso.txt
myid.jpg
nnee.pl
nnee.txt
php.jpg
scan2.txt
scan.txt

Ohh pay dirt!

Not only do we have one, but we have two and they seem to be from different sources. A little diff will let us know what is going on.

Only in 2: bot.txt
Only in 2: casper2.txt
Only in 2: casper.txt
Only in e: Ckrid1.txt
Only in e: Ckrid2.txt
Only in 2: cmd_kod.txt
Only in 2: def.txt
Only in 2: eggdrop.tar.gz.tar

This is good to know, we will have to come back to that tar.

Next post we will start going through the files and see what the deal is with these two rar’s is.