Bots looking for FlashChat App

Published: 2006-09-04
by Pedro Bueno (Version: 1)
I don't know if you are familiar with FlashChat, but I wasn't until today. One of our readers, Rodrigo Freire, sent some log traces of those Perl-based bots.
Tracking it, I was able to get into their botnet, on xx.xx.207.12, running on port 7001.
The default channel found in the Perl code was #botnet, and it was active at the time this diary was written. The default command to list channels on IRC is /list.
Despite the danger of running commands on customized ircd servers, I ran it and found another channel, called #scan.
Finally, the FlashChat part... :) In the subject of the #scan channel, there was an instruction to scan Google for sites using FlashChat, ONLY on domains!
So, my final instructions to you are:

1- If you run FlashChat, check for patches, security patches, APPLY THEM!
2- If you run FlashChat AND on a .uk domain, APPLY ANY PATCHES AVAILABLE IMMEDIATELY. Additionally, you might want to look through your system for signs of intrusion.
Pedro Bueno ( pbueno //&&// isc. sans. org )

