I don't know if you are familiar with FlashChat, but I wasn't until today. One of our readers, Rodrigo Freire, sent some log traces of those Perl-based bots.
Tracking it, I was able to get into their botnet, on xx.xx.207.12, running on port 7001. The default channel found in the Perl code was #botnet, and it was active at the time this diary was written.

The default command to list channels on IRC is /list. Despite the danger of running commands on customized ircd servers, I ran it and found another channel, called #scan.

Finally the FlashChat part... :) On the subject of the #scan channel, there was an instruction to scan Google for sites using FlashChat, ONLY on .co.uk domains!

So, my final instructions to you are:

1- If you run FlashChat, check for patches, security patches, APPLY THEM!
2- If you run FlashChat AND on a .co.uk or .uk domain, APPLY ANY PATCHES AVAILABLE IMMEDIATELY.

Additionally, you might want to look through your system for signs of intrusion.

----------------------------------------------------------------------------------
Pedro Bueno ( pbueno //&&// isc. sans. org )
Pedro, ISC Handler, Sep 4th 2006