[Dshield] Dalnet being uses as a C&C server
Charles Hamby
fixer at gci.net
Wed Jun 20 01:17:06 GMT 2007
Can you send me a copy of the script? I'd like to take a look at it. Thanks!
-cdh
"No trees were killed in the sending of this message. However, a large number of electrons were inconvenienced."
----- Original Message -----
From: Larry <lbrower at servermanagementsolutions.com>
Date: Tuesday, June 19, 2007 4:56 pm
Subject: [Dshield] Dalnet being uses as a C&C server
To: list at lists.dshield.org
> greetings:
>
> I have found a compromised hosting client on one of our servers. The bot
> is connecting to dalnet for C&C. Can you please assist in terminating this?
>
> From one of the perl scripts:
>
> root@w11 [/home/serluna/public_html]# cat /home/serluna/public_html/includes/.log/jancok.pl
> #!/usr/bin/perl
>
> $chan="#JagungNet";
> $nick=$ARGV[0];
> $server="rumble.dal.net";
>
> $SIG{TERM}={};
> exit if fork;
>
> use IO::Socket;
>
>
> full script available upon request.
>
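An added example, not part of the original messages: a sweep of a web root for scripts that combine the traits visible in the quoted excerpt (a dot-directory under the document root, `use IO::Socket`, `exit if fork`, a `$SIG{TERM}` override, an IRC channel literal). The function names, the threshold and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Indicators come from the excerpt quoted above; the threshold of 3 is an assumption.
INDICATORS = {
    "raw_socket": re.compile(r"\buse\s+IO::Socket\b"),
    "daemonize": re.compile(r"\bexit\s+if\s+fork\b"),
    "ignores_sigterm": re.compile(r"\$SIG\{\s*'?TERM'?\s*\}\s*="),
    "irc_channel": re.compile(r"""=\s*["']#[\w-]+["']"""),
}

def scan_file(path, max_bytes=65536):
    """Return sorted indicator names found in the first max_bytes of path."""
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read(max_bytes)
    except OSError:
        return []
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_webroot(root, threshold=3):
    """Report regular files with >= threshold hits; a dot-directory counts as one."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, FIFOs and device nodes
            rel = os.path.relpath(path, root)
            hits = scan_file(path)
            if any(part.startswith(".") for part in rel.split(os.sep)[:-1]):
                hits.append("hidden_directory")
            if len(hits) >= threshold:
                findings.append((rel, hits))
    return sorted(findings)

def build_sample_tree():
    """Constructed web root holding one bot-like script inside a dot-directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "includes", ".log"))
    bot = ('#!/usr/bin/perl\n$chan="#example";\n$server="irc.example.net";\n'
           '$SIG{TERM}={};\nexit if fork;\nuse IO::Socket;\n')
    with open(os.path.join(root, "includes", ".log", "sample.pl"), "w") as fh:
        fh.write(bot)
    return root

if __name__ == "__main__":
    print(scan_webroot(build_sample_tree()))
```

A file that only uses `IO::Socket`, or that merely sits in a dot-directory, stays below the threshold; it takes several traits together to produce a finding.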