
A small story about the study of a single botnet

For several years now our website has had a trigger that fires on certain combinations of words in request parameters, in particular: union, eval, passthru, alert, javascript, cookie, etc. When it fires, an e-mail is sent. This lets us see most attempts at SQL injection, PHP include abuse or XSS. Hacking attempts happen quite often, but over the last month about a hundred reports a day started arriving, all of the same type. They probe for a vulnerability in some standard contact module which, as I understand it, supports a [php] pseudo-tag with all the consequences that implies. Using this pseudo-tag, the exploit tries to upload a Perl script to the victim's server and hand control to it. Here you can find a list of links to the bots (these are text files with Perl code), although some of the files have already been taken down. The exploits differ and try to download different bots, perhaps from different groups; antivirus fires on some of these bots and silently deletes them. The code is safer to fetch with a download manager rather than through the browser. If the code does run on the victim's server (usually an ordinary web server on cheap hosting with a million sites), the bot immediately connects to an IRC channel where it is already expected. After downloading one of the bots at random, I decided to see how everything is arranged there.
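A detector in the spirit of the trigger described above, as an added example (not the site's own code): it decodes the query string of each access-log line, looks for the listed words as whole words plus the [php] pseudo-tag the contact-module exploit relies on, and returns the hits that would go into the alert e-mail. The log format and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Word list from the post's trigger, matched as whole words after URL decoding.
SUSPICIOUS_WORDS = ("union", "eval", "passthru", "alert", "javascript", "cookie")
WORD_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_WORDS) + r")\b", re.IGNORECASE)
# Pseudo-tag abused by the contact-module exploit described in the post.
PHP_TAG_RE = re.compile(r"\[php\]", re.IGNORECASE)

# Combined-log-style line: ip ident user [ts] "METHOD path proto" status size (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2010:12:00:01 +0400] "GET /index.php?id=1 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jul/2010:12:00:02 +0400] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 311
198.51.100.7 - - [10/Jul/2010:12:00:03 +0400] "GET /contact.php?msg=%5Bphp%5D...%5B/php%5D HTTP/1.1" 500 0
203.0.113.5 - - [10/Jul/2010:12:00:04 +0400] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 210
"""


def decode_repeatedly(s, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_request(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real deployment would count these separately
    target = decode_repeatedly(m.group("path"))
    hits = sorted({w.lower() for w in WORD_RE.findall(target)})
    if PHP_TAG_RE.search(target):
        hits.append("[php]")
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "hits": hits}


def scan(lines):
    """Findings for every suspicious line, in log order (input to the alert mail)."""
    return [r for r in (inspect_request(l) for l in lines) if r]
```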

Bot


From a quick look at the file it is clear that in this bot's settings the admin who has the right to give orders to the bots is the person with the nickname Conficker. The bot immediately connects to the IRC server irc.planetwork.tk:6667, channel #autorun. The bots have several nicknames to choose from (all of them seem to be female). I decided not to think too long and logged in under the admin nickname. But here a little-known photo-storage service did me a disservice: instead of the correct nickname I logged in as Conflicker. I did not notice this right away and at first tried to control some of the bots, with the entirely expected result. There were about 120 bots on the main channel; some of them crawled websites for vulnerabilities and periodically wrote the results into the general chat. From time to time they found various vulnerabilities, in particular SQL injection, which, apparently, people then have to deal with manually. The search for victims is standard, through search engines. I tried to give the bots commands via chat, but only the PING test worked, since it required no login. And then the channel administrator surprised me greatly.

Some years ago


A small aside: I want to tell how I "researched" one botnet a couple of years ago. The story is quite short. I simply joined the channel, the channel administrator opened a chat with me, and the first thing he typed was ls -al. I repeated the operation on one of our servers in a meaningless directory and sent back the file listing (a real bot would have done the same, only somewhat faster). Acting as a proxy in this way, I obtained the rest of the botnet files (unfortunately, the core was a compiled httpd). Realizing I could not squeeze out any more, I simply replied "hi" to one of the queries and asked how he was doing; I got the answer that this was some kind of mistake and that my interlocutor was here entirely by chance, and was kicked from the channel and banned.

Bot Continuation



I expected something similar here, in case they took me for a person. But the administrator, seeing the nickname Conflicker, said "wow" and gave me op. Since I am not particularly keen on IRC, I just thought that this was a good moment to kick the admin from the channel and, changing my nickname, take his place, but for now I decided not to do anything. It took some time to look into whether I could change my nickname so that the bots would see me as the admin. And then a miracle happened: Conficker wrote that he needed to reboot and dropped off. Changing my nickname to Conficker, I got full access.

What I managed to find out, and some thoughts



There are two types of bots:
- "newbie": it obeys the administrator without question and, I think, serves mainly to download bots of the second type. A command written in chat to such a bot is executed on the server as if it were typed in a terminal, and the result is also shown as in a terminal;
- "worker": here the administrator has to enter a password for more or less important operations. However, the `help` command works for everyone.

I managed to download the body of the "worker". Its main functions are checking other sites for vulnerabilities, DDoS, downloading exploits from a service, etc. In this version of the bot there were already two logins: Conficker and ikhy (the second one did not really work on all of them). The password is dor. After the command `auth dor` in a private chat with a specific bot (better not to do this in the general channel), extended help appears along with access to all commands.

If you take one of the nicknames predefined for the "newbie" bot, add a random number to the end and join the IRC server with it, the channel #bajinganIRCD opens automatically. How it all looks (I logged in as "Sylvie-12") can be seen in the screenshot.



The body of the "worker" lies in /temp/.logs.

The "worker" runs with "apache" rights.

Stealing such a botnet is not difficult. Firstly, all the "workers" have the same password. It is enough to obtain the body of one of them (you can sit and emulate a "newbie" by hand, or use a honeypot), rewrite it with a trigger on the administrator leaving the channel, change your nickname to his, and move the rest of the herd to a new server. Secondly, in this particular case you can just wait, since the administrator constantly drops off. Another question is why anyone would need it.

That is where my curiosity ran out. If anyone is interested in picking up a botnet, at the moment it is working and, I think, nobody has changed the passwords.

Source: https://habr.com/ru/post/99169/
