RFI Attacks

Suspected Attacks: 368149

This blog is now a honeypot!

As I was perusing my logs today on a lazy Sunday afternoon, I found I was being attacked by more RFI bots than usual. To my surprise, I realized it is because of my previous post on controlling RFI bots. In my last post I included a dork that is frequently scanned for, and in [...]

Controlling an RFI bot – RFI pt3

Let's delve a little deeper into the Osirys IRC bot which I initially discussed in part 1. First I will illustrate how the attacker finds and exploits web servers, then I will discuss how ISPs can get involved and remove these bots from their networks.
First the attacker issues a command to the bot to begin [...]

Exploits Employed by Gumblar

Gumblar compromises clients using 2 different exploits. The first is an Adobe Acrobat PDF exploit, CVE-2008-2992, and the second is an Adobe Flash exploit. Unfortunately I haven't been able to figure out which Flash exploit is employed, as decoding Flash is not an expertise of mine.
Here is the Wepawet output of the exploit script employed [...]

Facebook Phish – bestspace.be

Let's take a look at a Facebook phish I received recently. I received this message from a friend:
XXXXX sent you a message.
Subject: Hi
“Look at bestspace.be”
I've included a screenshot of the site below; note that it looks like the Facebook login page, complete with the poor spelling of "helps".
The form sends your stolen credentials back to bestspace.be [...]

Inside the Massive Gumblar Attack

I first found out about Gumblar a couple of days ago via one of ScanSafe's blog posts. Responsible for 42% of "all malicious infections found on websites" (Sophos) during a 7-day period, Gumblar (JSRedir-R) has been extremely effective at propagating. Many bloggers have been focusing on the script involved in the attack, not so [...]

17,400 sites affected by Fx29 – RFI pt2

For my next installment on RFI attacks we will look at the extremely popular FX29 shell.
To find out if you or someone else has been compromised with this shell, search for the following:
intitle:”FaTaLisTiCz_Fx”
At the time of writing this, the above search query returns 17,400 matches which certainly indicates the prevalence of this shell.
Here is what the [...]