The company WordFence found a botnet of WordPress sites created by one person

by seo_worker » 2016-08-28 16:00:53

Specialists at the company WordFence found a botnet consisting of WordPress sites and managed through IRC. For the attack the attacker used a script of 25,000 lines of code, and after a successful attack the compromised resources could be used for sending spam or for DDoS attacks. The WordFence researchers decided to find out who owns the botnet and how large the scale of the problem is.

Among the 25,000 lines of code was found almost everything needed to begin the investigation: the configuration details contain the IP addresses of the IRC servers, the ports and the channel name, #1x33x7 (see screenshot above). The researchers were able to connect to the IRC without problems, and then came the turn of the hashed password of the botnet's operator, hiding under the nickname Bloodman, which also appeared in the code:

var $admins = array(
    'LND-Bloodman' => '2cbd62e679d89acf7f1bfc14be08b045'
    // pass = "lol_dont_try_cracking_12char+_:P"
    // passes are MD5 format, you can also have multiple admins
);

The point is that this password hash (2cbd62e679d89acf7f1bfc14be08b045) was used when submitting each new command to the botnet via the IRC chat, so by cracking it the researchers would have seized control. Searching for the hash on Google, the experts found that it has been known since 2012: even then, administrators of hacked websites found someone else's code and asked for help cracking the password, though to no avail.

The researchers had a head start in this matter, as they were watching the IRC. Once Bloodman came to the channel and gave the bots a command, the researchers intercepted the password in clear text. The blog shows only its beginning: 1x33x7.0wnz-your.************. The researchers immediately changed the password and gained full access to control of the infected machines.

It turned out that the list of infected sites can also be found in the same IRC channel: they are "present" in the chat as ordinary users whose names contain information about the compromised platform. The hacked websites ranged widely, from Apache servers on FreeBSD to Windows Server 2012 and Windows 8. Also among the users were two accounts of the botnet's operator: LND-Bloodman and da-real-LND.

Using a simple whois command, the researchers learned that Bloodman uses a German IP address, and also realized that the channel name (1x33x7) is the botnet operator's second nickname, which he uses on social networks: Twitter, YouTube and YouNow. Examining the social networks, the experts saw that Bloodman really is from Germany: in all sources he used German. Worse, on YouTube the researchers found a video in which Bloodman boasts of his botnet, which finally helped to link a real person to the operator's persona. The researchers also write that they gleaned a lot of data from open sources; for example, they now know that the hacker loves fireworks, and they know what kind of car he drives.

Although the researchers had comprehensive information about the botnet and its owner in their hands, they did not stop the botnet's operation, as by law they had no right to hack the hacker, much less to interfere with the operation of his system. An attempt to clean the infected machines could also be dangerous, because WordFence's representatives believe they cannot see the whole picture and might lose sight of something important. In addition, the researchers believe that even disabling all the command servers would only lead to Bloodman infecting new sites and setting up a new control server.

The researchers also decided not to report the botnet to law enforcement, as the botnet, by their calculations, has only about a hundred sites, and Bloodman initiates on the order of 2,000 new attacks a week, almost all of which are successfully blocked by protection systems. According to WordFence's representatives, Bloodman and his resources are not worth the effort that would be required from the police and from WordFence to arrest him. The experts considered that observing and studying the hacker's tactics in this case would be useful. However, users in the comments are already actively challenging and criticizing the researchers' position.

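An added example, written for this post and not WordFence's tooling or the bot's own code: a small Python scanner that a site administrator could run over a WordPress install to flag PHP files carrying the indicators quoted above (the operator hash, the #1x33x7 channel and the two nicknames) and, more generally, the pattern the post describes, an `$admins = array` table of MD5 hashes next to raw IRC socket code. The sample PHP files are constructed for the example; the regexes and the "confirmed / suspicious / clean" labels are this example's own assumptions.

```python
"""Scan PHP source for indicators of the IRC bot described in the post.

Constructed example: the indicator values are the ones quoted in the post;
the heuristics, verdict names and sample files are this example's own.
"""
import os
import re

KNOWN_ADMIN_HASH = "2cbd62e679d89acf7f1bfc14be08b045"  # quoted in the post
KNOWN_CHANNEL = "#1x33x7"                              # quoted in the post
KNOWN_NICKS = ("LND-Bloodman", "da-real-LND")          # quoted in the post

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")           # MD5-shaped hex value
ADMINS_RE = re.compile(r"\$admins\s*=\s*array")    # operator password table
FSOCK_RE = re.compile(r"\bfsockopen\s*\(")         # raw TCP socket from PHP
IRC_VERB_RE = re.compile(r"[\"'](NICK|JOIN|PRIVMSG)\s")  # hand-rolled IRC client


def scan_php_source(text):
    """Return a list of (line_no, reason) findings for one PHP file's text."""
    findings = []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        if KNOWN_ADMIN_HASH in line:
            findings.append((n, "known admin hash"))
        if KNOWN_CHANNEL in line:
            findings.append((n, "known IRC channel"))
        for nick in KNOWN_NICKS:
            if nick in line:
                findings.append((n, "known nick " + nick))
        if ADMINS_RE.search(line):
            # Generic heuristic: an $admins table followed within a few lines
            # by an MD5-shaped value is the bot's operator password list.
            window = "\n".join(lines[n - 1:n + 4])
            if MD5_RE.search(window):
                findings.append((n, "md5 admin table"))
        if FSOCK_RE.search(line):
            findings.append((n, "fsockopen call"))
        if IRC_VERB_RE.search(line):
            findings.append((n, "raw IRC protocol verb"))
    return findings


def classify(findings):
    """'confirmed' if a quoted indicator matched, 'suspicious' if only heuristics did."""
    reasons = {reason for _, reason in findings}
    if any(reason.startswith("known") for reason in reasons):
        return "confirmed"
    if reasons:
        return "suspicious"
    return "clean"


def scan_tree(root):
    """Walk a directory and return {path: (verdict, findings)} for every .php file."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_php_source(fh.read())
                results[path] = (classify(found), found)
    return results


# Constructed sample loosely following the fragment quoted in the post.
SAMPLE_BOT = r"""<?php
// constructed sample, not the real bot source
class pBot {
    var $config = array('server' => 'irc.example.invalid', 'port' => 6667,
                        'chan' => '#1x33x7');
    var $admins = array(
        'LND-Bloodman' => '2cbd62e679d89acf7f1bfc14be08b045'
    );
    function connect() {
        $this->sock = fsockopen($this->config['server'], $this->config['port']);
        fputs($this->sock, "JOIN " . $this->config['chan'] . "\n");
    }
}
"""

# Constructed sample with the same structure but none of the quoted indicators.
SAMPLE_UNKNOWN = r"""<?php
var $admins = array(
    'someone' => 'd41d8cd98f00b204e9800998ecf8427e'
);
$s = fsockopen('irc.example.invalid', 6667);
"""

# Constructed benign plugin stub.
SAMPLE_CLEAN = r"""<?php
/** Plugin Name: Constructed benign plugin */
add_action('init', function () { wp_enqueue_style('demo', plugins_url('demo.css', __FILE__)); });
"""

if __name__ == "__main__":
    for label, src in (("bot", SAMPLE_BOT), ("unknown", SAMPLE_UNKNOWN), ("clean", SAMPLE_CLEAN)):
        found = scan_php_source(src)
        print(label, classify(found), found)
```

`scan_tree("/path/to/wordpress")` applies the same check to a real install; a "confirmed" verdict means a quoted indicator was present, while "suspicious" only says the file opens raw sockets or keeps an MD5 admin table and deserves a manual look.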