IRC-based Botnet (phpmyadmin injection)

Somebody has been trying to infect servers running old versions of phpmyadmin. They dumped a perl script in, which takes over port 80. (Dumb really, a fast way to alert a sysadmin to what you’ve done, on monitored boxes.)

The script then talks to an IRC channel, and those on the channel can run commands against the botnet.

No script examples this time, but a good reason to keep your phpmyadmin either upgraded or behind basic HTTP auth. This particular example gained a few hundred bots, afaik.

Found some code today. Here’s some heavily edited extracts, so you can see what they’ve been up to. I’ve totally mangled the code, don’t trust it. All in perl. This is actually pretty basic, not that advanced at all. Most modern botnets, for example, do not use IRC as their C&C.

So, apparently, this is a “unix” perlbot, made by zew at some irc channel in 2009.

First, the config. Pretty basic.

my $hidd = '/usr/sbin/httpd -k start';          # fake process name, so it shows up as Apache in ps/top
my $lin_max='4';                                # IRC flood protection: lines sent before the bot pauses...
my $sleep='5';                                  # ...and how many seconds it pauses for
my @admins=("io***","a***","********","hack");  # nicks allowed to give the bot orders (redacted by me)
my @hostauth=("io***.ro","a***.ro");            # hostmasks those nicks must be coming from (redacted)
my @channels=("#io***");                        # C&C channel(s) the bot joins (redacted)
my $nick='Le*****';                             # bot's IRC nick (redacted)
my $icname ='Le*****';                          # ident/username it presents to the server (redacted)
my $rname = '{stuff}!';                         # "real name" field
my $server='';                                  # C&C server, removed from this extract
my $port='guess';                               # IRC port, removed from this extract

Massive snip, and we get to the part where it sets its own process name and swaps around to that process:

my $pid=fork;                                    # daemonize: fork a copy of itself...
exit if $pid;                                    # ...the parent exits, the child carries on in the background
die "fork problem: $!" unless defined($pid);     # fork() itself failed

Even more snip. Here we skip IRC stuff, connecting to servers, listening for commands, all that fun joyous code.

One of its functions is a port scan. It will run this on your target(s) of choice, against these (curtailed) ports:


If you’re running an anti-portscanner program (portsentry), off you go, have fun.

The other fun functions built in are:
tcp flood
http flood
udp flood
another udp flood function
As well as allowing any shell command to be executed, of course.

If you want the full script itself, PM me your email address, and credentials. I’ll not send it to just anyone.

Ok, here’s the “how to stay safe” recommendation:

Never run PHPMYADMIN on an open port/address; always tie it down to a static IP address, or use it in conjunction with OpenVPN or similar.

Indeed, to all those of you who are running SSH on open IPs - Arhrhrhrhrhrhrh! :o

Feel sorry for everyone who runs a shared box. Which reminds me, new thread about shared systems coming up…
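As an added example (my own code, not the bot's and not from the post above), here is a small Linux /proc walker that looks for the two tells described in the post: a process whose argv[0] claims to be httpd while its real executable is perl (the $hidd trick), and a tcp/80 listener whose owner is an interpreter rather than a web server. The process list, the /proc/net/tcp rows and the fd links at the bottom are constructed sample data so it runs offline; the live path reads the real /proc.

```python
"""Spot a perlbot hiding as httpd.  Added example, not the bot's code and not
the original post's.  Two checks, both from the post: $0 rewritten to look
like Apache, and the port 80 listener being an interpreter.  Linux only;
the SAMPLE_* data below is constructed for the demo."""
import os
import re
from dataclasses import dataclass

# argv[0] values a real web server would show; the bot's $hidd picks one of these.
SERVER_NAMES = {"httpd", "apache2", "nginx", "lighttpd"}
# Binaries that should never be what a "web server" process really is.
INTERPRETER_RE = re.compile(r"/(perl[\d.]*|python[\d.]*|php[\d.]*|bash|sh)$")


@dataclass
class Proc:
    pid: int
    cmdline: str  # /proc/<pid>/cmdline as text (NUL separated; $0 overwrites it)
    exe: str      # readlink of /proc/<pid>/exe, the binary actually running


def is_masquerading(p: Proc) -> bool:
    """argv[0] claims to be a web server but the real executable is an interpreter."""
    argv0 = p.cmdline.split("\0")[0].split(" ")[0] if p.cmdline else ""
    real = p.exe.replace(" (deleted)", "")  # kernel appends this if the binary was unlinked
    return os.path.basename(argv0) in SERVER_NAMES and INTERPRETER_RE.search(real) is not None


def listening_inodes(proc_net_tcp: str, port: int = 80) -> set:
    """Socket inodes in LISTEN state (st == 0A) bound to `port`, parsed from /proc/net/tcp."""
    found = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        local_addr, state, inode = f[1], f[3], f[9]
        if state == "0A" and int(local_addr.split(":")[1], 16) == port:
            found.add(int(inode))
    return found


def socket_owners(inodes: set, fd_links: dict) -> dict:
    """Map socket inode -> pid.  fd_links is {pid: [readlink targets of /proc/<pid>/fd/*]}."""
    owners = {}
    for pid, targets in fd_links.items():
        for t in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", t)
            if m and int(m.group(1)) in inodes:
                owners[int(m.group(1))] = pid
    return owners


def suspicious(procs, proc_net_tcp: str, fd_links: dict, port: int = 80) -> dict:
    """pid -> reason for processes that masquerade, or that hold the `port` listener
    while really being an interpreter."""
    flagged, by_pid = {}, {p.pid: p for p in procs}
    for p in procs:
        if is_masquerading(p):
            flagged[p.pid] = "argv[0] says %s but exe is %s" % (p.cmdline.split("\0")[0], p.exe)
    for inode, pid in socket_owners(listening_inodes(proc_net_tcp, port), fd_links).items():
        p = by_pid.get(pid)
        if p and INTERPRETER_RE.search(p.exe.replace(" (deleted)", "")):
            flagged.setdefault(pid, "%s holds the tcp/%d listener (socket inode %d)" % (p.exe, port, inode))
    return flagged


def collect_live():
    """Read the real /proc.  Other users' exe/fd entries need root (or CAP_SYS_PTRACE)."""
    procs, fd_links = [], {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid, links = int(name), []
        try:
            with open("/proc/%d/cmdline" % pid, "rb") as fh:
                cmdline = fh.read().decode("utf-8", "replace")
            exe = os.readlink("/proc/%d/exe" % pid)
            for fd in os.listdir("/proc/%d/fd" % pid):
                try:
                    links.append(os.readlink("/proc/%d/fd/%s" % (pid, fd)))
                except OSError:
                    pass  # fd closed between listdir and readlink
        except OSError:
            continue  # process exited, or not ours to inspect without root
        procs.append(Proc(pid, cmdline, exe))
        fd_links[pid] = links
    with open("/proc/net/tcp") as fh:
        return procs, fh.read(), fd_links


# Constructed sample: a real apache2 on 443, the renamed perlbot holding 80 (inode 31337)
# plus its outbound IRC connection, and an honest perl script on 8080 that must not be flagged.
SAMPLE_PROCS = [
    Proc(412, "/usr/sbin/apache2 -k start\0", "/usr/sbin/apache2"),
    Proc(9031, "/usr/sbin/httpd -k start\0", "/usr/bin/perl"),
    Proc(9100, "perl\0/tmp/bot.pl\0", "/usr/bin/perl"),
]
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31001 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 31337 1
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31400 1
   3: 0200A8C0:C350 057100CB:1A0B 01 00000000:00000000 00:00000000 00000000    33        0 31500 1
"""
SAMPLE_FD_LINKS = {
    412: ["/dev/null", "socket:[31001]"],
    9031: ["/dev/null", "socket:[31337]", "socket:[31500]"],
    9100: ["socket:[31400]"],
}

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    procs, tcp, links = collect_live() if live else (SAMPLE_PROCS, SAMPLE_NET_TCP, SAMPLE_FD_LINKS)
    for pid, why in sorted(suspicious(procs, tcp, links).items()):
        print("pid %d: %s" % (pid, why))
```

Run it as root on the box you suspect, otherwise /proc/<pid>/exe and /proc/<pid>/fd of other users' processes are unreadable and those processes are silently skipped. It only reads /proc/net/tcp; an IPv6 listener lives in /proc/net/tcp6, which has the same column layout with a longer address field, so the same parser works on it if you pass that file's contents instead.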