Analyzed by: Christopher Daniel So

 Platform:

Linux, UNIX, Mac OS X


  • Grayware type:
    Backdoor

  • Destructive:
    No

  • Encrypted:
    No

  • In the Wild:
    Yes

  Overview

Infection channel: Downloaded from the Internet, Dropped by other malware

Connects to IRC (Internet Relay Chat) servers. Joins an IRC channel. Executes commands from a remote malicious user, which compromises the affected system.

  Technical details

File size: 216,166 bytes
File type: Script
Memory resident: Yes
Initial samples received date: 29 September 2014
Payload: Compromises system security, Connects to URLs/IPs

Backdoor routine

Connects to one or more of the following IRC servers:

  • {BLOCKED}.{BLOCKED}.240.38:1337

Joins one or more of the following IRC channels:

  • #xrt

Executes the following commands from a remote malicious user:

  • !die - Terminate current process
  • !killall - Terminate all Perl processes
  • !reset - Reconnect to IRC server
  • !jo - Join a channel
  • !part - Leave a channel
  • !nick - Change nickname
  • !pid - Send fake process name and process ID
  • ! - Execute a shell command
  • !raw - Send raw IRC message
  • !say - Send private message
  • !act - Send an action command
  • !timot - Set timeout value used in performing HTTP GET
  • !matek - Terminate current process
  • !modarkabeh - Terminate all Perl processes
  • !reset - Reconnect to IRC server
  • !jo - Join a channel
  • !part - Leave a channel
  • .sh - Execute a shell command
  • {current nickname} - Execute a shell command
  • !Goox - Enable or disable usage of Google search engines
  • !engine - Enable or disable usage of non-Google search engines
  • !pid - Send fake process name and process ID
  • !cari - Search for websites with accessible Magento database configuration file
  • !jnews - Search for websites that use vulnerable jNews extensions
  • !jnews2 - Search for websites that use vulnerable jNews extensions
  • !open - Search for websites using vulnerable OpenEMR
  • !civ - Search for websites using vulnerable CiviCRM
  • !civic - Search for websites using vulnerable CiviCRM
  • !letter - Search for websites that use vulnerable jNews extensions
  • !letter2 - Search for websites that use vulnerable jNews extensions
  • !tum - Search for websites using PBV MULTI VirtueMart theme with vulnerable TimThumb
  • !piwik - Search for websites using vulnerable Piwik
  • !slim - Search for websites using vulnerable Slimstat Ex
  • !seo - Search for websites using vulnerable SEO Watcher
  • !sql - Search for websites vulnerable to SQL injection
  • !civicrm - Search for websites using vulnerable CiviCRM
  • !acymailing - Search for websites using vulnerable AcyMailing
  • !acymailing2 - Search for websites using vulnerable AcyMailing
  • !jinc - Search for websites using vulnerable JINC
  • !jinc2 - Search for websites using vulnerable JINC
  • !maianmedia - Search for websites using vulnerable Maian Media
  • !maianmedia2 - Search for websites using vulnerable Maian Media
  • !joomleague - Search for websites using vulnerable JoomLeague
  • !joomleague2 - Search for websites using vulnerable JoomLeague
  • !woopra - Search for websites using vulnerable Woopra
  • !jce - Search for websites using vulnerable JCE
  • !gento - Search for websites using vulnerable Magento API
  • !zimbra - Search for websites using vulnerable Zimbra
  • !zim - Search for websites using vulnerable Zimbra
  • !shock - Search for websites with CVE-2014-6271 vulnerability and download and execute http://{BLOCKED}x.com/shock/cgi in the vulnerable sites
  • !wplfd - Search for websites vulnerable to directory traversal attacks
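Added example, not part of the Trend Micro entry: a small Python checker that flags IRC PRIVMSG lines whose first word is one of the command verbs listed above, or any traffic on the bot's channel, run over constructed sample log lines. The log line format, the host names and the nicknames are assumptions.

```python
import re

# Command verbs taken from this entry's backdoor routine list (lower-cased).
# The "{current nickname} <cmd>" form is not covered, since the bot's nick is unknown.
SHELLBOT_COMMANDS = {
    "!die", "!killall", "!reset", "!jo", "!part", "!nick", "!pid", "!", "!raw",
    "!say", "!act", "!timot", "!matek", "!modarkabeh", ".sh", "!goox",
    "!engine", "!cari", "!jnews", "!jnews2", "!open", "!civ", "!civic",
    "!letter", "!letter2", "!tum", "!piwik", "!slim", "!seo", "!sql",
    "!civicrm", "!acymailing", "!acymailing2", "!jinc", "!jinc2",
    "!maianmedia", "!maianmedia2", "!joomleague", "!joomleague2",
    "!woopra", "!jce", "!gento", "!zimbra", "!zim", "!shock", "!wplfd",
}
SUSPECT_CHANNEL = "#xrt"  # channel named in this entry

# Assumed IRC message layout: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(r"^:(?P<src>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

def classify_line(line):
    """Return a reason string if the line looks like this bot's C2 traffic, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    words = m.group("text").split()
    first = words[0].lower() if words else ""
    if first in SHELLBOT_COMMANDS:
        return "bot command %s" % first
    if m.group("target").lower() == SUSPECT_CHANNEL:
        return "traffic on channel %s" % SUSPECT_CHANNEL
    return None

def scan_log(lines):
    """Return (line_number, reason) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = classify_line(line)
        if reason:
            hits.append((n, reason))
    return hits

# Constructed sample log lines (not from a real capture); names are placeholders.
SAMPLE_LOG = [
    ":operator!op@example.invalid PRIVMSG #xrt :!pid",
    ":operator!op@example.invalid PRIVMSG #xrt :!jo #other",
    ":alice!a@example.invalid PRIVMSG #general :hello everyone",
    ":operator!op@example.invalid PRIVMSG victimbot :!raw PING :x",
]
```

Run scan_log(SAMPLE_LOG) to list the flagged lines; a match on the channel alone is weaker evidence than a command verb, so treat the two reasons differently when triaging.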

  Solution

Minimum scan engine: 9.700
First VSAPI pattern file: 11.180.03
First VSAPI pattern release date: 29 September 2014

Restart in normal mode and scan your computer with your Trend Micro product for files detected as PERL_SHELLBOT.DI. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further steps are required. Quarantined files can simply be deleted. Please see this Knowledge Base page for more information.

