Waktu IRC bot was installed on our server

Printable View

February 22nd, 2008, 02:40 AM
niggles

Waktu IRC bot was installed on our server

Hi,

One of our clients servers was hacked overnight (it appears through a vulnerability in the Sphider script we used) and a "Hacked By kangkung Indonesian Hacker" placed on the front page + a copy in "/Sphider/" along with a couple of IRC bot scripts.

I found two references to on Google as "Waktu Bot" by searching for strings from the source but nothing else.

It was only up for about 12 hours thankfully and nothing else in the site seems to have been touched, but we've pulled the site down anyway for now while we do a more thorough check.

Has anyone else had dealings with this script or been defaced by this Skiddie?

Addendum : Found in another directory which was only protected by .htpasswd that they'd uploaded an "eggdrop" script - not something I'd heard of until now. More bots - fun, fun...

Cheers,
Niggles
February 22nd, 2008, 08:59 AM
SirDice

I'm not familiar with this bot but I've seen many others..

Backup the data and just reinstall everything from scratch. Don't forget to patch things..

It's the only way to make sure it's clean.

Edit: Oh.. If possible I'd like to see that bot :D
February 24th, 2008, 10:25 PM
niggles

SirDice - Sent you a PM with a link to see the code.

We ended up just wiping the server and and re-installing a clean backup of the site minus the areas we felt may have been the vulnerable entry points and will leave them out until we recode them.

Cheers,
Niggles
February 27th, 2008, 07:32 AM
tarpi

Sounds like a good excuse to setup a honeypot.