From 14afbc68008d19189ca81d0c50a46b9b3e96a6c5 Mon Sep 17 00:00:00 2001 From: JT Date: Sun, 6 Dec 2015 20:10:19 +0800 Subject: [PATCH] Update xdh_x_exec.rb updated description and new author. --- modules/exploits/multi/misc/xdh_x_exec.rb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/exploits/multi/misc/xdh_x_exec.rb b/modules/exploits/multi/misc/xdh_x_exec.rb index 2eaca9b290..da2d37a138 100644 --- a/modules/exploits/multi/misc/xdh_x_exec.rb +++ b/modules/exploits/multi/misc/xdh_x_exec.rb @@ -13,11 +13,12 @@ class Metasploit4 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Xdh / fBot IRC Bot Remote Code Execution', + 'Name' => 'Xdh / LinuxNet perlbot / fBot IRC Bot Remote Code Execution', 'Description' => %q{ This module allows remote command execution on an IRC Bot developed by xdh. This perl bot was caught by Conor Patrick with his shellshock honeypot server - and is categorized by Markus Zanke as an fBot (Fire & Forget - DDoS Bot). + and is categorized by Markus Zanke as an fBot (Fire & Forget - DDoS Bot). Matt + Thayer also found this script which has a description of LinuxNet perlbot. The bot answers only based on the servername and nickname in the IRC message which is configured on the perl script thus you need to be an operator on the IRC 
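Review bot: The sentence added to 'Description' does not say how LinuxNet perlbot relates to the xdh bot, so a reader cannot tell whether it is the same script under a different banner or a separate variant the module was checked against. If it is the same script, wording such as `Matt Thayer also found a copy of this script that describes itself as LinuxNet perlbot.` states that directly and avoids splitting the name across a line break. Nothing visible in this hunk changes the module's behaviour, so the wider 'Name' presumably relies on the existing logic applying unchanged; one sentence confirming that would help anyone triaging which bots are affected. The initialize body continues outside the hunk.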
@@ -28,12 +29,14 @@ class Metasploit4 < Msf::Exploit::Remote [ #MalwareMustDie 'Jay Turla', # msf - 'Conor Patrick' # initial discovery and botnet analysis + 'Conor Patrick', # initial discovery and botnet analysis for xdh + 'Matt Thayer' # initial discovery for LinuxNet perlbot ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'https://conorpp.com/blog/a-close-look-at-an-operating-botnet/' ], + [ 'URL', 'https://twitter.com/MrMookie/status/673389285676965889'], [ 'URL', 'https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities' ] # details of what an fBot is ], 'Platform' => %w{ unix win },
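Review bot: The added reference line is missing the space before its closing bracket, unlike the entries on either side of it; `[ 'URL', 'https://twitter.com/MrMookie/status/673389285676965889' ],` keeps the list consistent. That tweet is also the only source given for the LinuxNet perlbot attribution and can be deleted, so an archived copy or a longer write-up next to it would keep the reference usable for someone later trying to identify the bot. The 'Author' key and the rest of the info hash lie outside the hunk.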