25C3-CTF
Advisory #39
From team OpenTU
New advisory by: anonymous coward
Affected service(s): unknown/several
Severity [lmh]: high
===== Problem =====
A botnet is running; its bots connect over the IRC protocol to 10.5.1.99 on port 24051. This botnet is probably operated by h4ck!nb3rg. The nickname of each bot consists of the string "CTF-" followed by a random number. The username is "CTF", the real name "CT".
After connecting, the bots attempt to join two channels: #bot (channel key: ddosit) and #<nickname of bot>.
===== Impact =====
The bots are currently running on the hosts of several vulnerable teams (7, 17, 10, 4, 9). In the #bot channel, they report various information and try to capture flags (after the services have been fixed). They seem to leave a backdoor shell. In the #<nickname of bot> channels, other bots continually join and post messages consisting only of "root". The meaning of this is currently unknown.
===== Fix =====
As a short-term fix, use netstat to check which processes are connecting to the IRC server, and kill them. Note that they disguise themselves as "apache2".
As a long-term fix, find and close the backdoor they used to gain entry.
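As an added example (not part of this advisory), a small Python detector for the fingerprint described above: it pulls the PIDs connected to 10.5.1.99:24051 out of `netstat -tnp` output, regardless of the process name they hide behind, and checks a captured client-to-server IRC stream for the bot's NICK/USER/JOIN pattern. The netstat output and IRC lines below are constructed samples, not captures from the contest network.

```python
import re

# Command-and-control endpoint named in the advisory.
C2_HOST = "10.5.1.99"
C2_PORT = "24051"

# Bot fingerprint from the advisory: nick "CTF-<random number>", username "CTF",
# real name "CT", then a JOIN to #bot with channel key "ddosit".
NICK_RE = re.compile(r"^NICK\s+CTF-\d+$")
USER_RE = re.compile(r"^USER\s+CTF\s+\S+\s+\S+\s+:?CT$")
JOIN_RE = re.compile(r"^JOIN\s+#bot(?:,\S+)?\s+ddosit$")

def c2_connections(netstat_output):
    """Return (pid, program, local address) for each `netstat -tnp` row whose
    foreign address is the C2 endpoint. A bot disguised as "apache2" still shows
    up here; rows whose PID column is "-" (owner not readable) are skipped."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data rows: Proto Recv-Q Send-Q Local Foreign State PID/Program
        if len(fields) < 7 or fields[0] not in ("tcp", "tcp6"):
            continue
        host, _, port = fields[4].rpartition(":")
        if host == C2_HOST and port == C2_PORT and "/" in fields[6]:
            pid, prog = fields[6].split("/", 1)
            hits.append((int(pid), prog, fields[3]))
    return hits

def looks_like_bot_registration(irc_lines):
    """True if a client-to-server IRC stream shows all three fingerprint steps."""
    seen = {"nick": False, "user": False, "join": False}
    for raw in irc_lines:
        line = raw.strip()
        seen["nick"] |= bool(NICK_RE.match(line))
        seen["user"] |= bool(USER_RE.match(line))
        seen["join"] |= bool(JOIN_RE.match(line))
    return all(seen.values())

# Constructed sample data (not captured from the contest network).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.5.7.2:80             10.5.3.1:51234          ESTABLISHED 1201/apache2
tcp        0      0 10.5.7.2:40123          10.5.1.99:24051         ESTABLISHED 4242/apache2
tcp        0      0 10.5.7.2:22             10.5.3.1:50000          ESTABLISHED 900/sshd
"""
SAMPLE_IRC = ["NICK CTF-48213", "USER CTF 0 * :CT", "JOIN #bot ddosit"]
```

Only the socket to the C2 endpoint is reported, so the legitimate apache2 on port 80 is left alone while the disguised bot (PID 4242) is flagged for the kill step.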
Rating
[0] Sry. It's neither a service nor a system-related bug. (only those count)