Monday, February 10, 2014

Nigerian Citadel on

Citadel - Nigerian Admin, 121 bots

inetnum: -
netname:        OneGbits
descr:          1 Gbits Com
country:        NL

We have seen Citadel on this OneGbits network before. Hmm..

At first it seems pretty standard, nothing too interesting here.

Someone loved this botnet:
121 bots
+200k reports


Open Directory listings.
Hmm.. There is more than one panel on this machine.
Not too many bots in these ones.

A malware sample.


As you can see from the screenshots, this is the URL to the panel:


I dropped a shell and had a peek at the logs - grep for what we need.

- - [07/Jan/2014:12:48:02 -0800] "GET /office/ben/server/install/ HTTP/1.1" 200 3685
- - [07/Jan/2014:12:49:05 -0800] "GET /office/ben/server/cp.php?m=login HTTP/1.1" 200 1470
- - [07/Jan/2014:12:49:16 -0800] "GET /office/ben/server/cp.php?m=home HTTP/1.1" 200 8293
- - [20/Jan/2014:23:29:39 -0800] "GET /office/ben/server/cp.php?m=reports_db&bots=ADMIN-PC_E532648A321E07F6&botnets=&ips=&countries=&q=&qstop=&urlmask=&blt=0&online=0&cs=0&grouping=0&nonames=0&rm=0&date=140121 HTTP/1.1" 200 627

We can see the installation occurred on 7-Jan-2014 and, from the control panel, the first activity was 9-Jan-2014. The IP address of both the installer and the user resolves to Lagos, Nigeria.
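To pull the same facts out of a web-server access log without reading it by hand, here is an added example (my code, not from the post) that parses the four lines quoted above and extracts the installer hit, the first panel login, and the bot IDs queried through reports_db. The Apache common-log layout and the comma-separated form of the bots filter are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# The four access-log lines quoted in the post (client IPs already redacted to "-").
SAMPLE_LOG = """\
- - [07/Jan/2014:12:48:02 -0800] "GET /office/ben/server/install/ HTTP/1.1" 200 3685
- - [07/Jan/2014:12:49:05 -0800] "GET /office/ben/server/cp.php?m=login HTTP/1.1" 200 1470
- - [07/Jan/2014:12:49:16 -0800] "GET /office/ben/server/cp.php?m=home HTTP/1.1" 200 8293
- - [20/Jan/2014:23:29:39 -0800] "GET /office/ben/server/cp.php?m=reports_db&bots=ADMIN-PC_E532648A321E07F6&botnets=&ips=&countries=&q=&qstop=&urlmask=&blt=0&online=0&cs=0&grouping=0&nonames=0&rm=0&date=140121 HTTP/1.1" 200 627
"""

# Assumed Apache common log format: client, ident/user fields, [timestamp], "METHOD target PROTO", status, size
LINE_RE = re.compile(r'^(?P<client>\S+) .*?\[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Parse one request line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    return {"client": m.group("client"), "status": int(m.group("status")), "path": url.path,
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "query": parse_qs(url.query, keep_blank_values=True)}

def classify(rec):
    """Label a request as a Citadel panel event: the installer, or cp.php by its 'm' mode."""
    if rec["path"].endswith("/server/install/"):
        return "install"
    if rec["path"].endswith("/cp.php"):
        return "cp:" + rec["query"].get("m", [""])[0]
    return None

def panel_timeline(log_text):
    """Summarise panel activity from a log: install time, first login, and bot IDs queried."""
    summary = {"install": None, "first_login": None, "bots": set(), "events": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or (kind := classify(rec)) is None:
            continue
        summary["events"].append((rec["ts"].isoformat(), kind))
        if kind == "install" and summary["install"] is None:
            summary["install"] = rec["ts"]
        elif kind == "cp:login" and summary["first_login"] is None:
            summary["first_login"] = rec["ts"]
        elif kind == "cp:reports_db":
            # 'bots' is the panel's bot-ID filter; assumed comma-separated when several are given
            summary["bots"].update(b for b in rec["query"].get("bots", [""])[0].split(",") if b)
    return summary
```

Run against a full access log, the events list gives the operator's panel session history and the bot IDs they inspected, which is the evidence worth preserving before a takedown.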

It looks like some Yahoo boys are back at their old tricks.

I have taken this pile of junk down.

There is more to this story. Coming soon.
