[nsp-sec] srv5.su and some other interesting shellshocky stuff.

Smith, Donald Donald.Smith at CenturyLink.com
Thu Apr 9 18:30:06 EDT 2015


TLP?

And I have taken that root kit apart a few times but downloaded your urls so I can see what changed.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at centurylink.com
________________________________
From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Scott A. McIntyre [scott at howyagoin.net]
Sent: Thursday, April 09, 2015 4:05 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] srv5.su and some other interesting shellshocky stuff.

----------- nsp-security Confidential --------

Hi,

I've noticed some interesting attempts to exploit Bash bugs this week.
Seems that there's an ircd on 188.42.240.97 (6667, possibly other ports)
which is where the Linux bot tries to connect.

SU1: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically
linked (uses shared libs), for GNU/Linux 2.6.0, stripped
SU2: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped

The inbound traffic sets a few http headers:

Cookie: () { :;} ;echo;/usr/bin/php -r %s
Referer: () { :;} ;echo;/usr/local/bin/php -r %s

And from there

Tries to insert itself into rc.conf or rc.local, and then begins outward
scanning for:

/dana-na/auth/url_default/welcome.cgi
/cgi-bin/ICuGI/EST/blast_detail.cgi
/cgi-sys/entropysearch.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-mod/index.cgi
/cgi-bin/test.cgi
/cgi-bin-sdb/printenv
/admin.cgi
/cgi-bin/bash
/cgi-bin/hello
/cgi-bin/helpme
/cgi-bin/info.sh
/cgi-bin/php5-cli?
/cgi-bin/php5?
/cgi-bin/test-cgi
/cgi-bin/test.sh
/cgi-sys/guestbook.cgi
/cgi-sys/php5?
/phppath/cgi_wrapper?
/phppath/php?
/tmUnblock.cgi
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin/signon.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/tools/tools.pl
/phppath/cgi_wrapper
/phppath/php
/cgi-sys/FormMail-clone.cgi
/xul/
/gitweb/
/gitweb.cgi
/cgi-bin/
/cgi-bin/php4
/cgi-bin/php.cgi
/cgi-bin/firmwarecfg
/cgi-bin/%2f/admin.html
/cgi-bin/admin.html
/sys-cgi
/cgi-bin/tree.php
/cgi-bin/w3mman2html.cgi
/cgi-bin/status/status.cgi

The binaries themselves live at:

http:// srv5.su /SU2
http:// srv5.su /SU1


Top inbound sources today are:

16339   | 212.78.67.123    | VI-UK Virtual Internet (UK) Ltd,GB
16095   | 81.19.235.60     | JAYNET jay.net a/s,DK

Anyone else been digging into this one?

Just a mild curiosity thus far, but it showed up earlier this week at
another domain, x5d.su. Same attempted exploits, same binaries (but AS1
and AS2).

Thanks,

Scott A. McIntyre
Telstra AS1221
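As an added example (not part of the thread and not Scott's or anyone's tooling): a small Python detector that flags the Shellshock header pattern and the CGI probe paths described above in web-server logs. The log format, the sample lines and the function names are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Core Shellshock marker: a Bash exported-function definition ("() {") at the
# start of a header value, as in the post's "() { :;} ;echo;/usr/bin/php -r %s".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Subset of the CGI paths the post says the bot scans for, without query strings.
PROBED_PATHS = {
    "/cgi-bin/test.cgi", "/cgi-bin/test-cgi", "/cgi-sys/entropysearch.cgi",
    "/cgi-sys/defaultwebpage.cgi", "/cgi-bin/php5", "/tmUnblock.cgi",
    "/dana-na/auth/url_default/welcome.cgi", "/cgi-bin-sdb/printenv",
}

# Assumed (constructed) log format, one request per line:
#   client "METHOD path HTTP/x" status "Referer" "User-Agent" "Cookie"
# A production parser must also handle escaped quotes inside header values.
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def classify_line(line: str) -> List[str]:
    """Return findings for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]          # never silently drop a line the parser rejects
    findings = []
    # CGI front-ends export these headers as HTTP_REFERER / HTTP_USER_AGENT /
    # HTTP_COOKIE environment variables, which is how the payload reaches Bash.
    for header in ("referer", "ua", "cookie"):
        if SHELLSHOCK_RE.search(m.group(header)):
            findings.append(f"shellshock:{header}")
    if m.group("path").split("?", 1)[0] in PROBED_PATHS:
        findings.append("cgi-probe")
    return findings

def scan(log_text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to findings, omitting clean lines."""
    return {n: f for n, f in ((n, classify_line(l))
            for n, l in enumerate(log_text.splitlines(), start=1)) if f}

# Constructed sample log: the first two lines mimic the probes the post describes.
SAMPLE_LOG = """\
81.19.235.60 "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 200 "() { :;} ;echo;/usr/local/bin/php -r %s" "Mozilla/5.0" "() { :;} ;echo;/usr/bin/php -r %s"
212.78.67.123 "GET /cgi-bin/php5? HTTP/1.0" 404 "-" "Mozilla/5.0" "-"
198.51.100.7 "GET /index.html HTTP/1.1" 200 "https://example.net/" "Mozilla/5.0" "session=abc123"
"""

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG).items():
        print(n, ", ".join(f))
```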


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
