
Interesting.

I ran the "nginx" binary through strace in a vagrant vm and got some connection attempts to a Cloudflare IP

connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("108.162.197.26")}, 16) = 0

but didn't see anything interesting being sent there... My tcpdump output showed it connects to an HTTP server at 89.238.150.154:5 and exchanges some data there

sent >>> BUILD X86

recv >>> !* HTTP

recv >>> 190.93.240.15,190.93.241.15,141.101.112.16,190.93.243.15,190.93.242.15 pastebin.com /4HQ2w4AZ 80 2

recv >>> PING

sent >>> PONG

then it just goes to do ping/pong with the same server. At one point the process forks a separate process of itself and dies...

The pastebin link leads to an uploadcash.org file named hermoine_granger_jpg.jpg which I can assume is a payload of some kind...
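As an added example (not the poster's code), a small Python indicator extractor run over the sent/recv exchange quoted above, the kind of thing a defender would feed strace or tcpdump text into to pull out C&C addresses and payload URLs. It assumes the bot's command keywords are BUILD, !*, PING and PONG, and that a bare hostname followed by a /path token denotes a plain-HTTP URL; both are assumptions, not something the thread confirms.

```python
import re
from dataclasses import dataclass, field

# Transcript constructed from the exchange quoted in the comment above
# (direction tags "sent >>>"/"recv >>>" exactly as the poster wrote them).
SAMPLE_TRANSCRIPT = """\
sent >>> BUILD X86
recv >>> !* HTTP
recv >>> 190.93.240.15,190.93.241.15,141.101.112.16,190.93.243.15,190.93.242.15 pastebin.com /4HQ2w4AZ 80 2
recv >>> PING
sent >>> PONG
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A bare hostname followed by a /path token, as in "pastebin.com /4HQ2w4AZ".
HOST_PATH_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})\s+(/\S+)", re.IGNORECASE)
# Control-channel keywords seen in the capture (assumed to be the bot's command set).
COMMAND_PREFIXES = ("BUILD", "!*", "PING", "PONG")


@dataclass
class Indicators:
    commands: list = field(default_factory=list)  # (direction, command line)
    ipv4: list = field(default_factory=list)      # unique addresses, in order seen
    urls: list = field(default_factory=list)      # host + path reassembled as a URL


def extract_indicators(transcript: str) -> Indicators:
    """Pull C&C commands and network indicators out of a 'sent/recv >>>' transcript."""
    found = Indicators()
    seen_ips = set()
    for raw in transcript.splitlines():
        m = re.match(r"^(sent|recv)\s*>>>\s*(.*)$", raw.strip())
        if not m:
            continue  # not a protocol message line; skip it
        direction, payload = m.group(1), m.group(2)
        if payload.startswith(COMMAND_PREFIXES):
            found.commands.append((direction, payload))
        for ip in IPV4_RE.findall(payload):
            if ip not in seen_ips:
                seen_ips.add(ip)
                found.ipv4.append(ip)
        for host, path in HOST_PATH_RE.findall(payload):
            # Scheme is assumed: the observed C&C traffic was plain HTTP.
            found.urls.append(f"http://{host}{path}")
    return found


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_TRANSCRIPT))
```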




Interesting that they're presumably hiding behind Cloudflare, does it send an HTTP Host header?

FWIW, it doesn't appear to be a new bit of malware - the same strings match this pastebin from March - http://pastebin.com/xa87Gh7q


Yes the syntax looks familiar, I got a few more responses that match the commands from that pastebin. Seems like a general C&C setup where they just add new exploits as they get published.

Anyhow, doesn't seem like it sends anything to Cloudflare. I think it just checks if the IP is alive (perhaps this is how it tests connectivity to the internet). It also checks my routing table and extracts the MAC address.

P.S. as of now, the CC server at 89.238.150.154:5 is not accessible.



