Author Topic: Malware and vulnerabilities on a eu.server Apache HTTP server  (Read 1691 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
« Last Edit: October 02, 2019, 02:32:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Malware and vulnerabilities on a eu.server Apache HTTP server
« Reply #1 on: October 02, 2019, 02:28:21 PM »
Ports (Open/Filtered)

Code:
Port 22 - SSH - v7.4p1 Debian
Port 25 - SMTP
Port 80 - HTTP - v2.4.25 (Debian Linux)
(Filtered) Port 111 - rpcbind
Port 443 - HTTPS - v2.4.25 (Debian Linux)
(Filtered) Port 445 - microsoft-ds
Port 2000 - Cisco?
Port 5060 - Cisco?
Port 8081 - Apache - v2.4.25 (Debian Linux)
Port 8181 - nginx - (phpMyAdmin exposed)
Port 9876 - Back-end access

Apache is vulnerable
Code:
(Priv Escalation) https://www.exploit-db.com/exploits/46676

Interestingly enough - they also have a mysql service running there.
Code:
mySQLi_real_connect(): (28000/1045): Access Denied for user 'admin'@'X.X.X.X' (using password: NO)
*IP Removed*

Cheers
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Malware and vulnerabilities on a eu.server Apache HTTP server
« Reply #2 on: October 02, 2019, 03:53:56 PM »
Hi Michael (alan1998)

Thank you for that additional info, very interesting indeed.

Shodan.io and Censys.io, for that matter, are among your best friends online.
I have a personal Censys account, and the data they sit on are often quite revealing.

For quite different security background info, use https://intelx.io/,
Peter Kleissner's specific info search engine, quite remarkable to say the least.
This security expert educated me on sinkholing a couple of years ago,
while I was seeking ways to automate the process, which was hard to do.

Combine this with the findings of a Dazzlepod IP scan and you know much more
about what is behind an address or service there.

You can use these results according to these sites' policies,
but you are never allowed to use such retrieved info against a(ny) particular website.
That is a big no-no against the Confidentiality Integrity Awareness regulations.
This applies whenever you operate in the field of website security.

Then see: https://urlscan.io/, also a source not to be missed in website security analysis and website error-hunting ;)

polonus a.k.a. Damian

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not an avast user
Re: Malware and vulnerabilities on a eu.server Apache HTTP server
« Reply #3 on: October 02, 2019, 05:05:53 PM »
Quote
malicious word documents, which avast detects: https://www.virustotal.com/gui/file/14445473a8b471e550c9e36677223a3d0ffb017647dc8d7a01ae88efd1b993ac/detection
Payload from the fake .doc (downloader) is Emotet banking trojan

First Submission   2019-10-02
https://www.virustotal.com/gui/file/3c3fec3cef9506c1e7d333a079384baa19b70f6ed56ec2f51485682543ac1235/detection



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Malware and vulnerabilities on a eu.server Apache HTTP server
« Reply #4 on: October 02, 2019, 05:34:39 PM »
Good to give this detection, Pondus.

But emotet is an ongoing malware campaign of what is really a gigantic size.

Emotet galore, see how it spreads everywhere like ill weed online:
https://urlhaus.abuse.ch/browse/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not an avast user
Re: Malware and vulnerabilities on a eu.server Apache HTTP server
« Reply #5 on: October 02, 2019, 05:38:13 PM »
yepp, and for those interested

Let’s talk Emotet malware 
https://www.malwarebytes.com/emotet/

Emotet malspam campaign uses Snowden’s new book as lure
https://blog.malwarebytes.com/botnets/2019/09/emotet-malspam-campaign-uses-snowdens-new-book-as-lure/



Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Malware and vulnerabilities on a eu.server Apache HTTP server
« Reply #6 on: October 02, 2019, 06:58:56 PM »
Quote
yepp, and for those interested

Let’s talk Emotet malware
https://www.malwarebytes.com/emotet/

Emotet malspam campaign uses Snowden’s new book as lure
https://blog.malwarebytes.com/botnets/2019/09/emotet-malspam-campaign-uses-snowdens-new-book-as-lure/

I will add it to the list of known IOCs we pull from the interwebs and check for it. (Emotet has been on our radar for the last month.)

Cheers
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.
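The workflow Michael describes in the last reply, pulling known-bad hashes from public feeds and checking local files against them, is shown below as an added example. It is not code from the thread, from Avast or from any poster. The two SHA-256 values are the ones linked from VirusTotal earlier in the thread (the fake .doc downloader and the Emotet payload); the feed format (one hash per line with `#` comments), the sample files and the "planted" match are constructed for illustration.

```python
"""Check files against a list of known-bad SHA-256 IOCs.

Added example, not code from the forum thread or from Avast. The two
hashes below come from the VirusTotal links posted in the thread; the
feed format (one hash per line, '#' comments) and the sample directory
layout are assumptions made for this illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Set

# Constructed IOC feed text. The two SHA-256 values are the ones linked
# from VirusTotal in the thread; the comment lines, the mixed case and the
# malformed line are constructed to exercise the normaliser.
CONSTRUCTED_FEED = """
# sha256 IOCs pulled from public feeds (constructed sample)
14445473a8b471e550c9e36677223a3d0ffb017647dc8d7a01ae88efd1b993ac   # fake .doc downloader
3C3FEC3CEF9506C1E7D333A079384BAA19B70F6ED56EC2F51485682543AC1235   # Emotet payload
not-a-hash-line
"""


def parse_ioc_feed(text: str) -> Set[str]:
    """Return the set of lowercase SHA-256 hex digests found in a feed.

    Trailing '#' comments are stripped; blank lines and anything that is
    not exactly 64 hex characters are ignored, so one malformed feed line
    cannot poison the IOC set or cause spurious matches.
    """
    iocs: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if len(line) == 64 and all(c in "0123456789abcdef" for c in line):
            iocs.add(line)
    return iocs


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large attachments are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path, iocs: Set[str]) -> Dict[str, str]:
    """Return {path: sha256} for every regular file under root whose digest is an IOC.

    Symlinks are skipped so that a link pointing outside the scanned tree
    is never followed.
    """
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digest = sha256_file(p)
            if digest in iocs:
                hits[str(p)] = digest
    return hits


def demo() -> Dict[str, str]:
    """Build a constructed sample tree, scan it and return hits keyed by file name.

    The malicious samples themselves are not reproduced here, so a match is
    simulated by planting a harmless file and adding its own digest to the
    IOC set next to the two hashes from the thread.
    """
    iocs = parse_ioc_feed(CONSTRUCTED_FEED)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice.doc").write_bytes(b"constructed benign-looking sample")
        (root / "notes.txt").write_bytes(b"nothing to see here")
        # Simulated feed hit: treat invoice.doc's digest as a known IOC.
        iocs.add(sha256_file(root / "invoice.doc"))
        hits = scan_directory(root, iocs)
        return {Path(k).name: v for k, v in hits.items()}


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"IOC hit: {name} {digest}")
```

Feeds from different sources disagree on case and comment style, so normalising every line before comparison is what keeps the match reliable; hashing in chunks and skipping symlinks are the two edge cases most likely to bite when the same script is pointed at a real mail-attachment quarantine directory.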