Malware and vulnerabilities on a eu.server Apache HTTP server

Malware reported - emotet - heodo malware → https://urlhaus.abuse.ch/url/236912/
On IP and Apache vulnerabilities there: https://www.shodan.io/host/92.222.83.23
See: https://toolbar.netcraft.com/site_report?url=23.ip-92-222-83.eu
Consider also: https://censys.io/ipv4/92.222.83.23
https://mxtoolbox.com/SuperTool.aspx?action=mx%3Aip-92-222-83.eu&run=toolpage
Revealing description there, VT IP relations and detections: https://www.virustotal.com/gui/ip-address/92.222.83.23/relations
malicious word documents, which avast detects: https://www.virustotal.com/gui/file/14445473a8b471e550c9e36677223a3d0ffb017647dc8d7a01ae88efd1b993ac/detection

polonus

Ports (Open/Filtered)

Port 22 - SSH - v7.4p1 Debian
Port 25 - SMTP
Port 80 - HTTP - v2.4.25 (Debian Linux)
(Filtered) Port 111 - rpcbind
Port 443 - HTTPS - v2.4.25 (Debian Linux)
(Filtered) Port 445 - microsoft-ds 
Port 2000 - Cisco?
Port 5060 - Cisco?
Port 8081 - Apache - v2.4.25 (Debian Linux)
Port 8181 - nginx - (phpMyAdmin exposed)
Port 9876 - Back-end access

Apache is vulnerable

(Priv Escalation) https://www.exploit-db.com/exploits/46676

Interestingly enough - they also have a mysql service running there.

mySQLi_real_connect(): (28000/1045): Access Denied for user 'admin'@'X.X.X.X' (using password: NO)
*IP Removed*

Cheers

Hi Michael (alan1998)

Thank you for that additional info, very interesting indeed.

Shodan.io and Censys.io, for that matter, are among your best friends online.
I have a personal Censys account, and the data they sit on are often quite revealing.

For quite other security background info use https://intelx.io/
Peter Kleissner’s specific info search engine, quite remarkable to say the least.
This security expert educated me on sinkholing, a couple of years ago,
while seeking ways to automate the process, which was hard to do.

Combine with the findings of a Dazzlepod IP scan and you know so much more
about what is behind an address or service there.

You can use these results according to these sites' policies,
but are never allowed to use such retrieved info against a(ny) particular website.
That is a big no-no against the Confidentiality Integrity Awareness regulations.
This is whenever you operate in the field of website security.

Then see: https://urlscan.io/ also a source not to be missed in website security analysis and website error-hunting :wink:

polonus a.k.a. Damian

malicious word documents, which avast detects: https://www.virustotal.com/gui/file/14445473a8b471e550c9e36677223a3d0ffb017647dc8d7a01ae88efd1b993ac/detection
Payload from the fake .doc (downloader) is Emotet banking trojan

First Submission 2019-10-02
https://www.virustotal.com/gui/file/3c3fec3cef9506c1e7d333a079384baa19b70f6ed56ec2f51485682543ac1235/detection

Good to give this detection, Pondus.

But emotet is an ongoing malware campaign of what is really a gigantic size.

Emotet galore, see how it spreads everywhere like ill weed online:
https://urlhaus.abuse.ch/browse/

polonus

yepp, and for those interested

Let’s talk Emotet malware
https://www.malwarebytes.com/emotet/

Emotet malspam campaign uses Snowden’s new book as lure
https://blog.malwarebytes.com/botnets/2019/09/emotet-malspam-campaign-uses-snowdens-new-book-as-lure/

I will add it to the list of known IOC we pull from the interwebs and check for it. (Emotet has been on our radar for the last month.)

Cheers
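The last reply mentions pulling known IOCs from public feeds and checking for them. As an added illustration (not code from this thread or from any of the services linked above), the script below loads a small CSV-style indicator list and scans constructed proxy log lines and file hashes against it. The only real values in it are the IP address and the SHA-256 already quoted in the thread; the feed layout, the other indicators, the log lines and the second hash are constructed for the example, and the subdomain and host:port handling is the author's own choice, not a URLhaus or Avast convention.

```python
"""Match proxy logs and file hashes against an IoC list.

Added example, not from the forum thread. Feed rows, log lines and the
`readme.txt` hash are constructed; the IP and the first SHA-256 are the
ones quoted in the thread.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed feed: id,type,value,tag. Types other than ip/domain/sha256 are ignored.
IOC_FEED = """\
id,type,value,tag
236912,ip,92.222.83.23,heodo
236912,domain,ip-92-222-83.eu,heodo
c1,sha256,14445473a8b471e550c9e36677223a3d0ffb017647dc8d7a01ae88efd1b993ac,heodo
c2,domain,example-lure.invalid,heodo
"""

# Constructed proxy log: timestamp client method host path status
PROXY_LOG = """\
2019-10-02T10:01:02Z 10.0.0.5 GET ip-92-222-83.eu /wp-content/invoice.doc 200
2019-10-02T10:01:09Z 10.0.0.7 GET www.example.org /index.html 200
2019-10-02T10:02:44Z 10.0.0.9 POST 92.222.83.23:8081 /gate.php 200
2019-10-02T10:03:00Z 10.0.0.5 GET EXAMPLE-LURE.INVALID /book.doc 200
"""

# Constructed quarantine listing: filename -> hex SHA-256 (one listed, one clean)
SAMPLE_FILES = {
    "invoice.doc": "14445473A8B471E550C9E36677223A3D0FFB017647DC8D7A01AE88EFD1B993AC",
    "readme.txt": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


@dataclass(frozen=True)
class Hit:
    source: str     # "log:<line number>" or "file:<name>"
    indicator: str  # the feed value that matched
    tag: str        # family tag carried by the feed row


@dataclass
class IocSet:
    ips: dict = field(default_factory=dict)
    domains: dict = field(default_factory=dict)
    hashes: dict = field(default_factory=dict)


def load_iocs(feed_text):
    """Parse the CSV feed into lower-cased lookup tables keyed by indicator type."""
    iocs = IocSet()
    buckets = {"ip": iocs.ips, "domain": iocs.domains, "sha256": iocs.hashes}
    for row in csv.DictReader(io.StringIO(feed_text)):
        bucket = buckets.get(row["type"].strip().lower())
        if bucket is None:
            continue  # unknown indicator type: skip rather than guess
        bucket[row["value"].strip().lower()] = row["tag"].strip()
    return iocs


def normalise_host(host):
    """Lower-case a host field and strip a trailing :port (IPv4 / names only)."""
    host = host.strip().lower()
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def match_host(host, iocs):
    """Return (indicator, tag) if host is a listed IP or a listed domain / subdomain thereof."""
    host = normalise_host(host)
    if host in iocs.ips:
        return host, iocs.ips[host]
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs.domains:
            return candidate, iocs.domains[candidate]
    return None


def scan_proxy_log(log_text, iocs):
    """Flag every log line whose host field matches an IP or domain indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: skip it, do not abort the scan
        found = match_host(fields[3], iocs)
        if found:
            hits.append(Hit(f"log:{lineno}", found[0], found[1]))
    return hits


def scan_hashes(files, iocs):
    """Flag files whose (case-insensitive) SHA-256 is in the feed."""
    return [Hit(f"file:{name}", h.lower(), iocs.hashes[h.lower()])
            for name, h in files.items() if h.lower() in iocs.hashes]


if __name__ == "__main__":
    table = load_iocs(IOC_FEED)
    for hit in scan_proxy_log(PROXY_LOG, table) + scan_hashes(SAMPLE_FILES, table):
        print(f"{hit.source}: matched {hit.indicator} ({hit.tag})")
```

Matching on the host field rather than the full URL is deliberate: Emotet downloaders rotate paths far faster than hosting, so a host or IP hit survives longer than a full-URL one. Subdomain matching means a listed apex domain also catches `www.` and similar variants; trim the list of apex domains before deploying this, since a shared hosting domain on the feed would flag every site under it.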