inetnum: 220.127.116.11 - 18.104.22.168
descr: 1 Gbits Com
At first it seems pretty standard, nothing too interesting here.
Someone loved this botnet:
Open Directory listings.
Hmm... There is more than one panel on this machine.
Not too many bots in these ones.
A malware sample.
As you can see from the screenshots, this is the URL to the panel:
I dropped a shell and had a peek at the logs, grepping for what we need.
22.214.171.124 - - [07/Jan/2014:12:48:02 -0800] "GET /office/ben/server/install/ HTTP/1.1" 200 3685
126.96.36.199 - - [07/Jan/2014:12:49:05 -0800] "GET /office/ben/server/cp.php?m=login HTTP/1.1" 200 1470
188.8.131.52 - - [07/Jan/2014:12:49:16 -0800] "GET /office/ben/server/cp.php?m=home HTTP/1.1" 200 8293
184.108.40.206 - - [20/Jan/2014:23:29:39 -0800] "GET /office/ben/server/cp.php?m=reports_db&bots=ADMIN-PC_E532648A321E07F6&botnets=&ips=&countries=&q=&qstop=&urlmask=&blt=0&online=0&cs=0&grouping=0&nonames=0&rm=0&date=140121 HTTP/1.1" 200 627
We can see the installation occurred on 7-Jan-2014 and, from the control panel, the first activity was 9-Jan-2014. IP address of installer and user: Lagos, Nigeria.
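As an added example (not code from the original post), the same timeline can be pulled out of the access log programmatically instead of by eye. The script below parses the four log lines quoted above and reports the first install, first login, last activity, source IPs and the bot ids the operator looked up; the regex, field names and the `panel_timeline` helper are my own.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The four access-log lines quoted in the post, embedded here as sample input.
SAMPLE_LOG = """\
22.214.171.124 - - [07/Jan/2014:12:48:02 -0800] "GET /office/ben/server/install/ HTTP/1.1" 200 3685
126.96.36.199 - - [07/Jan/2014:12:49:05 -0800] "GET /office/ben/server/cp.php?m=login HTTP/1.1" 200 1470
188.8.131.52 - - [07/Jan/2014:12:49:16 -0800] "GET /office/ben/server/cp.php?m=home HTTP/1.1" 200 8293
184.108.40.206 - - [20/Jan/2014:23:29:39 -0800] "GET /office/ben/server/cp.php?m=reports_db&bots=ADMIN-PC_E532648A321E07F6&botnets=&ips=&countries=&q=&qstop=&urlmask=&blt=0&online=0&cs=0&grouping=0&nonames=0&rm=0&date=140121 HTTP/1.1" 200 627
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    query = parse_qs(url.query)           # blank values (botnets=, ips=) are dropped
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "mode": query.get("m", [None])[0],  # cp.php?m=... selects the panel page
        "bots": query.get("bots", []),      # bot ids the operator queried
        "status": int(m.group("status")),
    }

def panel_timeline(log_text):
    """Summarise operator activity against the panel from raw access-log text."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    installs = [e for e in events if e["path"].endswith("/install/")]
    logins = [e for e in events if e["mode"] == "login"]
    day = lambda e: e["time"].date().isoformat()
    return {
        "first_install": day(min(installs, key=lambda e: e["time"])) if installs else None,
        "first_login": day(min(logins, key=lambda e: e["time"])) if logins else None,
        "last_seen": day(max(events, key=lambda e: e["time"])) if events else None,
        "operator_ips": sorted({e["ip"] for e in events}),
        "bots_queried": sorted({b for e in events for b in e["bots"]}),
    }

if __name__ == "__main__":
    for key, value in panel_timeline(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```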
It looks like some Yahoo boys are back at their old tricks.
I have taken this pile of junk down.
There is more to this story. Coming soon.