herm1t LIVE!ng room - Sucuri Web RAT
Sucuri Web RAT [Nov. 12th, 2015|01:27 am]

Sucuri Integrity Monitor
I found the "monitoring software" installed by #AV firm #Sucuri (it's available to their subscribers). What can I say? It's just a RAT, or a web shell, or whatever you want to call it, but its single purpose is to download unknown code from their servers and execute it. The real name for such a thing is a #Trojan #Horse. That's what I used to call these things. More than that, it contains security flaws... You don't just trust them with your data (that's not necessarily bad), but you leave the back door wide open.
A RAT from Sucuri, the one they install on their clients' sites, fell into my hands. For the life of me, I can't see how this crap differs from a web shell:
    curl_setopt($ch, CURLOPT_URL, "https://$MYMONITOR.sucuri.net/imonitor");
    ...
    $my_sucuri_encoding = base64_decode(substr($my_sucuri_encoding, 7));
    eval($my_sucuri_encoding);
As a bonus, a list of their IPs:
And for this (and a few other things):
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR']
Fingernails should be pulled out. Then the arms. Ж;-]
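The header assignment above lets whoever sends the request choose the address the agent sees, so any allowlist of monitoring-server IPs built on it is decided by the client. As an added example (not Sucuri's code; ported from PHP to Python, with constructed placeholder addresses and a hypothetical trusted-proxy set), the post's pattern beside a version that only honours X-Forwarded-For when the TCP peer is a proxy you operate:

```python
# Added example, not Sucuri's code: the page's REMOTE_ADDR <- X-Forwarded-For pattern
# ported to Python, beside a version that only honours the header behind a proxy you run.
import ipaddress

# Constructed placeholders, not Sucuri's real addresses.
ALLOWED_MONITORS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "2001:db8::10")}
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # reverse proxies in front of the site


def client_ip_naive(server):
    """The agent's pattern: whatever the request carries in X-Forwarded-For wins."""
    return server.get("HTTP_X_FORWARDED_FOR", server["REMOTE_ADDR"])


def client_ip_hardened(server, trusted_proxies=TRUSTED_PROXIES):
    """Start from the TCP peer and walk X-Forwarded-For from the right (the end our
    proxy appended) only while the current hop is a proxy we operate. A malformed
    entry stops the walk, leaving the last trusted proxy, which fails any allowlist."""
    peer = ipaddress.ip_address(server["REMOTE_ADDR"])
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    while peer in trusted_proxies and hops:
        try:
            peer = ipaddress.ip_address(hops.pop())
        except ValueError:
            break
    return str(peer)


def is_allowed(ip_str, allowed=ALLOWED_MONITORS):
    """Allowlist check as a gate in front of anything that would eval fetched code."""
    try:
        return ipaddress.ip_address(ip_str) in allowed
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request: direct connection from an unknown host carrying a forged header.
    forged = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "192.0.2.10"}
    print("naive   :", client_ip_naive(forged), is_allowed(client_ip_naive(forged)))        # True
    print("hardened:", client_ip_hardened(forged), is_allowed(client_ip_hardened(forged)))  # False
```

The same gate should sit in front of the eval above regardless: an allowlist only limits who can reach the code-loading path, it does nothing about what that path executes.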

Comments:
From: (Anonymous)
Date: November 12th, 2015 - 01:52 am
Went to the official website; two assholes in the photo.
Left.
From: herm1t
Date: November 12th, 2015 - 02:01 am
And in the bad sense, at that. :-)
From: (Anonymous)
Date: November 12th, 2015 - 05:35 am
Who the fuck needs these assholes? I read the wiki, it's all laid out there. You'd have to be fucked in the head to buy anything from them.
From: herm1t
Date: November 12th, 2015 - 05:54 am
I don't need them. It just caught my eye.
From: (Anonymous)
Date: November 12th, 2015 - 06:10 am
That's right.
Help yourself.

Nobody can be trusted; I can. (c) Dr. House
From: herm1t
Date: November 12th, 2015 - 06:16 am
Uh-huh, House. As played by Bronevoy. :-)
From: (Anonymous)
Date: November 12th, 2015 - 06:20 am
Oh, that's right!
One more confirmation of the thesis.
From: (Anonymous)
Date: November 12th, 2015 - 09:59 pm

offtop

Have you figured out https://lj.rossia.org/users/herm1t/79130.html#cutid1 ?

FYI, those are antivirus databases.
From: herm1t
Date: November 13th, 2015 - 12:31 pm

Re: offtop

No, I haven't figured it out. And no, those aren't databases :-)