Sucuri Web RAT Nov. 12th, 2015|01:27 am

herm1t
Sucuri Integrity Monitor
I found the "monitoring software" installed by #AV firm #Sucuri (it's available to their subscribers). Here is what I have to say. It's just a RAT, or a web shell, or whatever you want to call it, but its single purpose is to download unknown code from their servers and execute it. The real name for such a thing is a #Trojan #Horse. That's what I used to call these things. More than that, it contains security flaws... You don't just trust them with your data (that's not necessarily bad), you leave the back door wide open.
A Sucuri RAT that they install on their customers' sites fell into my hands; for the life of me, I can't see how this crap differs from a web shell:
curl_setopt($ch, CURLOPT_URL, "https://$MYMONITOR.sucuri.net/imonitor");
...
$my_sucuri_encoding = base64_decode(substr($my_sucuri_encoding, 7));
eval($my_sucuri_encoding);
As a bonus, the list of their IPs:
And for this (and a couple of other things):
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR']
someone's fingernails need to be pulled out. And then their hands. Ж;-]
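Why that one line matters, as an added example (not the author's or Sucuri's code): the quoted address lookup, which overwrites REMOTE_ADDR with a client-supplied X-Forwarded-For header, beside a hardened lookup that only believes the header when the TCP peer is one of your own reverse proxies. It is written in Python so it runs stand-alone; the monitor allowlist, proxy address and request dictionaries are constructed values.

```python
import ipaddress

# Constructed stand-in for the vendor's monitor allowlist (not the real addresses).
ALLOWED_MONITOR_IPS = {"198.51.100.10", "2001:db8::10"}
# Reverse proxies the site operator actually runs (constructed); only their
# X-Forwarded-For header is trusted.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_vulnerable(server: dict) -> str:
    """Mirrors the quoted PHP line: whatever the client puts in
    X-Forwarded-For becomes the 'source address', so any caller can
    claim to be an allowlisted monitor."""
    return server.get("HTTP_X_FORWARDED_FOR") or server["REMOTE_ADDR"]


def client_ip_hardened(server: dict) -> str:
    """Use the real TCP peer unless it is a trusted proxy; in that case
    take the last hop, which is the address the proxy itself appended.
    Anything earlier in the list was supplied by the client."""
    peer = server["REMOTE_ADDR"]
    xff = server.get("HTTP_X_FORWARDED_FOR", "")
    if peer not in TRUSTED_PROXIES or not xff:
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))  # normalise, reject junk
    except (ValueError, IndexError):
        return peer


def is_monitor(ip: str) -> bool:
    """Allowlist check with canonical address formatting on both sides."""
    try:
        return str(ipaddress.ip_address(ip)) in ALLOWED_MONITOR_IPS
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request: an arbitrary peer claiming a monitor address via XFF.
    spoofed = {"REMOTE_ADDR": "203.0.113.7",
               "HTTP_X_FORWARDED_FOR": "198.51.100.10"}
    print(is_monitor(client_ip_vulnerable(spoofed)))  # True: allowlist bypassed
    print(is_monitor(client_ip_hardened(spoofed)))    # False: peer is used
```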