ET SHELLCODE Rothenburg Shellcode flood in log...
-
What the actual F?! All I did after clearing out the usual bloatware was download Firefox straight from Mozilla's site....
-
You appear to have a real mystery on your hands here. Perhaps the malware was not totally eradicated, or else you have other infected hosts that are quickly re-establishing the infection.
-
I deleted the VM, so in theory that purged every bit of it. No other Windows machine is running ATM, so IDK how it gets infected. Also no other alarm from Suricata that could imply I have a compromised host.....
/EDIT
Suricata alert log:

08/23/2021-17:13:32.799962 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:13:32.963161 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:14:28.261221 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:23:41.258658 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:26:28.712807 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:38:58.081742 [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.46.5.80:80 -> 192.168.10.105:50603
08/23/2021-17:39:01.034485 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.105:50615 -> 31.46.5.80:80
08/23/2021-17:39:01.734259 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 31.46.5.18:80 -> 192.168.10.105:50614
08/23/2021-17:39:38.226988 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:39:49.058505 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:39:49.067656 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:39:49.086628 [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:40:00.414606 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:40:06.774212 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.10.38:47270 -> 10.125.210.23:3260
08/23/2021-17:40:56.119765 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:01.073513 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:01.096700 [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:03.541890 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:43:32.355036 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 205.185.216.10:80 -> 192.168.10.105:50673
08/23/2021-17:44:58.130630 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.42:80 -> 192.168.10.105:50704
08/23/2021-17:44:58.270305 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.10:80 -> 192.168.10.105:50705
08/23/2021-17:44:59.587323 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 205.185.216.42:80 -> 192.168.10.105:50707
Dumped packet hex for matches:
https://www.dropbox.com/s/4u03qz1lsy39f2z/hex.txt?dl=0 (Nothing is on that PC so I don't mind.)
/EDIT3
Directly exposed services (to the internet, I mean):
haproxy (running on pfSense)
Minecraft server
Apache webserver (exposed through haproxy, extremely limited setup, only capable of serving files)
-
@jagdtigger Stop the Minecraft server and log again....
-
@cool_corona
Will do, I'll get back to this tomorrow. I think I have a PC Engines APU board somewhere, so I can basically use Suricata to do the logging and then use my switch to do the capture via port mirroring.
-
I'll have to postpone to tomorrow, the darned APU board is a real slowpoke when it comes to updating, installing stuff, and applying settings.....
-
Okay, APU board in transparent bridge mode and Suricata running on the bridge, straight between the Proxmox mini PC and the switch. I set up another mini PC to dump the mirrored traffic to an HDD. Left the Minecraft jail up just to see if it is really what is causing the issues. (I'm not worried about leaving it up; the network it is on is specifically used for stuff that is exposed to the net. It is restricted from talking to anything besides 2 NAS, but those have proper FW rules in place to not expose the mgmt interface to this network.) I'll reinstall Windows (in a new VM) and let it sit overnight while capturing traffic. (During install the VM won't have internet, to get around the pesky MS account enforcement.)
-
Okay, stopped the capture and downloaded the Suricata alert log. The capture ended up 68 GB in size. I can already see the same alerts, but I noticed something strange. They started showing up during install, when I had the virtual NIC disconnected. The ISO was downloaded directly from MS so I don't think it could be infected...
-
Still crawling through the capture, concentrating on traffic from the VM; so far it's only chatter between W10 and MS, plus the traffic resulting from installing FF and Steam. No suspicious domain names or IP addresses so far.
-
@jagdtigger Left over from the SolarWinds attack??
-
@cool_corona
Which is lingering to this day in their ISO downloads? (I'm just a simple home user who likes to tinker with things, so I never used their products.) So far the only thing that is out of place is in the traffic between Proxmox and the NAS hosting the iSCSI share.... Could it be Defender reading its database?
-
Finished crawling through the capture, only looked at the VM's traffic. Nothing out of the ordinary. A lot of chatter between MS and Windows, some from AVG (I installed it after I saw the alerts in Suricata) and the rest of the installed SW. Did not spot any suspicious IP or DNS name.... I still have the APU board inspecting the traffic, but since I shut off the VM the only warning it generates is triggered by Proxmox looking for updates.
-
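One way to triage an alert log like the one pasted earlier in this thread, and to test the iSCSI hypothesis raised just above, as an added example that is not code from the thread or from Suricata: it parses fast.log lines, collapses both directions of a TCP connection into one key, and separates alerts riding a storage (port 3260) session from the rest, so one long-lived iSCSI connection tripping several unrelated content rules stands out from genuinely new connections. The storage port list is an assumption of the example, and the sample lines are a constructed subset copied from the log above.

```python
import re
from collections import Counter

# Suricata fast.log line layout, as pasted in the thread (one alert per line).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: five lines taken from the alert log posted earlier in the thread.
SAMPLE_LOG = """\
08/23/2021-17:13:32.799962 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:14:28.261221 [**] [1:2018373:5] ET EXPLOIT Malformed HeartBeat Response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:38:58.081742 [**] [1:2014819:3] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 31.46.5.80:80 -> 192.168.10.105:50603
08/23/2021-17:39:49.086628 [**] [1:2017318:5] ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.125.210.23:3260 -> 192.168.10.38:47270
08/23/2021-17:40:06.774212 [**] [1:2009247:3] ET SHELLCODE Rothenburg Shellcode [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.10.38:47270 -> 10.125.210.23:3260
"""

def parse_fast_log(text):
    """One dict per parseable alert line; lines that do not match are skipped."""
    return [m.groupdict() for m in (FAST_LOG_RE.match(l) for l in text.splitlines()) if m]

def connection_key(event):
    """Direction-agnostic key so both directions of one connection count together."""
    ends = sorted([(event["src"], event["sport"]), (event["dst"], event["dport"])])
    return (event["proto"], ends[0], ends[1])

def alerts_per_connection(events):
    """Number of alerts each connection produced, whatever rule fired."""
    return Counter(connection_key(e) for e in events)

def signatures_per_connection(events):
    """Distinct (sid, msg) pairs seen on each connection."""
    sigs = {}
    for e in events:
        sigs.setdefault(connection_key(e), set()).add((e["sid"], e["msg"]))
    return sigs

def triage(text, storage_ports=("3260",)):
    """Split alerts into those on an iSCSI session (assumed port list) and the rest.
    Many unrelated content rules firing on one long-lived storage connection is
    consistent with block data (e.g. AV definition files) being read over iSCSI."""
    events = parse_fast_log(text)
    on_storage = [e for e in events if e["sport"] in storage_ports or e["dport"] in storage_ports]
    other = [e for e in events if e not in on_storage]
    return {"storage": on_storage, "other": other,
            "per_connection": alerts_per_connection(events),
            "sigs": signatures_per_connection(events)}
```

Run on the full log from the thread, every Rothenburg, HeartBeat and IRC hit lands on the single 10.125.210.23:3260 <-> 192.168.10.38:47270 connection, while the HTTP alerts each sit on their own short-lived connection.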
I see you're dealing with the Rothenburg shellcode flood in your logs. That sounds frustrating! Have you tried analyzing the logs to see if you can identify patterns or signatures specific to this shellcode? It might help you create filters or rules to block or mitigate the flood. Also, ensuring your system is up-to-date with patches and using strong passwords can help prevent future attacks. You can find more detailed guides and discussions about shellcode and security on https://guidedhacking.com/threads/how-to-find-shellcode-in-malware-memory.20588/ . They have a supportive community that can offer insights and advice based on their experiences.