google-analytics.pw (WordPress bruting botnet hosted by intermedia.md)

Resolved google-analytics.pw to 89.45.14.74

Yet another WordPress brute-forcing botnet. This one differs from the previously posted one in that it uses HTTP for its C&C server.
It gets a bit tricky, as it tries to hide its gate by sending
Host: google-analytics.pw.
in the request (note the trailing dot) instead of
Host: google-analytics.pw
Here is a correct request:

GET /cmd.php HTTP/1.0
Host: google-analytics.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Sun, 08 Sep 2013 18:59:04 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 67
Connection: close
Content-Type: text/html; charset=UTF-8

1
30
hxxp://google-analytics.pw/pass_bot_pull/952536.txt
steven
480
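As an added example (not part of the original post), a small Python check that parses raw requests and normalizes the Host header so the trailing-dot form still matches the gate domain; the sample requests are constructed from the exchanges above plus one benign request.

```python
# Constructed sample requests as a sensor might log them: the first two mirror
# the gate traffic shown in the post, the third is ordinary browsing.
SAMPLE_REQUESTS = [
    "GET /cmd.php HTTP/1.0\r\nHost: google-analytics.pw.\r\nKeep-Alive: 300\r\n"
    "Connection: keep-alive\r\nUser-Agent: Mozilla/4.0 (compatible; Synapse)\r\n\r\n",
    "GET /login.txt HTTP/1.0\r\nHost: google-analytics.pw.\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
]

KNOWN_GATES = {"google-analytics.pw"}  # indicator taken from the post


def parse_request(raw):
    """Return (method, path, headers) for a raw HTTP request, header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def normalize_host(host):
    """Lower-case, drop an optional port and strip the trailing dot of an absolute FQDN.

    A naive exact-match blocklist misses 'google-analytics.pw.'; comparing the
    normalized form catches it. (Bracketed IPv6 literals are not handled here.)
    """
    return host.split(":", 1)[0].strip().lower().rstrip(".")


def classify(raw):
    """Return the list of reasons a request looks like the gate traffic (empty if clean)."""
    _method, _path, headers = parse_request(raw)
    host = headers.get("host", "")
    reasons = []
    if host.endswith("."):
        reasons.append("host header ends with trailing dot")
    if normalize_host(host) in KNOWN_GATES:
        reasons.append("host matches known C&C gate after normalization")
    if "Synapse" in headers.get("user-agent", ""):
        reasons.append("Synapse user-agent")
    return reasons


def scan(requests):
    """Return [(path, reasons)] for every request that triggered at least one reason."""
    return [(parse_request(r)[1], classify(r)) for r in requests if classify(r)]
```

Running `scan(SAMPLE_REQUESTS)` flags /cmd.php and /login.txt on all three counts and leaves the example.com request alone.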

952536.txt (mirror) is a list of 5000 WordPress sites for the bot to try to brute force using the password “steven”.

The usernames to use are grabbed from the server using the same method as the gate file:

GET /login.txt HTTP/1.0
Host: google-analytics.pw.
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

HTTP/1.1 200 OK
Date: Sun, 08 Sep 2013 18:59:06 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Sep 2013 21:47:35 GMT
ETag: "a0434-ab-4e595c0dfad70"
Accept-Ranges: bytes
Content-Length: 171
Connection: close
Content-Type: text/plain; charset=UTF-8

Administrator
admin
adm
system
service
user
user1
user2
user3
temp
tester
office
director
manager
test
support
root
..........................
..........

The pcap file from malwr.com is here, if anyone wants a more detailed look.

Hosting infos: http://whois.domaintools.com/89.45.14.74

Related MD5s (search on malwr.com to download samples):
WordPress bruteforcer: 2fd2ac4dc99709fbac3fee09a9e92178

EDIT: This is apparently part of the “Fort Disco” campaign.
