A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29014  by benkow_
 Sat Aug 13, 2016 2:53 am
Original sotry:
http://news.softpedia.com/news/crooks-u ... 4300.shtml

Since May 21, 2016 I can't find any sample so I've retrives one on an infected Drupal (attached)
ELF compress with UPX.
https://www.virustotal.com/file/762a4f2 ... 471054395/
I do not have look deep yet but after a quick look it's seems this bot use RCP, have WP exploit + ssh scanner and has some DDoS features.
Code: Select all
/home/user/src/rex/nmap/tcpsyn.go
/home/user/src/rex/nmap/quickack.go
/home/user/src/rex/nmap/connect.go
/home/user/src/rex/packet/ip.go
/home/user/src/rex/packet/dns.go
/home/user/src/rex/rpc/server.go
/home/user/src/rex/rpc/ipc.go
/home/user/src/rex/rpc/client.go
/home/user/src/rex/scanner/scanner.go
/home/user/src/rex/scanner/target.go
/home/user/src/rex/scanner/strategy.go
/home/user/src/rex/scanner/ssh.go
/home/user/src/rex/scanner/rpc.go
/home/user/src/rex/scanner/ransom.go
/home/user/src/rex/scanner/rand.go
/home/user/src/rex/scanner/php.go
/home/user/src/rex/scanner/kerner.go
/home/user/src/rex/scanner/jetspeed.go
/home/user/src/rex/scanner/http_scanner.go
/home/user/src/rex/scanner/http.go
/home/user/src/rex/scanner/wordpress.go
/home/user/src/rex/scanner/form.go
/home/user/src/rex/scanner/exagrid.go
/home/user/src/rex/scanner/drupal_hash.go
/home/user/src/rex/scanner/drupal.go
/home/user/src/rex/scanner/conn.go
/home/user/src/rex/scanner/cmd.go
/home/user/src/rex/node/rand.go
/home/user/src/rex/node/rpc.go
/home/user/src/rex/node/node.go
/home/user/src/rex/node/myip.go
/home/user/src/rex/node/metrics.go
/home/user/src/rex/node/ddos.go
/home/user/src/rex/node/blacklist_filter.go
/home/user/src/rex/dht/value.go
/home/user/src/rex/dht/store.go
/home/user/src/rex/dht/rpc.go
/home/user/src/rex/dht/node.go
/home/user/src/rex/dht/dht.go
/home/user/src/rex/dht/contact.go
/home/user/src/rex/log/log.go
/home/user/src/rex/sync.go
/home/user/src/rex/dialer_linux.go
/home/user/src/rex/dialer.go
/home/user/src/rex/elevate.go
/home/user/src/rex/binary.go
/home/user/src/rex/cmd/node/main.go
a ransom note:
Code: Select all
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxvCbCNyK0QqSmJi9mblI
8PJB+oM8gFzhoP7ZEcwWB/EIH06EtRvv/v1JuCIWp+zITF2plviD33TcnXXQNmDJ
GRwXPoAla6rtkP3AorLgcOceK9kY4UtRlfVxH5F2HffyETS/7kvN7n+FOBAVu1qb
RGG5ejVkTqYrU30/ZWeTPXueduWoL8GbiIqK2fmB7/ug7N+mgp4xtbCK2SPknnH/
7BZQ0OfXuLi4AFeQ9L4YFcO7DMYbXb6SIuwgVqj9zzRMyvP0gWRpm4KCTFh0bJds
xb0gSCGtzzsIVTDM0viJ/iM/O6lUfh3wwQL7Qd+QcCdoCjgmk0T8DlteFdyy2qhw
6wIDAQAB
-----END PUBLIC KEY-----FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFFFORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.
Code: Select all
rex/rpc.NewClient
rex/rpc.(*Client).Call
rex/rpc.init.1
rex/rpc.(*ServeMux).Register
rex/rpc.(*ServeMux).HandleReadWriter
rex/rpc.(*ServeMux).HandleRequest
rex/rpc.Handler
rex/rpc.NewClient.func1
rex/rpc.(*Client).Call.func1
rex/rpc.init
rex/scanner.(*WoocommerceProductOptions).NewRequest
rex/scanner.(*WoocommerceProductOptions).Do
rex/scanner.(*WoocommerceProductOptions).Get
rex/scanner.(*WordpressRevslider).NewRequest
rex/scanner.(*WordpressRevslider).Do
rex/scanner.(*WordpressRevslider).Get
rex/scanner.(*RansomScanner).NewRequest
rex/scanner.RansomScanner.NewRequest
rex/scanner.(*RansomScanner).Do
rex/scanner.RansomScanner.Do
rex/scanner.(*RansomScanner).Get
rex/scanner.RansomScanner.Get
rex/scanner.(*Drupal).NewRequest
rex/scanner.(*Drupal).Do
rex/scanner.(*Drupal).Get
rex/node.(*NodeScanResult).Addr
rex/node.(*NodeScanResult).BaseURL
rex/node.(*NodeScanResult).HostPort
rex/node.(*NodeScanResult).String
rex/node.(*NodeScanResult).URL
rex/scanner.Run
rex/scanner.worker
rex/scanner.worker1
rex/scanner.NewConnScanner
rex/scanner.(*ConnScanner).NewServeMux
rex/scanner.(*ConnScanner).Payload
rex/scanner.(*ConnScanner).SetBinary
rex/scanner.(*ConnScanner).AddScanner
rex/scanner.(*ConnScanner).Dial
rex/scanner.(*ConnScanner).isPortOpen
rex/scanner.(*ConnScanner).Scan
rex/scanner.NewDrupalModule
rex/scanner.(*Drupal).CanExecute
rex/scanner.(*Drupal).HavocIsRunning
rex/scanner.(*Drupal).Validate
rex/scanner.(*Drupal).docImportsMiscDrupalJS
rex/scanner.(*Drupal).validateFrontpage
rex/scanner.(*Drupal).validateChangelog
rex/scanner.(*Drupal).GetForm
rex/scanner.(*Drupal).SubmitForm
rex/scanner.(*Drupal).loginPageTargets
rex/scanner.(*Drupal).lookupLoginPage
rex/scanner.(*Drupal).Login
rex/scanner.(*Drupal).SetUP
rex/scanner.(*Drupal).lookupUserEditPage
rex/scanner.(*Drupal).SetEmail
rex/scanner.(*Drupal).lookupAdminPeoplePage
rex/scanner.(*Drupal).DeleteOtherPeople
rex/scanner.(*Drupal).lookupAdminConfigSystemSiteinformationPage
rex/scanner.(*Drupal).SetFrontpage
rex/scanner.(*Drupal).lookupAdminContentPage
rex/scanner.(*Drupal).DeleteAllContent
rex/scanner.(*Drupal).EnableModule
rex/scanner.(*Drupal).lookupFilterAdminFormatForm
rex/scanner.(*Drupal).ContentFormatAddOrUpdate
rex/scanner.(*Drupal).ContentFormatAdd
rex/scanner.(*Drupal).ContentFormatUpdate
rex/scanner.(*Drupal).lookupNodeAddPage
rex/scanner.(*Drupal).PostBasicPage
rex/scanner.(*Drupal).EnablePreview
rex/scanner.(*Drupal).StructureTypeAdd
rex/scanner.(*Drupal).StructureTypeUpdate
rex/scanner.(*Drupal).SetDefaultTheme
rex/scanner.(*Drupal).DoBatch
rex/scanner.(*Drupal).CompleteBatch
rex/scanner.(*Drupal).getMetaRefresh
rex/scanner.(*Drupal).ExecSQL
rex/scanner.(*Drupal).ExecPHP
rex/scanner.NewDrupalHash
rex/scanner.(*DrupalHash).Hash
rex/scanner.(*DrupalHash).rehash
rex/scanner.(*DrupalHash).passwordCrypt
rex/scanner.(*DrupalHash).passwordCountLog2
rex/scanner.(*DrupalHash).custom64
rex/scanner.NewExagridScanner
rex/scanner.(*exagrid).Scan
rex/scanner.FormParseNode
rex/scanner.(*Form).Get
rex/scanner.(*Form).Set
rex/scanner.(*Form).UrlValues
rex/scanner.(*Form).Body
rex/scanner.(*formValue).Disabled
rex/scanner.(*formValue).SetDisabled
rex/scanner.(*formValue).Name
rex/scanner.(*formValue).SetName
rex/scanner.(*formValue).Value
rex/scanner.(*formValue).SetValue
rex/scanner.(*formValue).IsPosted
rex/scanner.(*FormSelect).IsPosted
rex/scanner.(*formValueChecked).Checked
rex/scanner.(*formValueChecked).SetChecked
rex/scanner.(*formValueChecked).IsPosted
rex/scanner.(*FormFile).Filename
rex/scanner.NewHTTP
rex/scanner.(*TransportHTTPSVerify).RoundTrip
rex/scanner.(*HTTP).NewRequest
rex/scanner.(*HTTP).Do
rex/scanner.(*HTTP).Get
rex/scanner.RandomUserAgent
rex/scanner.NewHttpScanner
rex/scanner.(*HttpScanner).AddScanner
rex/scanner.(*HttpScanner).Scan
rex/scanner.(*HttpScanner).SetPayloadFn
rex/scanner.(*HttpScanner).Payload
rex/scanner.(*HttpScanner).Dial
rex/scanner.(*HttpScanner).isHTTP
rex/scanner.(*HttpScanner).isHTTPS
rex/scanner.isConnHTTP
rex/scanner.NewJetspeedModule
rex/scanner.(*Jetspeed).Validate
rex/scanner.(*Jetspeed).Scan
rex/scanner.NewKernerScanner
rex/scanner.(*kerner).exec
rex/scanner.(*kerner).Scan
rex/scanner.(*PHP).Scan
rex/scanner.(*PHP).Exec
rex/scanner.(*PHP).Upload
rex/scanner.(*PHP).uploadPHP
rex/scanner.(*PHP).uploadNC
rex/scanner.(*PHP).upload
rex/scanner.(*PHP).fileWriteAt
rex/scanner.(*PHP).Chmod
rex/scanner.randString
rex/scanner.NewRansomScanner
rex/scanner.(*RansomScanner).Scan
rex/scanner.(*RansomScanner).doScan
rex/scanner.(*RansomScanner).makeNote
rex/scanner.(*RansomScanner).lookupContacts
rex/scanner.(*RansomScanner).extractMailto
rex/scanner.(*RansomScanner).lookupMX
rex/scanner.(*RansomScanner).mailNote
rex/scanner.(*ConnClient).call
rex/scanner.(*ConnClient).Ping
rex/scanner.(*ConnClient).SetBinary
rex/scanner.init.1
rex/scanner.(*Service).Ping
rex/scanner.init.2
rex/scanner.(*Service).SetBinary
rex/scanner.(*SSHScanner).isSSH
rex/scanner.(*SSHScanner).Scan
rex/scanner.NewSequentialStrategy
rex/scanner.(*SequentialStrategy).NextTarget
rex/scanner.NewRandomStrategy
rex/scanner.(*RandomStrategy).NextTarget
rex/scanner.init.3
rex/scanner.(*Target).String
rex/scanner.(*Target).HostPort
rex/scanner.(*Target).Addr
rex/scanner.(*Target).BaseURL
rex/scanner.(*Target).URL
rex/scanner.NewWordpressModule
rex/scanner.(*Wordpress).Validate
rex/scanner.(*Wordpress).validateGenerator
rex/scanner.(*Wordpress).validateReadme
rex/scanner.(*Wordpress).PageStyles
rex/scanner.(*Wordpress).Scan
rex/scanner.(*Wordpress).uploadWPUF
rex/scanner.(*WoocommerceProductOptions).ExecPHP
rex/scanner.(*WordpressRevslider).ExecPHP
rex/scanner.(*Wordpress).scanRoboGallery
rex/scanner.Run.func1
rex/scanner.Run.func2
rex/scanner.Run.func3
rex/scanner.Run.func4
rex/scanner.worker1.func1
rex/scanner.(*ConnScanner).Payload-fm
rex/scanner.(Dialer).Dial-fm
rex/scanner.NewHTTP.func1
rex/scanner.(*PHP).Upload.func1
rex/scanner.(*PHP).Upload.func2
rex/scanner.(*PHP).(rex/scanner.uploadPHP)-fm
rex/scanner.(*PHP).(rex/scanner.upload)-fm
rex/scanner.(*SSHScanner).isSSH.func1
rex/scanner.(*SSHScanner).isSSH.func2
rex/scanner.(*SSHScanner).Scan.func1
rex/scanner.(*SSHScanner).Scan.func2
rex/scanner.init

"Armada Collective" email was quoted by cloudflare in this article https://blog.cloudflare.com/empty-ddos- ... ollective/
It seems that this payload is the missing piece in the jigsaw puzzle of "Armada Collective" fake DDoS Ransom :)


After Drupal infection, they upload some mailer and some webshell in sites/default/files/
Mailer ex:
Code: Select all
http://www.c1entertainment.com/sites/default/files/InboxMailerMgad.php
http://www.c1entertainment.com/sites/default/files/Mailer.php
webshell (pwd:Mehdi123):
Code: Select all
http://www.c1entertainment.com/sites/default/files/MehdiAbenhazou.php
Attachments
infected
(2.62 MiB) Downloaded 107 times
 #29025  by benkow_
 Sat Aug 13, 2016 12:15 pm
After a quick look it seems that there is a lot of variant of this crap.
14 Variants attached
https://www.virustotal.com/fr/file/a051 ... 471089685/
https://www.virustotal.com/fr/file/0793 ... 471089687/
https://www.virustotal.com/fr/file/a360 ... 471089792/
https://www.virustotal.com/fr/file/790c ... 467040161/
https://www.virustotal.com/fr/file/5163 ... 471089879/
https://www.virustotal.com/fr/file/f953 ... 471089975/
https://www.virustotal.com/fr/file/b350 ... 471089604/
https://www.virustotal.com/fr/file/4bb8 ... 471089901/
https://www.virustotal.com/fr/file/bf7a ... 467003146/
https://www.virustotal.com/fr/file/9bd1 ... 471089907/
https://www.virustotal.com/fr/file/99e5 ... 471089304/
https://www.virustotal.com/fr/file/0689 ... 471089305/
https://www.virustotal.com/fr/file/cb5e ... 471089304/
https://www.virustotal.com/fr/file/762a ... 471054395/
https://www.virustotal.com/fr/file/ad62 ... 471054221/



Ex of command line:
Code: Select all
www-data  5856  0.0  0.0   4440   652 ?        S    17:28   0:00 /bin/sh -c nohup /tmp/.G2eCM9jUiz -elevate.skip -wait 20619 2>/tmp/l
output:
Code: Select all
*node.Node.Run "random" 8184 0.0.0.0/0
we're super, not starting scanner!
serving 0.0.0.0:5099

LoadBalance: no peers
new neighbor 85.158.48.35:5099
new neighbor 147.96.81.44:5099
new neighbor 95.163.88.253:5099
new neighbor 91.121.144.123:5099
new neighbor 121.42.178.179:5099
new neighbor 198.61.229.62:5099
new neighbor 52.67.0.61:5099
new neighbor 173.201.183.16:5099
new neighbor 208.109.86.217:5099
new neighbor 80.255.185.21:5099
new neighbor 188.64.222.101:5099
new neighbor 95.59.136.118:5099
new neighbor 193.9.245.64:5099
new neighbor 109.228.9.219:5099
new neighbor 14.139.155.118:5099
new neighbor 195.20.133.161:5099
new neighbor 184.168.85.229:5099
new neighbor 188.130.150.3:5099
new neighbor 192.167.9.33:5099
new neighbor 178.217.169.13:5099
new neighbor 40.68.209.235:5099
new neighbor 95.211.144.96:5099
new neighbor 213.155.96.200:5099
new neighbor 37.187.165.74:5099
new neighbor 195.154.14.134:5099
new neighbor 81.202.121.192:5099
new neighbor 78.46.209.162:5099
new neighbor 45.55.6.174:5099
new neighbor 193.200.160.156:5099
2016/08/13 17:43:38 http: TLS handshake error from 93.115.95.204:33810: EOF
2016/08/13 17:43:38 http: TLS handshake error from 93.115.95.204:33106: EOF
reviving 46.252.202.32:81
reviving 188.40.92.142:80
reviving 104.238.118.249:80
2016/08/13 18:22:39 http: TLS handshake error from 197.231.221.211:3735: EOF
new neighbor 188.121.60.212:5099
reviving 173.201.26.143:80
reviving 107.170.74.206:80
reviving 165.196.130.5:80
reviving 50.63.129.208:80
*node.NodeMonitor.revive 78.46.209.162:5099


sample:
https://1fichier.com/?wp3aami062 (infected) (too big for here, sorry)
 #29034  by p1nk
 Sun Aug 14, 2016 3:13 pm
So, Communication looks to be through a Kademlia P2P network setup. The Go source references in the file make me think they are using:
https://github.com/nictuku/dht
(haven't validated yet)

POST /rpc HTTP/1.1
Host: 213.155.96.200:5099
User-Agent: Go-http-client/1.1
Content-Length: 60
Content-Type: application/json
X-Contact: ["aadf6194f4b0189fcca97679f9dcc6fe87413d44",""]
Accept-Encoding: gzip

{"method":"DHT.Ping","params":[{}],"id":4627907777588803205}


HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Date: Sun, 14 Aug 2016 15:10:07 GMT
Content-Length: 155

{"result":{"Contact":["102fe67594e1e49ff04ccf7af73ec6c344c402be","95.163.88.253:5099"],"RequestorIP":"<My IP address ;) >"},"error":null,"id":4627907777588803205}
 #29042  by p1nk
 Mon Aug 15, 2016 2:17 pm
Retrohunt data:
Code: Select all
rex:4bb85c32a5a25ff1626a973ebcc6c5fec7b065907eea84fba304b5e775adc545/subfile
rex:ad625f0b837db71c1c9795507b6043141a2c194af8df7f23354762cd8ffff879/subfile
rex:99e53326644bb664e0fe8356faffe26fc87b106f84746b445d9d89bced55a55c/subfile
rex:a360639017f300ea273c680fef64b3516dde1f654747c4a878dbaf45bc99f4ad/subfile
rex:5163a4cda16d888b3fc782b53c6e452124ce23792f5cb7a3ab649179574dafe1/subfile
rex:09fd47864ee5a05ca59b245bc78da17ee13a5a6228159f9e6da7e7cb19d03386/subfile
rex:fe6a71f2165302ce3189d4557d7600a2de7758ce0b898b04fabea1b5f9e9517d/subfile
rex:a0514c4f6f96c31bd96a05f6fde1e4573c9933059fc165807f6f5d81614a2083/subfile
rex:8e7eaed42f50c865f72f7351b87a988de5aa94781b4dab4ddbe993872435f293
rex:790cecf1968ee9762b81634d65ec58b57117bc1a8e523382a8692d412d48df13/subfile
rex:762a4f2bf5ea4ff72fce674da1adf29f0b9357be18de4cd992d79198c56bb514
rex:9bd1d3a567e2036f8e57745dd81333911b06a34f4ed6d7d68daa674aac0d7b96
rex:f953e91e4b97f367e523b932bd93cdb3dd6b6bb5d845081dc6e0eb130bc09509/subfile
rex:bf7a47ab636040ec4b4654a67746ce2574e64f70bd98eb83109d0788b4ddd93c/subfile
rex:677464da2fcf73b9793daca3191501da02957af08a6471a047410ce99ea49405
rex:0793ae61c0c5803869a63dd03370eb93a725c301c857aedf671f92a84be85991/subfile
 #29060  by benkow_
 Wed Aug 17, 2016 11:22 am
After a quick look:

CMS exploit are used to build a P2P botnet.
In different variant I've found:
Drupal:
CVE-2014-3404
Wordpress:
Plugin Revslider RCE – https://www.exploit-db.com/exploits/35385/
Plugin Woocommerce RCE – https://cxsecurity.com/issue/WLB-2016040066
Plugin Robo Gallery RCE – http://www.vulnerability-lab.com/get_co ... hp?id=1822
Plugin WP-squirrel RCE – https://packetstormsecurity.com/files/1 ... el-rfi.txt
Plugin Gwolle Guestbook RCE – https://www.htbridge.com/advisory/HTB23275
Plugin Site Import 1.0.1 LFI – https://www.exploit-db.com/exploits/39558/
Plugin Brandfolder 3.0 LFI/RFI – https://www.exploit-db.com/exploits/39591/
Plugin Issuu Panel 1.6 RFI & LFI – https://packetstormsecurity.com/files/1 ... rfilfi.txt
Magento
ShopLift RCE – https://www.exploit-db.com/exploits/37977/
AirOs
AirOS RCE – https://github.com/rapid7/metasploit-fr ... _upload.rb
ExaGrid
Exagrid – CVE-2016-1560 – https://github.com/rapid7/metasploit-fr ... privkey.rb
JetSPeed
Apache Jetspeed – CVE-2016-0710 http://haxx.ml/post/140552592371/remote ... ed-230-and

In the latest version, the bot has DDoS feature, I've seen some attacks:
Code: Select all
root     12906 69.1 13.7 801860 277952 ?       Rl   Jun29 48363:52 /tmp/.eLBaxwiu2d stress 216.92.1.92
Some of the variant have BTC mining feature too.
sample:
Code: Select all
9070f56651f44ec722e17df67b8a954888e387a8f2574594c80937d0f39c471a  .0LD5dVbuo9
bf211d46551079e7f7646ffd6bfda065f1307ea81508d1625b5c65005d929cb3  .0OHjeERDbv
550b9b4c5b2dbe83fa3e227cca65b9b9768e2ea597c2e109205dba51faee5869  .0OhoU6US1m
677464da2fcf73b9793daca3191501da02957af08a6471a047410ce99ea49405  .0r4mKMUlJ6
69402f4bd7718a3403f1caaaa387edc70b299f6aecc06de39e3a9ac28873a184  .0rqNlrPujv
32c921dd4b755af519f648102098735a569a0326a79a911eb47174bd058e5c43  .0YOtp0GQMk
52bf6ae8fe7a0a59ca8d089444207c173e20a7a11c8b5e815b937e2f4224da4f  .1ZRhWKqTlY
950cd068d9c51b941bdfe4721a3156af15dc408d2df23c1f2bc41b87159b109e  .3v0UwARWmv
1f4d876b17a6d786aa793b9c529235f9f9e164d70a74d8d26ca850d18f1329a7  .3weUyhjJZe
09f1967e97a97a1d0963a84823fa2611b9555866f09d7a04bb69bc4d877f9631  .42wVPcdaFD
3e4cebd60a1d6a6b29bac68ace2547c2e3894a0e5865dd90aff5764f8e7dc16d  .4JkeqTzZSX
dcd0e1586630bc8c50fe600899bee76b853057fd9158ed541d7ddec53c8f2186  .5Ygi9nGrHn
cb42573e36fb148bc1109229a1025cdcb375c166361605f0681da9e54e3ef81d  .5ZFxAbOeBY
08ab4abd017568142d061ffd5a2592a491730dddb4485211fda53f39d43e3efb  .7RCBTpSOUh
ac36c87cacbe1b8327fae3084ebd1740a3a5c6c6f208c1c77da56932a9ca3be6  .7tsPagH3FM
d67ae5639618a3409711377e124ef2c6293200aa3026b8b2996654db63645481  .9bKas738kc
a1610e735042ce0197859e6fd7772039e63efce78d6c9cf642492d1c8f1d7540  .9G97ZhwNer
07dd2c7be7a0becb178967c43684c1a687deb217e87575d18fd6b73dc988bd78  .9MgvdLBtL0
dbc3f96fcbbfd90f877dc11fcdedca1c1e574b951ac70edc3160ed9f389c3fd3  .aH7HRrz554
8e7eaed42f50c865f72f7351b87a988de5aa94781b4dab4ddbe993872435f293  .bM04ITZnuq
97c1ed3d52d663f9bad2eef716169f06053dc2bcf8e3d857b0a702e8fae546c9  .C91EZKVz6Q
a1000d4cb81cfb7dfac660722938f3d9c7cb6e36c33e129097ddd29f3dfd1890  .cOVyPvf01L
9f568df46838872b389628b665940415d897823b2e1804e2625c3dfb0b6850b4  .D90yb8KdDV
cc01ba0825208402b0fc2eb62146e856f69d1e9f53b745d8f068f0d09e6170c0  .E61NBnYjak
40c882738ea1e01cc4e8027dd6ce5d55552e5630c8f65e86db630fca09d85fa9  .EETl2pJOf9
0e6c53797964b611c867cb5e5b492d45edf5472924c9a60a99433240f1712f15  .eLBaxwiu2d
c79d7b2a8caf5cc19a019772053c54d1ec02f8ae15b577bbbbd9bf82f19caedb  .fkmJQOIqYB
d097f55f82e88a32b057010c96f553aa7c8ccef12c2a8484aab0fb3dab9d4a0f  .H4g8bASf8Y
c058d576a108bdcf637a6ed399b4d9a1e3bbb6f194882ffada01b85e79109f65  .HdUykUNGy8
339eaabda43fbf0ee0caa6021a999d383713498911523d2b21e2ee2f1541f78f  .Ju7XqX36yy
3dee377037f7fcfd6539c23bb1cdc6eda46680c8773525b784150c1237788965  .KDnA4yWrGc
9d41dc182dee0690e5c5f08f9276548a85f4b986478fd30ec4208d95d54cffeb  .KzmJO5vHRQ
b30dfa13f8dc7162f3edb43dff8507f82c01bd5bd6e5a1ae2e3b2e55dd6b10c0  .LqZzmAJcjo
f7bc5d56312ae6205b21aa4c72708383716907754b037013f47bc88203fbb450  .Oer60jCsoB
9909910d6e008e15c98d26e214f619a7a82787137158784998d99b5c03cbe8f2  .OiZhEG9cEu
2549560970bb8ebca0136f7d6c8111196295d083c6fd6101a7f9178089502cc0  .q7hsioOPWv
fe2c837d1662ca47ebd86c0cf0a3a382ee589bce6b77dabae30801d71a7d280f  .rG47yPBz5p
67a3b5d1fb946daccd7f3562e35b90537f9032184a0605cc9b8613c91a4ea1be  .RnKtruJM9f
22a578f2d30f316d441b73efbeaa0b53641686d2fa75ad44d4d3992da9ceaf5f  .SzIYofKRTz
0723de24bc86eedde149c53e0f93a18596bed424e823f1b46c2f97e358931b83  .YPuels1RDm
6b46b6eff4be06d47284492fed7f71c53103bfaa610952151bddebb8046a34f1  .yYRSdRs6kH
9bd1d3a567e2036f8e57745dd81333911b06a34f4ed6d7d68daa674aac0d7b96  .Zw64nQ52IX
 #29123  by benkow_
 Sun Aug 28, 2016 11:28 am
Update from 26/08 seems include new features:
Code: Select all
Www-AuthenticateX-Instagram-AJAXX-Requested-With
instagram.AccountCreate
https://www.instagram.com/accounts/web_create_ajax/
rex/instagram.CSRFToken
rex/instagram.AccountCreate
rex/instagram.init
type..hash.rex/instagram.Account
type..eq.rex/instagram.Account
/home/user/src/rex/instagram/rand.go
/home/user/src/rex/instagram/instagram.go
attached
Attachments
infected
(3.8 MiB) Downloaded 69 times
 #29150  by nl3dee
 Wed Aug 31, 2016 9:59 am
Following p1nk leads on P2P communication, it confirms that it uses Kademlia DHT. Nevertheless it's over HTTPS so it's not BitTorrent implementation and therefore not using https://github.com/nictuku/dht.

Supported commands are:
Code: Select all
DHT.Store
DHT.Ping
DHT.FindValue
DHT.FindNode
DHT.Neighbors
Building a crawler based on DHT.Neighbors command we can find 58 nodes (with 21 down).
 #29151  by nl3dee
 Wed Aug 31, 2016 11:38 am
There is a man page for it:
Code: Select all
./nA6pdsMXxg --help
Usage of ./nA6pdsMXxg:
  -debug
    	enable debugging
  -elevate.ignore string
    	credentials to ignore during elevation (default "root")
  -elevate.skip
    	skip elevation (default true)
  -ipc
    	enable stdio ipc
  -log.dht
    	log DHT requests
  -log.http
    	log HTTP requests
  -socks string
    	SOCKS5 proxy address
  -strategy string
    	scan strategy [random, sequential] (default "random")
  -target string
    	target(s) (default "0.0.0.0/0")
  -wait int
    	wait for PID to exit before starting (0: disable)
  -wordpress.pingback
    	enable WordPress Pingback