2013-10-20

Background..

Not so long ago this attack came into our web server:

#MalwareMustDie! 1st attack attempt came into our new server is by "Romanian AntiSec" from China IP < BIG #FAIL! :-) pic.twitter.com/vy043MD2UO

— MalwareMustDie, NPO (@MalwareMustDie) October 5, 2013

That was actually the first of an attack series we received, as listed here: PASTEBIN
I had enough of it, so I started to investigate this matter thoroughly. With help from @malm0u53 I was led to the source of the attack, and started digging deeper over there, finding material malicious enough to shock any decent person.

This report contains many ways to mitigate similar attacks in the future, and also helps in understanding the source and nature of the current threat. For firewall/IPS/IDS filtering research, maybe this poor English writing can be used as a reference. I will share the samples when ready; they contain very dangerous toolkits and packages.
Following is the report in detail..

Tracking..

First I made classification of the IP addresses:

Checking the details of each IP..to prioritize the examination:

Using lynx to check the HTTP status of each server...

Leaving me with the two suspected IPs:

The first IP, 212.227.251.6, ended up at a site that had already been cleaned up..

While 211.162.16.164 (thanks to MalMouse for noticing this!) led us to the source of the attack:

In the source:

Let's enlarge the part that shows the source:
Well, this is the source of the attack, a hacked site; I marked the hack files in green. The site itself is full of URL redirections, so I cannot call it a clean site, but I will focus on the w00tw00t attack component only:

And yes, I grabbed them all..

Threat Components..

The files below are the list and log used for the w00tw00t attack:

And the below file is the w00tw00t attack script itself:

These files are the set of hacking tools injected into this site:

PS: blackcat.jpg is actually a GZIP archive:
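A file whose extension says "image" but whose content is a compressed archive is a classic way of hiding dropped tools on a hacked site. The triage helper below is an added example (my code, not the tool or scripts found on the hacked site): it identifies a file by its magic bytes instead of its extension, and when the file turns out to be gzip it decompresses the first block to report what is really inside (a tar, an ELF, and so on). The blob it triages is constructed in memory here; it is not the real blackcat.jpg.

```python
import gzip
import io
import os
import tarfile

# Magic numbers for a few container/executable formats commonly seen in
# dropped tool packages. Only formats that can be recognised from the
# first bytes are listed.
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"GIF8": "gif",
}

# What an honest file with this extension should look like.
EXTENSION_EXPECTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}


def identify(data: bytes) -> str:
    """Return the format name implied by the leading bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def gzip_payload_type(data: bytes) -> str:
    """Decompress only the first 512 bytes of a gzip blob and identify them."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        head = gz.read(512)
    # A tar header carries the "ustar" magic at offset 257.
    if len(head) >= 262 and head[257:262] == b"ustar":
        return "tar"
    return identify(head)


def triage(name: str, data: bytes) -> dict:
    """Compare the claimed type (extension) with the real type (magic bytes)."""
    actual = identify(data)
    claimed = EXTENSION_EXPECTS.get(os.path.splitext(name)[1].lower())
    inner = gzip_payload_type(data) if actual == "gzip" else None
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "inner": inner,                        # what the gzip wraps, if gzip
        "suspicious": claimed is not None and actual != claimed,
    }


def build_sample_blob() -> bytes:
    """Constructed sample: a gzip-compressed tar holding a placeholder x.pl."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"#!/usr/bin/perl\n# placeholder, not the real script\n"
        info = tarfile.TarInfo("x.pl")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return gzip.compress(buf.getvalue())


if __name__ == "__main__":
    print(triage("blackcat.jpg", build_sample_blob()))
    print(triage("logo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

Run over a directory of web-root files, the `suspicious` flag alone gives a quick list of files worth a closer look; the `inner` field tells you whether the hidden archive is a tarball of scripts or a bare ELF binary before you open anything.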

Peeling the Code: w00tw00t Attack Script - x.pl

Written in pure Perl, the script is used to pwn web servers running vulnerable PHP: it injects and then extracts all of the "package" files onto the compromised server, and then connects the server to its "master" via an IRC channel. Below is the breakdown of the code from the images. It uses these Perl modules:

How they define the User-Agent, timeout, payload and shell:

This is where the exploitation and its components are defined:

The ATTACK logic of #w00tw00t used in this attack is very simple...

With some error trapping and.. they're not very friendly to their users...

Here's the main exploit function; note the extraction of the PMA (phpMyAdmin) hacking tools to pwn the server:

Finally the scan with the PMA toolkit activated..and deletion of the extracted toolkit components..
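For the firewall/IPS/IDS side mentioned in the introduction, the useful thing is spotting this kind of scanner in your own web logs before it finds a vulnerable PHP install. The script below is an added example written from the defender's side (my code, not anything from the attacker's package): it parses Apache combined-format access log lines and groups by source IP the requests that look like w00tw00t/DFind-style and phpMyAdmin (PMA) probing. The probe paths come from widely published scanner signatures, not from this post, which does not show the exact request strings; the log lines are constructed for the example and the combined log format is an assumption.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumption: the post does not show its log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request paths typical of the w00tw00t/DFind scanner and of phpMyAdmin
# probing (public scanner signatures; constructed list, extend as needed).
PROBE_PATTERNS = [
    re.compile(r"^/w00tw00t\.at\.", re.I),
    re.compile(r"/(?:phpmyadmin|pma|myadmin|mysqladmin)[-\w.]*(?:/|$)", re.I),
    re.compile(r"/(?:scripts/)?setup\.php$", re.I),
]

# Constructed sample log: one scanner (203.0.113.7) and one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2013:10:12:01 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
203.0.113.7 - - [05/Oct/2013:10:12:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "ZmEu"
203.0.113.7 - - [05/Oct/2013:10:12:02 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "ZmEu"
198.51.100.4 - - [05/Oct/2013:10:13:40 +0000] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Oct/2013:10:13:41 +0000] "GET /images/logo.png HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_probe(path: str) -> bool:
    """True when the request path matches a known scanner/PMA probe pattern."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def scan_log(lines, threshold: int = 2) -> dict:
    """Group probe requests by client IP; report IPs with at least `threshold` hits."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": [], "first_seen": None, "last_seen": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["paths"].append(rec["path"])
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
        entry["last_seen"] = rec["ts"]
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= threshold}


if __name__ == "__main__":
    for ip, info in scan_log(SAMPLE_LOG.splitlines()).items():
        print(ip, info["hits"], "probes", info["first_seen"], "->", info["last_seen"])
        for path in info["paths"]:
            print("   ", path)
```

The threshold keeps a single stray 404 from flagging a normal visitor; the returned dict is in a shape that can be fed straight into a block list, a fail2ban-style jail, or a SIEM alert. Note the classic w00tw00t request usually ends in a 400 (it sends no Host header), so it will not appear in any error log that only records 5xx responses.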

Post #w00tw00t pwned..(1) The Evil Redirection Service

This is the main purpose of the attack, and it explains WHY this server has so many "weird" redirections.
This server itself was pwned and became a host for an evil redirection service, as in one of the directories below:

Inside the session or redirection:

Format of the redirection itself:

A simple grep to extract all redirections:

If you look inside the CGP.PHP file itself, it is a PHPSHELL v1.7:

Post #w00tw00t pwned..(2) The Network Attack Tool (Port scanner, DDoS, etc)

It is no surprise anymore to find an attack tool in a case like this; it seems to be part of the package actually. Below are the code snippets used for the attack (the snippets were cut and modified, so they are "neutralized"). File:

Below are the evil code snippets, for PoC purposes:

The Port Scanner:

The "Nmap"(?)

UDP Flood:

Backdoor, the "BackConnect"

Shell..

Preview video of the other hack toolkit packages used (evidence of the crime)

I cannot discuss the other toolkits found, as I am running out of time to write..there are so many of them!
But those tools really tell us a lot about what the MO of the hack is; you will see many toolsets with ELF binaries inside, some of them open source software being misused for this malicious purpose. To give a good overview of the other tools used, I opened the archives of those hack-tool packages one by one and recorded it in a video for you to view safely:

Who is the attacker?

The attack itself is controlled by a bad actor hidden behind an IRC connection. Below I disclose the attacker's configuration, containing the moron's source IP, user ID and the IRC channel used for the attack. Checkmate:

Moral of the story

1. Attacks that seem to come from country AAA might not really be coming from AAA; be careful about this.
2. What was stated as "Romanian Hacker" actually has the taste of skids from ANOTHER territory to me, judging by some keywords that were modified in the source code of the attacker script and other attack tools.
3. Harden your web server, and if you use old PHP... #PatchNow!

Kudoz to the Team Work!

MalMouse explains in his blog HOW WIDE the targeting of these attacks is:

Thank you my friend @MalwareMustDie Here is one, just like the other one!
http://t.co/52gI3NcSaT
#malwaremustdie.

— MalMouse (@malm0u53) October 20, 2013

Samples

The file size was huge and could not be uploaded to our mediafire.. so below is the alternative:

#MalwareMustDie - The #w00tw00t scripts are still available in the source,if you want to grab, be #quick b4 we #Tango http://t.co/4lz0pq13gu

— MalwareMustDie, NPO (@MalwareMustDie) October 20, 2013

#MalwareMustDie!
