
XOR.DDoS IOC

    While doing incident response for a client, I found a trojan that had brute-forced the root password of the SSH service, logged in to the server, and used a shell script to install the XOR.DDoS trojan.

    XOR.DDoS trojan IOC:


<ioc
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xmlns:xsd='http://www.w3.org/2001/XMLSchema'
    xmlns='http://schemas.mandiant.com/2010/ioc' id='f10bf10d-d808-46da-8c08-4743fdedf903' last-modified='2017-03-31T10:47:34.601Z'>
    <short_description>Modern Linux DDoS Bot with a Rootkit Twist</short_description>
    <description>Modern Linux DDoS Bot with a Rootkit Twist</description>
    <authored_by>XOR.DDoS_IOC</authored_by>
    <authored_date>2017-03-31T10:47:34.601Z</authored_date>
    <links/>
    <definition>
        <Indicator operator='OR' id='c6b9cb03-32fd-431c-8e24-3b913ff88f5c'>
            <IndicatorItem condition='contains' id='6450028f-76ce-47d7-af63-f2e3de59bc7e'>
                <Context document='FileItem' search='FileItem/Sha256sum' type='mir'/>
                <Content type='string'>5938fdb60b6c228d21ce2d06c4403c536991431f987a485a5f6395494bcf1ca4</Content>
            </IndicatorItem>
            <IndicatorItem condition='contains' id='e2cf84ba-a211-4ea4-9e89-17454b0bfd05'>
                <Context document='FileItem' search='FileItem/Sha256sum' type='mir'/>
                <Content type='string'>809583d45cebc830d229bb5177fccd8d46f90f073887e6090c55dc8440248220</Content>
            </IndicatorItem>
        </Indicator>
    </definition>
</ioc>
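The IOC above is an OpenIOC 1.0 document whose two IndicatorItems are SHA-256 file hashes joined by an OR. The following Python script is an added example (not part of the original post) that parses that document with the standard library, honours the `is` / `contains` condition semantics of each IndicatorItem, and hashes every file under a directory to report hits. The IOC text is embedded verbatim from this page so the script runs offline; the function and variable names are my own and nothing here is the author's tooling.

```python
"""Parse an OpenIOC 1.0 document for FileItem/Sha256sum indicators and scan a directory tree."""
import hashlib
import os
import sys
import xml.etree.ElementTree as ET

# OpenIOC 1.0 default namespace used by the IOC on this page.
OPENIOC_NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# The IOC document from the page, embedded so the example runs without network access.
XORDDOS_IOC = """<ioc xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xmlns:xsd='http://www.w3.org/2001/XMLSchema'
    xmlns='http://schemas.mandiant.com/2010/ioc' id='f10bf10d-d808-46da-8c08-4743fdedf903' last-modified='2017-03-31T10:47:34.601Z'>
  <short_description>Modern Linux DDoS Bot with a Rootkit Twist</short_description>
  <description>Modern Linux DDoS Bot with a Rootkit Twist</description>
  <authored_by>XOR.DDoS_IOC</authored_by>
  <authored_date>2017-03-31T10:47:34.601Z</authored_date>
  <links/>
  <definition>
    <Indicator operator='OR' id='c6b9cb03-32fd-431c-8e24-3b913ff88f5c'>
      <IndicatorItem condition='contains' id='6450028f-76ce-47d7-af63-f2e3de59bc7e'>
        <Context document='FileItem' search='FileItem/Sha256sum' type='mir'/>
        <Content type='string'>5938fdb60b6c228d21ce2d06c4403c536991431f987a485a5f6395494bcf1ca4</Content>
      </IndicatorItem>
      <IndicatorItem condition='contains' id='e2cf84ba-a211-4ea4-9e89-17454b0bfd05'>
        <Context document='FileItem' search='FileItem/Sha256sum' type='mir'/>
        <Content type='string'>809583d45cebc830d229bb5177fccd8d46f90f073887e6090c55dc8440248220</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""


def load_sha256_indicators(ioc_xml):
    """Return [(condition, sha256_hex_lowercase)] for every FileItem/Sha256sum IndicatorItem."""
    root = ET.fromstring(ioc_xml)
    items = []
    for item in root.iterfind(".//ioc:IndicatorItem", OPENIOC_NS):
        ctx = item.find("ioc:Context", OPENIOC_NS)
        content = item.find("ioc:Content", OPENIOC_NS)
        if ctx is None or content is None or ctx.get("search") != "FileItem/Sha256sum":
            continue
        value = (content.text or "").strip().lower()
        if value:  # an empty 'contains' pattern would match every file
            items.append((item.get("condition", "is"), value))
    return items


def sha256_of_file(path):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(condition, value, digest):
    """OpenIOC 'is' is exact equality; 'contains' (what this IOC uses) is a substring test,
    which for a full 64-hex-character digest behaves the same as 'is'."""
    if condition == "is":
        return digest == value
    if condition == "contains":
        return value in digest
    raise ValueError("unsupported condition: " + condition)


def scan_tree(ioc_xml, top):
    """Walk `top` and return [(path, sha256)] for files hitting any indicator (the Indicator is OR-joined)."""
    indicators = load_sha256_indicators(ioc_xml)
    hits = []
    for dirpath, _, filenames in os.walk(top):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning the rest
            if any(matches(cond, val, digest) for cond, val in indicators):
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    # Usage: python scan_xorddos.py /path/to/scan   (defaults to /, which is slow on a full host)
    for hit_path, hit_digest in scan_tree(XORDDOS_IOC, sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(hit_path, hit_digest)
```

Two practical notes: the IOC uses `condition='contains'` for a hash where `is` is the usual choice; with full-length digests the two are equivalent, but a truncated or empty Content under `contains` would over-match, which is why the parser drops empty values. Hashing is also the weakest part of this IOC, since XOR.DDoS samples are rebuilt frequently, so a scan that returns no hits does not clear a host that shows the SSH brute-force pattern described above.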
