Al Reaud
That is the lovely ALFA TEaM Shell you were probably infected with.
https://blog.sucuri.net/2020/11/alfa-team-shell-v4-1-tesla-a-feature-update-analysis.html

I’ve seen some scans recently originating from only four IP addresses, all apparent VMs in the US on MSFT. Somehow they believe they dropped something on my site, or are just generically rooting around. The logs show for one probe cycle (I’ve got them blocked so they get dropped now, after establishing the pattern of the queries):
20.196.128.67 - - [18/Sep/2022:14:04:49 +0000] "POST /wp-plain.php HTTP/1.1" 404 40378 "www.google.com" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
20.196.128.67 - - [18/Sep/2022:14:04:50 +0000] "GET /zkcqkcrr.php?Fox=d3wL7 HTTP/1.1" 404 35657 "www.google.com" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
20.196.128.67 - - [18/Sep/2022:14:22:23 +0000] "POST /ALFA_DATA/alfacgiapi/perl.alfa HTTP/1.1" 404 40378 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
20.196.128.67 - - [18/Sep/2022:14:22:23 +0000] "POST /alfacgiapi/perl.alfa HTTP/1.1" 404 35657 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
What’s funny about this one is that it says it is a “Samsung Galaxy”, I believe; however, nmap only finds port 3389 open, “Microsoft Terminal Server (RDP)”… [rolleyes]
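The pattern the post describes (ALFA-shell paths plus a consistently misspelled Android user agent, all from one IP) can be turned into a small access-log check. The following is an added example, not code from the post or from any project: it parses combined-format log lines, flags requests whose path uses the ALFA shell's own naming (`ALFA_DATA`, `alfacgiapi`, `.alfa`) or whose user agent carries the typos seen in the post's probes, and groups the hits by client IP so that an IP crossing a threshold can be fed to a blocklist. The sample log embeds the four lines from the post plus one constructed benign line from a made-up address; treating the user-agent typos as a fingerprint is this example's assumption, not a published signature.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format:
#   ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-path indicators tied to the ALFA shell's own naming, as seen in the post's logs:
# the ALFA_DATA directory, the alfacgiapi directory, and the .alfa extension.
ALFA_PATH_RE = re.compile(r'/ALFA_DATA/|/alfacgiapi/|\.alfa(?:$|\?)', re.IGNORECASE)

# The post's probes all carry the same misspelled Android user agent
# ("Mozlila", "Bulid", "Moblie"). Using these typos as a fingerprint is an
# assumption of this example, not a published signature.
UA_TYPO_RE = re.compile(r'Mozlila|Bulid/|Moblie Safari')

# Constructed sample: the four lines quoted in the post, plus one benign request
# from a documentation-range address (203.0.113.5) that must NOT be flagged.
SAMPLE_LOG = "\n".join([
    '20.196.128.67 - - [18/Sep/2022:14:04:49 +0000] "POST /wp-plain.php HTTP/1.1" 404 40378 "www.google.com" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"',
    '20.196.128.67 - - [18/Sep/2022:14:04:50 +0000] "GET /zkcqkcrr.php?Fox=d3wL7 HTTP/1.1" 404 35657 "www.google.com" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"',
    '203.0.113.5 - - [18/Sep/2022:14:05:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"',
    '20.196.128.67 - - [18/Sep/2022:14:22:23 +0000] "POST /ALFA_DATA/alfacgiapi/perl.alfa HTTP/1.1" 404 40378 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"',
    '20.196.128.67 - - [18/Sep/2022:14:22:23 +0000] "POST /alfacgiapi/perl.alfa HTTP/1.1" 404 35657 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"',
])


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def indicators(entry):
    """List the indicator names a parsed entry triggers; an empty list means nothing suspicious."""
    hits = []
    if ALFA_PATH_RE.search(entry["path"]):
        hits.append("alfa-path")
    if UA_TYPO_RE.search(entry["ua"]):
        hits.append("ua-typos")
    return hits


def scan(log_text):
    """Map each client IP to a list of (path, indicators) for its suspicious requests."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash on it
        hits = indicators(entry)
        if hits:
            by_ip[entry["ip"]].append((entry["path"], hits))
    return dict(by_ip)


def block_candidates(log_text, min_requests=2):
    """IPs with at least min_requests suspicious requests: the threshold keeps a single
    stray 404 from landing someone on the drop-list."""
    return sorted(ip for ip, reqs in scan(log_text).items() if len(reqs) >= min_requests)


if __name__ == "__main__":
    for ip, reqs in scan(SAMPLE_LOG).items():
        print(ip)
        for path, hits in reqs:
            print("  ", path, hits)
    print("block:", block_candidates(SAMPLE_LOG))
```

Only the post's scanner IP comes out of `block_candidates`; the benign constructed request is parsed but triggers no indicator. In production the same functions can be run over the live access log and the resulting list handed to the firewall or web-server deny rules.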