Thursday, March 30, 2006

I have been tracking since early last week a large number of web hosts that have been compromised by some web worm. I don't have the details of the worm, but I do have a list of machines that have been compromised since 24 March. Most are running one of the following:

Wordpress
PHP-NUKE
Cpanel
XHP CMS
PHPKIT
PHPSysinfo

I became aware of the worm when someone informed me that they thought a file on my homepage might be in use by attackers. The files in question were made available from a write-up I did about a compromised host earlier this year (available from http://www.ecs.soton.ac.uk/~cet/2006-01-01.html). The file that was being targeted was a Perl DDoS script that had been recovered from the compromised host.
Following the tip-off I grepped the web server logs for hosts fetching that file with wget. There were lots, but I couldn't be sure whether these were genuine requests or a worm.
So I decided to switch the script for something a little different. I knew from experience that worms like these download files in an automated fashion and don't check the content, so rather than a DDoS tool I changed the contents of udp.pl to:
#!/usr/bin/perl -w
use strict;
use IO::Socket;

# Harmless replacement for udp.pl: all it does is request a file that
# does not exist, so the web server logs (and Snort) record who ran it.
my $host     = 'www.ecs.soton.ac.uk';
my $path     = '/~cet/';
my $dst_port = 80;
my $file     = 'gotcha.txt';
my $uri      = $path.$file;   # the request line takes the path, not the host name

my $sock = IO::Socket::INET->new(PeerAddr => $host,
                                 PeerPort => $dst_port,
                                 Proto    => 'tcp')
    or die "connect to $host:$dst_port failed: $!";
print $sock 'GET '.$uri." HTTP/1.0\r\n";
print $sock 'Host: '.$host."\r\n\r\n";
close($sock);

When executed, the script simply requests the file www.ecs.soton.ac.uk/~cet/gotcha.txt.
The web server is well monitored using Snort + Sguil, so I also wrote a Snort rule to alert me to anyone trying to access the file (which doesn't actually exist):
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"UDP.pl execution"; flow: to_server,established; uricontent:"~cet/gotcha.txt"; nocase; sid: 999666999;)
Since the rule went up, over 50 IPs have tried to access gotcha.txt.
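The two log checks described above, grepping for wget fetches of udp.pl and then counting hits on the gotcha.txt honeytoken, can be done together in one pass over the access log. The following is an added example, not the author's code: it assumes Apache combined log format, that the swapped-in udp.pl sends no User-Agent header (so the server logs it as "-"), and uses constructed log lines with documentation-range IP addresses rather than anything from the real server. An IP that fetched udp.pl with wget and later requested gotcha.txt is treated as a confirmed automated execution; a browser fetch with a referer from the write-up page is left in a separate bucket.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (not from the original server).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2006:02:14:07 +0000] "GET /~cet/udp.pl HTTP/1.0" 200 1842 "-" "Wget/1.10.2"
203.0.113.5 - - [25/Mar/2006:02:14:09 +0000] "GET /~cet/gotcha.txt HTTP/1.0" 404 291 "-" "-"
198.51.100.77 - - [25/Mar/2006:03:01:44 +0000] "GET /~cet/udp.pl HTTP/1.0" 200 1842 "-" "Wget/1.9.1"
192.0.2.9 - - [25/Mar/2006:09:30:12 +0000] "GET /~cet/2006-01-01.html HTTP/1.1" 200 9120 "http://www.google.com/" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"
192.0.2.9 - - [25/Mar/2006:09:30:40 +0000] "GET /~cet/udp.pl HTTP/1.1" 200 1842 "http://www.ecs.soton.ac.uk/~cet/2006-01-01.html" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"
198.51.100.77 - - [26/Mar/2006:03:02:01 +0000] "GET /~cet/gotcha.txt HTTP/1.0" 404 291 "-" "-"
203.0.113.5 - - [26/Mar/2006:11:45:33 +0000] "GET /~cet/gotcha.txt HTTP/1.0" 404 291 "-" "-"
this line is not a valid log record
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

LURE_PATH = "/~cet/udp.pl"       # the file the worm downloads
TOKEN_PATH = "/~cet/gotcha.txt"  # the non-existent file the swapped script requests


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text):
    """One pass over the log: who fetched the lure with wget, who fetched it with a
    browser, and who later tripped the honeytoken. Returns sets of source IPs."""
    fetched_by_wget = set()
    fetched_by_browser = set()
    token_hits = defaultdict(int)  # ip -> number of gotcha.txt requests
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # never silently drop unparsed lines; report the count
            continue
        if rec["path"] == LURE_PATH:
            if rec["ua"].lower().startswith("wget"):
                fetched_by_wget.add(rec["ip"])
            else:
                fetched_by_browser.add(rec["ip"])
        elif rec["path"] == TOKEN_PATH:
            # Assumption: the replacement udp.pl sends no User-Agent, so UA is "-"
            token_hits[rec["ip"]] += 1
    return {
        "wget_fetchers": fetched_by_wget,
        "browser_fetchers": fetched_by_browser,
        "token_hitters": set(token_hits),
        "token_hit_counts": dict(token_hits),
        # fetched the lure in an automated way AND executed it: confirmed worm activity
        "confirmed": fetched_by_wget & set(token_hits),
        "unparsed_lines": skipped,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feeding a real access log in is a matter of replacing SAMPLE_LOG with the file contents; the "confirmed" set is the list worth notifying the owners of, while "browser_fetchers" is the expected noise from people reading the write-up.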

Wednesday, March 22, 2006

Last night I watched Lance James's excellent presentation, Trojans and Botnets and Malware, Oh My!

During the presentation I learned of a sandnet tool called Truman being distributed for free by lurhq.com, so I downloaded the tools. When I unpacked the PXE client, to my surprise the software looked very familiar: it was my PXE Windows Image Using Linux client that I build and distribute.
I searched through all the documentation for an acknowledgement but turned up nothing. So I emailed the 'author', Joe Stewart, and he sent a response back pretty quickly:

Hey Chas,
Sorry for the oversight - I built my original sandnet system over a year ago, not intending to make it a public project. When I did decide to release it, I cobbled up the various sources on the production machine, but had since deleted and forgotten where I obtained the original ramdisk image that I built on top of. I'll make sure you get credited on the website and in the distribution for your part.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/

Well, I'm glad it's being used. If you want to check out the sandnet toolkit, go grab it from

http://www.lurhq.com/truman/

Saturday, February 25, 2006

First post! This morning saw a new turn in the Linux worm: a new script is being distributed via 219.84.105.36/supina. It uses a pre-compiled binary backdoor, a Perl backdoor and also a scanning engine (which is compiled).

The scanning engine is called httpd, as in previous versions:

Report on httpd:
MD5: f06095d0fe7cfa389fc4aece9d2afb13
BitDefender: Worm.Linux.Mare.B
ClamAV: No Virus Found
F-Prot: No Virus Found

It seems to have a UDP communications channel to the IP addresses:
81.223.104.152
24.224.174.18