Thursday, March 30, 2006

Since early last week I have been tracking a large number of web hosts that have been compromised by some web worm. I don't have the details of the worm itself, but I do have a list of machines that have been compromised since 24th March. Most are running one of the following;


I became aware of the worm when someone told me they thought a file on my homepage might be being used by attackers. The files in question were made available as part of a write-up I did about a compromised host earlier this year (available from The file being targeted was a Perl DDoS tool that had been recovered from the compromised host.
Following the tip-off I grepped the web server logs for hosts fetching that file with wget. There were lots, but I couldn't tell whether they were genuine requests or the worm.
So I decided to swap the script for something a little different. I knew from experience that worms like this download files in an automated fashion and never check the content, so rather than a DDoS tool I replaced the contents of with;
#!/usr/bin/perl -w
use strict;
use IO::Socket;

my $host     = '';            # beacon host (elided on this page)
my $path     = '/~cet/';
my $dst_port = 80;
my $file     = 'gotcha.txt';  # the file does not exist; any request for it is the tell
my $url      = $path.$file;   # request-URI only; the Host header carries $host

# Bail out loudly if the connection fails rather than printing to an undefined handle.
my $sock = IO::Socket::INET->new(PeerAddr => $host,
                                 PeerPort => $dst_port,
                                 Proto    => 'tcp')
    or die "connect to $host:$dst_port failed: $!";

# HTTP lines end in CRLF and the headers end with an empty line.
print $sock "GET $url HTTP/1.0\r\n";
print $sock "Host: $host\r\n\r\n";
close $sock;

When executed, the script just tries to fetch a file from
The web server is closely monitored with Snort and Sguil, so I also wrote a Snort rule to alert me to anyone requesting the file (which doesn't actually exist, so every hit is a host that fetched and ran the swapped script).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:" execution"; flow: to_server,established; uricontent:"~cet/gotcha.txt"; nocase; sid: 999666999;)
Since the rule went up, over 50 distinct IPs have tried to access gotcha.txt (hosts behind a shared NAT address are undercounted, of course).
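The same check can be made from the web server logs alone, without Snort: the hosts that fetched the bait and then requested gotcha.txt are the ones that actually ran it, while hosts that only fetched it were probably humans reading the write-up. The script below is an added example and is not from the original post; it is in Python rather than the Perl used above so that it can be run stand-alone. The log lines are constructed for the example, and the bait file name ddos.pl is an assumption (the real name is elided on the page).

```python
import re

# Constructed Apache "combined" log lines for the example; not real server logs.
# 203.0.113.5 and 198.51.100.7 fetch the bait with wget and then beacon (ran it),
# 192.0.2.33 fetches it with a browser and never beacons (a human reader),
# 192.0.2.44 beacons without ever fetching from us (ran a copy obtained elsewhere),
# and the last line is garbage the parser must skip.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2006:10:01:12 +0000] "GET /~cet/ddos.pl HTTP/1.0" 200 512 "-" "Wget/1.10.2"
203.0.113.5 - - [30/Mar/2006:10:01:40 +0000] "GET /~cet/gotcha.txt HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [30/Mar/2006:10:05:03 +0000] "GET /~cet/ddos.pl HTTP/1.0" 200 512 "-" "Wget/1.9"
192.0.2.33 - - [30/Mar/2006:10:07:55 +0000] "GET /~cet/ddos.pl HTTP/1.1" 200 512 "http://example.org/" "Mozilla/5.0"
192.0.2.33 - - [30/Mar/2006:10:07:58 +0000] "GET /~cet/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Mar/2006:10:09:30 +0000] "GET /~cet/gotcha.txt HTTP/1.0" 404 287 "-" "-"
192.0.2.44 - - [30/Mar/2006:10:11:02 +0000] "GET /~cet/GOTCHA.TXT HTTP/1.0" 404 287 "-" "-"
this line is not a log entry
"""

# Apache combined log format: ip ident user [ts] "method uri proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

BAIT_URI = "/~cet/ddos.pl"          # assumed name of the swapped script
BEACON_FRAGMENT = "~cet/gotcha.txt"  # same substring the snort uricontent matches


def parse_log(text):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(text):
    """Split source IPs into those that fetched the bait and those that sent the beacon."""
    fetched, fetched_by_wget, beaconed = set(), set(), set()
    for rec in parse_log(text):
        uri = rec["uri"].lower()  # case-insensitive, like the rule's "nocase"
        if uri == BAIT_URI.lower():
            fetched.add(rec["ip"])
            if rec["ua"].lower().startswith("wget"):
                fetched_by_wget.add(rec["ip"])
        elif BEACON_FRAGMENT in uri:
            # Substring match tolerates a malformed request-URI such as "host/~cet/gotcha.txt".
            beaconed.add(rec["ip"])
    return fetched, fetched_by_wget, beaconed


def report(text):
    """Correlate fetch and beacon events per source IP."""
    fetched, fetched_by_wget, beaconed = classify(text)
    return {
        "executed": sorted(fetched & beaconed),        # fetched the bait, then ran it
        "fetched_only": sorted(fetched - beaconed),    # downloaded, never ran (likely human)
        "beacon_only": sorted(beaconed - fetched),     # ran a copy obtained elsewhere
        "wget_fetchers": sorted(fetched_by_wget),      # what the original grep would show
        "beacon_ips": len(beaconed),                   # what the snort rule counts
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real access log instead of SAMPLE_LOG (for example `report(open("/var/log/apache2/access.log").read())`) to get the same breakdown the Snort counter gives, plus the "fetched but never beaconed" set that the rule alone cannot see.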

Wednesday, March 22, 2006

Last night I watched Lance James's excellent presentation, Trojans and Botnets and Malware, Oh My!

During the presentation I learned of a sandnet tool called Truman being distributed for free by, so I downloaded the tools. When I unpacked the PXE client, to my surprise the software looked very familiar: it was my PXE Windows Image Using Linux client that I built and distribute.
I searched through all the documentation for an acknowledgement but turned up nothing, so I emailed the 'author', Joe Stewart, and he sent a response back pretty quickly;

Hey Chas,
Sorry for the oversight - I built my original sandnet system over a year ago, not intending to make it a public project. When I did decide to release it, I cobbled up the various sources on the production machine, but had since deleted and forgotten where I obtained the original ramdisk image that I built on top of. I'll make sure you get credited on the website and in the distribution for your part.


Joe Stewart, GCIH
Senior Security Researcher

Well, I'm glad it's being used. If you want to check out the sandnet tool kit, go grab it from

Saturday, February 25, 2006

First post! This morning saw a new turn in the Linux worm: a new script is being distributed via; This one uses a precompiled binary backdoor, a Perl backdoor and a scanning engine (also compiled).

The scanning engine is called httpd, as in previous versions;

Report on httpd -********************************************
MD5: f06095d0fe7cfa389fc4aece9d2afb13
BitDefender: Worm.Linux.Mare.B
ClamAV: No Virus Found
F-Prot: No Virus Found

It seems to have a UDP communications channel to the following IP addresses;