Thursday, March 30, 2006

I have been tracking since early last week a large amount of web hosts that have been compromised by some web worm. I don't have the details of the worm but I do have a list of machines that have been compromised since the 24th March. Most are running one of the following;


I became aware of the worm when someone informed me that they thought a file on my homepage might be in use by attackers. The files in question were made available from a write up I did about a compromised host earlier this year (available from The file that was being targeted was a perl script DDoS tool that had been recovered from the compromised host.
Following the tip off I grepped the web server logs for hosts accessing that file using wget, and there were lots, however I couldn't be sure that these were genuine requests or a worm.
So I decided that I would switch the script for something a little different, I knew from experience that worms like these will be downloading files in an automated fashion and won't check the content. So rather than a DDoS tool I changed the contents of for;
#!/usr/bin/perl -w
use strict;
use IO::Socket;
my $host = '';
my $path = '/~cet/';
my $dst_port = '80';
my $file = 'gotcha.txt';
my $url = $host.$path.$file;
my $sock = new IO::Socket::INET(PeerAddr => $host,
PeerPort => $dst_port,
Proto => 'tcp');
print $sock 'GET '.$url." HTTP/1.0\n";
print $sock "Host: ".$host."\n\n";

When executed the script will just try and get a file from
The web server is well monitored using snort + sguil so I also wrote a snort rule to alert me to anyone trying to access the file, (which doesn't actually exist).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:" execution"; flow: to_server,established; uricontent:"~cet/gotcha.txt"; nocase; sid: 999666999;)
Since the rule went up over 50 IP's have tried to access gotcha.txt.


Post a Comment

<< Home