phpBB bots/worms

Published: 2006-04-19. Last Updated: 2006-04-19 20:58:31 UTC
by Johannes Ullrich (Version: 1)
If you run phpBB, you are probably familiar with bots attempting to attack your site. Typically, you will find entries in your web log like the following:
viewtopic.php? [...] &highlight=%2527%252esystem(chr(99)%252echr [...]

I omitted the long string of URL encoded hex characters. If you run phpBB, grep your Apache access log for 'viewtopic.php', 'highlight' and 'system':

grep viewtopic < access_log | grep highlight | grep system

Now the part you are interested in is what the bot attempts to execute as part of the "system" call. To decode it quickly, use php's "urldecode" function. Open a shell and enter the following (php reads the script from standard input; the opening <?php tag is required, and you end the input with Ctrl-D):

$ php -e
<?php
print urldecode(" ... [paste gibberish here ] ... ");
?>

Make sure you do not copy any quote characters into the string, since they would terminate the PHP string literal early. Note that the parameter is double URL encoded: %2527 decodes to %27, which in turn decodes to a single quote. PHP decodes the query string once when it builds the request variables, and the vulnerable phpBB viewtopic.php called urldecode() on the highlight parameter a second time, which is what let the quote break out of the string. You may therefore need to run urldecode twice before the output is readable. The decoded string will likely reveal an ftp command, and with it the location of the actual bot code. Let us know what you find. I posted a quick analysis of a typical phpBB bot here  Important: a few users reported Antivirus alerts after clicking this URL. Since it quotes parts from the bot, it likely triggers some signatures. However, the page will not execute any malware (trust me ;-) )

These bots all work very much alike:

  1. search google for vulnerable systems
  2. send the exploit
  3. the exploit triggers the download and execution of a perl script
  4. the perl script joins an IRC channel and waits for commands.
Typically, the bot is able to launch DDoS attacks, execute local system commands and infect other phpBB systems. In the particular sample analyzed above, the bot makes an attempt to fix the actual vulnerability. Whether this succeeds depends on the bot's ability to write to the phpBB files (after all, the bot runs as the apache user, and your phpBB files should not be writable by that user).
A couple of simple countermeasures to keep in mind:
  • First of all, don't forget to patch your systems. It's all too easy to forget random web applications like phpBB.
  • Make /tmp a non-executable partition (and link /usr/tmp and /var/tmp to it). It's not perfect, but most web based exploits need a place to write their files to, and /tmp is the most common location available.
  • Block outbound ftp/web traffic from your web server. Many web servers do not need outbound traffic on port 80/21, and the bot's download step fails without it.
  • Run php in "safe mode".
  • For extra credit: chroot apache (not all that easy, but very effective once it is done).
  • Use mod_security (thanks to Ramon for reminding me about mod_security. It's GGGrreat!)
And don't forget: these bots will run on any platform which has php and perl installed. You may see them on Linux, OS X, Solaris ... maybe even Windows if the bot gets the paths right.
