The Linux Community Forum

Tech Zone => Security => Topic started by: kirrus on September 29, 2010, 02:45:57 pm

Title: IRC-based Botnet (phpmyadmin injection)
Post by: kirrus on September 29, 2010, 02:45:57 pm
Somebody has been trying to infect servers running old versions of phpmyadmin. They dumped a perl script in, which takes over port 80. (Dumb really, fast way to alert what you've done to a sysadmin, on monitored boxes).

The script then talks to an IRC channel, and those on the channel can run commands against the botnet.

No script examples this time, but a good reason to keep your phpmyadmin either upgraded or behind basic HTTP auth. This particular example gained a few hundred bots, afaik.
Title: Re: IRC-based Botnet (phpmyadmin injection)
Post by: kirrus on September 29, 2010, 10:52:31 pm
Found some code today. Here's some heavily edited extracts, so you can see what they've been up to. I've totally mangled the code, don't trust it. All in perl. This is actually pretty basic, not that advanced at all. Most modern botnets, for example, do not use IRC as their C&C.

So, apparently, this is a "unix" perlbot, made by zew at some irc channel in 2009.

First, the config. Pretty basic.

Code:
my $hidd = '/usr/sbin/httpd -k start';
my $lin_max='4';
my $sleep='5';
my @admins=("io***","a***","********","hack");
my @hostauth=("io***.ro","a***.ro");
my @channels=("#io***");
my $nick='Le*****';
my $icname ='Le*****';
my $rname = '{stuff}!';
my $server='irc.whoknows.com';
my $port='guess';
Massive snip, and we get to the part where it sets its own process name, and swaps around to that process:
Code:
$0="$hiddx16;
my $pid=fork;
exit of $pid;
die "fork problem: $!" unless defined($pid);
Even more snip. Here we skip IRC stuff, connecting to servers, listening for commands, all that fun joyous code.

One of its functions is a port scan. It will run this on your target(s) of choice, against these (curtailed) ports:
Code:
"21","22","23","25","80","113","135","443","445","5900","5901","6667","8080","1080"
If you're running an anti-portscanner program (portsentry), off you go, have fun.

The other fun functions built in are:
tcp flood
http flood
udp flood
another udp flood function
As well as allowing any shell command to be executed, of course.

If you want the full script itself, PM me your email address, and credentials. I'll not send it to just anyone.
Title: Re: IRC-based Botnet (phpmyadmin injection)
Post by: Mad Penguin on October 01, 2010, 01:57:17 pm
Ok, here's the "how to stay safe" recommendation:

*Never* run PHPMYADMIN on an open port/address, always tie it down to a static IP address or use it in conjunction with OpenVPN or similar.

Indeed, to all those of you who are running SSH on open IPs - Arhrhrhrhrhrhrh!   :o
Title: Re: IRC-based Botnet (phpmyadmin injection)
Post by: kirrus on October 01, 2010, 11:30:09 pm
Feel sorry for everyone who runs a shared box.  Which reminds me, new thread about shared systems coming up..
SimplePortal 2.3.3 © 2008-2010, SimplePortal