Author Topic: IRC-based Botnet (phpmyadmin injection)  (Read 7233 times)


Offline kirrus

  • Full Member
  • ***
  • Posts: 133
  • Karma: 2
  • Sysadmin / Linux Tech Support
    • Kirrus' Blog
IRC-based Botnet (phpmyadmin injection)
« on: September 29, 2010, 02:45:57 pm »
Somebody has been trying to infect servers running old versions of phpmyadmin. They dumped a perl script in, which takes over port 80. (Dumb really, a fast way to alert a sysadmin to what you've done, on monitored boxes.)

The script then talks to an IRC channel, and those on the channel can run commands against the botnet.

No script examples this time, but a good reason to keep your phpmyadmin either upgraded or behind basic HTTP auth. This particular example gained a few hundred bots, afaik.

Offline kirrus
Re: IRC-based Botnet (phpmyadmin injection)
« Reply #1 on: September 29, 2010, 10:52:31 pm »
Found some code today. Here are some heavily edited extracts, so you can see what they've been up to. I've totally mangled the code, don't trust it. All in Perl. This is actually pretty basic, not that advanced at all. Most modern botnets, for example, do not use IRC for their C&C.

So, apparently, this is a "unix" perlbot, made by zew at some IRC channel in 2009.

First, the config. Pretty basic.

Code:
my $hidd = '/usr/sbin/httpd -k start';   # fake command line written into $0 so ps shows an apache worker
my $lin_max='4';                         # lines sent to IRC per burst before sleeping
my $sleep='5';                           # seconds to sleep between bursts
my @admins=("io***","a***","********","hack");   # IRC nicks allowed to issue commands
my @hostauth=("io***.ro","a***.ro");     # hostmasks those nicks must come from
my @channels=("#io***");                 # C&C channel(s) to join
my $nick='Le*****';                      # bot nick
my $icname ='Le*****';                   # ident/ircname
my $rname = '{stuff}!';                  # "real name" field
my $server='irc.whoknows.com';           # C&C server
my $port='guess';
Massive snip, and we get to the part where it sets its own process name, and swaps around to that process:
Code:
$0 = "$hidd" . "\0" x 16;   # overwrite argv[0] with the fake httpd command line, NUL-padded so nothing else shows in ps (reconstructed from the mangled extract)
my $pid = fork;
exit if $pid;               # parent exits; the child carries on in the background
die "fork problem: $!" unless defined($pid);
Even more snip. Here we skip IRC stuff, connecting to servers, listening for commands, all that fun joyous code.

One of its functions is a port scan. It will run this on your target(s) of choice, against these (curtailed) ports:
Code:
"21","22","23","25","80","113","135","443","445","5900","5901","6667","8080","1080"
If you're running an anti-portscanner program (portsentry), off you go, have fun.

The other fun functions built in are:
tcp flood
http flood
udp flood
another udp flood function
As well as allowing any shell command to be executed, of course.

If you want the full script itself, PM me your email address, and credentials. I'll not send it to just anyone.
« Last Edit: September 29, 2010, 10:56:15 pm by kirrus »
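
The $0 trick in the extract above is cheap to spot from the other side: /proc/<pid>/cmdline carries whatever the bot wrote into $0, but /proc/<pid>/exe still points at the real perl binary. The check below is an added example for this thread, not code from the bot or from the poster. The interpreter list, the process table used as sample input and the helper names are assumptions constructed for the example; the /proc walk is Linux-only.

```python
"""Flag processes whose argv[0] claims to be one binary (for instance the
"/usr/sbin/httpd -k start" string the perlbot writes into $0) while the
executable actually mapped as the process image is a script interpreter.

Added example for the forum thread; not the bot's code and not the poster's.
"""
import os
import re

# Interpreters a masquerading bot is usually run by (assumption: extend to taste).
INTERPRETERS = re.compile(r"^(perl|python|ruby|sh|bash|dash)[0-9.]*$")


def claimed_name(cmdline: str) -> str:
    """First argv word of a /proc/<pid>/cmdline string (words are NUL-separated)."""
    return cmdline.split("\0", 1)[0]


def is_masquerading(cmdline: str, exe: str) -> bool:
    """True when argv[0] names a binary other than the one really running
    and the real image is a script interpreter."""
    claimed = os.path.basename(claimed_name(cmdline))
    real = os.path.basename(exe)
    if not claimed or not real:
        return False          # kernel threads, zombies, unreadable entries
    # "perl" vs "perl5.30" style differences are not spoofing
    if claimed == real or real.startswith(claimed) or claimed.startswith(real):
        return False
    return bool(INTERPRETERS.match(real))


def find_masquerading(entries):
    """entries: iterable of (pid, cmdline, exe). Returns the pids that look spoofed."""
    return [pid for pid, cmdline, exe in entries if is_masquerading(cmdline, exe)]


def read_proc():
    """Walk /proc and yield (pid, cmdline, exe); entries we may not read are skipped."""
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue
        yield int(name), cmdline, exe


# Constructed sample process table, modelled on what /proc shows after the $0 trick.
SAMPLE = [
    (1234, "/usr/sbin/httpd -k start\0", "/usr/bin/perl"),        # the bot
    (2001, "/usr/sbin/httpd\0-k\0start\0", "/usr/sbin/httpd"),    # genuine apache
    (2010, "perl\0/home/web/cron.pl\0", "/usr/bin/perl"),         # honest perl job
    (2020, "/bin/bash\0", "/bin/bash"),
]

if __name__ == "__main__":
    source = list(read_proc()) if os.path.isdir("/proc") else SAMPLE
    for pid in find_masquerading(source):
        print(f"pid {pid}: cmdline names one binary, exe is an interpreter")
```

Run it as root on the box in question so every /proc/<pid>/exe link is readable; unprivileged it silently skips other users' processes. A perl bot that also binds port 80 would additionally show up in `ss -ltnp` as a perl process owning the socket, which is the other quick cross-check.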

Offline Mad Penguin

  • Administrator
  • Hero Member
  • *****
  • Posts: 1420
  • Karma: 10018
  • Gender: Male
    • Linux in the UK
Re: IRC-based Botnet (phpmyadmin injection)
« Reply #2 on: October 01, 2010, 01:57:17 pm »
Ok, here's the "how to stay safe" recommendation:

*Never* run phpMyAdmin on an open port/address; always tie it down to a static IP address or use it in conjunction with OpenVPN or similar.

Indeed, to all those of you who are running SSH on open IPs - Arhrhrhrhrhrhrh!   :o
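
What that recommendation (and the "behind basic HTTP auth" point earlier in the thread) looks like in an Apache 2.4 vhost, as an added example rather than anything from the posters: the open setting beside the locked-down one. The install path /usr/share/phpmyadmin, the admin address 203.0.113.10 and the 10.8.0.0/24 OpenVPN subnet are assumptions for the example; substitute your own.

```apache
# Weak: phpMyAdmin reachable by anyone who can reach the web port.
# (Shown for contrast; do not leave this in place.)
# Alias /phpmyadmin /usr/share/phpmyadmin
# <Directory /usr/share/phpmyadmin>
#     Require all granted
# </Directory>

# Hardened: caller must come from an admin IP or the VPN subnet AND pass
# HTTP basic auth before phpMyAdmin's own login page is even served.
# Create the password file once with:  htpasswd -c /etc/apache2/.pma-htpasswd admin
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
    AllowOverride None
    Options -Indexes
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.pma-htpasswd
    <RequireAll>
        Require ip 203.0.113.10 10.8.0.0/24
        Require valid-user
    </RequireAll>
</Directory>
```

Basic auth only protects the credentials if the vhost is HTTPS-only, so pair this with a redirect from port 80; and keep phpMyAdmin itself upgraded, since the IP restriction does nothing against an attacker who already has a foothold on the allowed network.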

Offline kirrus
Re: IRC-based Botnet (phpmyadmin injection)
« Reply #3 on: October 01, 2010, 11:30:09 pm »
Feel sorry for everyone who runs a shared box.  Which reminds me, new thread about shared systems coming up..
