lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1UkgSh-000DyU-Hx@internal.tormail.org>
Date: Thu, 6 Jun 2013 20:07:07 -0000
From: jtagtgc@...mail.org
To: full-disclosure@...ts.grok.org.uk
Subject: Botnet using Plesk vulnerability and takedown

Today while investigating the Plesk/Apache Remote Code Execution
vulnerability disclosed by Kingcope, we uncovered what appeared to be a
sizeable botnet leveraging this vulnerability to infect webservers with a
malicious IRC bot written in Perl; a loosely modified version of a
publicly known tool.

A sample of the aforementioned bot has been attached.

We analysed the bot sample, and we discovered it was connecting to an IRC
server at [redacted].no-ip.biz, which appeared to redirect to a
compromised host in the 118.97.x.x range.

The IRC server on this host refused our attempts to connect to it,
claiming its connection limit had been exceeded. However, the server was
vulnerable to an exploit (which Kingcope has also released a PoC for) that
has been used widely to compromise hosts in the wild.

We made use of this vulnerability to gain privileged access to the C&C
server. After doing so, we monitored attempts to connect to the IRCd for
several hours, while performing forensics.

A large list of hosts believed to be infected was generated from the data
gathered, and probed in an automated fashion for vulnerable Plesk
installations.

Over 900 hosts attempting to connect were running vulnerable Plesk
installations, confirming our suspicion that the Plesk exploit was how
this malware was spreading; based on our estimates, about 40 hosts were
being infected an hour, which we found intolerable.

A tool to disinfect the compromised hosts was then written, along with a
tool that automatically used the Plesk exploit to upload and execute the
removal script. Both of these are attached.

We ran our tools, the bots were purged from all infected hosts, and the
internet became a safer place for children.
It's likely that other, similar botnets will be developed, which is the
reason for this post; please feel free to make use out of our scripts to
handle any similar outbreaks.

Best Regards,
jtag & `0
RepoCERT, Your Botnet Repossession Agency.
Download attachment "ircbot.pl" of type "application/x-perl" (17822 bytes)

View attachment "botslayer.py" of type "text/x-python" (1642 bytes)

Download attachment "clean.pl" of type "application/x-perl" (381 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ