Threat Intel | PHP Brute Forcer

26 February 2015

Following up with my last post about trying to identify/elaborate on the actors targeting my honeypot, I wanted to write another quick post about some new activity I discovered today. This wasn't as exciting as I hoped, but, for the sake of writing, and improving my skills, I wanted to put something up about this guy.

The actor in question came from, 41.138.184.73 based out of Nigeria.

"

When the actor gets on the box he uses wget to grab the file http://mrunix.free.fr/ssh1.tar (md5: ac6833938336d19e57082a8bdc444fb4)

Inside the folder that gets extracted (/scanbun) there are 64 files that get extracted.

Starting with pass_file (a1e42df1eb77ac9e2be81c287f9fab15):
This file containts 12,921 different usernames and password combinations

Next up, is a linux executable called ps (a7001e857219d7cc063f670f2f8f7195), which is a POP3 scanner/brute forcer.

root@kali:/tmp# ./ps
Port Scanu Se Foloseste: ./ps <b-block> <port> [c-block]

With this file, there is another file called start, (1b9fc10b4bf6417606c61e5ef30669f1) which is a shell script that calls the ps executable to run. Looking at the code for it, it's a POP3 Bruteforcer, by (val) Rsx200

#!/bin/bash
echo "POP3 BruteForce"
echo "By(val) Rsx200"
./ps $1 25
sleep5
echo "Doing BruteForce..."

cat $1.pscan.25 | sort | uniq > mfu.txt
CONTOR=0
for i in `cat mfu.txt`
do
CONTOR=`ps aux | grep -c php`

while [ $CONTOR -ge 150 ];do
CONTOR=`ps aux | grep -c php`
echo "Sleeping"
sleep 5
done

if [ $CONTOR -le 150 ]; then
php sesion.php $i > /dev/null &
fi

done

The file will run the ps executable on a variable and on Port 25. It will print the contents of a file which contains IP addresses to a new file, mfu.txt (d41d8cd98f00b204e9800998ecf8427e). It will then try to run a php script (sesion.php, 6eaeebe9dc22593ad11946fc600973cc) against each IP. The file imposes some sort of rate limiting by counting the number of occurrences of php running. This limit is set to 150 instances of php at a time according to the file.

When the attacker runs the file, he needs to specify the targets, which are included in one of the many different filenames, like 166.130.pscan.25, or 24.250.pscan.25.

The sesion.php file is just a php script that attempts to log into each of the target IP's using the usernames and passwords from the pass_file. If it succeeds in logging in, then it will write the IP, username and password to a file, vuln.txt (a07be1e0c2ed3459001157f323cc1b5c). In the vuln.txt file there are already 69 vulnerable hosts in there, all appearing to have weak credentials.

So, nothing too sophisticated here...

Although the tool is automated to do the scans on the targets, there isn't any automated exfiltration of data or callbacks of any kind. The attacker would need to load this on a box, like mine, then run the 'start' file, and then copy over the contents of vuln.txt to his own machine. Once the attacker was on my box, he attempted to run ./start 208.66. but, there was no file named that, he then did ./start canal, which was listed as an example for ./start. So, I'm guessing he tried running it, and it didn't work like he wanted, so, he quit.

Lastly, I went through the files filled with target IP's and merged them into one. I then used the BulkWhois Python Module to spit out the AS and Country Code for each IP. I then did the usual awk | sort | uniq combo to print out the unique Org Names and Country Codes:

Countries:

CL
US

Org Names (Top Orgs, shortened for brevity)

92 NEXT CENTURY DESIGN LLC.
92 WIRESIX INC.
102 WEBHOSTING.NET INC.
113 HURRICANE ELECTRIC INC.
124 ACRONOC INC
153 WEBHOSTING.NET INC.
291 BANYAN POINT HOSTING INC.
322 MAINSTREETHOST.COM
588 COLOCATEUSA

So, nothing too exciting in this post, but, hopefully I can keep doing these when things pop up.