
SANS ISC: InfoSec Handlers Diary Blog


Bots: They are not just for Windows anymore.

Published: 2005-12-23
Last Updated: 2005-12-23 22:59:36 UTC
by Johannes Ullrich (Version: 1)

A couple of readers noted the use of the "kaiten" bot in some of the recent PHP exploits. The PHP vulnerability is used to install kaiten, which, like all well-behaved bots, will connect to an IRC channel and do its master's bidding.

We have kind of become used to seeing "bots" as a Windows issue. But to be fair: Kaiten probably pre-dates a lot of the Windows worms and bots. IMHO, it's so much easier to write a bot for Linux. You've got perl after all. I wouldn't be surprised to find one written in bash.

One really quick and dirty way to fool bots on Linux: make /tmp its own partition and mount it as non-executable (noexec). This will fool probably 80% of the bots, as they start out by writing themselves to /tmp. Don't forget to make /usr/tmp and /var/tmp symlinks to /tmp. If you don't want to repartition, use a loopback file. Most Linux malware will compile itself on the target system, so removing development tools is always an option, but a bit painful for many. And you may not be able to do without perl. I wouldn't be able to make coffee in the morning without it, and without coffee not much would be happening here.
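
An added example (not part of the original diary) that audits the advice above: it finds the mount holding each temp directory and checks it for the noexec option. The sample mount table and the fstab line in the comments are constructed, and the loopback image path is an assumption.

```shell
#!/bin/sh
# Audit whether the temp directories sit on a noexec mount.
# Constructed fstab line for a loopback-backed /tmp (image path is an assumption):
#   /var/tmp.img  /tmp  ext3  loop,noexec,nosuid,nodev  0 0

# Constructed mount table in /proc/mounts format, used for offline testing.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw,nosuid 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0'

# mount_opts_for PATH [MOUNTS_FILE]
# Print the options of the mount that holds PATH: the longest matching mount
# point wins, and on a tie the later (topmost) entry wins.
mount_opts_for() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            # match "/", PATH itself, or a parent directory (not a mere string prefix)
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE]: succeed if PATH is on a noexec mount.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_tmp [MOUNTS_FILE]: check the three directories named above on this host.
audit_tmp() {
    rc=0
    for d in /tmp /var/tmp /usr/tmp; do
        [ -e "$d" ] || continue
        real=$(readlink -f "$d")   # follow symlinks such as /var/tmp -> /tmp
        if is_noexec "$real" "$1"; then
            echo "ok:   $d ($real) is on a noexec mount"
        else
            echo "WARN: $d ($real) allows direct execution"; rc=1
        fi
    done
    return $rc
}
```

Run `audit_tmp` on the host to check the live mount table. In the sample table /var/tmp is a real directory on the /var mount, so it still allows execution even though /tmp does not; noexec also blocks direct execution only, so a script passed to an interpreter such as perl still runs.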

We do get LOTS AND LOTS of reports about various PHP exploit attempts. It's one of those things where you are probably already long exploited if you are vulnerable. The exploit attempts target a long list of vulnerable PHP applications. Nothing particularly fancy, just more and more of it.
