
Hi, Trojan-Spy.Win32.Zbot!!! Part two... about shells, rootkits, exploits and a chat in a txt file

Hi, Habr!
I have finally added the continuation of my story.

Once again I remind you:
All information in this article is provided purely for informational purposes and is intended primarily to point out errors in security systems.


So... I finished the story at the point where Google turned my attention to the fact that there was a way to upload a web shell.


So I followed the link and read a mini-article on how to get access to the Zeus admin panel.

Breaking is easier than building



The main things needed for the admin panel hack were:


The last two items were kindly provided by the author of the article, and the already mentioned Wireshark sniffer helped me with the first two: it caught, as I mentioned, the GET request for the config file and the POST to the gate.
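The two requests the sniffer showed (a GET for the config file, then POSTs to the gate on the same host) are also what a defender can look for in proxy logs. The script below is an added example, not code from the article: it parses a constructed log format ("client method url status bytes"), and the file names it matches (a .bin config and a gate.php script) are assumptions to be adjusted to whatever the capture actually shows. A client is only flagged when it does both halves against one host, since either request on its own is too ambiguous.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy-log lines (not captured from the article's server); the
# one-line-per-request format "client method url status bytes" is an assumption.
SAMPLE_LOG = """\
10.0.0.5 GET http://c2.example.invalid/files/config.bin 200 4096
10.0.0.5 POST http://c2.example.invalid/files/gate.php 200 512
10.0.0.7 GET http://www.example.invalid/index.html 200 2048
10.0.0.9 POST http://other.example.invalid/gate.php 200 700
10.0.0.5 POST http://c2.example.invalid/files/gate.php 200 540
10.0.0.7 GET http://www.example.invalid/images/logo.bin 200 100
"""

LINE_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})\s+(\d+)$")
# Assumed names: the encrypted config is fetched as a .bin file and the drop point
# is a script named gate.php; adjust both patterns to what the sniffer shows.
CONFIG_RE = re.compile(r"\.bin$", re.IGNORECASE)
GATE_RE = re.compile(r"/gate\.php$", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, size = m.groups()
    parsed = urlparse(url)
    return {"client": client, "method": method, "host": parsed.netloc,
            "path": parsed.path, "status": int(status), "bytes": int(size)}


def find_suspects(log_text):
    """Return {client: {host: {"config_gets": n, "gate_posts": n}}}, keeping only
    (client, host) pairs that both fetched a config file and posted to a gate."""
    counts = defaultdict(lambda: defaultdict(lambda: {"config_gets": 0, "gate_posts": 0}))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        entry = counts[rec["client"]][rec["host"]]
        if rec["method"] == "GET" and CONFIG_RE.search(rec["path"]):
            entry["config_gets"] += 1
        elif rec["method"] == "POST" and GATE_RE.search(rec["path"]):
            entry["gate_posts"] += 1
    suspects = {}
    for client, hosts in counts.items():
        hits = {h: c for h, c in hosts.items() if c["config_gets"] and c["gate_posts"]}
        if hits:
            suspects[client] = hits
    return suspects


if __name__ == "__main__":
    for client, hosts in find_suspects(SAMPLE_LOG).items():
        for host, c in hosts.items():
            print(f"{client} -> {host}: {c['config_gets']} config GET(s), "
                  f"{c['gate_posts']} gate POST(s)")
```

On the constructed log only 10.0.0.5 is reported: 10.0.0.9 posts to a gate but never fetched a config, and 10.0.0.7 fetched a .bin file but never posted, so neither is flagged.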

The article said that the admin panel file is usually called in.php and lies next to the gate, but I was out of luck: there was no admin panel next to the gate :( That didn't upset me, because the exploit for the admin panel uploaded and executed PHP code. I probably embellished a little :) when I described how the exploit (and the article about uploading a shell) let you upload a web shell; in fact, the exploit originally used a vulnerability in the gate to upload PHP code that read the MySQL connection data and pulled out the user login(s) and password(s). Well, since I had nowhere to enter all that, I modified the exploit code so that it would upload a web shell and e-mail me where it was, along with the actual logins and passwords.

OWNED!



The web shell was uploaded; in the mail there was a letter with the users' logins/passwords and, naturally, a link to go to. We go in... and I wiped the traces of my exploit (the PHP script that sent the user data).

OWNED part 2!



And then I was pleased to see that the botnet owner wasn't particularly worried and everything was running with root rights.
In total, I had access to a bulletproof server (in China) and to all of its resources and contents (including the database, because I found the MySQL root user in the admin panel config again).

Sister, scalpel!



Having poked around on the server (if memory serves, a P4 (1.8) / 1024 / 200GB / 100Mbit), cleaned the logs and enjoyed the other pleasures of life, I got down to studying what else lived on the web server. Unfortunately, there was only Zeus :( There was nothing else to take apart: there was one virtual host to which 6 domains were attached as aliases.

Okay, let's climb into the admin panel...

The admin panel showed ~2000 bots from CIS countries, ~2000 from Great Britain and ~1000 from the United States.
The admin panel said that in the last 24 hours about ~40% of the bots had checked in to it.
There were ~900 bots online, most of them in the UK.

I looked at the logs; the bot, as far as I could see, did its job perfectly well. There was a lot of stolen data.

Well, there's not much more to tell. I'll describe the admin panel, the bot, its work and its functionality in a separate article.

O_o who are you and what are you doing here!?



Then I got the idea that I had to spoil the party somehow, so to speak.

Having created a new user in the system with root rights, I sat down to think about what to do.

The first idea was to notify the affected users that they were infected (I'm lying... first I wanted to enslave the world with this bot army, and only then save the poor affected users).

A simple .bat file (hello-world style) was written that said something like "You are infected with a virus, please download and install an antivirus, preferably ESET NOD32" (at the time I was bursting with pride that I may have brought ESET hundreds of new clients). Two files were queued for download: one in Russian for the CIS and one in English for everyone else.

After sitting and thinking a bit more, I realized I couldn't leave without a mega-cool message, and I created the file owned.txt at the root of the site,

the content of which was:
owned.
from .ru with love


...

The next day I came back to look at the stats for the tasks that pushed my info .bat file. I wasn't particularly surprised that the tasks had been deleted, but I was pleased that the number of active bots had dropped from ~40% to ~28% (or 25%, I don't remember).

Then, out of interest, I looked at where owned.txt had been stored and saw there:
owned.
from .ru with love

mate, mate, mate from here


Then I checked the root access to the system and to MySQL: both had been changed.

I couldn't think of anything better than that, and I didn't want to.
I typed rm -rf / in the console
and disconnected from the server.

That's all :)

I'll be glad to answer your questions and hear your wishes about what else to write on the topic of malware.
One of these days there will be a detailed article about Zeus.

Source: https://habr.com/ru/post/87217/
