bilone

Interesting perl script from a compromised host

4 posts in this topic

Apologies for my English. I've found an interesting Perl script on a compromised host.

These funny guys:

  1. generate pseudo-random hostnames of fixed length with a rand function starting from a fixed seed
  2. register RANDOMSEQUENCE.TLD (in this case .TLD=.in)
  3. associate a valid IP with *.RANDOMSEQUENCE.TLD and load their databases and some PHP code on that host, which they access via https
  4. upload their Perl code to compromised hosts. This code does not contain any readable hostname. It downloads an (encoded) address list and encoded message bodies and starts spamming around
  5. when a hostname is removed, they register another one, without having to change their script

at the moment the first five hostnames are valid and active:

any.qlwiysjfav.in has address 94.23.208.20
any.amhrixwypu.in has address 205.186.146.54
any.xgvneqdwbn.in has address 81.95.146.21
any.tmdnzapomk.in has address 76.76.5.59
any.puvvgprgaq.in has address 69.59.17.81
Host any.fitguatpgm.in not found: 3(NXDOMAIN)

...

The following code just dumps the hostnames. The rest of the original script checks host capabilities and uses them.

Question: whom should I ask to report this issue, together with the complete script?

#!/usr/bin/perl
use strict;
use warnings;

my $domains_count = 100;
my @domains = ();
my $random_state;

# Fill a 10000-entry state array from a fixed seed: each entry is the low
# 31 bits of the running product, and the seed is multiplied by 69069 each
# step. A fixed seed therefore always yields the same domain list.
sub my_srand {
    my $seed = shift || time || 4357;
    my @a = ();
    for (1..10000) {
        use integer;
        push @a, $seed & 0x7fffffff;
        $seed *= 69069;
    }
    $random_state = {
        offset => 0,
        array  => \@a
    };
}

# Lagged XOR generator over the state array: the entry at the current
# offset is replaced by the XOR of four older entries. Returns a float in
# [0, $range).
sub my_rand {
    my $range = shift || 1.0;

    my_srand() unless defined $random_state;

    $random_state->{offset} = ($random_state->{offset} + 1) % 10000;
    my $off = $random_state->{offset};
    my $a = $random_state->{array};

    $$a[$off] = ($$a[($off -  471) % 10000] ^
                 $$a[($off - 1586) % 10000] ^
                 $$a[($off - 6988) % 10000] ^
                 $$a[($off - 9689) % 10000]);
    return $$a[$off] * $range / (2**31);
}

# Build 100 ten-letter labels under .in, always starting from seed 123987.
sub generate_domains {
    my $length_of_randomstring = 10;
    my @chars = ('a'..'z');
    my_srand(123987);
    my $random_string;
    for (my $i = 0; $i < $domains_count; $i++) {
        $random_string = "";
        foreach (1..$length_of_randomstring) {
            $random_string .= $chars[int(my_rand(scalar(@chars)))];
        }
        my $domain = $random_string . ".in";
        push @domains, $domain;
    }
}

# Added by me
generate_domains();

for (my $i = 0; $i < $domains_count; $i++) {
    print "any." . $domains[$i] . "\n";
}

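A Python port of the domain generator, added here as an example (it is not part of the original post or of the attacker's script). It reimplements the posted Perl step by step with the same constants (seed 123987, a 10000-entry state, XOR taps at 471/1586/6988/9689, multiplier 69069, ten lowercase letters under .in, 100 domains), so a defender can reproduce the candidate list for blocking, sinkholing or pre-registration without running the attacker's code. The function and class names are this example's own. Perl's `use integer` multiplication wraps at the native word size, but the script only keeps the low 31 bits of each product, and those bits are the same for any power-of-two word size of at least 32 bits, so the port masks to 64 bits without loss of fidelity. The script's final `value * range / 2**31` divides by a power of two, which is exact in double precision, so `int()` of it equals the integer shift used below.

```python
"""Port of the posted Perl domain generator (added example, not the original code)."""

STATE_SIZE = 10000           # size of the state array filled by my_srand
TAPS = (471, 1586, 6988, 9689)  # lag offsets XORed together in my_rand
LCG_MULTIPLIER = 69069       # $seed *= 69069 in my_srand
SEED = 123987                # fixed seed passed to my_srand by generate_domains
DOMAIN_COUNT = 100
LABEL_LENGTH = 10
TLD = "in"
ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # ('a'..'z') in the script


def seed_state(seed=SEED, size=STATE_SIZE):
    """Mirror of my_srand: state[i] = low 31 bits of seed * 69069**i.

    The product is masked to 64 bits to mimic native-width wraparound; since
    only the low 31 bits are kept, 32-bit and 64-bit perls give the same array.
    """
    state = []
    for _ in range(size):
        state.append(seed & 0x7FFFFFFF)
        seed = (seed * LCG_MULTIPLIER) & 0xFFFFFFFFFFFFFFFF
    return state


class LaggedXorGenerator:
    """Mirror of my_rand: a lagged XOR generator over the seeded state."""

    def __init__(self, seed=SEED):
        self.state = seed_state(seed)
        self.offset = 0  # the script advances the offset before every lookup

    def next_int(self, bound):
        """Return an integer in [0, bound), as int(my_rand(bound)) does."""
        self.offset = (self.offset + 1) % STATE_SIZE
        off = self.offset
        value = 0
        for tap in TAPS:
            # Python's % is non-negative for a positive modulus, as Perl's is here.
            value ^= self.state[(off - tap) % STATE_SIZE]
        self.state[off] = value
        # my_rand returns value * bound / 2**31 as a double; the divisor is a
        # power of two, so the division is exact and int() of it is this shift.
        return (value * bound) >> 31


def generate_domains(seed=SEED, count=DOMAIN_COUNT):
    """Mirror of generate_domains: `count` labels of LABEL_LENGTH letters under TLD."""
    rng = LaggedXorGenerator(seed)
    domains = []
    for _ in range(count):
        label = "".join(ALPHABET[rng.next_int(len(ALPHABET))]
                        for _ in range(LABEL_LENGTH))
        domains.append(f"{label}.{TLD}")
    return domains


if __name__ == "__main__":
    # Same output format as the loop the poster added to the script.
    for domain in generate_domains():
        print("any." + domain)
```

Run it and compare the first lines with the hostnames listed in the post; if the port is faithful they match in order, and the full list of 100 is what the spambot will rotate through as domains get taken down. Two details worth noticing when porting this kind of generator: `my_srand` stores the seed itself as the first state entry before the first multiplication, and the offset counter is incremented before each lookup, so entry 0 is the last one ever regenerated.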
Apologies for my English.
...If you hadn't written that, I'd have no idea whatsoever that English is not your native language (I wish my English were as good -- and I was born and raised in the USA)!
<snip>

Question: whom should I ask to report this issue, together with the complete script?

<snip>

...First and foremost the abuse e-mail address of the host on which you found this script (you may wish to consider using a throw-away e-mail address for this purpose, so you do not risk receiving spam at an e-mail address you regularly use). After that, the major security players -- Microsoft, Symantec and any others you know.

First and foremost the abuse e-mail address of the host on which you found this script

Well, this is the simple part: that's me! The problem was an ssh account with an actually not-so-weak password: incidentally, my brother's account :-(

I haven't a clue how they could have got it. I suggested that he thoroughly check his PC, but it looks clean. The Linux host has also been sanitized, but actually it wasn't heavily compromised (they couldn't gain root access). They're still trying to log in.

After that, the major security players -- Microsoft, Symantec and any others you know.

OK. Maybe I should also write to the registrars of those domains (even if I don't much trust people who allow the registration of a clearly random domain name) and to the admin-c of those IPs.

...If you hadn't written that, I'd have no idea whatsoever that English is not your native language

Thanks! :-)


They all have the same nameservers, of course - you might try reporting there as well - abuse@orderbox-dns.com, and upstream from there would be abuse@theplanet.com.

Might not seem a very promising line of attack, but orderbox-dns.com appears to have a heap of legitimate clients. Robtex reports at least 178 domains sharing nameservers with xgvneqdwbn.in (the most "service enabled" of the domains you show), and most of those look quite "normal". orderbox-dns.com may be receptive to complaints, if/once they understand the problem.

I tried having the URLs for any.xgvneqdwbn.in and www.any.xgvneqdwbn.in scanned by VirusTotal, but nothing was found. Those domains/addresses seem a little "fragile", sometimes failing to connect. That might have been a factor, but processing seemed normal. I see different addresses for any.xgvneqdwbn.in (81.95.146.21) and www.any.xgvneqdwbn.in (81.95.146.20); that might just be temporary, I know next to nothing about this stuff.

[edit - corrected URLs]

