I saw this attack in the day job’s web server logs today. From IP address 188.8.131.52, which appears to point back to Alibaba.
This doesn’t mean anything in and of itself, until we look at the payload.
This appears to be an attempt to exploit a bash hole. What is interesting is the IP address to pull the second stage payload from.
Run a whois against that … I’ll wait.
In the records we see a number of things:
    inetnum   184.108.40.206 - 220.127.116.11
    netname   ALISOFT
    descr     Aliyun Computing Co., LTD
    descr     5F, Builing D, the West Lake International Plaza of S&T
    descr     No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
    country   CN
    ...
    phone     +86-[redacted]
    e-mail    [redacted]@alibaba-inc.com
    nic-hdl   ZM1015-AP
    mnt-by    MAINT-CNNIC-AP
    changed   email@example.com 20130730
    source    APNIC
    ...

I hand-redacted the name/email/phone from the information. Easy enough to find, but note the email address.
Who is Alisoft?
Well, according to Crunchbase …
Alisoft develops, markets and delivers Internet-based business management software targeting Small and Medium Enterprises (SMEs) in China. Founded by parent Alibaba Group, Alisoft is currently offering five different services: Customer relationship management (CRM), Inventory management, Sales force management, Financial tools, and Marketing information
This could be simply one compromised machine. Never attribute to malice that which may be better explained by incompetence. They wouldn’t leave a machine wide open, right?
    landman@lightning:~$ nmap 18.104.22.168
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-11 19:30 EDT
    Nmap scan report for 22.214.171.124
    Host is up (0.26s latency).
    Not shown: 985 closed ports
    PORT     STATE    SERVICE
    42/tcp   filtered nameserver
    135/tcp  filtered msrpc
    139/tcp  filtered netbios-ssn
    445/tcp  filtered microsoft-ds
    593/tcp  filtered http-rpc-epmap
    999/tcp  open     garcon
    1023/tcp filtered netvenuechat
    1025/tcp filtered NFS-or-IIS
    1068/tcp filtered instl_bootc
    1434/tcp filtered ms-sql-m
    3389/tcp open     ms-wbt-server
    4444/tcp filtered krb524
    5800/tcp filtered vnc-http
    5900/tcp filtered vnc
    6669/tcp filtered irc
oh … well … maybe …
Ok, but this wouldn’t be conspicuously serving and easily accessible on that port 999, right? So let’s fire up links and see what we see …
Oh … my.
Ok, for laughs, let me pull down the payload. And look at it with strings. See if I see anything in there.
    strings /tmp/evil
    ...
    $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $
    PROT_EXEC|PROT_WRITE failed.

Ok, it’s UPX compressed. Let’s look into it some more.

    landman@lightning:/tmp$ upx-3.91-amd64_linux/upx -l evil
                           Ultimate Packer for eXecutables
                              Copyright (C) 1996 - 2013
    UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

            File size         Ratio      Format        Name
       --------------------   ------   -----------   -----------
       1513570 ->    416596   27.52%   netbsd/elf386   evil
and sure enough
    landman@lightning:/tmp$ ls -al evil
    -rw-r--r-- 1 landman landman 1513570 Mar 11 19:36 evil
    landman@lightning:/tmp$ file evil
    evil: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped

Again, run strings and … whoa! Someone used a -g when compiling, there are a metric butt-load of symbols in there. Seriously … It’s obviously C++ source as it turns out, and it’s been internationalized.
And there are misspellings …
It seems to want to play with TLS. I am guessing not in a good way.
But this said, I was looking for another address, either IP address or web address, or something.
Sure enough, strings found this
    www.baidu.com
    ...
    126.96.36.199
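The same static checks done above with strings, upx -l and file, as an added example (not code from the original post): it reads the ELF header, looks for the UPX stub banner, and pulls IPv4 addresses and hostnames out of the printable strings without ever running the file. The sample bytes, the short TLD list and the function name triage are assumptions made for the example.

```python
import re
import struct

# Strings the UPX stub leaves behind; the banner is the one strings(1) printed above.
UPX_MARKERS = (b"UPX!", b"This file is packed with the UPX executable packer")
ELF_MACHINES = {3: "Intel 80386", 40: "ARM", 62: "x86-64"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # strings(1) default: printable runs of 4+
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Assumption: a short illustrative TLD list, not an exhaustive one.
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|cn|ru|info)\b", re.I)


def triage(data: bytes) -> dict:
    """Static look at a suspect file's bytes; nothing is executed."""
    report = {"elf": False, "bits": None, "machine": None}
    if len(data) >= 20 and data[:4] == b"\x7fELF":
        endian = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
        (machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine
        report.update(elf=True, bits={1: 32, 2: 64}.get(data[4]),
                      machine=ELF_MACHINES.get(machine, f"e_machine={machine}"))
    report["upx"] = any(marker in data for marker in UPX_MARKERS)
    ips, hosts = set(), set()
    for run in PRINTABLE.findall(data):
        text = run.decode("ascii")
        ips.update(IPV4.findall(text))
        hosts.update(h.lower() for h in HOST.findall(text))
    report["ips"], report["hosts"] = sorted(ips), sorted(hosts)
    return report


# Constructed samples: a minimal 32-bit little-endian i386 ELF header followed by
# made-up content (documentation-range IP and example hostname, not from the log).
_HDR = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 + struct.pack("<HH", 2, 3)
PACKED = _HDR + b"\x00$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
UNPACKED = _HDR + b"\x00connect c2.example.net\x00\xff\xfe203.0.113.7\x00ver 3.91\x00"

if __name__ == "__main__":
    # While packed, only the stub's own strings are visible; the embedded
    # addresses show up after unpacking, so triage both forms.
    for name, blob in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(name, triage(blob))
```
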
In the end I did this
    landman@lightning:/tmp$ rm -f evil
Were it really so simple.
Next up, I may send them an email pointing out the … er … badly misconfigured unit, and the attack server set up on it. And the attack coming from their site at a different address.
This reminds me of the Moscow rules. Once is an accident, twice is coincidence. Three times is enemy action.