48

A few days ago one of my webhosting customers had their FTP login compromised, and the attacker modified his index.php file to include some extra code, and roughly twelve thousand other bots have been trying to access it via a POST operation since.

I'm okay at PHP but no genius, but from what I've been able to garner it takes the (encrypted) data included in the POST, decrypts it together with the contents of another file left behind on the host, and sends a response packed into an HTTP 503 header.

From the behavior, I get the feeling this system was set up as a control host for a botnet.

I've managed to save a copy of the PHP code as well as a packet capture of one of the bots trying to POST after I'd already deactivated the site... But now what do I do with it? I don't have the time or expertise to further analyze the damn thing myself, what groups should I forward the lot to?

Shadur

5 Answers

38

If you want it analysed for business reasons then you need to find an appropriately skilled forensic incident response consultant (excuse the jargon: 'A log analysis guy'). These generally cost money, lots of it.

Bear in mind though that most botnet deployments aren't targeted and are very wide-spread. There probably isn't much to learn about it that isn't already well-known and which affects everyone else. Groups that deal with advanced threats won't be terribly interested in this sort of thing, but you might have luck with an AV vendor. Symantec, Sophos, etc sometimes like to collate this kind of data for their glossy white papers.

The most interesting logs are going to be the ones just before the suspicious traffic starts when the botnet actually exploits the system, since that will allow you to do a post-mortem on the attack. However I'm going to use my amazing psychic abilities to assert that something wasn't appropriately patched and that's how the bot got in.

Addendum: For the love of the Gods don't just give access to your systems (or sensitive data on your systems) to some random person on this site.

Rushyo
  • There was no exploit; the bot control node was installed using a valid FTP logon. I've already changed that customer's password and told him to check for viruses on his own system. – Shadur Feb 28 '13 at 11:00
  • if you (or the forensic consultant) can give the *deactivate* or *uninstall* command, that would be very useful – SeanC Feb 28 '13 at 13:37
  • Like I said, the whole thing's encrypted on several levels and I don't really have the time or expertise to start whacking at it. – Shadur Feb 28 '13 at 14:12
  • @SeanCheshire because major players in the security industry stop at sending "You need to clean your computer" messages instead of doing it remotely for them I believe that there are impediments standing in the way of being able to do so legally; and that your suggestion would open Shadur to being arrested or dragged into court. – Dan Is Fiddling By Firelight Feb 28 '13 at 20:27
  • yeah, listen to @DanNeely - even the FBI have to apply for court permission: http://it.slashdot.org/story/11/04/27/217221/feds-to-remotely-uninstall-bot-from-some-pcs – SeanC Feb 28 '13 at 20:54
12

Contact the FBI, or whoever has jurisdiction over this sort of computer crime where you live. What's being done on your system is a pretty serious crime, and in many places, knowingly failing to report a crime is itself a crime. The last thing you want is for the innocent victims (yourself and your client who you're hosting) to be exposed to legal liability.

AJ Henderson
Mason Wheeler
  • This isn't a bad suggestion, but it is likely they won't do anything about it. It's too commonplace and not really serious enough. They are most likely already aware of the botnet's operation as a whole. That said, if you are in the US, the FBI does have [a nice website](http://www.ic3.gov) where you can report such activity for them to be able to have a record of it. – AJ Henderson Feb 28 '13 at 14:07
  • Not in the US, alas. – Shadur Feb 28 '13 at 14:11
  • @Shadur: Which is why I said "the FBI or whoever has jurisdiction over this sort of computer crime where you live." I'm sure someone does, unless you're in Somalia or something... – Mason Wheeler Feb 28 '13 at 14:59
  • I locked down the server the moment I became aware of the botnet and fail2ban is getting an exercise blacklisting the IP address of every bot that tries to contact the server -- looks like it's peaking out at about 14K bots. – Shadur Feb 28 '13 at 15:32
  • @MasonWheeler That would probably be http://www.govcert.nl in this instance. – Rushyo Feb 28 '13 at 17:20
  • @Shadur If you really think the data you can collect is that valuable (I suspect it's not) then you may wish to try something like Volatility to record the current forensic state of your RAM at least. The trouble is that if you screw it up you can end up doing more harm than good. – Rushyo Feb 28 '13 at 17:25
2

First thing would be to report it to the incident response team in your organisation or the relevant security team.

Secondly, you can check the web server logs. This will give you many clues about who was accessing it and what web requests were made (showing URL paths).

If you want to capture live data, use packet analyzer/sniffer utilities such as tcpdump or ethereal and listen on the relevant interface. After that use filters to see the source/destination and it should tell you all communication happening between the remote malicious server and yours.

user20996
  • Given he said 'my webhosting customers' I think it's fair to assume he doesn't have a SIRT/CERT team backing him up. – Rushyo Feb 28 '13 at 10:30
  • By and large, I *am* the CERT team for the company I work for, yes. – Shadur Feb 28 '13 at 11:01
  • Also, you seem to be misunderstanding. The compromised website wasn't turned into a zombie, it was used as a *control node* for other zombies to request instructions from. I've isolated the encrypted instructions file as well. – Shadur Feb 28 '13 at 11:02
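The log review suggested in the answer above, as an added example (not code from the original post or from anyone in the thread): a small Python script that parses combined-format web server log lines and picks out the pattern the question describes, POST requests to the modified index.php that are answered with a 503, so you can count the distinct bot IPs, see when the first one arrived, and hand the list to fail2ban or a firewall rule. The log lines are constructed for the example (documentation-range addresses, the thread's date); the combined log format, the /index.php path and the 503 status are assumptions taken from the question, not from the real logs.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format. They are
# illustrative only (documentation-range IPs), not log lines from the post.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Feb/2013:09:01:12 +0100] "POST /index.php HTTP/1.1" 503 0 "-" "Mozilla/4.0"
203.0.113.11 - - [28/Feb/2013:09:01:13 +0100] "POST /index.php HTTP/1.1" 503 0 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Feb/2013:09:01:20 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Feb/2013:09:02:02 +0100] "POST /index.php HTTP/1.1" 503 0 "-" "Mozilla/4.0"
198.51.100.9 - - [28/Feb/2013:09:03:44 +0100] "GET /images/logo.png HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0"
203.0.113.12 - - [28/Feb/2013:09:04:01 +0100] "POST /index.php HTTP/1.1" 503 0 "-" "Mozilla/4.0"
this line is not a valid log record
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_c2_checkin(rec, c2_path):
    """The pattern the question describes: a POST to the modified page that is
    answered with a 503 (the bot's instructions ride in that response)."""
    return rec["method"] == "POST" and rec["path"] == c2_path and rec["status"] == 503


def summarize(log_text, c2_path="/index.php"):
    """Return per-IP check-in counts, the earliest check-in per IP, per-path
    request counts and the number of lines the parser could not read."""
    checkins = Counter()
    first_seen = {}
    paths = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count, don't silently drop, unreadable lines
            continue
        paths[(rec["method"], rec["path"])] += 1
        if is_c2_checkin(rec, c2_path):
            checkins[rec["ip"]] += 1
            first_seen.setdefault(rec["ip"], rec["ts"])
    return {"checkins": checkins, "first_seen": first_seen,
            "paths": paths, "unparsed": unparsed}


def blocklist(summary, min_checkins=1):
    """IPs to hand to fail2ban/iptables: every source that checked in at least
    min_checkins times. Sorted so repeated runs give stable output."""
    return sorted(ip for ip, n in summary["checkins"].items() if n >= min_checkins)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{len(s['checkins'])} distinct bots, {sum(s['checkins'].values())} check-ins, "
          f"{s['unparsed']} unparsed line(s)")
    for ip in blocklist(s):
        print(f"  {ip}  first seen {s['first_seen'][ip]}  count {s['checkins'][ip]}")
    print("top request paths:", s["paths"].most_common(3))
```

Run it over the rotated logs as well as the live one: the earliest first_seen timestamp marks the start of the check-ins, and the window just before it is where the FTP transfer log should show the upload of the modified index.php. The blocklist function only returns addresses; it does not touch the firewall, so you can review the list before any rule is applied.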
2

One of the things you might want to ask yourself is: "What's your motivation here?"

e.g.
  1. Figure out how the incident happened to avoid a repeat.
  2. Protect yourself for liability reasons.
  3. Get the bad guys punished.
  4. Help out Security Researchers by knowing the exploit etc.

I doubt it is #1 since you say the login password seems compromised at the client's end. #3 seems extremely remote. #4 too seems unlikely unless you've really stumbled upon something really novel.

So, I'd say file a report. Often local police departments will file one, though they probably lack the skills to investigate. Make sure you document things and leave a trail of paperwork.

curious_cat
2

In addition to contacting law enforcement, locking down your machines, and introducing controls to alert on future incidents, you may want to consider contacting/joining an org like the Red Sky Alliance. You don't want to give anyone (particularly random people on the internet, which is essentially what SE is) access to your system or your data - but you should share in some controlled forum if possible. Both you and other participants will benefit. Other potential places to look for 'legit' people to share with might be SANS, or maybe OSCE would be more appropriate since you appear to be in the Netherlands from your profile.

Duncan