Apr 21st

What happens when your Managed Hosting Server Gets "Owned"?

Posted by: Jacques Erasmus


Interesting question. Today I'll try to shed some light on this, as I think I've found a pretty decent example of what happens when your dedicated hosting box gets hacked. Lately there have been many high-profile websites serving out malicious iframes and infecting people. Today we found an interesting sample that appears to have been going under the radar for a couple of weeks. From the stats we can see available to us, roughly 49600 machines have been infected by this specific infection. Although the counter does not count unique infections (i.e. if you keep refreshing it will go up), we believe there has not been much visibility of this infection elsewhere, so the number is "fairly" accurate. So let's have a look at what the setup of this infection looks like.

Firstly, they have a master server that they use to push out updates to their "micro" sites. These updates are new, revised Trojan code. The micro sites are smaller websites that have been compromised using mass auto-rooters and the like, usually via vulnerabilities in web apps that can be exploited in an automated fashion.

From what we are seeing here, they have targeted websites with weak security, writable open directories and various other security no-no's. One of them is the website for the Town of Grimsby, in the UK. As we can see from the above mentioned SANS posting, thousands of sites can be targeted in this manner, and the infection reach becomes very large indeed. What's interesting in this case is that we get a peek into their backend processes and can see what they use to manage hacked machines efficiently.

Ladies and Gentlemen, I bring you .. V1.0 pre-release build #16 :) *drum roll*

Now this has been around for a while, yet it still works like a charm. First things first, I analyzed the malware based on all the data we have for it and saw it made connections out to a server in the US, hitting a count.php page.

On this server there are around 230 sites hosted, according to domaintools tracking. For example, when you go to the Grimsby website you will get hit with a couple of exploits that bring down "mywork.exe" and "svc_alc.exe"; these files then hit the counter and wait for further instructions. In this case the Trojan installs a Zlob variant and a password stealer for Eve Online and World of Warcraft.

So now for some screenshots of the control interface that we could access.

Main site

Here is the interface of the C99Shell, showing in short what it's capable of.

commands

This shows the commands and various pre-packed exploits you can run from the interface provided.

command line

This shows how you can run commands from the web interface on the host.

etc passwd

Can anyone guess what that is?

feedback

Of course the authors of C99 want to get YOUR valuable feedback. Or own the box you owned? Hmm, I'm undecided on this one. Also, I'm quite disappointed that they don't understand Swahili.

Having a look in our database I found something really interesting regarding C99Shell. Who would have thought that the Turkish Government's Metropolitan Transport website would actually be owned by evil hackers? :) Well, it is.

Reliable Turkish Transport

The website of the Istanbul Metro. Owned. By Hax0rs. Below are some screenshots of the C99Shell running on the Turkish Government Metro web server.

Hello

Above you can browse the entire hard drive of the web server, issue commands to it and various other things, all point and click. I'm sure my mother would be able to operate this with ease.

So in summary, there are various tools available to attackers to manage their newfound servers efficiently, C99Shell being one of them. Some suggestions to stop these things from happening to you would be to lock down directory security in IIS and Apache. Don't allow 777 permissions on directories, and make sure the 3rd-party web apps are up to date and running with the least privileges needed.

There are many other things to look at when securing a web application, but the above certainly are the basics. Also, if you do believe you might have something like this on your web server, have a look for a file called c99bypass.php, as this is the current name the auto-rooters are using to drop it.
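As an added example, not from the original post, here is a small POSIX shell audit that checks a document root for the two indicators just mentioned (world-writable directories and a file named c99bypass.php) and can strip the world-write bit from offending directories. The paths and the sample web root it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a web root for the two
# things the post tells you to look for, world-writable ("777") directories and
# a dropped file named c99bypass.php, and optionally strip the world-write bit.
# Paths are hypothetical; point it at your own document root.

# List directories under $1 that anyone on the box can write to (-perm -0002
# is the portable spelling of "other-write bit set").
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# List files under $1 carrying the dropper name quoted in the post.
find_c99_dropper() {
    find "$1" -type f -iname 'c99bypass.php' 2>/dev/null | sort
}

# Remediation: remove other-write from offending directories, print each one.
fix_world_writable_dirs() {
    find "$1" -type d -perm -0002 -exec chmod o-w {} \; -print 2>/dev/null | sort
}

# Run both checks; print findings and return 1 if there were any, so a cron
# job or monitoring hook can alert on the exit status.
audit_webroot() {
    hits=$( { find_world_writable_dirs "$1" | sed 's/^/WORLD-WRITABLE DIR: /'
              find_c99_dropper "$1" | sed 's/^/SUSPECT FILE: /'; } )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample web root so the example runs offline: one 777 upload
# directory holding a placeholder file that uses the dropper's name.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/uploads" "$root/htdocs/images"
    chmod 755 "$root/htdocs" "$root/htdocs/images"
    chmod 777 "$root/htdocs/uploads"      # the misconfiguration
    printf '<?php /* constructed placeholder */ ?>\n' > "$root/htdocs/uploads/c99bypass.php"
    printf '<?php echo "hello"; ?>\n' > "$root/htdocs/index.php"
    echo "$root"
}

# Usage: sh audit_webroot.sh /var/www   (hypothetical path)
if [ -n "${1:-}" ]; then
    audit_webroot "$1"
fi
```

Run it from cron with the exit status wired to your alerting; the filename check only catches the dropper name the post reports, so treat it as one signal alongside the permission check, not a complete web shell scan.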

I've found a couple more sites of interest running this particular script, which I still need to report to the hosters. One site had over 370 GB of bandwidth usage in the last 24 hours. All sites in question have been informed; however, even after calling the support centers, there seems to be a uniform "we don't understand, or care about, what you are trying to tell us". Oh well, at least I can sleep well :)
