
Re: Rooted, .haos on system

From: Damian Gerow <damian(at)sentex.net>
Date: Mon Dec 16 2002 - 12:38:33 EST

On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
> I've just received word that one of our customers was rooted, and he's asking about the file ".haos". Nothing rings any bells, has anyone heard of it?

Just a quick update to this...

It looks like it was an IRC bot. I found these interesting tidbits throughout the various source trees left on the system (definitely a script kiddie hack):

" /.../ /m/src/Makefile":

	#
	#   Starglider Class EnergyMech, IRC bot software
	#   Copyright (c) 1997-2000  proton
	#
	#   This program is free software; you can redistribute it and/or modify
	#   it under the terms of the GNU General Public License as published by
	#   the Free Software Foundation; either version 2 of the License, or
	#   (at your option) any later version.

" /.../ /m/emech.users":

	handle          Silviu
	mask            *!*@Scoobyy.users.undernet.org
	prot            4
	aop
	channel         *
	access          100

	handle          Malice
	mask            *!*@malice.users.undernet.org
	prot            4
	aop
	channel         *
	access          100

	handle          Mihai
	mask            *!*@p00f.users.undernet.org
	prot            4
	aop
	channel         *
	access          100

	handle          Doggy
	mask            *!*@Catelushu.users.undernet.org
	prot            4
	aop
	channel         *
	access          100

	handle          mortu
	mask            *!*@mortux.users.undernet.org
	prot            4
	aop
	channel         #DhT
	access          100

".../[wxz].users":

	handle          dxd
	mask            *!*dxd@*.*
	pass            nI-duWuaJw
	prot            4
	aop
	channel         *
	access          100

	handle          kappy
	mask            *!*kappy@*.*
	pass            0jgmlVQspb
	prot            4
	aop
	channel         *
	access          100

	handle          essence
	mask            *!*essence@*.*
	pass            wHC0Pmbfux
	prot            4
	aop
	channel         *
	access          100

	handle          karamel
	mask            *!*KarameL@*.*
	pass            kdiF0eQFYv
	prot            4
	aop
	channel         *
	access          100

	handle          DJcontact
	mask            *!*anathema@*.*
	pass            uSfKIJhaCS
	prot            4
	aop
	channel         *
	access          100

Other notes:

  • a number of 'sendmail.c', 'modutils.sh', 'efstool.c', etc. files kicking around
  • a couple of binaries called 'httpd'
  • an empty file called "????????1?1?1??F??1?Q?8eshf5VJP?eebif5JJP??QS??1?1?????.eng"
  • a couple of other system binaries (i.e. bash)

I still have the original 'haos' and 'haos2' tarballs, if anyone is interested in looking at them. They both contain libpcap, and look to be some sort of an automated SSH exploiter, given by the contents of the files "targets" and "targets.txt":

<snip>
Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Small - SSH-1.5-OpenSSH-1.2.3,0x0806d000,0x080725ec,0x0000c804,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
Small - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
</snip>

If anyone wants more info, I'm willing to pass it on. But I'm going to guess they got in via OpenSSH, given the nature of the scanners and the version of the daemon running on the box. I'm not sure where the group came from, but here's a quick quote from one of the shell scripts ("haosx"), and I'll leave you all at that:

   echo "$rver haosx for Linuxz"
   else

   echo ""
   echo "$rver Asteapta cateva secunde sa ma linistesc.."
   echo "Ia o pauza de o laba pana scanam ceva."
   echo "www.haos2.com"
   echo "Thanks 2 friends : in #haos channel."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Dec 16 13:22:24 2002
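Added example (not part of the original post or of EnergyMech itself): a small triage parser for the `*.users` files quoted above. When a bot like this turns up on a compromised host, the responder's first questions are who the bot trusts, which of those trusts are gated only by a password (fully wildcarded hostmasks), and which channels and hostnames can be searched for across other systems and logs. The record layout (one `key value` pair per line, records separated by blank lines, `aop` as a bare flag) is inferred from the excerpts in the message; the field meanings are assumptions, and the sample input is constructed from those excerpts.

```python
"""Triage parser for EnergyMech-style `*.users` files (added example).

Format assumed from the excerpts in the post: one `key value` pair per
line, `aop` appears as a bare flag, and a new `handle` line starts a record.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the records quoted in the post.
SAMPLE_USERS = """\
handle          Silviu
mask            *!*@Scoobyy.users.undernet.org
prot            4
aop
channel         *
access          100

handle          dxd
mask            *!*dxd@*.*
pass            nI-duWuaJw
prot            4
aop
channel         *
access          100

handle          mortu
mask            *!*@mortux.users.undernet.org
prot            4
aop
channel         #DhT
access          100
"""


@dataclass
class BotUser:
    handle: str
    mask: Optional[str] = None
    password: Optional[str] = None   # the `pass` field; present only in some files
    prot: Optional[int] = None
    aop: bool = False                # auto-op flag, given as a bare keyword
    channel: Optional[str] = None
    access: Optional[int] = None


def parse_users(text: str) -> List[BotUser]:
    """Turn the flat `key value` file into one BotUser per `handle` record."""
    users: List[BotUser] = []
    current: Optional[BotUser] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "handle":
            current = BotUser(handle=value)
            users.append(current)
            continue
        if current is None:          # stray key before the first handle
            continue
        if key == "mask":
            current.mask = value
        elif key == "pass":
            current.password = value
        elif key == "prot":
            current.prot = int(value)
        elif key == "aop":
            current.aop = True
        elif key == "channel":
            current.channel = value
        elif key == "access":
            current.access = int(value)
    return users


def host_part(mask: str) -> str:
    """Return the host portion of a nick!user@host mask."""
    return mask.rsplit("@", 1)[-1]


def wide_open_users(users: List[BotUser]) -> List[str]:
    """Handles whose mask accepts any host; only the password gates these."""
    return [u.handle for u in users if u.mask and host_part(u.mask) in ("*", "*.*")]


def summarize(users: List[BotUser]) -> Dict[str, object]:
    """IoC-style summary: counts, channels, and concrete hostnames to search for."""
    hosts = {host_part(u.mask) for u in users if u.mask}
    hosts = {h for h in hosts if "*" not in h}
    return {
        "count": len(users),
        "channels": sorted({u.channel for u in users if u.channel}),
        "hosts": sorted(hosts),
        "wide_open": wide_open_users(users),
    }


if __name__ == "__main__":
    for key, val in summarize(parse_users(SAMPLE_USERS)).items():
        print(f"{key}: {val}")
```

Run it against the real files pulled from the image rather than the constructed sample; the `hosts` list is what you grep other hosts' IRC-related artefacts and proxy logs for, and `wide_open` tells you which handles an intruder could claim from anywhere with nothing more than the stored password.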

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

