
Re[2]: Rooted, .haos on system

From: Oliver.C.Rochford CFH <bugtraq(at)cfh.com>
Date: Tue Dec 17 2002 - 03:36:28 EST

Hello Damian,

It was rooted via a linuxconf exploit, presumably
http://www.packetstormsecurity.com/0209-exploits/nslconf.c or similar. As this is a local exploit, it means they probably got in a different way; I assume mod_ssl.
The stuff you found was probably an autorooter, so they probably intended (or did) use the rooted host to scan from.

regards
Oliver Rochford

Monday, December 16, 2002, 5:38:33 PM, you wrote:

DG> On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
>> I've just received word that one of our customers was rooted, and he's asking about the file ".haos". Nothing rings any bells, has anyone heard of it?

DG> Just a quick update to this...

DG> It looks like it was an IRC bot.  I found these interesting tidbits
DG> throughout the various source trees left on the system (definitely a
DG> script kiddie hack):

DG> " /.../ /m/src/Makefile":

DG>         #
DG>         #   Starglider Class EnergyMech, IRC bot software
DG>         #   Copyright (c) 1997-2000  proton
DG>         #
DG>         #   This program is free software; you can redistribute it and/or modify
DG>         #   it under the terms of the GNU General Public License as published by
DG>         #   the Free Software Foundation; either version 2 of the License, or
DG>         #   (at your option) any later version.

DG> " /.../ /m/emech.users":

DG>         handle          Silviu
DG>         mask            *!*@Scoobyy.users.undernet.org
DG>         prot            4
DG>         aop
DG>         channel         *
DG>         access          100

DG>         handle          Malice
DG>         mask            *!*@malice.users.undernet.org
DG>         prot            4
DG>         aop
DG>         channel         *
DG>         access          100

DG>         handle          Mihai
DG>         mask            *!*@p00f.users.undernet.org
DG>         prot            4
DG>         aop
DG>         channel         *
DG>         access          100

DG>         handle          Doggy
DG>         mask            *!*@Catelushu.users.undernet.org
DG>         prot            4
DG>         aop
DG>         channel         *
DG>         access          100

DG>         handle          mortu
DG>         mask            *!*@mortux.users.undernet.org
DG>         prot            4
DG>         aop
DG>         channel         #DhT
DG>         access          100

DG> ".../[wxz].users":

DG>         handle          dxd
DG>         mask            *!*dxd@*.*
DG>         pass            nI-duWuaJw
DG>         prot            4
DG>         aop
DG>         channel         *
DG>         access          100

DG>         handle          kappy
DG>         mask            *!*kappy@*.*
DG>         pass            0jgmlVQspb
DG>         prot            4
DG>         aop
DG>         channel         *
DG>         access          100

DG>         handle          essence
DG>         mask            *!*essence@*.*
DG>         pass            wHC0Pmbfux
DG>         prot            4
DG>         aop
DG>         channel         *
DG>         access          100

DG>         handle          karamel
DG>         mask            *!*KarameL@*.*
DG>         pass            kdiF0eQFYv
DG>         prot            4
DG>         aop
DG>         channel         *
DG>         access          100

DG>         handle          DJcontact
DG>         mask            *!*anathema@*.*
DG>         pass            uSfKIJhaCS
DG>         prot            4
DG>         aop
DG>         channel         *
DG>         access          100

DG> Other notes:

DG> - a number of 'sendmail.c', 'modutils.sh', 'efstool.c', etc. files
DG> kicking around
DG> - a couple of binaries called 'httpd'
DG> - an empty file called
DG> "????????1?1?1??F??1?Q?8eshf5VJP?eebif5JJP??QS??1?1?????.eng"
DG> - a couple of other system binaries (i.e. bash)


DG> I still have the original 'haos' and 'haos2' tarballs, if anyone is
DG> interested in looking at them.  They both contain libpcap, and look to
DG> be some sort of an automated SSH exploiter, given by the contents of the
DG> files "targets" and "targets.txt":
DG> 
DG> Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small -  SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Small - SSH-1.5-OpenSSH-1.2.3,0x0806d000,0x080725ec,0x0000c804,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
DG> Small - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG>
DG> If anyone wants more info, I'm willing to pass it on. But I'm going to
DG> guess they got in via OpenSSH, given the nature of the scanners and the
DG> version of the daemon running on the box. I'm not sure where the group
DG> came from, but here's a quick quote from one of the shell scripts
DG> ("haosx"), and I'll leave you all at that:
DG>    echo "$rver haosx for Linuxz"
DG>    else
DG>    echo ""
DG>    echo "$rver Asteapta cateva secunde sa ma linistesc.."
DG>    echo "Ia o pauza de o laba pana scanam ceva."
DG>    echo "www.haos2.com"
DG>    echo "Thanks 2 friends : in #haos channel."

DG> ----------------------------------------------------------------------------
DG> This list is provided by the SecurityFocus ARIS analyzer service.
DG> For more information on this free incident handling, management
DG> and tracking system please see: http://aris.securityfocus.com
-- 
Best regards,
 Oliver.C.Rochford                            mailto:bugtraq@cfh.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Received on Tue Dec 17 12:34:35 2002
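Added example, not code from either poster, from EnergyMech, or from the haos tarballs: a small Python triage script that parses the two artifact formats quoted in the thread, the EnergyMech-style users file (blocks of handle/mask/pass/prot/aop/channel/access lines) and the scanner's targets.txt lines (a size label, the SSH version banner, a run of hex fields and a trailing flag), and turns them into a list of indicators an incident responder can hunt for on other hosts. It also answers the question Damian raises, whether a given sshd version banner is on the scanner's target list. The sample inputs are constructed from the quoted excerpts (with a placeholder password); the meaning of the hex columns is not documented on the page, so they are kept as opaque strings.

```python
"""Triage helpers for the EnergyMech users file and the scanner targets
list described in the thread. Added example; field names come from the
quoted files, the parsing rules and sample data are assumptions."""
import re
from typing import Dict, List, Union

# Constructed sample modelled on the quoted emech.users / [wxz].users excerpts.
SAMPLE_EMECH_USERS = """\
handle          Silviu
mask            *!*@Scoobyy.users.undernet.org
prot            4
aop
channel         *
access          100

handle          dxd
mask            *!*dxd@*.*
pass            PLACEHOLDER-PASS
prot            4
aop
channel         #DhT
access          100
"""

# Constructed sample modelled on the quoted targets.txt lines.
SAMPLE_TARGETS = """\
Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small -  SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
"""

Record = Dict[str, Union[str, bool]]


def parse_emech_users(text: str) -> List[Record]:
    """Split a users file into one dict per 'handle' block.
    Keys with no value on the line (e.g. 'aop') are stored as True."""
    users: List[Record] = []
    current: Record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value: Union[str, bool] = parts[1].strip() if len(parts) > 1 else True
        if key == "handle":
            current = {"handle": value}
            users.append(current)
        elif current:
            current[key] = value
    return users


# "<size> - <banner>,<hex>,...,<hex>,<flag>"; the size label and double spaces
# vary in the quoted file, so the regex is tolerant of surrounding whitespace.
TARGET_RE = re.compile(r"^(?P<size>\w+)\s*-\s*(?P<banner>[^,]+),(?P<rest>.+)$")


def parse_targets(text: str) -> List[Dict[str, object]]:
    """Parse targets.txt lines; unparseable lines are skipped rather than guessed."""
    targets = []
    for raw in text.splitlines():
        m = TARGET_RE.match(raw.strip())
        if not m:
            continue
        fields = [f.strip() for f in m.group("rest").split(",")]
        targets.append({
            "size": m.group("size"),
            "banner": m.group("banner").strip(),
            "hex_fields": fields[:-1],   # opaque on the page; kept as strings
            "flag": fields[-1],
        })
    return targets


def normalise_banner(banner: str) -> str:
    # The quoted file spells the same version both OpenSSH-2.1.1 and OpenSSH_2.1.1.
    return banner.strip().replace("_", "-").lower()


def banner_is_targeted(banner: str, targets: List[Dict[str, object]]) -> bool:
    """True if a server's SSH version string appears in the scanner's target list."""
    wanted = {normalise_banner(str(t["banner"])) for t in targets}
    return normalise_banner(banner) in wanted


def ioc_summary(users: List[Record], targets: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Flatten both artifacts into sorted indicator lists for a hunt across other hosts."""
    return {
        "handles": sorted(str(u["handle"]) for u in users),
        "hostmasks": sorted(str(u.get("mask", "")) for u in users),
        "channels": sorted({str(u.get("channel", "")) for u in users}),
        "targeted_banners": sorted({str(t["banner"]) for t in targets}),
    }


if __name__ == "__main__":
    users = parse_emech_users(SAMPLE_EMECH_USERS)
    targets = parse_targets(SAMPLE_TARGETS)
    for key, values in ioc_summary(users, targets).items():
        print(f"{key}: {values}")
    print("OpenSSH_2.1.1 targeted:", banner_is_targeted("SSH-1.99-OpenSSH_2.1.1", targets))
```

The banner check is the useful half for a defender: feed it the version string each of your servers announces and the target list from a recovered tarball, and any match is a host whose sshd version the autorooter was built to look for. The hostmasks and channel names go straight into IRC egress monitoring or into a grep across other compromised-looking systems.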

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

