Bugtraq mailing list archives

Fwd: Possible DDOS network being built through ssh1 crc compromised hosts


From: "William Salusky" <change () dmzs com>
Date: Mon, 12 Nov 2001 16:20:29 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am making this notification to assist in determining whether other
folks have been affected by this attack.

An associate's home NAT gateway Linux box was hacked by what I am
guessing was the ssh1 CRC bug (ssh1 was the only exposed service).
This machine looks to have been compromised on Nov 2nd at 1:15pm PST; I
won't know for certain until I obtain his hard disk later today, and
provided that /var logging is recoverable.  This machine was running
Red Hat 6.2, reasonably patched except for the fact that he was still
running ssh1.

It appears that someone may be building up a network of (potentially)
DDOS hosts.  I have done some quick research and found no matches for
the signatures I have been able to identify so far.

Using the chkrootkit (www.chkrootkit.org) utilities did not identify
a known trojan pack, so if this isn't identified in the wild, I'm
already referring to it as the LIMPninja.

It also appears that this particular host was used as a central host
for other LIMPninja zombies.  Also, I haven't been able to determine
what command structure the remote bots act upon.

The following is by no means complete, even after a full examination
of the drive has been completed, as there was never any file
integrity baseline completed (a shame).

The attack appears to be scripted, as all changes happened within a
minute, except for the IRC server, which was not installed until 2
days later (and manually).  When I found this particular IRC net
there were over 120 hosts all communicating via IRC.  This host was
found to be running an unrealircd daemon from /usr/bin/bin/u/src/ircd
listening on port 6669.

All other compromised hosts were joining this IRC network
(ircd.hola.mx  holad) on channel #kujikiri with a channel key of
'ninehandscutting'.  All bots joined as the nick ninjaXXXX, where XXXX
is some RANDOM? selection of 4 upper-case letters.


Several ports were listening:
3879    term (this port had an ipchains rule blocking all external
traffic, placed by the attacker's script)
6669    ircd
9706    term
42121   inetd-spawned in.telnetd


Logs were wiped, and I couldn't find a wiping utility, so I'm thinking a
simple rm or unlink was used; I'm hoping to find more details when
the disk is in hand.  File modifications that were made follow (not
necessarily a complete analysis yet):

Clearly trojaned binaries (probably others):
/bin/ps
/bin/netstat
/bin/ls  (this ls binary was hiding several things: directory
structures named /u/, mysqld, klogd ...)
/usr/local/bin/sshd1  (the file was just several hundred bytes larger
than previously)


Binary file/directory additions:
/usr/bin/bin/u/         An entire directory structure containing the ircd
server source
/usr/bin/share/mysqld   (looks like some type of irc spoofing proxy)
/bin/klogd              (almost looks like an ftp proxy)
/bin/term               (A bindshell of some sort)
/usr/sbin/init.d        was added and is exactly the same file size as term

System configuration files that were modified/added:
/etc/hosts.allow        made specific allowances for the .dk domain, as well
as .cais.net .cais.com
/etc/passwd     two new accounts were added with the same password (DES
hashes, NOT MD5)
/etc/shadow     The added accounts were lpd 1212:1212, and admin 0:0
/etc/inetd.conf 200+ lines of whitespace added, and then the single
telnet entry
/etc/services   was modified for telnet to start on port 42121
/etc/resolv.conf a new nameserver was added... 
/etc/psdevtab   haven't examined closely yet
/etc/rc.sysinit  a line was added to start the /usr/sbin/init.d  
trojan/backdoor
/etc/rc.local   after much whitespace was added, the following lines were at
the bottom of the rc.local file:

        killall -9 rpc.statd
        killall -9 gdm
        killall -9 gpm
        killall -9 lpd
        term
        klogd
        "/usr/bin/share/mysqld"
        /sbin/ipchains -I input -p tcp -d 0/0 3879 -j DENY


Hope this helps other folks who will or have already encountered this
attack.

Sorry for the ramble... it's been a long night.

- - -- 
William Salusky
Manager: Security Services
DMZ Services
change () dmzs com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBO+/3KQCUWsrXYo1REQJl9ACfW+0jF0t4u3fLqRGnlhAImy1nAhoAn3Hr
oI9jc5XUZq/GOvz4MKqsnrKP
=RFnF
-----END PGP SIGNATURE-----
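The configuration-side indicators William lists (an extra UID 0 account, two added accounts sharing a DES hash, telnet moved to 42121 in /etc/services, a single inetd.conf entry and the rc.local tail buried under hundreds of blank lines) can be checked mechanically against copies of the files pulled off the mounted disk. The script below is an added example and not part of the original post or of any tool mentioned in it; the file contents, account names and password hashes are constructed to resemble the described changes, and the function names and the 50-blank-line threshold are my own choices.

```python
"""Triage checks for the host-configuration indicators listed in the post above.
Added example, not part of the original message. Every sample file here is
constructed to mirror the changes the post describes; none is a copy of the
compromised host's files, and the password hashes are made up."""
import re
from collections import defaultdict
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:
lpd:x:1212:1212::/:/bin/bash
admin:x:0:0::/:/bin/bash
"""
# root uses $1$ MD5-crypt; the two added accounts share one 13-char DES hash.
SHADOW = """\
root:$1$Zx9qLm3k$Jn0vWq2tYb7Rc4Hs8Ke1PA:11650:0:99999:7:::
lpd:Uk3qTb8nWe1zY:11650:0:99999:7:::
admin:Uk3qTb8nWe1zY:11650:0:99999:7:::
"""
SERVICES = "ftp 21/tcp\nssh 22/tcp\ntelnet 42121/tcp\nsmtp 25/tcp mail\n"
INETD = "#\n# inetd.conf\n#\n" + "\n" * 200 + \
    "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
RC_LOCAL = "#!/bin/sh\ntouch /var/lock/subsys/local\n" + "\n" * 150 + """\
killall -9 rpc.statd
killall -9 gdm
killall -9 gpm
killall -9 lpd
term
klogd
"/usr/bin/share/mysqld"
/sbin/ipchains -I input -p tcp -d 0/0 3879 -j DENY
"""
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional crypt(3) output

def uid0_accounts(passwd_text):
    """Login names with UID 0 other than root (the post's 'admin 0:0')."""
    rows = [l.split(":") for l in passwd_text.splitlines()]
    return [f[0] for f in rows if len(f) >= 3 and f[2] == "0" and f[0] != "root"]

def suspicious_shadow(shadow_text):
    """(accounts with a DES hash, {hash: accounts sharing it}). A 13-char DES
    hash beside $1$ entries was not made by this system's passwd(1)."""
    des, by_hash = [], defaultdict(list)
    for f in (l.split(":") for l in shadow_text.splitlines() if ":" in l):
        if DES_HASH.match(f[1]):
            des.append(f[0])
        if f[1] not in ("", "*", "!", "!!"):   # locked entries share nothing
            by_hash[f[1]].append(f[0])
    return des, {h: n for h, n in by_hash.items() if len(n) > 1}

def relocated_services(services_text, expected):
    """{service: port} for entries whose port differs from the value in `expected`."""
    found = {p[0]: int(p[1].split("/")[0]) for p in
             (l.split() for l in services_text.splitlines())
             if len(p) >= 2 and p[1].split("/")[0].isdigit()}   # skips comments
    return {s: port for s, port in found.items() if s in expected and port != expected[s]}

def hidden_tail(text, min_blank=50):
    """(run length, active lines after it) for the first run of >= min_blank blank
    lines: the padding trick that keeps `head` and `more` showing nothing."""
    lines, run = text.splitlines(), 0
    for i, line in enumerate(lines):
        run = 0 if line.strip() else run + 1
        if run >= min_blank and (i + 1 == len(lines) or lines[i + 1].strip()):
            return run, [l.strip() for l in lines[i + 1:]
                         if l.strip() and not l.lstrip().startswith("#")]
    return 0, []

def classify_rc(tail):
    """Split rc.local commands into (killed processes, firewall rules, started programs)."""
    kills, fw, started = [], [], []
    for s in tail:
        cmd = s.strip('"').split()[0]        # the post shows "/usr/bin/share/mysqld" quoted
        if cmd == "killall":
            kills.append(s.split()[-1])
        elif cmd.endswith(("ipchains", "iptables")):
            fw.append(s)
        else:
            started.append(cmd)
    return kills, fw, started

def triage(passwd, shadow, services, inetd, rc_local):
    """Run every check and return the findings as strings."""
    out = [f"passwd: extra UID 0 account '{n}'" for n in uid0_accounts(passwd)]
    des, shared = suspicious_shadow(shadow)
    out += [f"shadow: '{n}' has a DES hash" for n in des]
    out += [f"shadow: {', '.join(n)} share one password" for n in shared.values()]
    out += [f"services: {s} moved to port {p}" for s, p in
            relocated_services(services, {"ftp": 21, "ssh": 22, "telnet": 23}).items()]
    run, tail = hidden_tail(inetd)
    if tail:
        out.append(f"inetd.conf: {len(tail)} entry hidden below {run} blank lines")
    run, tail = hidden_tail(rc_local)
    if tail:
        kills, fw, started = classify_rc(tail)
        out.append(f"rc.local: {run} blank lines, then kills {kills}, "
                   f"starts {started}, adds firewall rule(s) {fw}")
    return out

if __name__ == "__main__":
    print("\n".join(triage(PASSWD, SHADOW, SERVICES, INETD, RC_LOCAL)))
```

Run it against files copied from the mounted disk rather than on the live host: with ps, netstat and ls trojaned, nothing the box itself reports can be trusted, which is why the author's plan of examining the drive offline is the right one. Two things the rc.local tail shows are worth keeping in mind when reading the output: the bare names term and klogd are resolved through PATH, so the planted /bin/term and /bin/klogd shadow whatever the names used to mean, and killing rpc.statd and lpd also shuts two services that were common remote entry points on Red Hat 6.2, which (my reading, not the post's) would keep a rival intruder from taking the same box.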

