Security Incidents mailing list archives
Re: FTP and RPC based worms [was anyone else ...]
From: slim bones <slim () io com>
Date: Tue, 16 Jan 2001 04:20:24 -0600
thanks for the prior info y'all. a summary of what's inside that tgz coming out of tcp 27374.

s.b

--[ overview

Initial analysis of "Ramen" worm. Basic but apparently somewhat effective lpd/ftp/statd worm. Lives in /usr/src/.poop/, opens tcp 27374 for propagation. Keep in mind some of this is guesswork, and I stand to be corrected.

File ramen.tgz was obtained from 4 different IP addresses with:

  lynx -source http://IP:27374 > ramen.tgz

All downloads ended up being the same file.

--[ contents

95282 Jan 15 22:22 ramen.tgz
  ramen.tgz: gzip compressed data, deflated, original filename, last modified: Sat Jan 13 14:35:18 2001, os: Unix
  26 files. Many modification times afternoon of Jan 13.

434 Jan 11 22:49 start.sh
  start.sh: Bourne shell script text
  initial startup. script replaces any index.html file on the system with its own. remove /etc/hosts.deny. differentiate between rh62 and rh7, and copy appropriate binaries in place for: synscan [scanner], w [ftpd exploit], l [lpd exploit], s [statd exploit], randb [class B net generator]. append start62.sh or start7.sh to /etc/rc.d/rc.sysinit. run bd62.sh / bd7.sh, and start62.sh / start7.sh.

373 Jan 13 13:10 index.html
  -- cheesy signature

285 Jan 13 13:40 bd62.sh
  bd62.sh: Bourne shell script text
213 Jan 11 22:25 bd7.sh
  bd7.sh: Bourne shell script text
  install trojan asp service (tcp 27374) and add it to inetd, restart inetd. "secure" the host: include 'ftp' and 'anonymous' in /etc/ftpusers, kill rpc.statd and rpc.rstatd, remove their binaries.

112 Jan 13 13:24 start62.sh
  start62.sh: Bourne shell script text
112 Jan 13 13:24 start7.sh
  start7.sh: Bourne shell script text
  initialize scanning / rooting engine - erase and touch .l & .w, future lists of IPs to try. start scan.sh, hackl.sh, and hackw.sh.

216 Jan 11 22:26 scan.sh
  scan.sh: Bourne shell script text
  determine whether the system is using a ppp or ethernet interface, start synscan at the appropriate speed. scans IPs produced by ./randb, port 21. may output results to .l and/or .w, or .heh

67 Jan 13 14:34 hackl.sh
  hackl.sh: Bourne shell script text
  attempt lpd exploit. as IP entries are added to .l, run lh.sh against them.

210 Jan 13 13:26 lh.sh
  lh.sh: Bourne shell script text
  runs ./l against an IP addr specifying varying return addresses and options

19632 Jan 13 14:05 l62
  l62: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
21358 Jan 13 15:10 l7
  l7: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
  probably lpd exploit.

67 Jan 13 13:28 hackw.sh
  hackw.sh: Bourne shell script text
  attempt ftpd and statd exploits. as IP entries are added to .w, run wh.sh against them.

35 Jan 13 13:27 wh.sh
  wh.sh: Bourne shell script text
  run ./w and ./s against the IP

34620 Jan 13 14:05 w62
  w62: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
36706 Jan 13 15:13 w7
  w7: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
  probably wuftpd exploit

19619 Jan 13 14:05 s62
  s62: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
21721 Jan 13 15:13 s7
  s7: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
  probably statd exploit

--[ remaining files

267 Jan 12 18:47 asp
  asp: ASCII text
  trojan asp service config file. not referenced.

12546 Jan 11 22:34 asp62
  asp62: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
14180 Jan 11 22:58 asp7
  asp7: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
  trojan asp daemon that serves up ramen.tgz.

553 Jan 11 22:26 getip.sh
  getip.sh: Bourne shell script text
  IP address > ./myip

12331 Jan 11 22:34 randb62
  randb62: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
13973 Jan 11 22:58 randb7
  randb7: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
  spits out random class B network addresses

25888 Jan 11 22:37 synscan62
  synscan62: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
27076 Jan 11 22:58 synscan7
  synscan7: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
  synscan

34588 Jan 11 22:28 wu62
  wu62: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
  perhaps another wu-ftpd rh62 exploit / replication code. not referenced.
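A defender-side host check built from the behaviour listed in the post above, as an added example that is not part of the original message: it looks for the on-disk traces the analysis describes (the /usr/src/.poop directory, the start62.sh/start7.sh line appended to rc.sysinit, the trojan asp service registered with inetd on tcp 27374, the removed /etc/hosts.deny, and 'anonymous' added to /etc/ftpusers). The exact form of the /etc/inetd.conf and /etc/services entries, and the ROOT prefix used to run it against a mounted image or test tree, are assumptions.

```shell
#!/bin/sh
# Ramen on-disk indicator check (added example, not code from the post).
# Usage: ramen_indicators [ROOT]   ROOT = "" for the live host, or the
# mount point of an image / a constructed test tree (assumption).

ramen_indicators() {
    root="${1:-}"
    hits=0
    hit() { echo "HIT: $1"; hits=$((hits + 1)); }

    # start.sh keeps the toolkit in /usr/src/.poop/
    [ -d "$root/usr/src/.poop" ] && hit "$root/usr/src/.poop exists"

    # start.sh appends start62.sh or start7.sh to /etc/rc.d/rc.sysinit
    if [ -f "$root/etc/rc.d/rc.sysinit" ] &&
       grep -qE 'start(62|7)\.sh' "$root/etc/rc.d/rc.sysinit"; then
        hit "rc.sysinit runs start62.sh/start7.sh"
    fi

    # bd62.sh/bd7.sh register the trojan 'asp' service (tcp 27374) with
    # inetd; the entry names below are assumptions about how that is done
    if [ -f "$root/etc/inetd.conf" ] &&
       grep -qE '^asp[[:space:]]' "$root/etc/inetd.conf"; then
        hit "inetd.conf has an 'asp' entry"
    fi
    if [ -f "$root/etc/services" ] &&
       grep -qE '[[:space:]]27374/tcp' "$root/etc/services"; then
        hit "services maps tcp 27374"
    fi

    # start.sh removes /etc/hosts.deny outright
    [ -d "$root/etc" ] && [ ! -e "$root/etc/hosts.deny" ] &&
        hit "/etc/hosts.deny is missing"

    # bd62.sh/bd7.sh add 'ftp' and 'anonymous' to /etc/ftpusers
    if [ -f "$root/etc/ftpusers" ] && grep -qx 'anonymous' "$root/etc/ftpusers"; then
        hit "ftpusers lists 'anonymous'"
    fi

    # last line is the machine-readable summary: "<n> indicator(s) found"
    echo "$hits indicator(s) found"
}

if [ $# -gt 0 ]; then ramen_indicators "$1"; fi
```

Any single hit is worth a closer look, but several together are a strong match for this toolkit; the missing hosts.deny check on its own is a weak signal since the file is absent on many hosts.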