Security Incidents mailing list archives
Re: FTP and RPC based worms [was anyone else ...]
From: delouw () BIGFOOT COM
Date: Wed, 24 Jan 2001 23:44:40 -0000
Hi! It's the same here, but the stuff is installed in /usr/src/.puta. Logfiles seem to be properly wiped; I could not find any hint of where the tools were installed from.

It opens port 47017 waiting for a connection, and watch this:

color:/usr/src # telnet 0 47017
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
SSH-1.5-1.2.27

The process itself:

root 3454 0.2 0.4 1260 592 ttya0 S Jan24 1:28 ./t0rnscan 64 named.txt eth0 0 53

Anybody know where this stuff is coming from?

regards
Luc de Louw
Hi Russell,

Were you running version 2.6.0 of wu-ftp? Looks like this worm has an exploit for 2.6.0. Here is a string dump from various tools in the worm.

It installs in rc.sysinit and starts up with the system.

/usr/src/.poop/ is where the stuff is kept...

FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from packages
FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from ports
FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from packages
FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from ports
RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm (test)
SuSe 6.4 with wuftpd 2.6.0(1) from rpm
SuSe 6.3 with wuftpd 2.6.0(1) from rpm
RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
Redhat 6.0 (knfsd-1.2.2-4)
Redhat 6.1 (knfsd-1.4.7-7)
Redhat 6.2 (nfs-utils-0.1.6-2)
RedHat 7.0 - Guinesss-dev
RedHat 7.0 - Guinesss

regards,
Royans

On Tue, 16 Jan 2001, Russell Fulton wrote:

On Mon, 15 Jan 2001 14:40:16 +0200 Mihai Moldovanu <mihaim () PROFM RO> wrote:

Yes. The same problem here. But not only 111, 21 also.

We deployed a honeypot and waited to be compromised. It took 12 hours to be compromised. I took it out of the network and this is what I found on it: it seems like a worm that installs StatDXscan (Class B rpc.statd scanner), a wu-ftpd scanner, a modified t0rn rootkit along with the Adore LKM rootkit, and flood tools: Sl2, smurf5, and a trojaned sshd running on port 48480.

t0rnscan has inside it the following string: irc.webbernet.net:6667
We had a machine compromised in the early hours of this morning via wu-ftpd. Here are the network traffic logs as generated by argus, interleaved with my interpretation:

initial FIN/SYN scan packet
16 Jan 01 01:06:48 tcp 194.163.254.235.21 <o> 130.216.7.109.21 2 1 0 0 FSR_SA

Grab ftp banner:
16 Jan 01 01:06:49 tcp 194.163.254.235.1239 -> 130.216.7.109.21 6 5 0 95 FSRA_FSPA

compromise via site exec (recorded independently by snort)
16 Jan 01 01:08:00 tcp 194.163.254.235.1255 o> 130.216.7.109.21 19 17 1678 2051 SRPA_SPA

get tools to install from 'home'
16 Jan 01 01:08:15 tcp 130.216.7.109.2846 -> 194.163.254.235.27374 39 69 545 95282 FSPA_FSPA

launch scanner on 156.82.0.0/8
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.1.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.2.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.3.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.4.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.5.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.6.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.7.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.8.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.9.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.10.21 1 0 0 0 FS_

All fairly standard stuff except that the whole process took under 2 minutes from initial probe to launching the scanner. I conclude that what we have here is a worm spreading via ftp.

I have port scanned the compromised system and it is listening on port 27374, the same as the one on 194.163.254.235 where it got its tools from. When I connected to this port via telnet I got a large amount of binary data dumped to the terminal. No other unusual ports open.

I have not examined the compromised system myself yet, it's in another department across campus.

I scanned our network traffic for the last couple of days looking for traffic to tcp 27374 and found very slow scans going from one address.

194.163.254.235 also probed tcp 111 on machines that responded to the ftp scan but were not vulnerable to their ftp exploit.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.

--
Royans K Tharakan
http://security.royans.net/
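As an added example, not part of the thread, a small Python pass over argus-style flow records laid out as in Russell's log above: it flags a host that completes an inbound FTP exchange, then within a short window pulls data from the peer's tcp/27374 and sends unanswered port 21 -> 21 SYNs to many addresses. The records are constructed with documentation-range addresses; the regex, function names and thresholds are my own, not argus's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records in the argus "ra" layout quoted in the thread:
# date time proto src.port dir dst.port spkts dpkts sbytes dbytes state.
# Addresses are documentation ranges, not the hosts from the report.
SAMPLE_LOG = """\
16 Jan 01 01:06:48 tcp 203.0.113.5.21 <o> 192.0.2.10.21 2 1 0 0 FSR_SA
16 Jan 01 01:06:49 tcp 203.0.113.5.1239 -> 192.0.2.10.21 6 5 0 95 FSRA_FSPA
16 Jan 01 01:08:00 tcp 203.0.113.5.1255 o> 192.0.2.10.21 19 17 1678 2051 SRPA_SPA
16 Jan 01 01:08:15 tcp 192.0.2.10.2846 -> 203.0.113.5.27374 39 69 545 95282 FSPA_FSPA
16 Jan 01 01:08:22 tcp 192.0.2.10.21 o> 198.51.100.1.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 192.0.2.10.21 o> 198.51.100.2.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 192.0.2.10.21 o> 198.51.100.3.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 192.0.2.10.21 o> 198.51.100.4.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 192.0.2.10.21 o> 198.51.100.5.21 1 0 0 0 FS_
16 Jan 01 01:09:00 tcp 192.0.2.20.40000 -> 198.51.100.9.80 5 4 300 900 FSPA_FSPA
"""

LINE = re.compile(r"^(\d\d \w{3} \d\d \d\d:\d\d:\d\d) (\w+) (\S+)\.(\d+) \S+ "
                  r"(\S+)\.(\d+) (\d+) (\d+) \d+ \d+ (\S+)$")

def parse(text):
    """Yield (time, proto, src, sport, dst, dport, spkts, dpkts, state); skip commentary."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d %b %y %H:%M:%S")
            yield (ts, m.group(2), m.group(3), int(m.group(4)), m.group(5),
                   int(m.group(6)), int(m.group(7)), int(m.group(8)), m.group(9))

def find_ftp_worm_hosts(text, window=timedelta(minutes=5), min_targets=5):
    """Flag hosts that completed an inbound FTP exchange, then within `window`
    pulled data from the peer's tcp/27374 and SYN-scanned tcp/21 on >= min_targets hosts."""
    ftp_in, fetch_out, scan_targets = {}, {}, defaultdict(set)
    for ts, proto, src, sport, dst, dport, spkts, dpkts, state in parse(text):
        if proto != "tcp":
            continue
        if dport == 21 and dpkts > 0 and "P" in state:     # FTP session that carried data
            ftp_in.setdefault(dst, ts)                     # remember the first one per host
        elif dport == 27374 and src in ftp_in:             # tool fetch from the peer's port
            fetch_out[src] = ts
        elif sport == 21 and dport == 21 and dpkts == 0 and state == "FS_":
            scan_targets[src].add(dst)                     # unanswered SYN, port 21 -> 21
    flagged = {}
    for host, t0 in ftp_in.items():
        n = len(scan_targets[host])
        if host in fetch_out and fetch_out[host] - t0 <= window and n >= min_targets:
            flagged[host] = {"ftp_at": t0, "fetch_at": fetch_out[host], "scanned": n}
    return flagged
```

Commentary lines interleaved with the records, like Russell's, are skipped by the regex, so the thread's log can be fed in as pasted.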