Security Incidents mailing list archives
Re: Port 10008
From: <jlewis () lewis org>
Date: Mon, 21 May 2001 12:48:13 -0400 (EDT)
On Tue, 15 May 2001 jlewis () lewis org wrote:
I got some scans on port 10008 as well. The really odd thing is this. If you port scan them back, you'll find that on some high TCP port, if you connect and send a few newlines, it'll reply with a uuencoded cheese.tgz file. I took a very brief look at the contents of cheese.tgz. The comments say it's a cleaner, written to remove root shells from inetd.conf. There's a lot more than that in the code though. Looks like a trojan that's really a scanner.
I got a bunch of requests "please send me the file" and felt kind of silly having said "looks like a trojan" without really taking a close look at it...so I just did take a few minutes to take a closer look. This thing is pretty funny. It's not really a trojan. I don't think they expect anyone to download and run this willingly. I'm not sure what the best term for it is. Maybe a parasitic worm.

It's a scanner that looks for systems already broken into by someone else using a package that put a root shell on port 10008. When it finds a host with a root shell on 10008/tcp, it forks a server that serves cheese.uue, connects to the remote host, has that host download cheese.uue from the host that's infecting it, uudecodes and untars the file, sets mtimes on its own files on the new host to that of the local /bin/sh, perhaps to evade "find new files" security scripts, tries to remove the root shell from inetd.conf, then starts up a new scanner scanning a randomly selected /16 from a predetermined range, and sets the process name to httpd.

The comment is kind of funny:

# removes rootshells running from /etc/inetd.conf
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# Infact, it was written to try and do some good.

The funny thing is that unless there's code hidden in the scanner binary (a Linux ELF binary that relies on libc version 6) that does some sort of back door, I think the comment above is actually true. This thing just uses hacked boxes to look for other hacked boxes, undoes the root shell via inetd backdoor someone else left, and spreads. It's a kind of pointless noble effort since those systems that were hacked will likely be re-hacked...but I don't see anything really malicious in cheese.
--
----------------------------------------------------------------------
Jon Lewis <jlewis () lewis org>      | I route
System Administrator                 | therefore you are
Atlantic Net                         |
http://www.lewis.org/~jlewis/pgp for PGP public key
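Two of the host-side checks a defender would want after reading the above, written here as an added example (this is not code from the thread or from cheese itself): one parses an inetd.conf for entries that hand a connecting client a shell directly, the other sweeps a tree for files whose mtime exactly matches a reference file such as /bin/sh, which is the timestamp trick the post describes and which "find -newer" style scripts miss. The inetd.conf contents, the temporary file tree and the service name 10008 are constructed sample data.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample inetd.conf: the last line is the kind of root-shell
# entry the post says cheese looks for and then tries to remove.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample, not from a real host)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
10008   stream  tcp  nowait  root  /bin/sh         sh -i
"""

SHELL_NAMES = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}

def find_inetd_shells(conf_text):
    """Return (service, user, program) for entries whose server is a shell.

    inetd.conf fields: service socktype proto wait/nowait user program args.
    A shell as the server program is a bind shell, whatever the port.
    """
    hits = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        service, user, program = fields[0], fields[4], fields[5]
        if os.path.basename(program) in SHELL_NAMES:
            hits.append((service, user, program))
    return hits

def files_with_mtime_of(reference, root):
    """List files under root whose mtime equals reference's mtime exactly.

    Compared in nanoseconds; legitimate files installed in one batch may
    collide too, so treat hits as candidates to inspect, not verdicts.
    """
    target = os.stat(reference).st_mtime_ns
    ref_real = os.path.realpath(reference)
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.realpath(path) == ref_real:
                continue
            if os.lstat(path).st_mtime_ns == target:
                matches.append(os.path.relpath(path, root))
    return sorted(matches)

def demo():
    """Constructed tree: a fake /bin/sh, one timestomped file, one normal file."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "sh")
        Path(ref).write_bytes(b"#!/bin/sh\n")
        os.utime(ref, ns=(1_000_000_000_000_000_000, 1_000_000_000_000_000_000))
        os.makedirs(os.path.join(tmp, "lib"))
        stomped = os.path.join(tmp, "lib", "cheese")
        Path(stomped).write_bytes(b"x")
        st = os.stat(ref)
        os.utime(stomped, ns=(st.st_atime_ns, st.st_mtime_ns))  # copy mtime
        Path(os.path.join(tmp, "normal.txt")).write_bytes(b"y")
        return find_inetd_shells(SAMPLE_INETD_CONF), files_with_mtime_of(ref, tmp)
```

On a real host, point files_with_mtime_of at the actual /bin/sh and a tree such as /usr or /tmp and review the candidates by hand.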