Security Incidents mailing list archives

interesting backdoor


From: Matthew Rich <matthew () chicagointernet com>
Date: Thu, 11 Jul 2002 15:15:26 -0500

My company's webserver began attacking our firewall yesterday; upon
close inspection I discovered a daemon running on it that definitely
shouldn't have been there, and I'm curious if anyone has seen it
before or can provide any info on it.

Disclaimer: I'm just a web programmer, not a security expert. The
server it was on is my responsibility, but it hasn't been locked
down very tightly. It's running Apache 1.3.12 and BIND 8.2.3, among
other services. It is a cobalt raq4, pretty much unpatched.

The daemon can be downloaded from my personal web server:
http://orbistertius.net/sd.tar.gz
(I'm going to take this down in a day or so.)

It was installed to /usr/local/sd. Inside that directory were two
files, 'sd' (the daemon) and 'pass'. Running "strings sd" produces
some interesting output, including:
Access Denied
/usr/local/sd/shadow.bak
/etc/shadow
admin
root
echo -n `/sbin/ifconfig eth0 | /bin/grep 'inet addr' | /usr/bin/cut
-f 2 -d':' | /usr/bin/cut -f 1 -d' '` > /tmp/ipfile
/tmp/ipfile
socket
bind
listen
connected
Challenge: 
send
Access Denied
failed to authenticate
authenticated
Access Granted
/usr/local/sd/shadow.bak
Password reset
You have 10 seconds to access the server
Password restored

When it is started, it immediately forks and binds itself to port
7001. When connected to via nc, it opens up /usr/local/sd/pass (this
is hard coded it seems) and prints out some sort of challenge with a
random string, like:
Challenge: FX 7d9af5627d1fb4d80b5f4803d2e61bf1 FX

I then guess a password, and it prints "Access Denied" and closes
the connection. My guess is that if I got the password right it
would place a backup /etc/shadow on the system and allow me to log
in as root. I tried changing the contents of the "pass" file to see
if I could log in with it on my own workstation but had no success.

I read through the last month or so of this list's traffic, and saw
nothing about this, so I figured I'd go ahead and ask. 

I'm still not sure how the intruder got into the system and placed
this there, so any pointers would be appreciated.

Thanks,
Matthew
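Added example, not part of the post above or of the daemon it describes: three small triage checks a responder could run against the indicators Matthew lists. The first parses `netstat -tlnp` style output and flags TCP listeners outside an allow-list (the post's daemon listens on 7001); the second diffs two snapshots of a shadow(5) file and names the accounts whose hash changed, which is what the "Password reset" / "Password restored" strings suggest happens for root during the 10-second window the poster guesses at; the third is a content signature for the challenge banner, generalizing the single observed line by assuming the hex token is always 32 characters. The netstat sample, both shadow snapshots and the expected-port set are constructed for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -tlnp` output (not from the original post).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      412/httpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      388/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      355/sshd
tcp        0      0 0.0.0.0:7001            0.0.0.0:*               LISTEN      9120/sd
"""

# Ports the administrator expects to be open on this host (assumed for the example).
EXPECTED_LISTENERS: Set[int] = {22, 53, 80}


def unexpected_listeners(netstat_output: str, expected: Set[int]) -> List[Tuple[int, str]]:
    """Return (port, program) pairs for TCP sockets in LISTEN state whose port is not expected."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data rows have exactly 7 fields; the header row and non-TCP rows are skipped.
        if len(fields) < 7 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        program = fields[6].split("/", 1)[1] if "/" in fields[6] else fields[6]
        if port not in expected:
            found.append((port, program))
    return found


# Two constructed shadow(5) snapshots. In the second, only root's hash differs,
# the condition the poster suspects the daemon creates before "Password restored".
SHADOW_BEFORE = """\
root:$1$aaaaaaaa$bbbbbbbbbbbbbbbbbbbbbb:11880:0:99999:7:::
bin:*:11880:0:99999:7:::
admin:$1$cccccccc$dddddddddddddddddddddd:11880:0:99999:7:::
"""

SHADOW_AFTER = """\
root:$1$eeeeeeee$ffffffffffffffffffffff:11880:0:99999:7:::
bin:*:11880:0:99999:7:::
admin:$1$cccccccc$dddddddddddddddddddddd:11880:0:99999:7:::
"""


def parse_shadow(text: str) -> Dict[str, str]:
    """Map account name to the password-hash field (field 2 of a shadow(5) line)."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        entries[parts[0]] = parts[1]
    return entries


def changed_hashes(before: str, after: str) -> List[str]:
    """Accounts whose hash field differs between two snapshots, or that appear only in the later one."""
    old, new = parse_shadow(before), parse_shadow(after)
    return sorted(name for name in new if old.get(name) != new[name])


# Signature for the banner the poster saw: "Challenge: FX <32 hex chars> FX".
# The fixed 32-character length is an assumption drawn from that one observation.
CHALLENGE_RE = re.compile(r"^Challenge: FX [0-9a-f]{32} FX\s*$")


def is_sd_challenge(line: str) -> bool:
    """True if a captured line matches the daemon's challenge banner format."""
    return CHALLENGE_RE.match(line) is not None


if __name__ == "__main__":
    for port, prog in unexpected_listeners(SAMPLE_NETSTAT, EXPECTED_LISTENERS):
        print(f"unexpected listener: tcp/{port} ({prog})")
    for name in changed_hashes(SHADOW_BEFORE, SHADOW_AFTER):
        print(f"hash changed for account: {name}")
    print(is_sd_challenge("Challenge: FX 7d9af5627d1fb4d80b5f4803d2e61bf1 FX"))
```

Because the daemon's own strings advertise a swap-and-restore that lasts about ten seconds, a once-a-day integrity checker would see an unchanged /etc/shadow; `changed_hashes` is only useful if snapshots are taken at a short interval or on a file-change notification, and the listener check is what catches the daemon while it is idle.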


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com