Security Incidents mailing list archives
RE: More /sumthin
From: "Jonathan A. Zdziarski" <jonathan () networkdweebs com>
Date: Wed, 26 Feb 2003 16:14:37 -0500
Well whatever bugs this exploits, it seems that from the source code, it is more related to the version of Apache than it is the version of SSL; perhaps something to do with the way they interact. It doesn't even use port 443. Also being that ./openssl was called and not just plain old openssl, and that -a doesn't appear to be a valid openssl command, it's probably calling a script of sorts and we have no idea what that script does.
-----Original Message----- From: Philipp Hug [mailto:securityfocus () hugit ch] Sent: Wednesday, February 26, 2003 9:23 AM To: Sverre H. Huseby; incidents () securityfocus com Subject: Re: More /sumthin I found the root of all evil ;-) the /sumthin tool is attached. I got it from an "owned" server. Philipp ----- Original Message ----- From: "Sverre H. Huseby" <shh () thathost com> To: <incidents () securityfocus com> Sent: Monday, February 03, 2003 9:52 AM Subject: More /sumthin, maybeI got a couple of E-mails from a guy that _may_ have more info on the /sumthin case. One of his servers was "owned", and he _thinks_ the /sumthin request was the start of the attack. His E-mails follow: ================================================================== I got hit with the same thing. /sumthin is exactly what everyone thinks it is - a probe. Someone used my version info to exploit a bug in SSL. I still don't know what the bugs are yet, but it's really evident. From there, he looged in as my webserver, and totally F$%^&D my server. He set up some kind of irc server, and compromised so much of my server I'm having to rebuild from the ground up. He redirected the root .bash_history to /dev/nul and redirected the mail logs and he set up an account called tcp so he could log in through ssh. Most of the services were shut down (that's how I figured something was up - I couldn't get my mail). even though he did wipe the root history, he forgot to wipe wwwrun's history, it's too long to post, but it will be up for a short while at http://XXX [Sverre sais: URL removed. log file attached.] He also replaced bash and set the default runlevel to halt, so when I restarted the system just stopped (what a pisser). When I went back and grepped all the logs, the /sumthin only shows up in the logs of one domain (despite the fact we host around [N]) and starts sometime around mid October as everyone else has noticed. ================================================================== I found things like this in /tmp and /var/tmp: drwxr-xr-x 3 wwwrun nogroup 153 Jan 26 04:10 a -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.1 -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.2 -rwxr-xr-x 1 wwwrun nogroup 19577 Nov 28 15:55 alarmd drwxr-xr-x 5 wwwrun nogroup 635 Dec 22 17:00 orbit-root drwxr-xr-x 9 wwwrun nogroup 553 Jan 12 09:52 psybnc -rw-r--r-- 1 wwwrun nogroup 596571 Oct 17 23:19 psybnc.tar.gz after that I did a find / -user wwwrun and found a bunch of stuff and then discovered several other uids involved. ================================================================== The attached shell history file shows what appears to be a manual attacker downloading and installing several files using wget. Some of the files are no longer available, but the few I managed to download seem to be either related to IRC (server and bot), or to Linux local exploits. (I only spent a couple of minutes downloading and glancing at the files.) Sverre. -- shh () thathost com Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/-------------------------------------------------------------------------- -- ------------------------------------------------------------------------------ --This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
Current thread:
- Re: More /sumthin Philipp Hug (Feb 26)
- RE: More /sumthin Jonathan A. Zdziarski (Feb 26)
- Re: More /sumthin D.C. van Moolenbroek (Feb 27)
- RE: More /sumthin Jonathan A. Zdziarski (Feb 26)