Security Incidents mailing list archives
Re: Systems compromised with ShellBOT perl script - part 2
From: Shashank Rai <shashrai () emirates net ae>
Date: Wed, 08 Sep 2004 12:30:32 +0400
Hi Kirby, great work!! Is it possible to get the gzipped files?

BTW, as for doze4 ... a scan with f-prot (linux cmd line edition) identifies it as "Infection: Unix/RST.B". An online scan on http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as Linux.RST.b

Here is Sophos's description of RST.B (from http://www.sophos.com/virusinfo/analyses/linuxrstb.html):

------
Linux/Rst-B will attempt to infect all ELF executables in the current working directory and the directory /bin.

If Linux/Rst-B is executed by a privileged user then it may attempt to create a backdoor on the system. This is achieved by opening a socket and listening for a particular packet containing details about the origin of the attacker and the command the attacker would like to execute on the system.
-----------

There was a discussion on FD recently, where the original poster had started a Debian machine with port 22 open and a non-priv user id of guest/guest .... in order to be a victim of the recent SSH scans. The crackers who got into this system had also downloaded an RST.B infected binary.

cheers,
--
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523 Office
+971-50-6670648 Cell
GPG key: http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5

On Sat, 2004-09-04 at 03:37, Kirby Angell wrote:
snip...
doze4
------------
I downloaded the "doze4" program and found it to be an elf binary. Google didn't turn up the source code, but I have disassembled it. I'm not one with Linux assembly language but it's not terribly long and seems to be a pretty basic DOS app. Not terribly sure why they didn't just use the one built into the script, but there is probably a good reason.

doze4 identifies itself as:

* * doze4 - written by phyton * *
doze4 rOckz! evite hosts.. use ips!
Usage: %s <ip> <porta> <spoof>
<ip> : endereço que deseja f***r. (address that it desires to f***r)
<porta> : porta aperta (coloque 0, que é rOckz) (door presses (places 0, that he is rOckz))
<spoof> : um ip para ser spoofado (sua mascara). (a to be spoofado IP (its masks))

doze4 as well as .egg2 was written by someone who speaks Portuguese.

Summary
-------------
The same IP was used to initiate the attack both times. I notified the owner of that IP yesterday, but never received a response. Tonight I will be going through the list of compromised machines and notifying as many as possible of the problem.

The files:
doze4           elf binary of DOS tool
doze4.asm       disassembled version of doze4
wget-doze4.cap  tcpdump capture of IRC session
egg2-live       dangerous version of IRC bot
egg2-neutered   egg2 with portscan and DOS disabled (but SHELL access is still live)
hkz.txt         PHP injection script
irclog.txt      text output of IRC connection
readme.txt      this file
are available in a .tar.gz file for anyone who requests it.

Tuesday night my test server was attacked with a SYN flood; I expect worse this time so I've locked it down so it will just log everything. We don't put this kind of thing on our production web servers, so just shoot me an email at kangell () alertra com if you want the archive.

--
Thank you,
Kirby Angell
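A baseline check for the infector behaviour in the Sophos description quoted above (every ELF executable in a directory and in /bin being rewritten), added here as an example; it is not code from this thread or from any tool discussed in it. It assumes GNU coreutils (sha256sum, head -c) and a POSIX awk, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Record the SHA-256 of every ELF
# file directly inside a directory, then re-check later: an infector that
# rewrites ELF executables in the cwd or /bin shows up as MODIFIED entries.
# Assumes GNU coreutils (sha256sum, head -c) and POSIX awk.

# Print "path sha256" for each regular file directly inside the given
# directories whose first four bytes are the ELF magic (7f 45 4c 46).
# Paths containing spaces are not handled (awk splits on whitespace below).
elf_hashes() {
    for dir in "$@"; do
        find "$dir" -maxdepth 1 -type f 2>/dev/null | sort | while read -r f; do
            magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
            if [ "$magic" = "7f454c46" ]; then
                printf '%s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
            fi
        done
    done
}

# Compare a saved baseline (output of elf_hashes) against the current state
# of the same directories. Prints one MISSING / NEW / MODIFIED line per
# difference and returns 1 if any ELF file changed, 0 otherwise.
verify_elf_baseline() {
    baseline="$1"; shift
    {
        awk 'NF==2 {print $1, $2, "B"}' "$baseline"
        elf_hashes "$@" | awk 'NF==2 {print $1, $2, "C"}'
    } | awk '
        { seen[$1] = 1; if ($3 == "B") base[$1] = $2; else cur[$1] = $2 }
        END {
            bad = 0
            for (p in seen) {
                if (!(p in cur))            { print "MISSING  " p; bad = 1 }
                else if (!(p in base))      { print "NEW      " p; bad = 1 }
                else if (base[p] != cur[p]) { print "MODIFIED " p; bad = 1 }
            }
            exit bad
        }'
}

# Typical use: take the baseline from a known-good install, keep it off the
# host, and re-run the check on the suspect machine:
#   elf_hashes /bin > /var/lib/elf-baseline.txt
#   verify_elf_baseline /var/lib/elf-baseline.txt /bin
```

A baseline taken from the suspect host after the compromise only proves that nothing changed since; take it from clean media or a package-manager verification instead.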