Re: Systems compromised with ShellBOT perl script - part 2

[Shashank Rai <shashrai () emirates net ae>]

Hi Kirby,

great work!! is it possible to get the gzipped files? BTW as for doze4
... a scan with f-prot (linux cmd line edition) identifies it as 
"Infection: Unix/RST.B". An online scan on
http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as
Linux.RST.b
Here is Spohos description of RST.B (from
http://www.sophos.com/virusinfo/analyses/linuxrstb.html):
------
Linux/Rst-B will attempt to infect all ELF executables in the current
working directory and the directory /bin 

If Linux/Rst-B is executed by a privileged user then it may attempt to
create a backdoor on the system. This is achieved by opening a socket
and listening for a particular packet containing details about the
origin of the attacker and the command the attacker would like to
execute on the system.
-----------

There was a discussion on FD recently, where the original poster had
started a Debian machine with port 22 open and a non-priv user id of
guest/guest .... in order to be a victim of the recent SSH scans. The
crackers who got into this system had also downloaded RST.B infected
binary.

cheers,
-- 
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523   Office
    +971-50-6670648  Cell
GPG key:
http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5


On Sat, 2004-09-04 at 03:37, Kirby Angell wrote:
snip...

> doze4
> - ------------
> I downloaded the "doze4" program and found it to be an elf binary.
> Google didn't turn up the source code, but I have disassmbled it.  I'm
> not one with Linux assembly language but its not terribly long and seems
> to be a pretty basic DOS app.  Not terribly sure why they didn't just
> use the one built into the script, but there is probably a good reason.
> ~ doze4 identifies itself as:
>
> * * doze4 - written by phyton
> * * doze4 rOckz! evite hosts.. use ips!
> Usage: %s <ip> <porta> <spoof>
> <ip>     : endereço que deseja f***r. (address that it desires to f***r)
> <porta>  : porta aperta  (coloque 0, que é rOckz) (door presses (places
> 0, that he is rOckz))
> <spoof>  : um ip para ser spoofado (sua mascara). (a to be spoofado IP
> (its masks))
>
> doze4 as well as .egg2 was written by someone who speeks Portugese.
>
> Summary
> - -------------
> The same IP was used to initiate the attack both times.  I notified the
> owner of that IP yesterday, but never received a response.  Tonight I
> will be going through the list of compromised machines and notifying as
> many as possible of the problem.
>
> The files:
>
> doze4         elf binary of DOS tool
> doze4.asm     disassembled version of doze4
> wget-doze4.cap        tcpdump capture of IRC session
> egg2-live     dangerous version of IRC bot
> egg2-neutered egg2 with portscan and DOS disabled
>               (but SHELL access is still live)
> hkz.txt               PHP injection script
> irclog.txt    text output of IRC connection
> readme.txt      this file
>
> are available in a .tar.gz file for anyone who requests it.  Tuesday
> night my test server was attacked with a SYN flood; I expect worse this
> time so I've locked it down so it will just log everything.  We don't
> put this kind of thing on our production web servers, so  just shoot me
> an email at kangell () alertra com if you want the archive.
>
> - --
> Thank you,
>
> Kirby Angell