oss-sec mailing list archives
Re: SEANux 1.0 remote back door
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Sat, 24 Jan 2015 18:17:56 -0500
After discussing this with the SEA, we've determined this is a misconfiguration. They are planning on fixing it in the next release. The fix is simply modifying apache's ports.conf to bind apache to localhost.

    # cat ports.conf |grep -n 127
    8:NameVirtualHost 127.0.0.1:80
    9:Listen 127.0.0.1:80

Actually one of the fastest vendor responses I've ever seen. :-)
On Jan 24, 2015, at 3:05 PM, Larry W. Cashdollar <larry0 () me com> wrote:

Hello All,

I thought you might be interested in this from my blog with screen shots http://www.vapid.dhs.org/blog/01-23-2015/ :

SEANux 1.0 backdoor
Larry W. Cashdollar
1/23/2015

SEANux 1.0 is a linux distribution (available here) developed by the Syrian Electronic Army. It has an apache webserver listening on 0.0.0.0:80

    root@larry-VirtualBox:/etc/mysql# netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
    tcp        0      0 192.168.0.33:22         192.168.0.22:53474      ESTABLISHED
    tcp6       0      0 ::1:6010                :::*                    LISTEN
    tcp6       0      0 :::80                   :::*                    LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    tcp6       0      0 ::1:631                 :::*                    LISTEN
    tcp6       1      0 ::1:57375               ::1:631                 CLOSE_WAIT
    udp        0      0 0.0.0.0:68              0.0.0.0:*
    udp        0      0 0.0.0.0:52375           0.0.0.0:*
    udp        0      0 0.0.0.0:5353            0.0.0.0:*
    udp        0      0 0.0.0.0:41938           0.0.0.0:*
    udp        0      0 0.0.0.0:31229           0.0.0.0:*
    udp        0      0 127.0.1.1:53            0.0.0.0:*
    udp6       0      0 :::37598                :::*
    udp6       0      0 :::5353                 :::*
    udp6       0      0 :::12590                :::*
    udp6       0      0 :::52638                :::*
    udp6       0      0 :::546                  :::*
    Active UNIX domain sockets (servers and established)

This apache server is a tool server hosting web based tools by the SEA. One of the tools is a backdoor to the system. The path http://192.168.0.33/tools/sea.php is a back door for the SEA.

Here is a screen shot after logging in:

Lines 6-15 of sea.php contain the credentials:

    6 $user = 'SEA';
    7 $pass = 'SEA';
    8 $uselogin = 1;
    9 $sh3llColor = "#0040FF";
    10
    11 # MySQL Info ---------
    12 $DBhost = "localhost";
    13 $DBuser = "root";
    14 $DBpass = "root";
    15 #---------------------

So I thought this backdoor might allow root access to the mysql database running on port 3306.

But the credentials are set for mysql during setup, and I don't see any other code to run sql queries on the system. Perhaps they just default to root/root as that's a very common password combo for mysql installs?
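The whole finding above reduces to one check: which TCP services are bound to a wildcard address (0.0.0.0 or ::) instead of loopback, and does the ports.conf change actually move port 80 back to 127.0.0.1. The script below is an added example written for this archive page; it is not code from the post, the blog, or SEANux. It parses `netstat -an` text, reports wildcard-bound TCP listeners that are not on an expected list, and verifies that a given port is reachable only via loopback. The first sample is the netstat listing quoted in the post; the second is a constructed listing showing what the same host should look like once Apache listens on 127.0.0.1:80 (assumption: the rest of the listing is unchanged). UDP sockets are deliberately left out since the thread is about the Apache TCP listener.

```python
"""Flag TCP services bound to all interfaces in `netstat -an` output.

Added example for the oss-sec SEANux thread; not code from the post or
from SEANux.  SEANUX_BEFORE is the listing quoted in the post; SEANUX_AFTER
is a constructed listing assuming only the port 80 bind changed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Addresses netstat prints for "listen on every interface".
WILDCARDS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "tcp6"
    addr: str    # local bind address as netstat printed it
    port: int


def _split_addr(local: str) -> tuple[str, int]:
    # netstat prints "addr:port"; IPv6 addresses contain colons themselves
    # (":::80", "::1:631"), so split on the last colon only.
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def parse_tcp_listeners(netstat_output: str) -> list[Listener]:
    """Return every tcp/tcp6 socket in LISTEN state from `netstat -an` text."""
    found: list[Listener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # tcp rows: proto recv-q send-q local foreign state.  Header rows,
        # udp rows (no state column) and unix-socket rows are skipped.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        addr, port = _split_addr(fields[3])
        found.append(Listener(fields[0], addr, port))
    return found


def is_loopback(addr: str) -> bool:
    # 127.0.0.0/8 covers Ubuntu's 127.0.1.1 resolver bind as well.
    return addr.startswith("127.") or addr == "::1"


def exposed_tcp_ports(netstat_output: str,
                      expected: frozenset[int] = frozenset()) -> set[int]:
    """TCP ports bound to a wildcard address that are not on the expected list."""
    return {
        lst.port
        for lst in parse_tcp_listeners(netstat_output)
        if lst.addr in WILDCARDS and lst.port not in expected
    }


def bound_to_loopback_only(netstat_output: str, port: int) -> bool:
    """True if `port` is listening and every bind for it is a loopback address."""
    binds = [lst for lst in parse_tcp_listeners(netstat_output) if lst.port == port]
    return bool(binds) and all(is_loopback(lst.addr) for lst in binds)


# Listing from the post (tcp rows; udp rows omitted, they are ignored anyway).
SEANUX_BEFORE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.33:22         192.168.0.22:53474      ESTABLISHED
tcp6       0      0 ::1:6010                :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       1      0 ::1:57375               ::1:631                 CLOSE_WAIT
Active UNIX domain sockets (servers and established)
"""

# Constructed: same host after ports.conf says "Listen 127.0.0.1:80".
SEANUX_AFTER = SEANUX_BEFORE.replace(
    "tcp6       0      0 :::80                   :::*                    LISTEN",
    "tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN",
)

if __name__ == "__main__":
    # sshd on 22 is expected to be reachable; anything else wildcard-bound is reported.
    print("before fix, exposed:", sorted(exposed_tcp_ports(SEANUX_BEFORE, frozenset({22}))))
    print("after fix, exposed: ", sorted(exposed_tcp_ports(SEANUX_AFTER, frozenset({22}))))
    print("port 80 loopback-only after fix:", bound_to_loopback_only(SEANUX_AFTER, 80))
```

Run it against a live box with `netstat -an | python3 check.py`-style piping by replacing the samples with `sys.stdin.read()`; the same parser works on `ss -tln` output only if you adjust the column positions, since `ss` prints a different header.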
Current thread:
- SEANux 1.0 remote back door Larry W. Cashdollar (Jan 24)
- Re: SEANux 1.0 remote back door Larry W. Cashdollar (Jan 24)
- Re: SEANux 1.0 remote back door Alexander Cherepanov (Jan 25)
- Re: SEANux 1.0 remote back door Larry W. Cashdollar (Jan 25)
- Re: SEANux 1.0 remote back door Alexander Cherepanov (Jan 25)
- Re: SEANux 1.0 remote back door Larry W. Cashdollar (Jan 25)