Educause Security Discussion mailing list archives

Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers


From: Warren Petrofsky <petrofsk () SAS UPENN EDU>
Date: Wed, 24 Jan 2007 16:42:36 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are seeing an alarming attack trend on the Penn campus.  Please find
below a summary and preliminary conclusions, followed by some details.
I apologize in advance for the length of this report.  We are very
interested in receiving suggestions and comments from the group, as well
as getting the warning out there, as we have yet to find any reports of
this trend, though as a colleague pointed out, the ISC Storm Center does
show a significant spike in both sources and targets for port 6000
between Dec. 11th and 14th 2006.

Summary and Conclusion:

We have seen a series of single user accounts compromised, with users
using unique, complex (sometimes > 14 char) passwords, that are only sent
over encrypted channels.  In most cases, these users were running an
X-server application on their Windows machine, connecting to a linux or
Solaris server, using ssh tunneling.

Our current working assumption is that there is an active compromise
being spread via vulnerable Xserver installations on port 6000.  After
privilege escalation is achieved, keyloggers are being installed on the
system in general, or all transmissions to the xsession are being logged.

Today, 1/24/07, we have received notice from an administrator at another
university that one of their compromised machines contained full-text
logs of entire xsessions from machines on our campus and others.  These
sessions included texts of emails, root passwords (when su - was
issued), etc.  They are in the process of notifying security/abuse at
each organization for which they have logs.  They also have the shell
script and binary presumably used during this attack, but have not yet
had time for a full analysis.

Details:

Beginning 1/6/07 we received several abuse reports of systems on campus
attacking other .edu machines.  In some cases these were ssh dictionary
attacks against a wide range of external subnets; in at least one case
we found evidence of a compromised account widely probing systems for
the Horde Help Viewer Vulnerability
(http://www.securityfocus.com/bid/17292).

The primary complaint, however, was of our compromised accounts probing
port 6000 on multiple machines across multiple networks.

On several of our machines we found scripts and IRC bots installed in
obfuscated directories like /dev/shm/ /someDirName or
/var/samba/ /samba/.. /someDirName.  (note the spaces and dots).  We
have yet to find a sample of the binary or script attacking port 6000.

In at least one case, a user changed his password from a secured
machine, and within a week, a successful first-attempt login was made
using his new password, from an IP address in Romania.

We discovered that three of the most popular Windows Xserver
applications, Exceed, WinAXE, and Cygwin's Xwin, all silently open port
6000 in the Windows firewall, despite the fact that this is unnecessary
when using ssh port forwarding.  We verified that our users were, in
fact, configured to connect over ssh, and that this was working properly.

A SecurityFocus search turned up at least 3 privilege-escalation
vulnerabilities in the Xorg and XFree86 libraries since August 2006
(links provided at end of message), which these products _may_ be
vulnerable to, though we have no way of knowing which implementation of
X11 they are using (except Cygwin, which is using Xorg).  As far as I
can determine, none of these Windows apps has had a patch or update
after these vulnerabilities were discovered.  Even if they were updated,
as standalone applications, end-users are very unlikely to have applied
any such patches.

Given that in one user's case the plaintext of two, new, very
complicated passwords was apparently known to a remote attacker within
a week of generation, our current assumption is that a software
keylogger was installed on one or both of his Windows machines or that
compromise of the Xserver allowed logging of all data sent to the local
xsession.

Our desktop group is currently examining these machines, but in general,
they were properly updated Windows XP machines, with the Windows
firewall enabled (with port 6000 opened), with SAV installed and
updated.  During one of the first compromises, the local support
provider noted 3 connections to port 6000 on one of these Windows
machines, from three different edu's, to which the user had no
affiliation.

This seems to us to be an expanding network of compromised and attacking
machines, putting significant amounts of sensitive data at risk.  I am
hoping that members of this list can help us determine the mechanism of
this attack, and that this notification helps others identify
compromised machines on their network.

Sincerely,

- --
Warren Petrofsky
petrofsk () sas upenn edu
Information Security Specialist
SAS Computing - University of Pennsylvania
215-573-0999


Please find below a list of X exploits and IP addresses of attacking
machines.

X exploits:
http://www.securityfocus.com/archive/1/456429
http://www.securityfocus.com/archive/1/445812/30/0/threaded
http://www.securityfocus.com/archive/1/444269

General search:
http://www.securityfocus.com/swsearch?query=x11&sbm=%2F&submit=Search%21&metaname=alldoc&sort=swishlastmodified


IP addresses of attacking machines:
81.196.68.48
86.125.106.199
85.120.71.66
80.55.98.90
86.34.211.118



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFt9LM3SthtV8kjpARAvVbAJ9WrJXQLfHPcRdfe2OVF9lkzI5rFQCfckW6
ZqYzqV+euq1+eDfNGBLWuSE=
=4XS/
-----END PGP SIGNATURE-----
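The report's central observation is that Exceed, WinAXE and Cygwin's Xwin open TCP 6000 in the Windows firewall even though an ssh-forwarded session only ever needs connections from 127.0.0.1, and that one support provider saw three unrelated .edu hosts connected to a user's port 6000.  The following script is an added example, not code from the original post or from any of the vendors named: it reads the Windows Firewall text log (pfirewall.log), taking the column names from the log's own "#Fields:" header rather than hard-coding positions, and reports every TCP connection to a display port (6000-6063, displays :0 through :63) whose source is not loopback.  Sources that appear in the attacker list at the end of the post are marked as IOC hits.  The sample log lines are constructed (RFC 5737 documentation addresses for the local host and the second external source); only the attacker IP in them comes from the post.

```python
"""Flag connections to Windows X server display ports in a firewall log.

Added example for the report above; not code from the original post.
Column names come from the log's '#Fields:' header.  With ssh X11
forwarding the only client that should reach 127.0.0.1:6000 is the local
ssh client, so any non-loopback source to a display port is an indicator.
"""
import ipaddress

# Addresses the original post lists as attacking machines.
REPORTED_ATTACKERS = {
    "81.196.68.48",
    "86.125.106.199",
    "85.120.71.66",
    "80.55.98.90",
    "86.34.211.118",
}

X11_PORTS = range(6000, 6064)  # TCP ports for displays :0 through :63

# Constructed sample log; the local host and 203.0.113.77 / 198.51.100.9
# are documentation addresses, 81.196.68.48 is from the post's list.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-01-10 09:15:02 OPEN TCP 127.0.0.1 127.0.0.1 1043 6000 - - - - - - - - -
2007-01-10 09:16:40 OPEN-INBOUND TCP 81.196.68.48 192.0.2.10 4312 6000 - - - - - - - - RECEIVE
2007-01-10 09:17:05 DROP TCP 203.0.113.77 192.0.2.10 50211 6001 48 S 1 0 65535 - - - RECEIVE
2007-01-10 09:18:30 OPEN-INBOUND TCP 198.51.100.9 192.0.2.10 33000 22 - - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in '#Fields:'."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other header lines (#Version, #Software, ...)
        if fields is None:
            raise ValueError("data line before #Fields: header")
        yield dict(zip(fields, line.split()))


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_x11_exposure(text, attackers=REPORTED_ATTACKERS):
    """Return findings for non-loopback TCP traffic to an X11 display port.

    Accepted (OPEN-INBOUND) and dropped connections are both reported,
    since a DROP still shows that someone is probing the display.
    """
    findings = []
    for rec in parse_firewall_log(text):
        if rec.get("protocol") != "TCP":
            continue
        try:
            dport = int(rec["dst-port"])
        except (KeyError, ValueError):
            continue
        if dport not in X11_PORTS:
            continue
        src = rec.get("src-ip", "")
        if is_loopback(src):
            continue  # the local ssh client: expected
        findings.append({
            "time": f'{rec.get("date")} {rec.get("time")}',
            "action": rec.get("action"),
            "src": src,
            "display": dport - 6000,
            "level": "ioc-match" if src in attackers else "external-x11",
        })
    return findings


if __name__ == "__main__":
    for f in find_x11_exposure(SAMPLE_LOG):
        print(f'{f["time"]} {f["level"]:12} {f["action"]:13} '
              f'{f["src"]} -> display :{f["display"]}')
```

Run against a real pfirewall.log the script only sees what the firewall logged, so logging of successful inbound connections must be enabled for OPEN-INBOUND lines to appear; if it is not, the DROP lines alone still reveal probing.  A host that shows any external-x11 or ioc-match finding while the user believes everything goes over ssh is exactly the case the post describes, and the fix on the client side is to remove the port 6000 exception the X server added rather than to rely on the tunnel.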

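The Unix-side indicator in the report is the directory naming trick: bots and scripts placed under "/dev/shm/ /someDirName" and "/var/samba/ /samba/.. /someDirName", where a path component is a bare space or ends in whitespace so that it is overlooked in an ls listing.  The script below is an added example, not code from the original post, and generalises those two cases into a check that can be run against a list of paths (for testing against constructed input) or walked over the live filesystem.  The rules for what counts as a suspicious name, the default scan roots and the sample paths beyond the two quoted from the post are assumptions.

```python
"""Find directories hidden behind whitespace or dot-only names.

Added example for the report above, not code from the original post.
The two paths the post cites rely on a path component that is only
whitespace or that looks like '..'; the rules below generalise that
pattern and are an assumption, as are DEFAULT_ROOTS and the sample list.
"""
import os
import re

# Where the post found the bot directories, plus the usual scratch dirs.
DEFAULT_ROOTS = ["/dev/shm", "/var/samba", "/tmp", "/var/tmp"]

# Constructed sample listing; the first two entries are from the post.
SAMPLE_PATHS = [
    "/dev/shm/ /someDirName",
    "/var/samba/ /samba/.. /someDirName",
    "/var/samba/share",
    "/dev/shm/pulse-shm-1234",
    "/tmp/.X11-unix",
]


def is_suspicious_name(name):
    """True for a path component designed to be overlooked in a listing."""
    stripped = name.strip()
    if stripped == "":                       # ' ' or '\t': shows as a blank entry
        return True
    if stripped != name:                     # leading/trailing whitespace: '.. ', ' x'
        return True
    if any(ch in name for ch in "\t\n\r"):   # control whitespace inside the name
        return True
    if re.fullmatch(r"\.{2,}", stripped):    # '..' or '...' lookalikes
        return True
    return False


def suspicious_paths(paths):
    """Return the paths that contain at least one suspicious component."""
    hits = []
    for path in paths:
        parts = [p for p in path.split("/") if p]
        if any(is_suspicious_name(p) for p in parts):
            hits.append(path)
    return hits


def scan_tree(roots=DEFAULT_ROOTS):
    """Walk the given roots and return suspicious directory paths on disk."""
    found = []
    for root in roots:
        for dirpath, dirnames, _files in os.walk(root, onerror=lambda e: None):
            for d in dirnames:
                if is_suspicious_name(d):
                    found.append(os.path.join(dirpath, d))
    return found


if __name__ == "__main__":
    for p in suspicious_paths(SAMPLE_PATHS):
        print("sample:", repr(p))
    for p in scan_tree():
        print("on disk:", repr(p))
```

Printing with repr() is deliberate: a directory named " " is invisible in plain output, which is the whole point of the trick.  A hit from scan_tree() on a production host should be treated as a live compromise indicator and the contents preserved before anything is removed, since the post notes that the port 6000 attack tool itself had not yet been recovered from any of the affected machines.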