Educause Security Discussion mailing list archives

Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers


From: "James J. Barlow" <jbarlow () NCSA UIUC EDU>
Date: Wed, 24 Jan 2007 18:16:19 -0600

Warren,

Good writeup and thanks for the info.  I just have a couple things to
add since what Brian Smith-Sweeney from NYU replied with is spot on to
what we have seen here at NCSA.

As for the sample binary or script that attacks port 6000, we caught
one of these scanning out of our network with a compromised account.
The malware that they were using was pretty basic (this may or may not be
similar to what was on your network).  A script runs a binary which would
do a scan given a network block and port, then would put the open IPs
into a file.  The script then feeds those IP addresses into another binary
that would attach to port 6000 of the remote host and start keystroke
logging to a file.  The last script would check the keystroke files for
ssh, telnet, and rlogin attempts.

We have this package if you are interested, and have used it to scan
our network on occasion to see if there are open X-servers (and it's
amazing how many one can actually find).  We were just surprised that
they were not looking for more juicy stuff like SSH RSA passphrases,
PGP passphrases, or grid cert passphrases.


On Wed, Jan 24, 2007 at 04:42:36PM -0500, Warren Petrofsky wrote:

On several of our machines we found scripts and IRC bots installed in
obfuscated directories like /dev/shm/ /someDirName or
/var/samba/ /samba/.. /someDirName.  (note the spaces and dots).  We
have yet to find a sample of the binary or script attacking port 6000.

--
James J. Barlow   <jbarlow () ncsa uiuc edu>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications    Voice : (217)244-6403
1205 West Clark Street, Urbana, IL  61801           Cell : (217)840-0601
http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987
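A defender-side check for the outbound scanning behaviour described in the message above, added here as an example and not code from the post, from NCSA or from the malware package: it parses netfilter-style LOG lines and flags any source that reaches many distinct hosts on tcp/6000 inside a short window. The log format, gateway name and addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed netfilter-style LOG lines (sample data, not from the original post).
SAMPLE_LOG = """\
Jan 24 16:40:01 gw kernel: IN=eth1 OUT= SRC=10.20.3.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=6000 SYN
Jan 24 16:40:01 gw kernel: IN=eth1 OUT= SRC=10.20.3.7 DST=192.0.2.11 PROTO=TCP SPT=40002 DPT=6000 SYN
Jan 24 16:40:02 gw kernel: IN=eth1 OUT= SRC=10.20.3.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=6000 SYN
Jan 24 16:40:02 gw kernel: IN=eth1 OUT= SRC=10.20.3.7 DST=192.0.2.12 PROTO=TCP SPT=40004 DPT=6000 SYN
Jan 24 16:40:03 gw kernel: IN=eth1 OUT= SRC=10.20.3.9 DST=192.0.2.40 PROTO=TCP SPT=51000 DPT=6000 SYN
Jan 24 16:40:03 gw kernel: IN=eth1 OUT= SRC=10.20.3.7 DST=192.0.2.13 PROTO=TCP SPT=40005 DPT=6000 SYN
Jan 24 16:40:04 gw kernel: IN=eth1 OUT= SRC=10.20.3.7 DST=192.0.2.50 PROTO=TCP SPT=40006 DPT=22 SYN
Jan 24 16:40:05 gw kernel: IN=eth1 OUT= SRC=10.20.3.7 DST=192.0.2.14 PROTO=TCP SPT=40007 DPT=6000 SYN
Jan 24 16:55:00 gw kernel: IN=eth1 OUT= SRC=10.20.3.9 DST=192.0.2.41 PROTO=TCP SPT=51001 DPT=6000 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def parse_syn_log(text):
    """Yield (timestamp, src, dst, dport) for every line in netfilter LOG format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, which is
            # fine because only differences between timestamps are used below.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("src"), m.group("dst"), int(m.group("dpt"))

def find_x11_scanners(text, min_targets=5, window=timedelta(minutes=10), port=6000):
    """Return {src: distinct_targets} for sources that reach >= min_targets distinct
    hosts on `port` inside some `window`-long interval (a horizontal scan)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_syn_log(text):
        if dport == port:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # distinct destinations probed within [start, start + window]
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            scanners[src] = best
    return scanners
```

On the sample, find_x11_scanners(SAMPLE_LOG) returns {'10.20.3.7': 5}; the two probes from 10.20.3.9 are 15 minutes apart and never reach the threshold, and the tcp/22 line is ignored.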
