Re: Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???

[Thierry Haven <thierry.haven () xmcopartners com>]

Hi,
It appears that the signature is

00000000 C6C22C                  mov dl, 2C
00000003 37                      aaa
00000004 60                      pushad
00000005 C1EFD4                  shr edi, D4
00000008 C4922264C66A            les edx, dword ptr [edx+6AC66422]
0000000E E10D                    loopz 0000001D
00000010 8A6A5F                  mov ch, byte ptr [edx+5F]
00000013 D44E                    aam (base78)
00000015 91                      xchg eax,ecx
00000016 10044D00000000          adc byte ptr [2*ecx+104D044D], al

The beginning & the end of the disassembly may be wrong if the signature 
is not complete. However it doesn't make much sense globally and this 
code is too short to see a potential attack : no memory is written here. 
By the way, where is this signature from ?

_______________________________________
Thierry Haven - Xmco Partners
Consultant Sécurité / Test d'intrusion

tel  : 33 1 53 45 28 63
web  : http://www.xmcopartners.com
16 place Vendome 75001 PARIS



Elia Florio wrote:

> Hi list,
> I'm fighting again against an hackers crew
> (I suppose the same mentioned in this link:
> http://seclists.org/lists/incidents/2004/Jul/0056.html  )
> which is installing various malware on many
> compromised box to get group of zombies ready-to-run.
> (follow my previous mail on "xpire.info" and "splitinfinity.info")
>
> I've found in some logs that they use different exploits on port 80
> but one exploit is specific for Apache 1.3.27 (with PHP/Perl
> and other module installed).
>
> It looks like an overflow, I know that 1.3.27 is a bugged version,
> but I would to know if anyone have seen this code before:
> Extracted from error log of Apache :
>
> 216.40.203.9 - - [28/Oct/2004:10:54:37 +0200]
> "xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd8(xcbtxa6xba"
> 400 299
>
> 140.105.55.159 - - [08/Oct/2004:15:55:35 +0200]
> "xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_x8ci7x9fx8cxec" 400
> -
>
> 195.140.140.122 - - [11/Oct/2004:03:58:05 +0200]
> "xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xc3x8cx8czxcfx19"
> 400 -
>
> 212.78.145.16 - - [13/Oct/2004:20:48:23 +0200]
> "xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd4Nx91x10x04M" 400
> -
>
> 65.125.235.250 - - [28/Oct/2004:09:55:02 +0200]
> "xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe5"
> 400 - "-" "-"
>
> 65.125.235.250 - - [28/Oct/2004:09:55:58 +0200]
> "xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe8"
> 400 - "-" "-"
>
> I would suggest to any sysadmin using Apache 1.3.27 to ban this subnet
> from their hosts, cause all attacks are coming from these machines :
>
> 216.40.203.*,
> 140.105.55.*,
> 195.140.140.*,
> 212.78.145.*,
> 65.125.235.*
> (...and obvious "xpire.info")
>
> Someone suggests to me that they are related to :
>
> Qwest Communications NET-QWEST-BLKS-4 (NET-65-112-0-0-1)
> 65.112.0.0 - 65.127.255.255
> EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1)
> 65.125.224.0 - 65.125.239.255
>
> The exploits left this signatures (i have to translate the opcodes into asm)
> :
>
> xC6 xC2 x2C x37 x60 xC1 xEF xD4 xC4 x92 x22 x64 xC6 x6A xE1 x0D x8A
> x6A x5F xD4 x4E x91 x10 x04 4D
>
> The last bytes are changing in every attempt, so this seems to be a
> bruteforce attempt to get a valid return address to execute the exploit.
>
> Probably the exploit works for a specific version of Apache/Linux Kernel,
> so the hacker have to try many times with different ret. address to
> find the right way to execute it.
>
> Any comments?
>
> EF
>
> ________________________________________________
> Messaggio inviato da
> Edizioni Master Webmail
> http://mbox.edmaster.it
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>  


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html