Full Disclosure mailing list archives
Re: Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???
From: "Elia Florio" <eflorio () edmaster it>
Date: Fri, 29 Oct 2004 12:37:10 +0200
> Hi,
>
> It appears that the signature is
>
> 00000000 C6C22C         mov dl, 2C
> 00000003 37             aaa
> 00000004 60             pushad
> 00000005 C1EFD4         shr edi, D4
> 00000008 C4922264C66A   les edx, dword ptr [edx+6AC66422]
> 0000000E E10D           loopz 0000001D
> 00000010 8A6A5F         mov ch, byte ptr [edx+5F]
> 00000013 D44E           aam (base78)
> 00000015 91             xchg eax,ecx
> 00000016 10044D00000000 adc byte ptr [2*ecx+104D044D], al
>
> The beginning & the end of the disassembly may be wrong if the signature is not complete. However it doesn't make much sense globally and this code is too short to see a potential attack: no memory is written here.
>
> By the way, where is this signature from?
Someone (Peter Kosinar) suggests to me that this byte pattern is a potential command directed to the "suckit" rootkit over port 80; the first bytes are a kind of authentication hash and the final bytes are changing because it's a port number.... Still investigating on this...

Your work is great, but maybe this isn't an attack pattern, so the bytes are not asm instructions! Thank you anyway...

The signature comes from different compromised error logs of Apache 1.3.27 with PHP4.2.3. I've contacted the sysadmins of the IPs originating these attacks, because someone else suggests to me that also the attacking hosts are compromised boxes used by this hacker crew.... They own a lot of Apache *nix servers worldwide :((((((

216.40.203.9 : ns1.tnet.ch : An old Cobalt RaQ server, with very poor security.
OrgName: Everyones Internet, Inc.
Country: US
-----
140.105.55.159 : dschrahm3.univ.trieste.it
netname: TRIESTE-NET
descr: Universita' degli Studi di Trieste
-----
195.140.140.122 : from France
netname: CTN-1
-----
212.78.145.16 : Another old Cobalt server from Spain
Hostname : 16.red-212-78-145.user.auna.net
netname: MENTA-ECOM
descr: Cable i Televisio de Catalunya
descr: Internet de Banda Ampla
-----
65.125.235.250 : EZZI.NET
Q0625-65-125-224-0 (NET-65-125-224-0-1) 65.125.224.0 - 65.125.239.255

EF

________________________________________________
Message sent from Edizioni Master Webmail http://mbox.edmaster.it

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
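The thread's question is really a detection one: the same byte string keeps turning up in Apache error logs on several hosts, and the poster suspects its tail varies. The following script is an added example, written for this page and not code from either poster, that scans Apache-style "Invalid method in request" error-log lines for the signature's fixed prefix and reports the varying tail per client IP. It assumes the signature bytes are exactly the opcode bytes of the disassembly listing above, that the log writer escapes non-printable bytes as `\xHH` (and a backslash as `\\`), and that the first 16 bytes are the stable part; all three are assumptions, as are the sample log lines and client IPs, which are constructed for the demonstration.

```python
"""Scan Apache-style error log lines for the byte signature discussed in the thread."""
import re

# Opcode bytes concatenated from the disassembly listing quoted in the thread.
SIGNATURE = bytes.fromhex(
    "C6C22C" "37" "60" "C1EFD4" "C4922264C66A" "E10D"
    "8A6A5F" "D44E" "91" "10044D00000000"
)

# The poster says the trailing bytes vary, so only a fixed prefix is matched.
# 16 is an assumed cut-off, not a value stated in the thread.
PREFIX_LEN = 16


def escape_logitem(raw: bytes) -> str:
    """Assumed log escaping: printable ASCII literal, backslash as '\\\\',
    every other byte as '\\xHH'. Used here only to build sample lines."""
    out = []
    for b in raw:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


_ESC = re.compile(rb"\\x([0-9A-Fa-f]{2})|\\\\")


def unescape_logitem(field: str) -> bytes:
    """Reverse the assumed escaping so the raw request bytes can be compared."""
    raw = field.encode("latin-1")
    return _ESC.sub(
        lambda m: bytes([int(m.group(1), 16)]) if m.group(1) else b"\\", raw
    )


# Apache 1.3 error_log layout for a rejected request line.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"Invalid method in request (?P<req>.*)$"
)


def find_signature_hits(lines, prefix_len=PREFIX_LEN):
    """Return (client_ip, trailing_bytes) for every line whose decoded request
    starts with the signature prefix; the tail is kept raw for later analysis."""
    prefix = SIGNATURE[:prefix_len]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        req = unescape_logitem(m.group("req"))
        if req.startswith(prefix):
            hits.append((m.group("ip"), req[prefix_len:]))
    return hits


# Constructed sample lines (not from the page): two hits with different tails
# and one ordinary rejected request that must not match.
SAMPLE_LINES = [
    "[Fri Oct 29 12:00:01 2004] [error] [client 192.0.2.10] "
    "Invalid method in request " + escape_logitem(SIGNATURE),
    "[Fri Oct 29 12:00:02 2004] [error] [client 192.0.2.11] "
    "Invalid method in request "
    + escape_logitem(SIGNATURE[:PREFIX_LEN] + b"\x1f\x90"),
    "[Fri Oct 29 12:00:03 2004] [error] [client 192.0.2.12] "
    "Invalid method in request PROPFIND / HTTP/1.1",
]

if __name__ == "__main__":
    for ip, tail in find_signature_hits(SAMPLE_LINES):
        print(ip, tail.hex())
```

Matching on a prefix rather than the whole string is what makes the "changing final bytes" observation testable: if every hit from one source IP carries a different tail while the prefix stays constant, that supports the rootkit-command reading over the shellcode reading, without having to interpret the bytes as instructions at all.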
Current thread:
- Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit??? Elia Florio (Oct 28)
- Re: Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit??? Thierry Haven (Oct 29)
- <Possible follow-ups>
- Re: Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit??? Elia Florio (Oct 29)