Full Disclosure mailing list archives

Re: Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???


From: "Elia Florio" <eflorio () edmaster it>
Date: Fri, 29 Oct 2004 12:37:10 +0200

Hi,
It appears that the signature is

00000000 C6C22C                  mov dl, 2C
00000003 37                      aaa
00000004 60                      pushad
00000005 C1EFD4                  shr edi, D4
00000008 C4922264C66A            les edx, dword ptr [edx+6AC66422]
0000000E E10D                    loopz 0000001D
00000010 8A6A5F                  mov ch, byte ptr [edx+5F]
00000013 D44E                    aam (base78)
00000015 91                      xchg eax,ecx
00000016 10044D00000000          adc byte ptr [2*ecx+104D044D], al

The beginning & the end of the disassembly may be wrong if the signature
is not complete. However, it doesn't make much sense globally and this
code is too short to see a potential attack: no memory is written here.
By the way, where is this signature from?

Someone (Peter Kosinar) suggests to me that this byte pattern
is a potential command directed to the "suckit" rootkit over port 80;
the first bytes are a kind of authentication hash and the final bytes
are changing because it's a port number.... Still investigating this...

Your work is great, but maybe this isn't an attack
pattern, so the bytes are not asm instructions! Thank you anyway...

The signature comes from different compromised
error logs of Apache 1.3.27 with PHP4.2.3.

I've contacted the sysadmins of the IPs originating these attacks,
because someone else suggests to me that the attacking hosts
are also compromised boxes used by this hacker crew....
They own a lot of Apache *nix servers worldwide :((((((

216.40.203.9 : ns1.tnet.ch : An old Cobalt RaQ server, with very poor
security.
OrgName: Everyones Internet, Inc.
Country: US
-----
140.105.55.159 : dschrahm3.univ.trieste.it .
netname: TRIESTE-NET
descr: Universita' degli Studi di Trieste
-----
195.140.140.122 : from France :
netname: CTN-1
-----
212.78.145.16 : Another old Cobalt server from Spain :
Hostname : 16.red-212-78-145.user.auna.net
netname: MENTA-ECOM
descr: Cable i Televisio de Catalunya
descr: Internet de Banda Ampla
-----
65.125.235.250 :
EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1)
65.125.224.0 - 65.125.239.255

EF

________________________________________________
Message sent by
Edizioni Master Webmail
http://mbox.edmaster.it

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
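Since the thread only has the disassembly listing and says the pattern turns up in Apache error logs, a defender's first question is how to recover the raw bytes from that listing and check their own logs for it. The script below is an added example, not code from the original post or from any of the people in the thread: it rebuilds the 29-byte sequence from the listing (checking the offsets are contiguous), then scans error-log lines for a stable prefix of it, because the post notes that the trailing bytes vary. The prefix length of 16, the assumption that some servers write non-printable request bytes as `\xNN` escapes, and the sample log lines (with RFC 5737 documentation addresses) are all constructed here, not taken from the thread.

```python
import re

# Disassembly listing exactly as posted in the thread: offset, hex bytes, mnemonic.
LISTING = """\
00000000 C6C22C                  mov dl, 2C
00000003 37                      aaa
00000004 60                      pushad
00000005 C1EFD4                  shr edi, D4
00000008 C4922264C66A            les edx, dword ptr [edx+6AC66422]
0000000E E10D                    loopz 0000001D
00000010 8A6A5F                  mov ch, byte ptr [edx+5F]
00000013 D44E                    aam (base78)
00000015 91                      xchg eax,ecx
00000016 10044D00000000          adc byte ptr [2*ecx+104D044D], al
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+")


def listing_to_bytes(listing: str) -> bytes:
    """Recover the raw byte sequence from a disassembly listing.

    Each line's offset must equal the number of bytes collected so far,
    which catches a listing that was truncated or re-wrapped in the mail.
    """
    out = bytearray()
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset, chunk = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if offset != len(out):
            raise ValueError(f"offset gap at {offset:#x}: have {len(out)} bytes")
        out += chunk
    return bytes(out)


SIGNATURE = listing_to_bytes(LISTING)

# Assumption: some Apache builds write non-printable request bytes to the error
# log as \xNN escapes; undo that so escaped and raw lines match the same way.
ESC_RE = re.compile(rb"\\x([0-9A-Fa-f]{2})")


def unescape(line: bytes) -> bytes:
    return ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), line)


def scan_error_log(log: bytes, signature: bytes, prefix_len: int = 16) -> list:
    """Return (line_number, client_ip) for each line containing the signature prefix.

    prefix_len is an assumed choice: the thread says the final bytes vary, so
    matching on the stable leading bytes avoids missing those variants.
    """
    prefix = signature[:prefix_len]
    hits = []
    # Split on \n only: bytes.splitlines() would also split on the 0x0D byte
    # that sits at offset 15 of the signature itself.
    for n, raw in enumerate(log.split(b"\n"), 1):
        line = unescape(raw)
        if prefix in line:
            m = re.search(rb"\[client ([0-9.]+)\]", line)
            hits.append((n, m.group(1).decode() if m else None))
    return hits


# Constructed sample error log (hypothetical lines, not from the thread):
# line 1 is benign, line 2 carries the signature raw with different trailing
# bytes, line 3 carries the full signature in \xNN-escaped form.
SAMPLE_LOG = (
    b"[Fri Oct 29 12:01:44 2004] [error] [client 10.0.0.7] "
    b"File does not exist: /var/www/html/favicon.ico\n"
    b"[Fri Oct 29 12:03:10 2004] [error] [client 192.0.2.44] "
    b"Invalid method in request " + SIGNATURE[:22] + b"\x11\x22\x00\x00\x00\x00\x00\n"
    b"[Fri Oct 29 12:05:02 2004] [error] [client 198.51.100.9] "
    b"Invalid method in request " + b"".join(b"\\x%02x" % b for b in SIGNATURE) + b"\n"
)

if __name__ == "__main__":
    print(f"signature: {len(SIGNATURE)} bytes, {SIGNATURE.hex()}")
    for line_no, ip in scan_error_log(SAMPLE_LOG, SIGNATURE):
        print(f"line {line_no}: signature prefix seen from client {ip}")
```

Run against a real error_log by replacing SAMPLE_LOG with the file's bytes; with the default prefix both the raw and the escaped line are reported, while a full-length match (prefix_len=29) reports only the line whose trailing bytes are unchanged, which is the variation the post describes.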

