Re: FTP and RPC based worms [was anyone else ...]

["Jeremy L. Gaddis" <jeremy () EPICENTER DNSQ ORG>]

Hello Luc de Louw, meet t0rnkit.  http://torn.kaapeli.net/

Don't forget to search securityfocus.com's archives also,
there's been much traffic regarding t0rnkit.

-jg

At 1/24/01 11:44 PM +0000, delouw () BIGFOOT COM wrote:
> Hi!
>
> Its the same here, but the stuff is installed
> in /usr/src/.puta
>
> logfiles seems to be proper wiped, I could not
> found any hint from where the tools are installed
>
> It opens port 47017 waiting for connection
> and watch this:
>
> color:/usr/src # telnet 0 47017
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> SSH-1.5-1.2.27
>
> the process itself:
>
> root      3454  0.2  0.4  1260  592 ttya0    S
> Jan24   1:28 ./t0rnscan 64 named.txt eth0 0 53
>
> Anybody knows where this stuff is comming from?
>
> regards
>
> Luc de Louw
>
>
>
> > Hi Russell,
> >
> > Were you running version 2.6.0 of wu-ftp ?
> >
> > looks like this worm has exploit for 2.6.0
> > here is a string dump from various tools in the
> worm.
> > It installs in rc.sysinit and startup with the
> system.
> > /usr/src/.poop/ is where the stuff is kept...
> >
> > FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from
> packages
> > FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from
> ports
> > FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from
> packages
> > FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from
> ports
> > RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
> (test)
> > SuSe 6.4 with wuftpd 2.6.0(1) from rpm
> > SuSe 6.3 with wuftpd 2.6.0(1) from rpm
> > RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
> > RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
> > Redhat 6.0 (knfsd-1.2.2-4)
> > Redhat 6.1 (knfsd-1.4.7-7)
> > Redhat 6.2 (nfs-utils-0.1.6-2)
> > RedHat 7.0 - Guinesss-dev
> > RedHat 7.0 - Guinesss
> >
> >
> > regards,
> > Royans
> >
> >
> >
> > On Tue, 16 Jan 2001, Russell Fulton wrote:
> >
> > > On Mon, 15 Jan 2001 14:40:16 +0200 Mihai
> Moldovanu <mihaim () PROFM RO>
> > > wrote:
> > >
> > > > Yes . The same problem here . But not only
> 111 . 21 also.
> > > > We deployed a honnypot and waited to be
> compromised. It took 12 hours to be
> > > > compromised. I took it out of the network
> > > > and this is what i found on it :
> > > > It seemns like a worm that installs
> StatDXscan  ( Class B rpc.statd scanner) ,
> > > > wu-ftpd scanner , a modified t0rn rootkit
> along with Adore LKM rootkit , and
> > > > flood
> > > > tools : Sl2 , smurf5 , tojaned sshd running
> on port 48480 )
> > > > t0rnscan  has inside it the following
> string:  irc.webbernet.net:6667
> > > >
> > >
> > > We had a machine compromised in the early
> hours of this morning via
> > > wu-ftpd.
> > >
> > > Here are the network traffic logs as generated
> by argus interleaved with
> > > my interpetation:
> > >
> > > initial FIN/SYN scan packet
> > > 16 Jan 01 01:06:48    tcp
> 194.163.254.235.21    <o>     130.216.7.109.21
> 2        1         0            0           FSR_SA
> > > Grab ftp banner:
> > > 16 Jan 01 01:06:49    tcp
> 194.163.254.235.1239   ->     130.216.7.109.21
> 6        5         0            95
> FSRA_FSPA
> > > compromise via site exec (recorded
> independently by snort)
> > > 16 Jan 01 01:08:00    tcp
> 194.163.254.235.1255   o>     130.216.7.109.21
> 19       17        1678         2051
> SRPA_SPA
> > > get tools to install from 'home'
> > > 16 Jan 01 01:08:15    tcp
> 130.216.7.109.2846   ->   194.163.254.235.27374
> 39       69        545          95282
> FSPA_FSPA
> > > launch scanner on 156.82.0.0/8
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>        156.82.0.1.21
> 1        0         0            0           FS_
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>        156.82.0.2.21
> 1        0         0            0           FS_
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>        156.82.0.3.21
> 1        0         0            0           FS_
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>        156.82.0.4.21
> 1        0         0            0           FS_
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>        156.82.0.5.21
> 1        0         0            0           FS_
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>        156.82.0.6.21
> 1        0         0            0           FS_
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>        156.82.0.7.21
> 1        0         0            0           FS_
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>        156.82.0.8.21
> 1        0         0            0           FS_
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>        156.82.0.9.21
> 1        0         0            0           FS_
> > > 16 Jan 01 01:08:22    tcp
> 130.216.7.109.21     o>       156.82.0.10.21
> 1        0         0            0           FS_
> > > All fairly standard stuff except that the
> whole process took under 2
> > > minutes from initial probe to launching the
> scanner.
> > > I conclude that what we have here is a worm
> spreading via ftp.
> > > I have port scanned the compromised system and
> it is listening on port
> > > 27374, the same as the one on 194.163.254.235
> where it got its tools
> > > from.  When I connected to this port via
> telnet I got a large amount
> > > of binary data dumped to the terminal.  No
> other unusual ports open.
> > > I have not examined the compromised system
> myself yet, its in another
> > > department across campus.
> > >
> > > I scanned our network traffic for the last
> couple of days looking for
> > > traffic to tcp 27374 and found a very slow
> scans going from one address.
> > > 194.163.254.235 also probed tcp 111 on
> machines that responded to
> > > the ftp scan but were not vulnerable to their
> ftp exploit.
> > > Cheers, Russell.
> > >
> > > Russell Fulton, Computer and Network Security
> Officer
> > > The University of Auckland, New Zealand.
> >
> > --
> > --Royans K Tharakan------------
> > --http://security.royans.net/--
> > -------------------------------

--
Jeremy L. Gaddis     <jeremy () epicenter dnsq org>