Security Incidents mailing list archives
Re: FTP and RPC based worms [was anyone else ...]
From: "Jeremy L. Gaddis" <jeremy () EPICENTER DNSQ ORG>
Date: Wed, 24 Jan 2001 19:57:31 -0500
Hello Luc de Louw, meet t0rnkit. http://torn.kaapeli.net/

Don't forget to search securityfocus.com's archives also, there's been much traffic regarding t0rnkit.

-jg

At 1/24/01 11:44 PM +0000, delouw () BIGFOOT COM wrote:

Hi!

It's the same here, but the stuff is installed in /usr/src/.puta. Logfiles seem to be properly wiped; I could not find any hint of where the tools were installed from. It opens port 47017 waiting for a connection, and watch this:

color:/usr/src # telnet 0 47017
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
SSH-1.5-1.2.27

The process itself:

root 3454 0.2 0.4 1260 592 ttya0 S Jan24 1:28 ./t0rnscan 64 named.txt eth0 0 53

Anybody know where this stuff is coming from?

regards
Luc de Louw

Hi Russell,

Were you running version 2.6.0 of wu-ftp? Looks like this worm has an exploit for 2.6.0. Here is a string dump from various tools in the worm. It installs in rc.sysinit and starts up with the system. /usr/src/.poop/ is where the stuff is kept...

FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from packages
FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from ports
FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from packages
FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from ports
RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm (test)
SuSe 6.4 with wuftpd 2.6.0(1) from rpm
SuSe 6.3 with wuftpd 2.6.0(1) from rpm
RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
Redhat 6.0 (knfsd-1.2.2-4)
Redhat 6.1 (knfsd-1.4.7-7)
Redhat 6.2 (nfs-utils-0.1.6-2)
RedHat 7.0 - Guinesss-dev
RedHat 7.0 - Guinesss

regards,
Royans

On Tue, 16 Jan 2001, Russell Fulton wrote:

On Mon, 15 Jan 2001 14:40:16 +0200 Mihai Moldovanu <mihaim () PROFM RO> wrote:

Yes. The same problem here. But not only 111. 21 also. We deployed a honeypot and waited to be compromised. It took 12 hours to be compromised.

I took it out of the network and this is what I found on it: It seems like a worm that installs StatDXscan (Class B rpc.statd scanner), wu-ftpd scanner, a modified t0rn rootkit along with Adore LKM rootkit, and flood tools: Sl2, smurf5, trojaned sshd running on port 48480. t0rnscan has inside it the following string: irc.webbernet.net:6667

We had a machine compromised in the early hours of this morning via wu-ftpd. Here are the network traffic logs as generated by argus, interleaved with my interpretation:

initial FIN/SYN scan packet
16 Jan 01 01:06:48 tcp 194.163.254.235.21 <o> 130.216.7.109.21 2 1 0 0 FSR_SA

Grab ftp banner:
16 Jan 01 01:06:49 tcp 194.163.254.235.1239 -> 130.216.7.109.21 6 5 0 95 FSRA_FSPA

compromise via site exec (recorded independently by snort)
16 Jan 01 01:08:00 tcp 194.163.254.235.1255 o> 130.216.7.109.21 19 17 1678 2051 SRPA_SPA

get tools to install from 'home'
16 Jan 01 01:08:15 tcp 130.216.7.109.2846 -> 194.163.254.235.27374 39 69 545 95282 FSPA_FSPA

launch scanner on 156.82.0.0/8
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.1.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.2.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.3.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.4.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.5.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.6.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.7.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.8.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.9.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 130.216.7.109.21 o> 156.82.0.10.21 1 0 0 0 FS_

All fairly standard stuff except that the whole process took under 2 minutes from initial probe to launching the scanner. I conclude that what we have here is a worm spreading via ftp.

I have port scanned the compromised system and it is listening on port 27374, the same as the one on 194.163.254.235 where it got its tools from. When I connected to this port via telnet I got a large amount of binary data dumped to the terminal. No other unusual ports open. I have not examined the compromised system myself yet, it's in another department across campus.

I scanned our network traffic for the last couple of days looking for traffic to tcp 27374 and found a very slow scan going from one address. 194.163.254.235 also probed tcp 111 on machines that responded to the ftp scan but were not vulnerable to their ftp exploit.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.

--
Royans K Tharakan
http://security.royans.net/
-- Jeremy L. Gaddis <jeremy () epicenter dnsq org>
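Russell's argus trace above shows the three-step signature of this worm on the victim side: an inbound ftp session that returns data, a pull of a large payload from tcp/27374, and then a burst of SYN-only probes to port 21 across many hosts, all inside two minutes. The following added example is not from any poster in this thread; it parses constructed records laid out like that argus output and flags a host that shows the sequence within a time window. The addresses, the 120-second window and the five-target threshold are assumptions.

```python
from datetime import datetime

# Constructed sample records laid out like the argus output quoted in the thread
# (date time proto src dir dst spkts dpkts sbytes dbytes state). Documentation
# addresses stand in for the hosts in the original report.
SAMPLE = """\
16 Jan 01 01:06:49 tcp 192.0.2.10.1239 -> 198.51.100.7.21 6 5 0 95 FSRA_FSPA
16 Jan 01 01:08:00 tcp 192.0.2.10.1255 -> 198.51.100.7.21 19 17 1678 2051 SRPA_SPA
16 Jan 01 01:08:15 tcp 198.51.100.7.2846 -> 192.0.2.10.27374 39 69 545 95282 FSPA_FSPA
16 Jan 01 01:08:22 tcp 198.51.100.7.21 -> 203.0.113.1.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 198.51.100.7.21 -> 203.0.113.2.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 198.51.100.7.21 -> 203.0.113.3.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 198.51.100.7.21 -> 203.0.113.4.21 1 0 0 0 FS_
16 Jan 01 01:08:22 tcp 198.51.100.7.21 -> 203.0.113.5.21 1 0 0 0 FS_
"""

def parse_record(line):
    """Split one argus-style flow line into a dict; host.port is split on the last dot."""
    f = line.split()
    src_host, _src_port = f[5].rsplit(".", 1)
    dst_host, dst_port = f[7].rsplit(".", 1)
    return {"ts": datetime.strptime(" ".join(f[:4]), "%d %b %y %H:%M:%S"),
            "src": src_host, "dst": dst_host, "dport": int(dst_port),
            "dpkts": int(f[9]), "dbytes": int(f[11]), "state": f[12]}

def find_worm_sequence(text, window=120, min_targets=5, tool_port=27374):
    """Flag hosts that (1) accept an ftp session with data returned, (2) pull a payload
    from tool_port and (3) send SYN-only probes to port 21 on >= min_targets distinct
    hosts, all within `window` seconds of the first ftp session (thresholds assumed)."""
    recs = [parse_record(l) for l in text.splitlines() if l.strip()]
    hits = {}
    for host in {r["dst"] for r in recs if r["dport"] == 21 and r["dbytes"] > 0}:
        t0 = min(r["ts"] for r in recs
                 if r["dst"] == host and r["dport"] == 21 and r["dbytes"] > 0)
        after = [r for r in recs if r["src"] == host
                 and 0 <= (r["ts"] - t0).total_seconds() <= window]
        fetch = [r for r in after if r["dport"] == tool_port and r["dbytes"] > 0]
        # dpkts == 0 means the target never answered: a bare SYN probe, not a session
        probes = {r["dst"] for r in after if r["dport"] == 21 and r["dpkts"] == 0}
        if fetch and len(probes) >= min_targets:
            hits[host] = {"compromised_at": t0, "tool_source": fetch[0]["dst"],
                          "bytes_pulled": fetch[0]["dbytes"], "scan_targets": len(probes),
                          "elapsed_s": (max(r["ts"] for r in after) - t0).total_seconds()}
    return hits

if __name__ == "__main__":
    for host, info in find_worm_sequence(SAMPLE).items():
        print(host, info)
```

The same rule applied to a feed of real argus records would also surface the slow inbound 27374 scanning Russell mentions, if the fetch check is relaxed to any connection on that port.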
Current thread:
- Re: FTP and RPC based worms [was anyone else ...] Roberto (Jan 15)
- <Possible follow-ups>
- Re: FTP and RPC based worms [was anyone else ...] Magnus Ullberg (Jan 16)
- Re: FTP and RPC based worms [was anyone else ...] Sean Brown (Jan 17)
- Re: FTP and RPC based worms [was anyone else ...] delouw (Jan 24)
- Re: FTP and RPC based worms [was anyone else ...] dor (Jan 25)
- Re: FTP and RPC based worms [was anyone else ...] Jeremy L. Gaddis (Jan 25)