Security Incidents mailing list archives
Re: cancerserver
From: dor <dor () VIRTUALMYSTIC COM>
Date: Mon, 19 Mar 2001 07:37:10 -0800
Hi,

This is a rootkit used by the groups dua and MnM operating on IRCnet.

dua.mf is a copy of the well-known mirkforce tool, for loading clones onto an IRC network. It works by grabbing as many IPs as it can from your C-class and making connections to IRC from them.

dua.ethclean is a tool to remove the alias interfaces, since mirkforce's own removing code fails on 2.2.x kernels.

dua.glox is a DDoS tool, either the gl0xx control agent or a "cancerserver".

login will be a trojanised /bin/login; loginpass will be a plaintext password. It is used by setting your $DISPLAY environment variable and connecting to the telnet port.

portmap is a backdoored rpc.portmap, which just loads up its other trojans.

ps/ls will also be backdoored. ps.hidden and ls.hidden are a list of files to hide. The ps/ls trojans are very poorly coded in this rootkit, and simply call an untrojanised copy of ps and parse the output using grep -v.

The dir sploits will contain exploits used for breaking into more systems.

dua.udp is a UDP backdoor, if I remember correctly. It connects to a host under utwente.nl.

dua.synscan is a precompiled copy of synscan (http://www.psychoid.lam3rz.de).

--
Support your government, give Echelon / Carnivore something to parse --
classified top-secret government restricted data information project CIA KGB GRU DISA DoD defense systems military systems spy steal terrorist Allah Natasha Gregori destroy destruct attack democracy will send Russia bank system compromise international own rule the world ATSC RTEM warmod ATMD force power enforce sensitive directorate TSP NSTD ORD DD2-N AMTAS STRAP warrior-T presidential elections political foreign embassy takeover

--------------------------------------------------------------------------

On Mon, 19 Mar 2001, Burak DAYIOGLU wrote:
> Hello,
>
> We have found out that at least one box hereabouts running RedHat 6.2 has been compromised by some kind of a worm. This quick writeup is to share our initial findings with the community and ask for any previous information regarding the issue.
>
> The attackers have installed a tarball named duarawkz.tgz on the victim box under /usr/bin. This tarball contains some software to connect to IRC and get commands from it. There is one other binary to become a CancerServer (not yet sure what it does), sauber (to clean up log files) and some others. The full list of the tarball is below:
>
> -rw-r--r--   1 XXXXX XXXXXX     20 Feb 19 02:58 autoexec
> -rwx------   1 XXXXX XXXXXX   3232 Feb 19 02:58 dua.ethclean
> -rwx------   1 XXXXX XXXXXX  15324 Feb 19 02:58 dua.glox
> -rwx------   1 XXXXX XXXXXX 102400 Feb 19 02:58 dua.mf
> -rwx------   1 XXXXX XXXXXX  10796 Feb 19 02:58 dua.strobe
> -rwx------   1 XXXXX XXXXXX  28572 Feb 19 02:58 dua.synscan
> -rwx------   1 XXXXX XXXXXX   6547 Feb 19 02:58 dua.udp
> -rwxr-xr-x   1 XXXXX XXXXXX  20132 Feb 19 02:58 login
> -rw-r--r--   1 XXXXX XXXXXX      8 Feb 19 02:58 loginpass
> -rwxr-xr-x   1 XXXXX XXXXXX  49844 Feb 19 02:58 ls
> -rw-r--r--   1 XXXXX XXXXXX     20 Feb 19 02:58 ls.hidden
> -rwxr-xr-x   1 XXXXX XXXXXX  29608 Feb 19 02:58 portmap
> -rwxr-xr-x   1 XXXXX XXXXXX  54196 Feb 19 02:58 ps
> -rw-r--r--   1 XXXXX XXXXXX     61 Feb 19 02:58 ps.hidden
> -rwx------   1 XXXXX XXXXXX   1345 Feb 19 02:58 sauber
> drwx------   2 XXXXX XXXXXX   4096 Feb 19 02:58 sploits
>
> Strings from the binaries contain tHE mIRKfORCE and CancerServer.
>
> We are going to investigate the compromised box as well as the found binaries further. Before digging in any deeper, does anybody have any experiences to share with us? I have found some messages regarding CancerServer in some mid-20 INCIDENT messages, but they were just notifications of early findings as this msg is.
>
> All vulnerable software on the box seems to be fixed up as well. :) They've done a good job...
>
> cheers,
> Burak DAYIOGLU / Ahmet Burak CAN
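Because the ps/ls trojans described above only filter the real tool's output through grep -v against a hide list, the kernel's own view in /proc still shows everything. The script below is an added example written for this thread (not code from either poster): it diffs /proc against ps and looks for the wrapper pattern in a ps binary; the sample wrapper and hide list it checks are constructed for the demonstration.

```python
"""Spot a ps that filters its own output, as the duarawkz ps/ls wrappers do."""
import os
import re
import subprocess

def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps output, sorted.
    A couple of transient PIDs is normal; a stable set that survives
    repeated runs points at a filtered ps."""
    return sorted(set(proc_pids) - set(ps_pids))

def parse_hide_list(text):
    """Parse a ps.hidden/ls.hidden-style file: one name per line, blanks ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def wrapper_indicators(binary_bytes):
    """Indicators that a ps/ls is a filter wrapper rather than the real tool:
    a script header instead of ELF, a grep -v pipeline, or a .hidden list."""
    hits = []
    if binary_bytes.startswith(b"#!"):
        hits.append("script, not an ELF binary")
    if re.search(rb"grep\s+-v", binary_bytes):
        hits.append("filters its output with grep -v")
    if b".hidden" in binary_bytes:
        hits.append("references a .hidden list file")
    return hits

def live_proc_pids():
    """Every numeric directory in /proc is a live process the kernel knows about."""
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]

def live_ps_pids():
    """Whatever the installed ps is willing to show."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
    return [int(p) for p in out.split()]

# Constructed sample of the wrapper style the thread describes (not the real rootkit file).
SAMPLE_WRAPPER = b"#!/bin/sh\n/usr/bin/.ps \"$@\" | grep -v -f /usr/bin/ps.hidden\n"

if __name__ == "__main__":
    for pid in hidden_pids(live_proc_pids(), live_ps_pids()):
        print(f"pid {pid} visible in /proc but not in ps output")
    for hit in wrapper_indicators(open("/bin/ps", "rb").read()):
        print(f"/bin/ps: {hit}")
```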
Current thread:
- cancerserver Burak DAYIOGLU (Mar 19)
- Re: cancerserver dor (Mar 19)