Security Incidents mailing list archives

Re: cancerserver


From: dor <dor () VIRTUALMYSTIC COM>
Date: Mon, 19 Mar 2001 07:37:10 -0800

Hi,

this is a rootkit used by the groups dua and MnM operating on ircnet

dua.mf is a copy of the well-known mirkforce tool, for loading clones onto
an irc network. it works by grabbing as many IPs as it can from your
C-class, and making connections to irc from them. dua.ethclean is a tool
to remove the alias interfaces, since mirkforce's own removing code fails
on 2.2.x kernels.

dua.glox is a ddos tool, either the gl0xx control agent, or a
"cancerserver"

login will be a trojanised /bin/login, loginpass will be a plaintext
password. it is used by setting your $DISPLAY environment variable and
connecting to the telnet port.

portmap is a backdoored rpc.portmap, which just loads up its other
trojans.

ps/ls will also be backdoored, ps.hidden and ls.hidden are lists of files
to hide. the ps/ls trojans are very poorly coded in this rootkit, and
simply call an untrojanised copy of ps and parse the output using grep
-v

the dir sploits will contain exploits used for breaking into more systems

dua.udp is a udp backdoor, if I remember correctly. it connects to a host
under utwente.nl

dua.synscan is a precompiled copy of synscan
(http://www.psychoid.lam3rz.de)

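A defender-side check for the process hiding described above (a trojaned ps that runs the real ps and filters its output with grep -v). This is an added example, not code from this thread; it assumes a Linux /proc filesystem and a ps that accepts `-e -o pid=`, and the sample PIDs are constructed.

```python
"""Cross-check ps against /proc to spot processes a trojaned ps hides.

Added example for this thread, not code from it. Assumes Linux /proc and a
ps that accepts `-e -o pid=`; the sample data below is constructed."""
import os
import re
import subprocess

PID_RE = re.compile(r"^\s*(\d+)\b")

def pids_from_proc(proc_root="/proc"):
    """Numeric entries under /proc are live PIDs straight from the kernel;
    a wrapper that pipes the real ps through `grep -v` cannot filter these."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}

def pids_from_ps_output(text):
    """Parse the PID column from `ps -e -o pid=` style output."""
    return {int(m.group(1)) for m in map(PID_RE.match, text.splitlines()) if m}

def find_hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel reports but ps omitted."""
    return set(proc_pids) - set(ps_pids)

def scan_live_system(ps_path="/bin/ps", rounds=2):
    """Compare the installed ps with /proc. A process that exits between the
    /proc snapshot and the ps run shows up as a false hit, so only PIDs
    flagged in every round are returned."""
    hidden = None
    for _ in range(rounds):
        proc_pids = pids_from_proc()
        out = subprocess.run([ps_path, "-e", "-o", "pid="],
                             capture_output=True, text=True, check=True).stdout
        found = find_hidden_pids(proc_pids, pids_from_ps_output(out))
        hidden = found if hidden is None else hidden & found
    return hidden

# Constructed sample: the kernel knows five PIDs, the trojaned ps lists four.
SAMPLE_PROC_PIDS = {1, 2, 420, 4242, 31337}
SAMPLE_PS_OUTPUT = "    1\n    2\n  420\n 4242\n"

def demo():
    """Returns the PID missing from the sample ps output: {31337}."""
    return find_hidden_pids(SAMPLE_PROC_PIDS, pids_from_ps_output(SAMPLE_PS_OUTPUT))

if __name__ == "__main__":
    print("hidden in sample:", demo())
    print("hidden on this host:", scan_live_system())
```

Run the live scan from a trusted shell; if the on-disk ps is the rootkit's wrapper, any PID it omits but /proc lists is a candidate for the processes that ps.hidden names.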

On Mon, 19 Mar 2001, Burak DAYIOGLU wrote:

Hello,
We have found out that at least one box hereabouts running RedHat
6.2 has been compromised by some kind of a worm. This quick writeup is
to share our initial findings with the community and ask for any
previous information regarding the issue. The attackers have installed
a tarball named duarawkz.tgz on the victim box under /usr/bin. This
tarball contains some software to connect to IRC and get commands from
it. There is one other binary to become a CancerServer (not yet sure
what it does), sauber (to clean up log files) and some others. The full
list of the tarball is below:

-rw-r--r--    1 XXXXX    XXXXXX       20 Feb 19 02:58 autoexec
-rwx------    1 XXXXX    XXXXXX     3232 Feb 19 02:58 dua.ethclean
-rwx------    1 XXXXX    XXXXXX    15324 Feb 19 02:58 dua.glox
-rwx------    1 XXXXX    XXXXXX   102400 Feb 19 02:58 dua.mf
-rwx------    1 XXXXX    XXXXXX    10796 Feb 19 02:58 dua.strobe
-rwx------    1 XXXXX    XXXXXX    28572 Feb 19 02:58 dua.synscan
-rwx------    1 XXXXX    XXXXXX     6547 Feb 19 02:58 dua.udp
-rwxr-xr-x    1 XXXXX    XXXXXX    20132 Feb 19 02:58 login
-rw-r--r--    1 XXXXX    XXXXXX        8 Feb 19 02:58 loginpass
-rwxr-xr-x    1 XXXXX    XXXXXX    49844 Feb 19 02:58 ls
-rw-r--r--    1 XXXXX    XXXXXX       20 Feb 19 02:58 ls.hidden
-rwxr-xr-x    1 XXXXX    XXXXXX    29608 Feb 19 02:58 portmap
-rwxr-xr-x    1 XXXXX    XXXXXX    54196 Feb 19 02:58 ps
-rw-r--r--    1 XXXXX    XXXXXX       61 Feb 19 02:58 ps.hidden
-rwx------    1 XXXXX    XXXXXX     1345 Feb 19 02:58 sauber
drwx------    2 XXXXX    XXXXXX     4096 Feb 19 02:58 sploits

Strings from the binaries contain tHE mIRKfORCE and CancerServer.

We are going to investigate the compromised box as well as the found
binaries further. Before digging in any deeper, does anybody have any
experiences to share with us? I have found some messages regarding
CancerServer in some mid-20 INCIDENT messages but they were just
notifications of early findings as this msg is. All vulnerable
software on the box seems to be fixed up as well. :) They've done
a good job...

cheers,
Burak DAYIOGLU / Ahmet Burak CAN


