Security Incidents mailing list archives

Re: Two-Headed Worm - ChinaWorm (analysis)


From: Dave Dittrich <dittrich () cac washington edu>
Date: Mon, 5 Nov 2001 10:42:29 -0800 (PST)

Sheib,

Since neither Bugtraq nor CERT has mentioned anything about it,
it appears that there is another worm spreading on the loose.
. . .
file index in /dev/cuc:

drwxr-xr-x    2 root     bin           632 Apr 29  2001 ./
drwxr-xr-x    3 root     bin            72 Nov  4 17:11 ../
-rwxr-xr-x    1 root     bin          6556 Apr 26  2001 brute*
-rw-r--r--    1 root     bin        701440 May  8 23:31 chinaworm.tar
-rw-r--r--    1 root     bin            86 Apr 26  2001 cmd1.txt
-rw-r--r--    1 root     bin           655 Apr 29  2001 cmd2.txt
-rw-r--r--    1 root     root       349712 Apr 29  2001 core
-rwxr-xr-x    1 root     bin         11828 Apr 25  2001 grabbb*
-rwxr-xr-x    1 root     root        66164 Apr 29  2001 gzip*
-rw-r--r--    1 root     bin           413 Apr 26  2001 index.html
-rw-r--r--    1 root     root       349696 May  6 04:42 junk.tar
-rwxr-xr-x    1 root     bin         28620 Apr 26  2001 nc*
-rwxr-xr-x    1 root     bin        222608 May  7 21:01 pico*
-rw-r--r--    1 root     root           10 Apr 29  2001 pkgadd.txt
-rw-r--r--    1 root     bin           151 Apr 26  2001 ranip.pl
-rwxr-xr-x    1 root     bin          1591 Apr 27  2001 sadmin.sh*
-rwxr-xr-x    1 root     bin         14644 Apr 25  2001 sadmindex-sparc*
-rwxr-xr-x    1 root     bin           217 Apr 26  2001 start.sh*
-rw-r--r--    1 root     bin          6387 May 24 00:48 test
-rwxr-xr-x    1 root     bin           566 Apr 27  2001 time.sh*
-rw-r--r--    1 root     bin        350208 May  7 21:22 uni.tar
-rw-r--r--    1 root     bin         67798 Apr 26  2001 uniattack.pl
-rwxr-xr-x    1 root     bin           645 Apr 26  2001 uniattack.sh*
-rwxr-xr-x    1 root     root       136288 Apr 29  2001 wget*

The sadmind-IIS worm struck in April/May of 2001.  Dates on the files
you show are the same (although I can't tell if this is because they
came from a tar file, or they have really been there since April/May
-- you need to use "stat", TCT, or something else to see access and
change times as well.)

Let me know if any of the MD5 checksums vary from what is below.
If not, this is just the April/May sadmind-iis worm (not sure how it
got started again on your system):

47681bd7a3b182193e571496cd7504e8  ./from_dev_cuc/disable.grabbb
47681bd7a3b182193e571496cd7504e8  ./cuc_hacked/grabbb

32d2add374805cc0271df4941e806601  ./from_dev_cuc/cmd1.txt
32d2add374805cc0271df4941e806601  ./cuc_hacked/cmd1.txt

361b435850409f4e4ce40e0977da27a1  ./from_dev_cuc/disable.brute
361b435850409f4e4ce40e0977da27a1  ./cuc_hacked/brute

86eec91c0ae47898849199d79f3f6029  ./from_dev_cuc/cmd2.txt
86eec91c0ae47898849199d79f3f6029  ./cuc_hacked/cmd2.txt

6a8fa2d69ca88de03444596a1c6a483d  ./from_dev_cuc/disable.nc
6a8fa2d69ca88de03444596a1c6a483d  ./cuc_hacked/nc

c021d0e98a109b46befeabb6a19e5fb3  ./from_dev_cuc/disable.time.sh
c021d0e98a109b46befeabb6a19e5fb3  ./cuc_hacked/time.sh

26ef6bf087fae515cb941bbef33cfd3d  ./from_dev_cuc/disable.ranip.pl
26ef6bf087fae515cb941bbef33cfd3d  ./cuc_hacked/ranip.pl

0bce385b2341cbeeedf4e368ede0b522  ./from_dev_cuc/disable.sadmin.sh
0bce385b2341cbeeedf4e368ede0b522  ./cuc_hacked/sadmin.sh

2f8c8eaaefa1f31fd9a82c97eb33c848  ./from_dev_cuc/disable.start.sh
2f8c8eaaefa1f31fd9a82c97eb33c848  ./cuc_hacked/start.sh

c1eee44cfc83616b05fd3536d74b4821  ./from_dev_cuc/disable.uniattack.pl
c1eee44cfc83616b05fd3536d74b4821  ./cuc_hacked/uniattack.pl

01d63117ee997e5edcdcc67350dba18a  ./from_dev_cuc/disable.uniattack.sh
01d63117ee997e5edcdcc67350dba18a  ./cuc_hacked/uniattack.sh

170de5f27e42e8e88bbe409a891ac5fb  ./from_dev_cuc/gzip
170de5f27e42e8e88bbe409a891ac5fb  ./cuc_hacked/gzip

db48cf6e1c02add9bdf45664c3baf72e  ./from_dev_cuc/index.html
db48cf6e1c02add9bdf45664c3baf72e  ./cuc_hacked/index.html

a57c106e45616f6a9ce88efa2f5368c2  ./from_dev_cuc/pkgadd.txt
a57c106e45616f6a9ce88efa2f5368c2  ./cuc_hacked/pkgadd.txt

a23d13f298a52bd121293d8250ad90f4  ./from_dev_cuc/wget
a23d13f298a52bd121293d8250ad90f4  ./cuc_hacked/wget

4b159275deb309fb148d741a94b25fad  ./from_dev_cuc/sadmindex-sparc
4b159275deb309fb148d741a94b25fad  ./cuc_hacked/sadmindex-sparc

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
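The two checks the reply asks for (look at all three timestamps rather than just the ls mtime, and compare MD5 sums against the known sadmind-IIS file set) can be scripted. The following is an added example, not part of the original message or the worm analysis; it assumes GNU coreutils md5sum and stat (the Solaris equivalents differ), and a known-hash list in md5sum output format, i.e. "<md5>  <reference-path>" per line like the list above. Files are matched by hash alone, since the reference paths (./from_dev_cuc/disable.grabbb vs. ./cuc_hacked/grabbb) differ from what will be found on a victim. The demo data is constructed here and is not from the incident.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils
# md5sum and stat; adjust the two commands for Solaris md5/stat.

# Print mtime/atime/ctime for a file. tar preserves mtime from the
# archive, but ctime cannot be set by tar, so a ctime far later than
# the April/May mtime points to extraction, not to presence since then.
mac_times() {
    # GNU stat: %y = mtime, %x = atime, %z = ctime
    stat -c 'mtime=%y atime=%x ctime=%z' "$1"
}

# Compare every regular file under $2 against the hash list $1.
# Prints one line per file:
#   KNOWN   <file> matches <reference-path>
#   UNKNOWN <file> <md5>
check_hashes() {
    known=$1; dir=$2
    find "$dir" -type f | sort | while read -r f; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        # first column of the list is the md5, second the reference path
        ref=$(awk -v h="$sum" '$1 == h { print $2; exit }' "$known")
        if [ -n "$ref" ]; then
            printf 'KNOWN   %s matches %s\n' "$f" "$ref"
        else
            printf 'UNKNOWN %s %s\n' "$f" "$sum"
        fi
    done
}

# Constructed demo: a scratch directory with one file whose hash is on
# the (constructed) known list and one that is not, then both checks.
demo() {
    tmp=$(mktemp -d)
    printf 'sample worm component\n' > "$tmp/grabbb"
    printf 'something else entirely\n' > "$tmp/mystery"
    # known list kept outside the scanned directory
    md5sum "$tmp/grabbb" | sed 's|  .*|  ./from_dev_cuc/disable.grabbb|' > "$tmp.known"
    check_hashes "$tmp.known" "$tmp"
    mac_times "$tmp/grabbb"
    rm -rf "$tmp" "$tmp.known"
}
```

In practice run check_hashes against a copy of /dev/cuc taken with the timestamps intact (e.g. from a dd image or a tar with -p), and run mac_times before anything else touches the files, since reading them updates atime.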


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com