Security Incidents mailing list archives
Re[2]: Rooted, .haos on system
From: "Oliver.C.Rochford CFH" <bugtraq () cfh com>
Date: Tue, 17 Dec 2002 08:36:28 +0000
Hello Damian,

it was rooted via a linuxconf exploit, presumably http://www.packetstormsecurity.com/0209-exploits/nslconf.c or similar. As this is a local exploit, it means they probably got on a different way; I assume mod_ssl. The stuff you found was probably an autorooter, so they probably intended to (or did) use the rooted host to scan from.

regards
Oliver Rochford

Monday, December 16, 2002, 5:38:33 PM, you wrote:

DG> On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
DG> > I've just received word that one of our customers was rooted, and he's asking about the file ".haos". Nothing rings any bells, has anyone heard of it?
DG> Just a quick update to this...
DG> It looks like it was an IRC bot. I found these interesting tidbits
DG> throughout the various source trees left on the system (definitely a
DG> script kiddie hack):
DG> " /.../ /m/src/Makefile":
DG> #
DG> # Starglider Class EnergyMech, IRC bot software
DG> # Copyright (c) 1997-2000 proton
DG> #
DG> # This program is free software; you can redistribute it and/or modify
DG> # it under the terms of the GNU General Public License as published by
DG> # the Free Software Foundation; either version 2 of the License, or
DG> # (at your option) any later version.
DG> " /.../ /m/emech.users":
DG> handle Silviu
DG> mask *!*@Scoobyy.users.undernet.org
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle Malice
DG> mask *!*@malice.users.undernet.org
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle Mihai
DG> mask *!*@p00f.users.undernet.org
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle Doggy
DG> mask *!*@Catelushu.users.undernet.org
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle mortu
DG> mask *!*@mortux.users.undernet.org
DG> prot 4
DG> aop
DG> channel #DhT
DG> access 100
DG> ".../[wxz].users":
DG> handle dxd
DG> mask *!*dxd@*.*
DG> pass nI-duWuaJw
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle kappy
DG> mask *!*kappy@*.*
DG> pass 0jgmlVQspb
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle essence
DG> mask *!*essence@*.*
DG> pass wHC0Pmbfux
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle karamel
DG> mask *!*KarameL@*.*
DG> pass kdiF0eQFYv
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle DJcontact
DG> mask *!*anathema@*.*
DG> pass uSfKIJhaCS
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> Other notes:
DG> - a number of 'sendmail.c', 'modutils.sh', 'efstool.c', etc. files
DG> kicking around
DG> - a couple of binaries called 'httpd'
DG> - an empty file called
DG> "????????1?1?1??F??1?Q?8eshf5VJP?eebif5JJP??QS??1?1?????.eng"
DG> - a couple of other system binaries (i.e. bash)
DG> I still have the original 'haos' and 'haos2' tarballs, if anyone is
DG> interested in looking at them. They both contain libpcap, and look to
DG> be some sort of an automated SSH exploiter, given by the contents of the
DG> files "targets" and "targets.txt":
DG> <snip>
DG> Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Small - SSH-1.5-OpenSSH-1.2.3,0x0806d000,0x080725ec,0x0000c804,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
DG> Small - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> </snip>
DG> If anyone wants more info, I'm willing to pass it on. But I'm going to
DG> guess they got in via OpenSSH, given the nature of the scanners and the
DG> version of the daemon running on the box. I'm not sure where the group
DG> came from, but here's a quick quote from one of the shell scripts
DG> ("haosx"), and I'll leave you all at that:
DG> echo "$rver haosx for Linuxz"
DG> else
DG> echo ""
DG> echo "$rver Asteapta cateva secunde sa ma linistesc.."
DG> echo "Ia o pauza de o laba pana scanam ceva."
DG> echo "www.haos2.com"
DG> echo "Thanks 2 friends : in #haos channel."
DG> ----------------------------------------------------------------------------
DG> This list is provided by the SecurityFocus ARIS analyzer service.
DG> For more information on this free incident handling, management
DG> and tracking system please see: http://aris.securityfocus.com
--
Best regards,
Oliver.C.Rochford mailto:bugtraq () cfh com
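The two artifact formats quoted in the thread (the EnergyMech users file and the scanner's "targets" list) are easy to triage mechanically. The following Python is an added example, not code from this mail, from EnergyMech or from the haos tarballs; the sample inputs are constructed from the quoted fragments, and the keyword layout of the users file (one "handle" line starting each record, flag keywords such as "aop" with no value) is assumed from what was quoted. It pulls each bot user into a record, summarises what an incident report needs from it, and extracts the sshd version banners the scanner was built for so an administrator can check whether their own daemon's banner is on the list.

```python
"""Triage helpers for the two artifact formats quoted in the thread.

Added example, not code from the original mail or from EnergyMech.
The sample inputs below are constructed from the quoted fragments.
"""
import re

# Constructed sample: two user blocks in the EnergyMech users-file style
# quoted in the mail (keyword followed by a value, one per line).
SAMPLE_USERS = """\
handle Silviu
mask *!*@Scoobyy.users.undernet.org
prot 4
aop
channel *
access 100
handle dxd
mask *!*dxd@*.*
pass nI-duWuaJw
prot 4
aop
channel *
access 100
"""

# Constructed sample in the "targets" line format quoted in the mail:
# a label, the sshd version banner, then tool-specific numeric fields.
SAMPLE_TARGETS = """\
Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
"""


def parse_emech_users(text):
    """Group keyword/value lines into one record per 'handle' line.

    Flag-style keywords with no value (e.g. 'aop') are recorded as True.
    Returns a list of dicts in file order; lines before the first
    'handle' and comment lines are ignored."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else True
        if key == "handle":
            current = {"handle": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def users_summary(records):
    """Reduce each record to the fields an incident report needs:
    handle, hostmask, channel scope, and whether a password was set."""
    return [
        {
            "handle": r.get("handle"),
            "mask": r.get("mask"),
            "channel": r.get("channel"),
            "has_password": "pass" in r,
        }
        for r in records
    ]


# label, separator, then the banner up to the first comma
TARGET_LINE = re.compile(r"^\s*(\w+)\s*-\s*([^,]+),")


def targeted_banners(text):
    """Extract the sshd version banners from a targets file.

    Only the banner field is kept; the numeric fields that follow are
    tool-specific and irrelevant for deciding whether one's own daemon
    is on the list."""
    banners = set()
    for line in text.splitlines():
        m = TARGET_LINE.match(line)
        if m:
            banners.add(m.group(2).strip())
    return banners


def normalise_banner(banner):
    """The quoted list spells the same version both 'OpenSSH-2.1.1' and
    'OpenSSH_2.1.1'; fold the separator so comparisons are not fooled."""
    return banner.strip().replace("_", "-").lower()


def banner_is_targeted(banner, targets_text):
    """True if the given sshd banner (as sent on connect) appears in the
    targets file, ignoring the '-' versus '_' spelling difference."""
    wanted = {normalise_banner(b) for b in targeted_banners(targets_text)}
    return normalise_banner(banner) in wanted


if __name__ == "__main__":
    for entry in users_summary(parse_emech_users(SAMPLE_USERS)):
        print(entry)
    print(sorted(targeted_banners(SAMPLE_TARGETS)))
    print(banner_is_targeted("SSH-1.99-OpenSSH-2.1.1", SAMPLE_TARGETS))
```

The banner check is deliberately tolerant of the "-" versus "_" inconsistency visible in the quoted list, since a byte-exact comparison would miss one of the two spellings of OpenSSH 2.1.1 that the file contains.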
