Re: awstats holes being exploited in the wild

[Skip Carter <skip () mira taygeta com>]

> I did a find on 's', and it turned up a new directory:  /var/tmp/.cache
> this directory had the following files:
>
> -rwxr-xr-x  1 apache apache 433332 Mar 13 10:12 0*
> -rwxr-xr-x  1 apache apache    147 Jul 29  2004 clear.sh*
> -rw-r--r--  1 apache apache    253 Mar 14 08:22 ftp
> -rw-r--r--  1 apache apache      0 Mar 14 08:22 Garion.seen
> -rwxr-xr-x  1 apache apache 160867 Mar 21  2005 httpd*
> -rwxr-xr-x  1 apache apache  24747 Mar 13 10:12 j*
> -rwxr-xr-x  1 apache apache  31757 Mar 13 10:12 k*
> -rw-r--r--  1 apache apache  22983 Jul 29  2004 mech.help
> -rw-r--r--  1 apache apache   1064 Mar 14 08:22 mech.levels
> -rw-r--r--  1 apache apache   6734 Mar 13 10:12 mech.pid
> -rw-r--r--  1 apache apache    522 Mar 14 08:22 mech.session
> -rw-r--r--  1 apache apache    827 Mar 21  2005 mech.set
> -rwxr-xr-x  1 apache apache  22158 Mar 13 09:42 s*
> -rwxr-xr-x  1 apache apache     61 Mar 21  2005 start.sh*
> -rwxr-xr-x  1 apache apache  22446 Mar 13 10:12 v1*
> -rwxr-xr-x  1 apache apache  23414 Mar 13 10:12 v2*
> -rwxr-xr-x  1 apache apache  26958 Mar 13 10:12 x*

> j is juno.c by Sorceror of DALnet
> k is the ptrace program by anszom () v-lo krakow pl
> v1 is vadim v.Ibeta
> v2 is vadim v.IIbeta
> x is apparently a ptrace program by Wojciech Purcynski (referenced at 
> http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-03/0201.html )


I recently tracked down a phishing site to a compromised server
in Japan.  Interestingly, several of the above files
(in particular the mech files and the ptrace program)
were installed there; it also had the tuxkit rootkit installed
on it.  That system appears to have been compromised by a
vulnerable sshd.




-- 
 Dr. Everett (Skip) Carter           Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Network Security Services   email: skip () taygeta net
 1340 Munras Ave., Suite 314         WWW: http://www.taygeta.net/
 Monterey, CA. 93940

Attachment: _bin
Description: