oss-sec mailing list archives

SEANux 1.0 remote back door


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Sat, 24 Jan 2015 15:05:26 -0500

Hello All,
I thought you might be interested in this from my blog, with screenshots: http://www.vapid.dhs.org/blog/01-23-2015/

SEANux 1.0 backdoor

Larry W. Cashdollar
1/23/2015


SEANux 1.0 is a Linux distribution (available here) developed by the Syrian Electronic Army. It has an Apache web server
listening on 0.0.0.0:80:
root@larry-VirtualBox:/etc/mysql# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 192.168.0.33:22         192.168.0.22:53474      ESTABLISHED
tcp6       0      0 ::1:6010                :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
tcp6       1      0 ::1:57375               ::1:631                 CLOSE_WAIT 
udp        0      0 0.0.0.0:68              0.0.0.0:*                          
udp        0      0 0.0.0.0:52375           0.0.0.0:*                          
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp        0      0 0.0.0.0:41938           0.0.0.0:*                          
udp        0      0 0.0.0.0:31229           0.0.0.0:*                          
udp        0      0 127.0.1.1:53            0.0.0.0:*                          
udp6       0      0 :::37598                :::*                               
udp6       0      0 :::5353                 :::*                               
udp6       0      0 :::12590                :::*                               
udp6       0      0 :::52638                :::*                               
udp6       0      0 :::546                  :::*                               
Active UNIX domain sockets (servers and established)

This Apache server is a tool server hosting web-based tools by the SEA.
One of the tools is a backdoor to the system.

The path http://192.168.0.33/tools/sea.php is a backdoor for the SEA.

Here is a screen shot after logging in: 

Lines 6-15 of sea.php contain the credentials:
     6 $user = 'SEA'; ^M
     7 $pass = 'SEA'; ^M
     8 $uselogin = 1;^M
     9 $sh3llColor = "#0040FF";^M
    10 ^M
    11 # MySQL Info ---------^M
    12 $DBhost = "localhost";^M
    13 $DBuser = "root";^M
    14 $DBpass = "root";^M
    15 #---------------------^M


So I thought this backdoor might allow root access to the MySQL database running on port 3306. But the credentials are
set for MySQL during setup, and I don't see any other code to run SQL queries on the system. Perhaps they just default
to root/root, as that's a very common password combo for MySQL installs?
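A small triage script for the two observations in the post: which sockets in a `netstat -an` listing are bound to every interface rather than loopback, and which variables in a PHP file such as sea.php carry hard-coded logins (and whether the password is just the username or a stock default). This is an added example and not code from the original post, the blog, or SEANux; the netstat rows and PHP lines it parses are constructed here to mirror the excerpts above, and the variable-name patterns (`user`/`login`, `pass`/`pwd`) and the default-password list are assumptions.

```python
"""Triage for the finding above: which sockets are reachable from other hosts,
and which PHP variables carry hard-coded logins. Added example, not code from
the original post or from SEANux; the sample inputs below are constructed."""
import re

# One `netstat -an` row: proto recv-q send-q local foreign [state]
_ROW = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

# Quoted PHP assignments such as $pass = 'SEA'; (single or double quotes)
_ASSIGN = re.compile(r"""^\s*\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.M)
_CRED_NAME = re.compile(r"user|login|pass|pwd|secret|token", re.I)

# Default passwords worth flagging regardless of username (assumed list)
_DEFAULTS = {"", "root", "toor", "admin", "password", "changeme"}


def external_listeners(netstat_text, ignore_ports=()):
    """Return (proto, bind_address, port) for sockets bound to every interface.

    TCP rows count only in LISTEN; UDP rows have no state column, so any
    wildcard-bound UDP socket counts. Loopback binds (127.x, ::1) are skipped.
    """
    found = []
    for raw in netstat_text.splitlines():
        m = _ROW.match(raw.strip())
        if not m:
            continue                      # header, UNIX-socket rows, blanks
        proto, local, _foreign, state = m.groups()
        host, _, port = local.rpartition(":")   # "::1:631" -> ("::1", "631")
        if host not in ("0.0.0.0", "::"):
            continue
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        if int(port) in ignore_ports:
            continue
        found.append((proto, host, int(port)))
    return found


def hardcoded_credentials(php_source):
    """Map credential-looking PHP variables to their string literals.

    The sea.php excerpt shows CRLF line endings (the ^M marks), so carriage
    returns are dropped before matching.
    """
    creds = {}
    for name, _quote, value in _ASSIGN.findall(php_source.replace("\r", "")):
        if _CRED_NAME.search(name):
            creds[name] = value
    return creds


def weak_pairs(creds):
    """Pair each *user/*login variable with its *pass/*pwd sibling by prefix
    ($DBuser with $DBpass, $user with $pass) and flag a password that equals
    the username or sits on the default list."""
    flags = []
    for uname, uval in creds.items():
        if not re.search(r"user|login", uname, re.I):
            continue
        prefix = re.sub(r"user|login", "", uname, flags=re.I)
        for pname, pval in creds.items():
            if not re.search(r"pass|pwd", pname, re.I):
                continue
            if re.sub(r"pass|pwd", "", pname, flags=re.I) != prefix:
                continue
            if pval == uval or pval.lower() in _DEFAULTS:
                flags.append((uname, uval, pname, pval))
    return flags


# Constructed sample mirroring part of the post's netstat output
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.33:22         192.168.0.22:53474      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       1      0 ::1:57375               ::1:631                 CLOSE_WAIT
udp        0      0 0.0.0.0:5353            0.0.0.0:*
"""

# Constructed sample mirroring lines 6-14 of sea.php, CRLF endings included
SAMPLE_PHP = (
    "<?php\r\n"
    "$user = 'SEA'; \r\n"
    "$pass = 'SEA'; \r\n"
    "$uselogin = 1;\r\n"
    '$sh3llColor = "#0040FF";\r\n'
    "# MySQL Info ---------\r\n"
    '$DBhost = "localhost";\r\n'
    '$DBuser = "root";\r\n'
    '$DBpass = "root";\r\n'
)

if __name__ == "__main__":
    for proto, host, port in external_listeners(SAMPLE_NETSTAT):
        print(f"reachable: {proto} {host}:{port}")
    for uname, uval, pname, pval in weak_pairs(hardcoded_credentials(SAMPLE_PHP)):
        print(f"weak login: ${uname}={uval!r} ${pname}={pval!r}")
```

On the sample, `external_listeners` reports SSH on 0.0.0.0:22, the web server on :::80 and mDNS on 0.0.0.0:5353 while leaving the loopback-only MySQL socket alone, and `weak_pairs` flags both SEA/SEA and root/root. On a real box, feed it `netstat -an` (or `ss -tunap`) output and the web root's PHP files; `ignore_ports` is there for listeners you already expect, such as DHCP or mDNS.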
