[iwar] [fc:*MAJOR.SECURITY.BREACH.AT.CCBILL**]

From: Fred Cohen (fc@all.net)
Date: 2001-12-19 21:19:03


Return-Path: <sentto-279987-4106-1008825473-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Wed, 19 Dec 2001 21:28:07 -0800 (PST)
Received: (qmail 23006 invoked by uid 510); 20 Dec 2001 05:26:32 -0000
Received: from n12.groups.yahoo.com (216.115.96.62) by all.net with SMTP; 20 Dec 2001 05:26:32 -0000
X-eGroups-Return: sentto-279987-4106-1008825473-fc=all.net@returns.groups.yahoo.com
Received: from [216.115.97.166] by n12.groups.yahoo.com with NNFMP; 20 Dec 2001 05:17:52 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_1_3); 20 Dec 2001 05:17:52 -0000
Received: (qmail 72989 invoked from network); 20 Dec 2001 05:17:52 -0000
Received: from unknown (216.115.97.167) by m12.grp.snv.yahoo.com with QMQP; 20 Dec 2001 05:17:52 -0000
Received: from unknown (HELO red.all.net) (12.232.125.69) by mta1.grp.snv.yahoo.com with SMTP; 20 Dec 2001 05:17:50 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id fBK5J3n30403 for iwar@onelist.com; Wed, 19 Dec 2001 21:19:03 -0800
Message-Id: <200112200519.fBK5J3n30403@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Wed, 19 Dec 2001 21:19:03 -0800 (PST)
Subject: [iwar] [fc:*MAJOR.SECURITY.BREACH.AT.CCBILL**]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

It appears that perhaps tens of thousands of username/passwords for valid
shell logins ALL ACROSS THE NET may have been compromised at CCBILL,
a large internet credit card/check processor used for e-commerce and
adult sites, read carefully!!

Well, after the user complaint below, we began some investigation
and found about 6 of these IRC bots running on our network as well.
All with a fartone.conf and a fartone eggdrop IRC daemon listening
on port 9872... this is across 6 different machines in our
server farm alone, so far as we have found; we are scanning right now
to find out if there are more listening on port 9872 in our address
spaces.

Interestingly enough, the common tie between all these compromised
accounts is that they are ALL CCBILL customers. Being CCBILL customers,
they have all their userid and password information to ssh to their
website(s)/server(s) to update scripts and databases as required.
Was CCBILL hacked? OR do they have someone inside who has released
the user information abroad? We called a couple other hosts whom
we communicate with and voila.. they have boxes with IRC bots 
running on port 9872 as well... also CCBILL clients.

It appears whoever has obtained the CCBILL list of usernames/passwords
systematically SSHs into their customers' servers, installs the IRC
eggdrop bot and leaves.

I have found no instances of root kits, or anything else malicious
being performed or installed. In fact, in all 6 instances they left
all their .tar and config files, AND their .history files intact.
Looking through normal daily log files would not tip you off to any sort
of compromise at all - no multiple password failures, etc., because
they already have the correct password to login :)

It is my opinion that Cavecreek/CCBILL has had a breach of security,
thus releasing user ids and logins on various servers around the
internet. CCBILL's customer base is in the tens of thousands.

It appears the bots are merely sitting and listening, waiting for
commands for perhaps a large distributed DoS attack; it does not
appear that they are logging any sensitive data transmitted through
the server(s). I tcpdumped the port and logged in and out of the
server to make sure it wasn't transmitting any data elsewhere. I
also confirmed that the bots were not logging anything locally
either.

I have attached a sample output of strings on the binary file
called 'fartone' for your review; please note there are *several*
cavecreek machines which are listed, as well as many others.
ALL these machines below have been verified to have port 9872 open
and listening, with perhaps this same type of IRC Eggdrop bot running.
Also please note, all these servers/domains listed below are
current CCBILL subscribers:

[FC - suppressed for my protection]
...

Please note the .history file just from this one account,
and this is merely a small sample, please note, these are
all CCBILL accounts:

ssh -l f215109 www.extremeteens.net
telnet www.extremeteens.net
...
ssh -l nudistphotogallery www.nudistphotogallery.net


... 
 
 Here is a message regarding a hack attempt. They have stated that the
 hack was also from our server 216.226.xxx.xxx. How can we check who/what
 happened from that server? The details from their logs are below.
 
... 
 One of your users illegally accessed a server I own and illegally
 installed and ran software on it. The hacker gained access to the
 system using a hacked or stolen password and installed "eggdrop"
 an IRC bot with the capability of launching distributed denial
 of service attacks.
 
 This hacker accessed my system from cc118955-a.groni1.gr.nl.home.com
 by FTP as per the following entry in my system FTP logs. All times
 are Mountain Standard Time (Arizona, USA).
 
 Dec 18 11:48:04 gelt ftpd[23349]: connection from
 cc118955-a.groni1.gr.nl.home.com (213.51.147.235)
 
 The user also accessed the system using interactive SSH from
 216.226.xxx.xxx
 according to the following entries in syslog
 
 Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for
 "216.226.xxx.xxx".
 Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password
 accepted.
 Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user
 gtdfor accepted.
 Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from
 216.226.xxx.xxx, authenticated.
 
 This is a private server and the gtdfor user ID is used only by myself,
 the system administrator. This is a unix-level login, not a web site
 account. This(these) user(s) therefore gained access illegally.
...

------------------
http://all.net/ 
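The report's key detection point is that the intruders logged in with valid, stolen passwords, so the usual signal (repeated authentication failures) never appears; the only trace is a *successful* login from a source the account owner does not use. The following is an added example, not part of the e-mail or of any tool it mentions. It parses the sshd2 "authenticated" and ftpd "connection from" lines quoted above (with the e-mail's line wrapping undone, and 216.226.xxx.xxx left masked as on the page) and flags successful sessions whose source is not on a per-account allowlist. The allowlist, the extra 10.0.0.5 login line and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# Timestamp prefix shared by the syslog lines in the report ("Dec 18 11:38:02").
_TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

# sshd2 success line: "User gtdfor, coming from 216.226.xxx.xxx, authenticated."
SSH_AUTH = re.compile(
    _TS + r"sshd2?\[\d+\]: User (?P<user>\S+), coming from (?P<src>\S+), authenticated\.$"
)
# ftpd connection line: "connection from <host> (<ip>)"; ftpd logs no user here.
FTP_CONN = re.compile(
    _TS + r"ftpd\[\d+\]: connection from (?P<src>\S+) \((?P<ip>[0-9.]+)\)$"
)

# Constructed sample: the lines quoted in the report, plus one extra login
# from 10.0.0.5 (constructed) standing in for the administrator's normal host.
SAMPLE_LOG = """\
Dec 18 11:37:51 gelt sshd2[16845]: DNS lookup failed for "216.226.xxx.xxx".
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor's local password accepted.
Dec 18 11:38:02 gelt sshd2[16845]: Password authentication for user gtdfor accepted.
Dec 18 11:38:02 gelt sshd2[16845]: User gtdfor, coming from 216.226.xxx.xxx, authenticated.
Dec 18 11:48:04 gelt ftpd[23349]: connection from cc118955-a.groni1.gr.nl.home.com (213.51.147.235)
Dec 18 12:05:10 gelt sshd2[16902]: User gtdfor, coming from 10.0.0.5, authenticated.
"""

# Constructed allowlist: the sources each account is expected to log in from.
EXPECTED_SOURCES = {"gtdfor": {"10.0.0.5"}}


def parse_events(text):
    """Return one dict per successful SSH login or FTP connection in the log text."""
    events = []
    for line in text.splitlines():
        m = SSH_AUTH.match(line)
        if m:
            events.append({"ts": m["ts"], "service": "ssh", "user": m["user"],
                           "src": m["src"], "ip": None})
            continue
        m = FTP_CONN.match(line)
        if m:
            events.append({"ts": m["ts"], "service": "ftp", "user": None,
                           "src": m["src"], "ip": m["ip"]})
    return events


def find_unexpected(events, expected):
    """Flag successful sessions whose source host/IP is not on the allowlist.

    FTP connection lines carry no user, so they are checked against the union
    of every account's expected sources.
    """
    all_known = set().union(*expected.values()) if expected else set()
    alerts = []
    for ev in events:
        allowed = expected.get(ev["user"], set()) if ev["user"] else all_known
        if ev["src"] not in allowed and ev["ip"] not in allowed:
            alerts.append(ev)
    return alerts


def sources_by_user(events):
    """Map each account to the set of sources it authenticated from (for review)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["user"]:
            seen[ev["user"]].add(ev["src"])
    return dict(seen)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_unexpected(evs, EXPECTED_SOURCES):
        print(f"ALERT {a['ts']} {a['service']} user={a['user']} from={a['src']} ip={a['ip']}")
    print(sources_by_user(evs))
```

Run against the sample, the two sessions from the report (the SSH login from 216.226.xxx.xxx and the FTP connection from the home.com address) are flagged, while the constructed 10.0.0.5 login is not. The same approach generalises to any service that logs successes: key the detector on accepted authentications and compare their source against what each account normally uses, rather than waiting for failure counts that a stolen valid password never produces.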




This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST