lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200410281446.i9SEkPx00571@netsys.com>
From: eflorio at edmaster.it (Elia Florio)
Subject: Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???

Hi list,
I'm fighting again against an hackers crew
(I suppose the same mentioned in this link:
http://seclists.org/lists/incidents/2004/Jul/0056.html  )
which is installing various malware on many
compromised box to get group of zombies ready-to-run.
(follow my previous mail on "xpire.info" and "splitinfinity.info")

I've found in some logs that they use different exploits on port 80
but one exploit is specific for Apache 1.3.27 (with PHP/Perl
and other module installed).

It looks like an overflow, I know that 1.3.27 is a bugged version,
but I would to know if anyone have seen this code before:
Extracted from error log of Apache :

216.40.203.9 - - [28/Oct/2004:10:54:37 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd8(xcbtxa6xba"
400 299

140.105.55.159 - - [08/Oct/2004:15:55:35 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_x8ci7x9fx8cxec" 400
-

195.140.140.122 - - [11/Oct/2004:03:58:05 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xc3x8cx8czxcfx19"
400 -

212.78.145.16 - - [13/Oct/2004:20:48:23 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd4Nx91x10x04M" 400
-

65.125.235.250 - - [28/Oct/2004:09:55:02 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe5"
400 - "-" "-"

65.125.235.250 - - [28/Oct/2004:09:55:58 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe8"
400 - "-" "-"

I would suggest to any sysadmin using Apache 1.3.27 to ban this subnet
from their hosts, cause all attacks are coming from these machines :

216.40.203.*,
140.105.55.*,
195.140.140.*,
212.78.145.*,
65.125.235.*
(...and obvious "xpire.info")

Someone suggests to me that they are related to :

Qwest Communications NET-QWEST-BLKS-4 (NET-65-112-0-0-1)
65.112.0.0 - 65.127.255.255
EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1)
65.125.224.0 - 65.125.239.255

The exploits left this signatures (i have to translate the opcodes into asm)
:

xC6 xC2 x2C x37 x60 xC1 xEF xD4 xC4 x92 x22 x64 xC6 x6A xE1 x0D x8A
x6A x5F xD4 x4E x91 x10 x04 4D

The last bytes are changing in every attempt, so this seems to be a
bruteforce attempt to get a valid return address to execute the exploit.

Probably the exploit works for a specific version of Apache/Linux Kernel,
so the hacker have to try many times with different ret. address to
find the right way to execute it.

Any comments?

EF

________________________________________________
Messaggio inviato da
Edizioni Master Webmail
http://mbox.edmaster.it


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ