Message-ID: <200410291039.i9TAdRx02626@netsys.com>
From: eflorio at edmaster.it (Elia Florio)
Subject: Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???
> Hi,
> It appears that the signature is
>
> 00000000 C6C22C mov dl, 2C
> 00000003 37 aaa
> 00000004 60 pushad
> 00000005 C1EFD4 shr edi, D4
> 00000008 C4922264C66A les edx, dword ptr [edx+6AC66422]
> 0000000E E10D loopz 0000001D
> 00000010 8A6A5F mov ch, byte ptr [edx+5F]
> 00000013 D44E aam (base78)
> 00000015 91 xchg eax,ecx
> 00000016 10044D00000000 adc byte ptr [2*ecx+104D044D], al
>
> The beginning & the end of the disassembly may be wrong if the signature
> is not complete. However it doesn't make much sense globally and this
> code is too short to see a potential attack: no memory is written here.
> By the way, where is this signature from?
Someone (Peter Kosinar) suggested to me that this byte pattern
is a potential command directed to the "suckit" rootkit over port 80;
the first bytes are a kind of authentication hash and the final bytes
are changing because it's a port number.... Still investigating on this...
Your work is great, but maybe this isn't an attack
pattern, so the bytes are not asm instructions! Thank you anyway...
The signature comes from different compromised
error logs of Apache 1.3.27 with PHP4.2.3.
I've contacted the sysadmins of the IPs originating these attacks,
because someone else suggested to me that the attacking hosts
are also compromised boxes used by this hacker crew....
They own a lot of Apache *nix servers worldwide :((((((
216.40.203.9 : ns1.tnet.ch : An old Cobalt RaQ server, with very poor
security.
OrgName: Everyones Internet, Inc.
Country: US
-----
140.105.55.159 : dschrahm3.univ.trieste.it .
netname: TRIESTE-NET
descr: Universita' degli Studi di Trieste
-----
195.140.140.122 : from France :
netname: CTN-1
-----
212.78.145.16 : Another old Cobalt server from Spain :
Hostname : 16.red-212-78-145.user.auna.net
netname: MENTA-ECOM
descr: Cable i Televisio de Catalunya
descr: Internet de Banda Ampla
-----
65.125.235.250 :
EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1)
65.125.224.0 - 65.125.239.255
EF
________________________________________________
Message sent by
Edizioni Master Webmail
http://mbox.edmaster.it
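As an added example for this thread (not code from the poster or from any project named here): a small Python scanner that looks for the quoted byte pattern in Apache error-log lines, which is where the poster says it turned up. It assumes, following the poster's remark that the trailing bytes carry a port number, that the last seven-byte instruction varies and so matches only on the leading 22 bytes; the `\xNN` escaping helper and the sample log lines are constructed for the example, and the client addresses in them are documentation addresses, not the hosts listed above.

```python
import re

# Byte pattern exactly as quoted in the disassembly listing above.
SIGNATURE_HEX = (
    "C6C22C" "37" "60" "C1EFD4" "C4922264C66A" "E10D"
    "8A6A5F" "D44E" "91" "10044D00000000"
)
SIGNATURE = bytes.fromhex(SIGNATURE_HEX)          # 29 bytes

# Assumption: the trailing 7-byte instruction is the part the poster says
# changes, so only the 22 bytes before it are treated as stable.
STABLE_PREFIX = SIGNATURE[:-7]

# Apache writes non-printable request bytes into error_log as \xNN escapes
# (and \r, \n, \t, \\, \" for a few characters); undo that before matching.
_ESCAPE_RE = re.compile(rb'\\(x[0-9A-Fa-f]{2}|[rnt"\\])')
_SIMPLE = {b"r": b"\r", b"n": b"\n", b"t": b"\t", b"\\": b"\\", b'"': b'"'}

def unescape_logitem(line: bytes) -> bytes:
    """Turn an escaped error_log line back into the raw bytes it describes."""
    def repl(m):
        tok = m.group(1)
        if tok[:1] == b"x":
            return bytes.fromhex(tok[1:].decode())
        return _SIMPLE[tok]
    return _ESCAPE_RE.sub(repl, line)

def find_prefix(data: bytes, prefix: bytes = STABLE_PREFIX) -> list:
    """All offsets at which the stable prefix occurs in data."""
    hits, start = [], 0
    while (idx := data.find(prefix, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits

def scan_log(log: bytes, prefix: bytes = STABLE_PREFIX) -> list:
    """Return (line_number, client, trailing_bytes_hex) for every line that
    contains the stable prefix; the trailing bytes are reported so an analyst
    can see how the variable tail differs between hits."""
    results = []
    for lineno, raw in enumerate(log.splitlines(), 1):
        decoded = unescape_logitem(raw)
        for off in find_prefix(decoded, prefix):
            tail = decoded[off + len(prefix): off + len(SIGNATURE)]
            m = re.search(rb"\[client ([^\]]+)\]", raw)
            client = m.group(1).decode() if m else "?"
            results.append((lineno, client, tail.hex()))
    return results

# --- constructed sample data (not from the original post) -------------------

def apache_escape(data: bytes) -> bytes:
    """Constructed approximation of Apache's log escaping: printable ASCII is
    kept, everything else (and the quote/backslash characters) becomes \\xNN."""
    out = bytearray()
    for b in data:
        if 32 <= b < 127 and b not in (0x22, 0x5C):
            out.append(b)
        else:
            out += b"\\x%02x" % b
    return bytes(out)

# Same stable prefix, different trailing bytes (constructed).
VARIANT = STABLE_PREFIX + bytes.fromhex("10044D1F900000")

SAMPLE_LOG = (
    b"[Fri Oct 29 10:30:01 2004] [error] [client 192.0.2.10] "
    b"File does not exist: /var/www/html/favicon.ico\n"
    + b"[Fri Oct 29 10:31:14 2004] [error] [client 192.0.2.55] "
    + b"Invalid method in request " + apache_escape(SIGNATURE) + b"\n"
    + b"[Fri Oct 29 10:32:09 2004] [error] [client 192.0.2.77] "
    + b"Invalid method in request " + apache_escape(VARIANT) + b"\n"
)

if __name__ == "__main__":
    for lineno, client, tail in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: client {client} sent prefix, tail bytes {tail}")
```

Running it on a real error_log only requires reading the file in binary mode and passing the bytes to `scan_log`; matching on the decoded bytes rather than the escaped text is what lets the same check work whether Apache wrote the request raw or as `\xNN` escapes.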