lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <42812E54.1080304@senn.ch>
Date: Tue May 10 22:57:57 2005
From: adrian at senn.ch (Adrian Senn)
Subject: Another exploit against apache or kernel

Hello together
Since some weeks we have an intruder which is exploiting us and poisoning us
with the Virus Unix/RST.A
I found now how it happens at it isn't clear to me what he is doing.

I found in the apache log file some interesting strings.

Repeating entries as this
ip-hide - - [10/May/2005:19:58:00 +0200] "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"

and sometimes this one
ip-hide - - [10/May/2005:19:58:20 +0200] 
"f\x0e\xbcQ\xc4k\x01\xe4l\x02]\xbe\xbaye\x96\x87\xa5\xfc#\xc5\x17f\x0e\xbcQ\xc4k\x01\xe4l\x02]\xbe\xbaye\x96\x87\xa5\xfc#\xc5\x17" 
200 11466 "-" "-"

I had the possibility to made a tcpdump of this session of the cracker.

It doesn't initiate a normal http session. After the treeway handshake
he is sending (HTTP: Continuation or non-HTTP traffic")

0000:  0B A5 E5 29 28 DD B7 7C D5 AD 26 D7 39 00 7E E1  ...)(..|..&.9.~.
0010:  D7 CE 46 BA C5 11                                ..F...

After this, our server is also initiating a session from an non privileged Port
to an unprivileged port on the other side.

He is also sending this string

0000:  66 0E BC 51 C4 6B 01 E4 6C 02 5D BE BA 79 65 96  f..Q.k..l.]..ye.
0010:  87 A5 FC 23 C5 17                                ...#..

after this the server is answering with a 200 message.

I don't have any idea why our server is opening a separate session to the crackers ip.
Could this to be an exploit against the kernel or php?
I made last week a change from the older apache 1.3.26 to 1.3.33 but the problem remains.
Could this also probably be an rootkit which is answering?

Kind regards Adrian Senn


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ