lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060306221339.M56930@ipspace.com>
Date: Mon Mar  6 22:15:03 2006
From: jsavora at ipspace.com (Jason Savora)
Subject: dikline suspected to be behind repository
	hacking. 

dikline suspected to be behind repository hacking.

Recently we have discovered a severe code modification in the Ruby 
programming language downloaded from various debian based non-official 
apt-repositories.

Ruby is the interpreted scripting language for quick and easy 
object-oriented programming available from ruby-lang . org

Please be advised the official release of ruby from ruby-lang.org is not 
hacked.

During normal application development in the ruby language at our firm 
our developers actively use Ruby as a language. We are currently developing a 
smart system for badge access scanning at door entry points in our 
building using HID cards.

In the process of development we have had to downgrade, modify, and 
remove many instances of ruby for testing (including non POSIX versions 
of Ruby for Win32API development via ruby.exe for windows system's).

Steven Colbert of HID INC. Has been working with us on various 
projects for the past year on and off, and we are now working with 
debian-sarge and ubuntu linux system's.

During a recent ritual of removal/re-installation of Ruby using debian's 
apt-get we discovered a very big flaw in the files installed for Ruby.

A hacked version of ruby is wondering around apt repositories everywhere.

The file that's infected is /usr/lib/ruby/Env.rb. This file imports 
environment variables as global variables when called. But dont plan on 
seeing 
a change in that file, for it is replaced upon trojan 
infection.

The original Env.rb file look's like:

require 'importenv'

if __FILE__ == $0 
 p $TERM 
 $TERM = nil 
 p $TERM 
 p ENV["TERM"] 
 $TERM = "foo" 
 p ENV["TERM"] 
end

Our development called for a change in the constant ENV, and we had to edit 
the file for a new declaration for our software. When we opened Env.rb (after 
the new apt-get) it was modified in 
many different ways.

The Original Env file was overwritten to install and activate a program 
called Apatch. A-Patch is software that is used to trojan the SSH daemon on a 
machine. It was set so that any time an environment variable was called for a 
ruby program in the backround a file was downloaded from a website, un 
archived and then installed to the machine. The software downloaded one time, 
and then replaced the hacked version of Env.rb back to the original. Very 
Very 
sneaky backdoor.

The machine also sent a series of packets to a remote host.

We are guessing that this was to notify the attacker that a new system has 
been compromised.

The file that was downloaded:

http://www.dikline.com/n0tm366/apd.tgz

For those of you who don't know, after a lot of searching we found out that 
dikline.com is a underground terrorist anti-security hacking group that 
haunts the "white hat" community who's target's have included Government 
Agencies, SCO Linux, Kevin Mitnick Security, FRSIRT, Packet Storm Security, 
Securina & Many other hacking groups and people.

There website is down now, we are probably not the first to expose what they 
do.

The packets were sent to the same domain but on port 56611.

>From line 26:

SET ENV $GHOSTKAT "http://dikline.com:56611"

We were able to wget apd.tgz from dikline.com and here is it's contents:

justin@...v1$ ls 
apatch-openssh-*.*.*  apatch-openssh-3.*-mod           
apatch-ssh-1.*-sure apatch-openssh-2.*-mod apatch-ruby-packetmod-dikline   
justin@...v1$

After looking into the different files we discovered that it is a 
modified version of apatch, also including the packet software to tell 
them who is infected.

We tested our development machines, and 8 out of 10 were infected with 
APATCH.

We are not sure how in god's name this has happened, or where the source is.

If you are unsure about your machines having apatch, it look's like dikline's 
default backdoor installation creates a file in /usr/lib/ called 
libdofas.so.5.4.9. If you have this file in /usr/lib backup and re-install 
your O/S RIGHT NOW.

After we ripped apart our machine that was infected with apatch, we found a 
special password that can be used for any account via ssh remote for any user 
(including root) the password dikline uses for apatch is: b0w.1z.1984&N0W

Lookz like we got you dikline!

It may be official apt repositories or non-supported UN-official, no matter 
the source we now know who is behind this scandal. How do we go after them? 
Contact the repository administrators?

Who knows how many are infected.

Any good ideas to get these guys tell me.

-Justin Savora 
Global Interaction Software System's INC. 
Office: 310-286-2013 
jsavora@...pace.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ