Message-ID: <20060306221339.M56930@ipspace.com>
Date: Mon Mar 6 22:15:03 2006
From: jsavora at ipspace.com (Jason Savora)
Subject: dikline suspected to be behind repository hacking.
Recently we have discovered a severe code modification in the Ruby
programming language downloaded from various Debian-based non-official
apt repositories.
Ruby is the interpreted scripting language for quick and easy
object-oriented programming, available from ruby-lang.org.
Please be advised the official release of Ruby from ruby-lang.org is not
hacked.
During normal application development in the Ruby language at our firm,
our developers actively use Ruby as a language. We are currently developing a
smart system for badge access scanning at door entry points in our
building using HID cards.
In the process of development we have had to downgrade, modify, and
remove many instances of Ruby for testing (including non-POSIX versions
of Ruby for Win32API development via ruby.exe for Windows systems).
Steven Colbert of HID INC. has been working with us on various
projects for the past year on and off, and we are now working with
Debian sarge and Ubuntu Linux systems.
During a recent ritual of removal/re-installation of Ruby using Debian's
apt-get we discovered a very big flaw in the files installed for Ruby.
A hacked version of Ruby is wandering around apt repositories everywhere.
The file that's infected is /usr/lib/ruby/Env.rb. This file imports
environment variables as global variables when called. But don't plan on
seeing a change in that file, for it is replaced upon trojan infection.
The original Env.rb file looks like:
require 'importenv'

if __FILE__ == $0
  p $TERM
  $TERM = nil
  p $TERM
  p ENV["TERM"]
  $TERM = "foo"
  p ENV["TERM"]
end
Our development called for a change in the constant ENV, and we had to edit
the file for a new declaration for our software. When we opened Env.rb (after
the new apt-get) it was modified in many different ways.
The original Env file was overwritten to install and activate a program
called Apatch. A-Patch is software that is used to trojan the SSH daemon on a
machine. It was set so that any time an environment variable was called for a
Ruby program in the background, a file was downloaded from a website,
unarchived and then installed to the machine. The software downloaded one
time, and then replaced the hacked version of Env.rb back to the original.
Very, very sneaky backdoor.
The machine also sent a series of packets to a remote host.
We are guessing that this was to notify the attacker that a new system has
been compromised.
The file that was downloaded:
http://www.dikline.com/n0tm366/apd.tgz
For those of you who don't know, after a lot of searching we found out that
dikline.com is an underground terrorist anti-security hacking group that
haunts the "white hat" community, whose targets have included Government
Agencies, SCO Linux, Kevin Mitnick Security, FRSIRT, Packet Storm Security,
Securina & many other hacking groups and people.
Their website is down now; we are probably not the first to expose what they
do.
The packets were sent to the same domain but on port 56611.
From line 26:
SET ENV $GHOSTKAT "http://dikline.com:56611"
We were able to wget apd.tgz from dikline.com and here are its contents:
justin@...v1$ ls
apatch-openssh-*.*.* apatch-openssh-3.*-mod
apatch-ssh-1.*-sure apatch-openssh-2.*-mod apatch-ruby-packetmod-dikline
justin@...v1$
After looking into the different files we discovered that it is a
modified version of apatch, also including the packet software to tell
them who is infected.
We tested our development machines, and 8 out of 10 were infected with
APATCH.
We are not sure how in god's name this has happened, or where the source is.
If you are unsure about your machines having apatch, it looks like dikline's
default backdoor installation creates a file in /usr/lib/ called
libdofas.so.5.4.9. If you have this file in /usr/lib, back up and re-install
your O/S RIGHT NOW.
After we ripped apart our machine that was infected with apatch, we found a
special password that can be used for any account via SSH remote for any user
(including root). The password dikline uses for apatch is: b0w.1z.1984&N0W
Lookz like we got you dikline!
It may be official apt repositories or non-supported unofficial ones; no
matter the source, we now know who is behind this scandal. How do we go after
them? Contact the repository administrators?
Who knows how many are infected.
Any good ideas to get these guys, tell me.
-Justin Savora
Global Interaction Software System's INC.
Office: 310-286-2013
jsavora@...pace.com
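The post describes a packaged file (/usr/lib/ruby/Env.rb) being swapped out and later restored, and names /usr/lib/libdofas.so.5.4.9 as the artefact to look for. The script below is an added example, not code from the post or from the Ruby or Debian projects: it verifies a package's files against a dpkg-style .md5sums list (the same comparison debsums performs) and checks for that indicator path; the directory tree and digest list it builds for the demo are constructed stand-ins for real package data.

```shell
#!/bin/sh
# Added example, not code from the original post. Verifies a package's
# files against a dpkg-style .md5sums list and looks for the indicator
# path the post names. On a live Debian host use ROOT=/ and
# MD5SUMS=/var/lib/dpkg/info/<package>.md5sums; the demo below builds a
# constructed tree instead so it runs anywhere with coreutils.

# check_md5sums MD5SUMS ROOT -> prints MISSING/MODIFIED lines, returns 1 on any
check_md5sums() {
    md5file=$1 root=$2 bad=0
    # input redirect (not a pipe) so $bad survives the loop in POSIX sh
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue
        path="$root/$relpath"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$md5file"
    return "$bad"
}

# check_ioc ROOT -> returns 1 if the artefact reported in the post exists
check_ioc() {
    ioc="$1/usr/lib/libdofas.so.5.4.9"
    if [ -e "$ioc" ]; then
        echo "INDICATOR $ioc present"; return 1
    fi
    return 0
}

# make_demo_tree -> prints a constructed root holding a pristine Env.rb
# and a matching md5sums list (stand-in for the package's shipped data)
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/lib/ruby"
    printf "require 'importenv'\n" > "$tmp/usr/lib/ruby/Env.rb"
    sum=$(md5sum "$tmp/usr/lib/ruby/Env.rb" | cut -d' ' -f1)
    printf '%s  usr/lib/ruby/Env.rb\n' "$sum" > "$tmp/ruby.md5sums"
    echo "$tmp"
}

# Usage on the constructed tree: clean first, then after tampering.
demo_root=$(make_demo_tree)
if check_md5sums "$demo_root/ruby.md5sums" "$demo_root"; then echo "clean"; fi
echo "# tampered" >> "$demo_root/usr/lib/ruby/Env.rb"
if check_md5sums "$demo_root/ruby.md5sums" "$demo_root"; then :; else echo "tampered"; fi
```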