From: Dave Dittrich (dittrich@cac.washington.edu)
Date: Mon Nov 05 2001 - 12:42:29 CST
Sheib,
> Since neither Bugtraq nor CERT have mentioned anything about it,
> it appears that there is another worm spreading on the loose.
> . . .
> file index in /dev/cuc:
>
> drwxr-xr-x 2 root bin 632 Apr 29 2001 ./
> drwxr-xr-x 3 root bin 72 Nov 4 17:11 ../
> -rwxr-xr-x 1 root bin 6556 Apr 26 2001 brute*
> -rw-r--r-- 1 root bin 701440 May 8 23:31 chinaworm.tar
> -rw-r--r-- 1 root bin 86 Apr 26 2001 cmd1.txt
> -rw-r--r-- 1 root bin 655 Apr 29 2001 cmd2.txt
> -rw-r--r-- 1 root root 349712 Apr 29 2001 core
> -rwxr-xr-x 1 root bin 11828 Apr 25 2001 grabbb*
> -rwxr-xr-x 1 root root 66164 Apr 29 2001 gzip*
> -rw-r--r-- 1 root bin 413 Apr 26 2001 index.html
> -rw-r--r-- 1 root root 349696 May 6 04:42 junk.tar
> -rwxr-xr-x 1 root bin 28620 Apr 26 2001 nc*
> -rwxr-xr-x 1 root bin 222608 May 7 21:01 pico*
> -rw-r--r-- 1 root root 10 Apr 29 2001 pkgadd.txt
> -rw-r--r-- 1 root bin 151 Apr 26 2001 ranip.pl
> -rwxr-xr-x 1 root bin 1591 Apr 27 2001 sadmin.sh*
> -rwxr-xr-x 1 root bin 14644 Apr 25 2001 sadmindex-sparc*
> -rwxr-xr-x 1 root bin 217 Apr 26 2001 start.sh*
> -rw-r--r-- 1 root bin 6387 May 24 00:48 test
> -rwxr-xr-x 1 root bin 566 Apr 27 2001 time.sh*
> -rw-r--r-- 1 root bin 350208 May 7 21:22 uni.tar
> -rw-r--r-- 1 root bin 67798 Apr 26 2001 uniattack.pl
> -rwxr-xr-x 1 root bin 645 Apr 26 2001 uniattack.sh*
> -rwxr-xr-x 1 root root 136288 Apr 29 2001 wget*
The sadmind-IIS worm struck in April/May of 2001. Dates on the files
you show are the same (although I can't tell if this is because they
came from a tar file, or they have really been there since April/May
-- you need to use "stat", TCT, or something else to see access and
change times as well.)
Let me know if any of the MD5 checksums vary from what is below.
If not, this is just the April/May sadmind-iis worm (not sure how it
got started again on your system):
--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
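The two checks Dave describes, as an added example that is not part of his reply or the original thread: comparing each file's mtime with its ctime to tell a recently extracted archive from files that have really sat on disk since April/May, and comparing a directory's MD5 sums against a known list. The sample files and the known-hash table are constructed placeholders, not the worm's files or its real checksums.

```python
import hashlib
import os
import tempfile
import time

def mac_times(path):
    """(mtime, atime, ctime) in epoch seconds. ls -l shows only mtime; ctime
    (inode change time) is set by the kernel and cannot be back-dated."""
    st = os.stat(path)
    return st.st_mtime, st.st_atime, st.st_ctime

def looks_extracted(path, gap_days=30):
    """True when ctime is far later than mtime: the content timestamp was
    preserved (tar, cp -p) but the inode itself was created recently."""
    mtime, _, ctime = mac_times(path)
    return (ctime - mtime) > gap_days * 86400

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_to_known(dirpath, known):
    """known maps file name -> expected MD5 hex (e.g. a published list).
    Returns name -> 'match' | 'differs' | 'missing'."""
    result = {}
    for name, expected in known.items():
        p = os.path.join(dirpath, name)
        if not os.path.isfile(p):
            result[name] = "missing"
        else:
            result[name] = "match" if md5_file(p) == expected else "differs"
    return result

def demo():
    """Constructed sample (not worm files): 'cmd1.txt' is back-dated to
    2001-04-26 as tar extraction would do; 'test' keeps a fresh mtime."""
    d = tempfile.mkdtemp()
    old, fresh = os.path.join(d, "cmd1.txt"), os.path.join(d, "test")
    for p in (old, fresh):
        with open(p, "wb") as f:
            f.write(b"constructed sample content\n")
    april_2001 = time.mktime((2001, 4, 26, 0, 0, 0, 0, 0, -1))
    os.utime(old, (april_2001, april_2001))  # mtime/atime set; ctime stays "now"
    known = {"cmd1.txt": md5_file(old), "test": "0" * 32, "nc": "0" * 32}  # placeholders
    return {"old_extracted": looks_extracted(old), "fresh_extracted": looks_extracted(fresh),
            "checksums": compare_to_known(d, known)}
```

A file whose ctime is close to its mtime has plausibly been in place since that date; a large gap means the timestamp came along with the content, which is exactly the ambiguity an `ls -l` listing alone cannot resolve.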
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com