From: Mike Grantham (mikegros.co.nz)
Date: Tue Nov 13 2001 - 17:28:17 CST



    ======================================
      SSH v1 Trojan Exploit, Nov 14, 2001
    ======================================

    Victim:
      RH Linux 6.0, ssh1 v1.2.26

    Incident:
      4:23am Nov 12, 2001 (NZDT)
      Using method described in
      http://www.securityfocus.com/archive/1/225543
      "SSH crc32 compensation attack detector exploit"
      Machine was compromised at 4:52am Nov 12.
      At this point syslog stopped logging the attack; the last entries in the log were:
      Nov 12 04:52:18 sshd[10659]: connect from x.x.x.x
      Nov 12 04:52:18 sshd[10659]: log: Connection from x.x.x.x port 2564
      Nov 12 04:52:21 sshd[10659]: fatal: Local: crc32 compensation attack: network attack detected
      
    Analysis:
      Source:
      Machine x.x.x.x was used in the attack. I have notified the owner of this machine, but due to it having a legitimate
      DNS record and belonging to a registered US company, I suspect this machine is a victim too.
      
      Activity:
      At the exact time that syslogd stopped logging, the following file was altered:
       /etc/rc.d/rc.sysinit:
       Two lines added to the bottom.
       ---
       # Xntps (NTPv3 daemon) startup..
       /usr/sbin/xntps
       ---

      The following system files were added or replaced with hacked versions:
      /bin/ps
      /bin/ls
      /bin/netstat
      /usr/sbin/xntps
      /lib/libproc.so.2.0.0
      /sbin/syslogd

      The following files/directories were added:
      Trojan sshd set up to listen on port 33221
      /lib/liblip.so/con (ssh config file)
      /lib/liblip.so/hk (ssh private key)
      /lib/liblip.so/hk.pub (ssh public key)
      /lib/liblip.so/sd (binary)
      
      /lib/ldd.so/tkp (perl script, looks like a sorter for LinSniffer)
      /lib/ldd.so/tks (binary)
      /lib/ldd.so/tksb (sauber, looks like a log cleaner)

      /usr/man/man11/carko (ddos agent, binary)
      /usr/man/man11/cf (binary)
      /usr/man/man11/nc (binary)
      /usr/man/man11/sshd-etc (binary)
      /usr/man/man11/sshd-etc-ssh (binary)

      /dev/ttyy11 (binary)
      /dev/srd0 (text, but looks encrypted)

    Conclusion:
      While I have not had time to disassemble these binaries or test to see what they do,
      I suspect someone is setting up a DDoS network. I also suspect that a script has done this,
      due to the file times all being within the same minute.

    If anyone would like to have a look at these files
    please email me and I will send them to you.

    Regards, Mike
    -----------------------------------------
    Search Engineer, S.L.I. Systems, Inc
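A host triage script for the indicators in Mike's report, added here as an example and not part of the original post or thread. It assumes the victim's disk is mounted at a path passed as ROOT (for example an image mounted read-only), and deliberately avoids the replaced ps/ls/netstat/libproc by testing paths directly and reading /proc/net/tcp itself.

```shell
#!/bin/sh
# Offline triage for the indicators in the report above. Constructed example,
# not part of the original post. ROOT is the mount point of the victim's disk
# image ("/" on a live host, where the replaced ps/ls/netstat/syslogd can no
# longer be trusted, so nothing here calls them).

# Files and directories the report lists as added or replaced.
IOC_PATHS="/usr/sbin/xntps /lib/liblip.so /lib/ldd.so /usr/man/man11 /dev/ttyy11 /dev/srd0"

# check_sysinit ROOT: print any rc.sysinit line that starts the rogue "xntps".
# Exit 0 when found, non-zero otherwise.
check_sysinit() {
    grep -n 'xntps' "$1/etc/rc.d/rc.sysinit" 2>/dev/null
}

# find_ioc_paths ROOT: print each listed path that exists under ROOT, one per
# line. [ -e ] is used on purpose: the trojaned /bin/ls may hide these names.
find_ioc_paths() {
    for p in $IOC_PATHS; do
        [ -e "$1$p" ] && echo "$p"
    done
    return 0
}

# listening_on_port ROOT PORT: exit 0 if ROOT/proc/net/tcp shows a TCP socket
# in LISTEN state (st == 0A) bound to PORT. /proc/net/tcp stores the port as
# four uppercase hex digits, so 33221 appears as 81C5. Reading the file
# directly bypasses the replaced netstat and libproc.
listening_on_port() {
    hexport=$(printf '%04X' "$2")
    awk -v p="$hexport" 'NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == p) found = 1 }
                         END { exit !found }' "$1/proc/net/tcp" 2>/dev/null
}

# triage ROOT: run all checks and print one summary line per finding.
triage() {
    root=${1:-/}
    check_sysinit "$root" | sed 's/^/rc.sysinit:/'
    find_ioc_paths "$root" | sed 's/^/present:/'
    if listening_on_port "$root" 33221; then
        echo "listener: trojan sshd port 33221 is in LISTEN state"
    fi
}
```

Run as `triage /mnt/victim` against the mounted image; a match on any line is a reason to preserve the disk and rebuild rather than clean.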
