From: david evlis reign (davidreign hotmail.com)
Date: Thu Feb 14 2002 - 03:44:11 CST
hi,
this is my first post and i am sorry that i had to be the bearer of bad
news.
while doing my monthly audit today on my company's external boxes (gateways,
external mail forwarders/...) i came across some *strange* files, which after
inspection turned out to be source code to a new internet worm...
the headers are as follows:
/*** Skelleton for an INET-worm. Plug-in the exploitcode and the
*** scan-routine and it works!
*** You propably have to change the sleep-seconds from 10 to a higher value.
*** Worms must be linked statically in this case.
*** For educational purposes only! Don't use it in a bad manner.
***/
in fact the exploitcode was a ssh exploit by someone going by the name of
"zip" and inspecting the source of this "skelleton" worm it seems it is
cross platform, harbouring shellcode for *bsd, linux and solaris. i was
totally dismayed and i saved a copy of this and another file, then i
reformatted...i was not going to let my mail server be used to launch
attacks on sites.
the other file which i found was not a worm but an "autorooter" for ssh.
as ssh-1.2.26 was running on a mail server out of my audit space, the
attackers had obviously abused a trusted relationship.
the headers are as follows:
a kernel module:
//
// (ssmod.c) by _dave
//
// Kernel module that bypasses the password check on the x2
// sshd crc32 exploit.
//
// gcc -c -O3 ssmod.c -I/usr/src/linux/include
// /sbin/insmod ssmod.o
//
a scanning module:
/*
** pscan.c - Originally by Volatile
** modified by _dave
**
*/
another file, i am not sure what this does
/* oops.c, part of the autossh package... by _dave */
/* nodupe2.c .... by _dave */
/* ssvuln.c */
/* by _dave */
as you can see this exploit is being exploited in the wild...i am too afraid
to think of the possibilities if that "skelleton" is released.
i just hope i have got to the public in time...
- david evlis reign, PhD compsci, CCISP
ps: any further details will be provided to researchers
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com