distributed spamming/scamming scheme?
From: lists (justinf innocence-lost.net)
Date: Fri Aug 06 2004 - 18:47:33 CDT
hi et al,

Over the last week or two it has come to my attention that at least 2 of our boxes were hacked. These boxes are shared servers for web hosting for the company I work for. It appears that weak passwords were the cause and several accounts were compromised. The attacker(s) get the passwords, upload some cgi's, run them, then delete them (my guess here is because ftp is chrooted they do this to run as the www user); they download .htaccess/.htpasswd files, and also upload: fake usbank login pages (they are done via meta tags that load the real page but use javascript to catch the login info), then email lists of people to spam with requests for them to log in to their usbank account, fake link to usbank, you know the drill.

The hosts come across lots of various domains, but not all of them seem to be interactive logins, or at least that is my guess.

On this particular server they uploaded a file named bangbrosdat.exe; most of the logins just download the file and close their connection. A few others grab .htaccess/.htpasswd files, upload cgi's and actually do the deleting of things.

I believe the bangbrosdat.exe file has some relation to bangbus.com because in the logs I've seen other files named like bangbus.txt. On one server I found 4.4MB of lists of email addresses that were zipped up; they were separated into different directories all named like foo.com or whatever.net, etc. None of these sites we host, so it appears they steal user email address lists also.

Another interesting thing is these people never attempt to actually root the box; they are happy w/ ftp access and being able to execute cgi's.

I've only found 1 cgi, it was named u.pl and it grabbed the system time and path, then did a crypt with the results of both and printed out the system time, path and the length of the encryption. My guess here is for later cracking of the .htpasswd files.

I still have yet to figure out how exactly they are sending the spam through our servers. There are a lot of vuln formmail programs on the box, but the server logs don't reflect their usage (keep in mind root was not obtained and there are no signs to make one think that it was). Watching network traffic I don't see anything other than a lot of outbound smtp traffic and the normal stuff. I don't see any unusual processes or cron jobs, so my only guess is that it's done through a custom cgi they upload and execute, then delete.

Why I am writing this is because, with as many hosts as they come from, I cannot be the only person who has encountered them. They also do ebay spam/scams and yahoo finances spam/scams, and because they've missed one cgi here and there, and they leave such an audit trail, I'm looking for cgi's uploaded by them to other servers.

Has anyone encountered this? Does anyone have any more of their MO? etc.
jnf
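The pattern the post describes (an FTP account downloading .htaccess/.htpasswd, uploading a .pl/.cgi script, having it requested over HTTP, then deleting it) can be pulled out of logs mechanically. The following Python is an added example, not code from the original post; it assumes a simplified FTP transfer-log line format and Apache common-log web lines, both constructed here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). The FTP format
# "date time user=.. ip=.. CMD path" is assumed for this example.
FTP_LOG = """\
2004-08-05 12:01:02 user=siteA ip=10.0.0.5 STOR /cgi-bin/u.pl
2004-08-05 12:01:20 user=siteA ip=10.0.0.5 RETR /.htpasswd
2004-08-05 12:01:21 user=siteA ip=10.0.0.5 RETR /.htaccess
2004-08-05 12:02:40 user=siteA ip=10.0.0.5 DELE /cgi-bin/u.pl
2004-08-05 13:10:00 user=siteB ip=10.0.0.9 STOR /images/logo.gif
2004-08-05 13:11:00 user=siteB ip=10.0.0.9 RETR /index.html
""".splitlines()

WEB_LOG = """\
10.0.0.5 - - [05/Aug/2004:12:01:30 -0500] "GET /cgi-bin/u.pl HTTP/1.0" 200 88
10.0.0.9 - - [05/Aug/2004:13:11:05 -0500] "GET /index.html HTTP/1.0" 200 512
""".splitlines()

FTP_RE = re.compile(r"^\S+ \S+ user=(\S+) ip=(\S+) (STOR|RETR|DELE) (\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
SCRIPT_EXT = (".pl", ".cgi")
CRED_FILES = (".htpasswd", ".htaccess")

def find_suspicious_sessions(ftp_lines, web_lines):
    """Return {(user, ip): [reasons]} for FTP sessions matching the described MO."""
    hits = defaultdict(set)  # client ip -> script paths it requested over HTTP
    for line in web_lines:
        m = WEB_RE.match(line)
        if m and m.group(2).endswith(SCRIPT_EXT):
            hits[m.group(1)].add(m.group(2))
    uploaded, findings = defaultdict(set), defaultdict(list)
    for line in ftp_lines:
        m = FTP_RE.match(line)
        if not m:
            continue
        user, ip, cmd, path = m.groups()
        key = (user, ip)
        if cmd == "RETR" and path.endswith(CRED_FILES):
            findings[key].append(f"downloaded {path}")
        elif cmd == "STOR" and path.endswith(SCRIPT_EXT):
            uploaded[key].add(path)          # remember scripts this session uploaded
        elif cmd == "DELE" and path in uploaded[key]:
            ran = "executed then " if path in hits.get(ip, ()) else ""
            findings[key].append(f"uploaded, {ran}deleted {path}")
    return dict(findings)
```

Calling find_suspicious_sessions(FTP_LOG, WEB_LOG) on the constructed lines flags only the siteA session; siteB's ordinary uploads and downloads produce no findings.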