cracked box (anyone know the name of this worm?)

From: Peter Moody (peter.moodyat_private)
Date: Wed Apr 25 2001 - 10:56:45 PDT

    I recently had what I believe is a worm gain access to a redhat6.2 box.
    The worm created
    ===
    /dev/ptyxx/
    .list (apparently a list of files a modified ls is supposed to ignore)
    .proc (apparently a list of processes a modified ps is supposed to
    ignore)
    ===
    /var/run/...xl/
    -rwxr-xr-x      19659 Feb 20 01:49 bind8x
    -rwxr-xr-x      1365 Feb 23 17:53 bindme
    -rwxr-xr-x      15657 Feb 20 01:48 bindscan
    -rw-r--r--     7108 Apr  8  2000 cl.sh
    -rwxr-xr-x      1345 Mar 27  2005 clean
    -rw-r--r--     0 Apr 24 00:05 last.log
    -rwx------   8268 Sep 25  1983 lf
    -rwxr-xr-x      2853 Mar 30  2005 psg
    -rwxr-xr-x      839 Mar 31  2005 rdx
    -rwxr-xr-x      4060 Sep 25  1983 read
    -rwxr-xr-x    16035 Mar 28  2005 sc
    -rwxr-xr-x    140 Mar 28  2005 scan
    -rwxr-xr-x    239 Mar 24 02:50 secure
    -rwxr-xr-x    21149 Mar 27  2005 sx
    -rwxr-xr-x    22582 Feb 11 12:20 va
    -rwx------    7165 Sep 25  1983 write
    -rwxr-xr-x    37760 Feb 11 07:57 wu
    -rwxr-xr-x    205 Mar 30  2005 xdr
    -rwxr-xr-x    652190 Mar 24 02:45 xl
    ===
    #!/bin/sh
    cd /var/run/.".."xl/
    
    ./secure
    ./xl -p 951 -q
    ./xl -p 436 -q
    ./write >> ./last.log &
    
    cd /
    ===
    /lib/.so
    3 write
    3 lf
    3 xl
    3 mh
    3 xbnc
    3 cl.sh
    ===
    /lib/.sso  (apparently the results from a scan?)
    1 194.153.237
    1 193.226
    1 193.254.34
    1 terrasat.ro
    1 europa.oltenia.ro
    1 193.230
    3 951
    3 981
    3 436
    4 436
    4 951
    4 981
    
    It appeared to replace these system binaries.
    
    /bin/ls
    /bin/netstat
    /usr/bin/crontab
    /usr/bin/pstree
    /usr/sbin/tcpd
    /usr/sbin/atd
    /usr/sbin/sshd2
    
    there was also some crap in /dev/rd/lm  /dev/rd/ps  /dev/rd/usr  and
    /dev/rd/rsha
    
    lm contained copies of scan-a and statdx, and a script called lamer which
    appears to compile those programs and then scan/exploit machines using
    them.
    
    ps contained a copy of psybnc, an irc bot.
    
    usr contained a copy of emech, another irc bot.
    
    rsha contained a copy of what I think is a modified version of ssh.  I
    haven't had much of a chance to go over that directory, so I'm not
    really sure if it was modified, or how (backdoors, etc.).
    
    
    I think that's everything.  I'm wondering if anyone has seen this
    before.  Searching on "xl" (which appears to be the common theme of this
    kit) turns up way too much information to be useful.
    
    thanks for any help.
    
    -Peter
    
    --
    Peter Moody           Systems Administrator
    Lutris Technologies  peter.moodyat_private
    :wq
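The artifacts listed in the post above (the hidden directories under /dev, /var/run and /lib, and the replaced system binaries) can be turned into a quick indicator check. The script below is an added example, not the poster's code or part of the kit; every path in it is taken verbatim from the post, and the ROOT prefix, the function names and the "--scan" flag are this example's own. It assumes a POSIX sh and, for the package verification step, that rpm is present; since the post says ls, netstat and friends were replaced, run it against a disk image mounted under a prefix from a trusted boot medium rather than trusting the live host's tools.

```shell
#!/bin/sh
# Added example: look for the file-system artifacts described in the post
# and verify the binaries it says were replaced. Not the original poster's code.
# ROOT is an optional prefix (e.g. /mnt/victim for an offline-mounted image).

ROOT="${ROOT:-}"

# Directories and files the post says the kit created (paths verbatim).
KIT_PATHS="
/dev/ptyxx
/dev/ptyxx/.list
/dev/ptyxx/.proc
/var/run/...xl
/lib/.so
/lib/.sso
/dev/rd/lm
/dev/rd/ps
/dev/rd/usr
/dev/rd/rsha
"

# System binaries the post says were replaced.
REPLACED_BINS="
/bin/ls
/bin/netstat
/usr/bin/crontab
/usr/bin/pstree
/usr/sbin/tcpd
/usr/sbin/atd
/usr/sbin/sshd2
"

# Print every kit path that exists under the prefix $1.
# Returns 0 if at least one was found, 1 if none.
find_kit_paths() {
    root="$1"
    found=1
    for p in $KIT_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            found=0
        fi
    done
    return $found
}

# Echo the number of kit paths present under the prefix $1 (always exits 0).
count_kit_paths() {
    n=0
    for p in $KIT_PATHS; do
        [ -e "$1$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# Verify the replaced binaries against the RPM database. rpm -Vf prints one
# line per file whose attributes differ from the package; a '5' in that line
# means the MD5 digest no longer matches. Uses --root when a prefix is given.
verify_replaced_bins() {
    root="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; compare the binaries against a known-good copy" >&2
        return 0
    fi
    for b in $REPLACED_BINS; do
        [ -e "$root$b" ] || continue
        rpm --root "${root:-/}" -Vf "$b" 2>/dev/null || true
    done
}

scan_host() {
    echo "== kit paths under ${1:-/} =="
    find_kit_paths "$1" || echo "none of the listed kit paths present"
    echo "== rpm verification of replaced binaries =="
    verify_replaced_bins "$1"
}

# Run the full scan only when invoked as: sh thisscript.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_host "$ROOT"
fi
```

Absence of these paths proves nothing (the kit could be renamed), and the rpm database itself lives on the compromised disk, so a clean rpm -V only tells you the binaries were not swapped without updating the database; rebuilding from known-good media is still the safe course.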
    



    This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 11:32:35 PDT