On Tue, 15 May 2001 jlewisat_private wrote:

> I got some scans on port 10008 as well. The really odd thing is this. If
> you port scan them back, you'll find that on some high TCP port, if you
> connect and send a few newlines, it'll reply with a uuencoded cheese.tgz
> file. I took a very brief look at the contents of cheese.tgz. The
> comments say it's a cleaner, written to remove root shells from
> inetd.conf. There's a lot more than that in the code though. Looks like a
> trojan that's really a scanner.

I got a bunch of requests "please send me the file" and felt kind of silly having said "looks like a trojan" without really taking a close look at it...so I just did take a few minutes to take a closer look.

This thing is pretty funny. It's not really a trojan. I don't think they expect anyone to download and run this willingly. I'm not sure what the best term for it is. Maybe a parasitic worm. It's a scanner that looks for systems already broken into by someone else using a package that put a root shell on port 10008. When it finds a host with a root shell on 10008/tcp, it forks a server that serves cheese.uue, connects to the remote host, has that host download cheese.uue from the host that's infecting it, uudecodes and untars the file, sets mtimes on its own files on the new host to that of the local /bin/sh, perhaps to evade "find new files" security scripts, tries to remove the root shell from inetd.conf, then starts up a new scanner scanning a randomly selected /16 from a predetermined range, and sets the process name to httpd.

The comment is kind of funny:

# removes rootshells running from /etc/inetd.conf
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# Infact, it was written to try and do some good.
The funny thing is that unless there's code hidden in the scanner binary (a Linux ELF binary that relies on libc version 6) that does some sort of back door, I think the comment above is actually true. This thing just uses hacked boxes to look for other hacked boxes, undoes the root shell via inetd backdoor someone else left, and spreads. It's a kind of pointless noble effort since those systems that were hacked will likely be re-hacked...but I don't see anything really malicious in cheese.

--
----------------------------------------------------------------------
 Jon Lewis *jlewisat_private*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
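A defender's check for the kind of inetd.conf root-shell entry the cleaner comment refers to, as an added example that is not from the original post or from the cheese code: it parses inetd.conf and flags entries that hand a connecting client a shell. The SHELLS set and the sample inetd.conf (including the "10008" service line) are constructed assumptions.

```python
import shlex

# Shell binaries a backdoor entry typically launches from inetd (set assumed for this example).
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "ash"}

def parse_inetd_line(line):
    """Parse one inetd.conf entry (service type proto wait user program [args]); None if not an entry."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = shlex.split(stripped)
    if len(fields) < 6:
        return None  # malformed, or an internal service with no program path
    return {
        "service": fields[0],
        "user": fields[4].split(".")[0],  # strip optional .group suffix
        "program": fields[5],
        "args": fields[6:],
    }

def is_shell_entry(entry):
    """True when the entry hands a connecting client a shell (a root shell if user is root)."""
    program = entry["program"].rsplit("/", 1)[-1]
    wrapped = entry["args"][0].rsplit("/", 1)[-1] if entry["args"] else ""
    # Direct shell, or a tcpd-style wrapper whose wrapped program is a shell.
    return program in SHELLS or wrapped in SHELLS

def find_rootshells(inetd_conf_text):
    """Return (line_number, service, user, program) for every shell-spawning entry."""
    hits = []
    for lineno, line in enumerate(inetd_conf_text.splitlines(), 1):
        entry = parse_inetd_line(line)
        if entry and is_shell_entry(entry):
            hits.append((lineno, entry["service"], entry["user"], entry["program"]))
    return hits

# Constructed sample inetd.conf: normal entries plus an invented backdoor line. Whether a
# numeric service name like "10008" resolves depends on the inetd build and /etc/services.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
10008   stream  tcp  nowait  root    /bin/sh  sh -i
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

if __name__ == "__main__":
    for hit in find_rootshells(SAMPLE_INETD_CONF):
        print("shell-spawning inetd entry: line %d service %s user %s program %s" % hit)
```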
This archive was generated by hypermail 2b30 : Tue May 22 2001 - 08:20:02 PDT