Hi, this is my first post and I am sorry that I had to be the bearer of bad news. While doing my monthly audit today on my company's external boxes (gateways, external mail forwarders/...) I came across some *strange* files, which after inspection turned out to be source code to a new internet worm... The headers are as follows:

/*** Skelleton for an INET-worm. Plug-in the exploitcode and the
 *** scan-routine and it works!
 *** You propably have to change the sleep-seconds from 10 to a higher value.
 *** Worms must be linked statically in this case.
 *** For educational purposes only! Don't use it in a bad manner.
 ***/

In fact the exploitcode was a ssh exploit by someone going by the name of "zip", and inspecting the source of this "skelleton" worm it seems it is cross platform, harbouring shellcode for *bsd, linux and solaris. I was totally dismayed and I saved a copy of this and another file, then I reformatted... I was not going to let my mail server be used to launch attacks on sites.

The other file which I found was not a worm but an "autorooter" for ssh; as ssh-1.2.26 was running on a mail server out of my audit space, the attackers had obviously abused a trusted relationship. The headers are as follows:

A kernel module:

//
// (ssmod.c) by _dave
//
// Kernel module that bypasses the password check on the x2
// sshd crc32 exploit.
//
// gcc -c -O3 ssmod.c -I/usr/src/linux/include
// /sbin/insmod ssmod.o
//

A scanning module:

/*
** pscan.c - Originally by Volatile
** modified by _dave
**
*/

Another file, I am not sure what this does:

/* oops.c, part of the autossh package... by _dave */
/* nodupe2.c .... by _dave */
/* ssvuln.c */
/* by _dave */

As you can see this exploit is being exploited in the wild... I am too afraid to think of the possibilities if that "skelleton" is released. I just hope I have got to the public in time...
- david evlis reign, PhD compsci, CCISP

PS: any further details will be provided to researchers.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
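A defender reading the post above will mostly want to know whether the same toolkit is sitting on their own boxes. The following is an added example, not code from the post or from any of the tools it names: a small indicator scanner that matches the comment headers the poster quoted (ssmod.c, pscan.c, the autossh files and the worm skeleton) against file contents, plus a helper that parses an SSH server banner and flags the one release the post reports as exploited (ssh-1.2.26). The file contents, paths and banners in the block are constructed test data; the indicator strings are taken verbatim from the post, and the set of versions to flag is an assumption that should be extended from vendor advisories rather than trusted as the full affected range.

```python
"""Indicator scan for the ssh autorooter / worm-skeleton files described in
the post. Added example; file contents and banners below are constructed."""
import os
import re

# Indicator strings copied from the comment headers quoted in the post,
# grouped by the component they identify.
INDICATORS = {
    "worm_skeleton": ["Skelleton for an INET-worm", "Plug-in the exploitcode"],
    "ssmod_kernel_module": ["(ssmod.c) by _dave", "bypasses the password check",
                            "sshd crc32 exploit"],
    "pscan_scanner": ["pscan.c - Originally by Volatile", "modified by _dave"],
    "autossh_package": ["part of the autossh package", "nodupe2.c", "ssvuln.c"],
}

# Only the release the post names is flagged here (assumption: extend this
# set from your vendor's advisory; it is not the complete affected range).
REPORTED_VULNERABLE_VERSIONS = {"1.2.26"}

# SSH identification string: "SSH-<protoversion>-<softwareversion> [comment]"
SSH_BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def scan_text(text):
    """Return the set of indicator families whose strings occur in `text`."""
    return {family for family, needles in INDICATORS.items()
            if any(needle in text for needle in needles)}


def scan_files(files):
    """files: mapping path -> contents. Returns {path: [families]} for hits only."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = sorted(hits)
    return report


def scan_directory(root):
    """Walk a real directory tree and scan every readable file (errors skipped)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return scan_files(files)


def ssh_software_version(banner):
    """Extract the software version field from an SSH banner, or None."""
    m = SSH_BANNER_RE.match(banner.strip())
    return m.group(2) if m else None


def is_reported_vulnerable(banner):
    """True when the banner advertises a version in REPORTED_VULNERABLE_VERSIONS."""
    return ssh_software_version(banner) in REPORTED_VULNERABLE_VERSIONS


# Constructed sample data: two planted files and one harmless file.
SAMPLE_FILES = {
    "/tmp/.x/ssmod.c": (
        "//\n// (ssmod.c) by _dave\n//\n"
        "// Kernel module that bypasses the password check on the x2\n"
        "// sshd crc32 exploit.\n//\n"),
    "/tmp/.x/worm.c": (
        "/*** Skelleton for an INET-worm. Plug-in the exploitcode and the\n"
        " *** scan-routine and it works!\n ***/\n"),
    "/usr/local/src/hello.c": "#include <stdio.h>\nint main(void) { return 0; }\n",
}

if __name__ == "__main__":
    for path, families in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(families)}")
    for banner in ("SSH-1.5-1.2.26", "SSH-1.99-OpenSSH_3.0.2p1"):
        print(f"{banner}: {'FLAGGED' if is_reported_vulnerable(banner) else 'not flagged'}")
```

`scan_directory` is what you would point at `/tmp`, `/var/tmp` and any world-writable spool directories on a gateway; `scan_files` takes an in-memory mapping so the matching logic can be tested without touching disk. The banner check is deliberately narrow and only matches the version the poster observed.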
This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 09:05:18 PST