My company's webserver began attacking our firewall yesterday; upon close inspection I discovered a daemon running on it that definitely shouldn't have been there, and I'm curious if anyone has seen it before or can provide any info on it.

Disclaimer: I'm just a web programmer, not a security expert. The server it was on is my responsibility, but it hasn't been locked down very tightly. It's running Apache 1.3.12 and BIND 8.2.3, among other services. It is a Cobalt RaQ4, pretty much unpatched.

The daemon can be downloaded from my personal web server: http://orbistertius.net/sd.tar.gz (I'm going to take this down in a day or so.)

It was installed to /usr/local/sd. Inside that directory were two files, 'sd' (the daemon) and 'pass'. Running "strings sd" produces some interesting output, including:

    Access Denied
    /usr/local/sd/shadow.bak
    /etc/shadow
    admin
    root
    echo -n `/sbin/ifconfig eth0 | /bin/grep 'inet addr' | /usr/bin/cut -f 2 -d':' | /usr/bin/cut -f 1 -d' '` > /tmp/ipfile
    /tmp/ipfile
    socket
    bind
    listen
    connected
    Challenge:
    send
    Access Denied
    failed to authenticate
    authenticated
    Access Granted
    /usr/local/sd/shadow.bak
    Password reset
    You have 10 seconds to access the server
    Password restored

When it is started, it immediately forks and binds itself to port 7001. When connected to via nc, it opens up /usr/local/sd/pass (this is hard coded, it seems) and prints out some sort of challenge with a random string, like:

    Challenge: FX 7d9af5627d1fb4d80b5f4803d2e61bf1 FX

I then guess a password, and it prints "Access Denied" and closes the connection.

My guess is that if I got the password right it would place a backup /etc/shadow on the system and allow me to log in as root. I tried changing the contents of the "pass" file to see if I could log in with it on my own workstation, but had no success.

I read through the last month or so of this list's traffic and saw nothing about this, so I figured I'd go ahead and ask.
I'm still not sure how the intruder got into the system and placed this there, so any pointers would be appreciated.

Thanks,
Matthew

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 17:23:59 PDT
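A host-side check built from the indicators the post gives (the /usr/local/sd install directory, the listener on port 7001, and the strings found in the binary), as an added example that is not the poster's code. The netstat lines, strings output and file list below are constructed samples, and the `netstat -tlnp` column layout the parser expects is an assumption.

```python
"""Flag the 'sd' backdoor on a host using only the indicators from the post."""
import re

# Indicators taken from the post: install path, listener port, strings in the binary.
SD_DIR = "/usr/local/sd"
SD_PORT = 7001
SD_FILES = {f"{SD_DIR}/sd", f"{SD_DIR}/pass", f"{SD_DIR}/shadow.bak"}
SD_STRINGS = {
    "/usr/local/sd/shadow.bak",
    "Challenge:",
    "Password reset",
    "You have 10 seconds to access the server",
    "Password restored",
}

# Assumed `netstat -tlnp` layout: proto recv-q send-q local foreign state pid/prog
NETSTAT_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")

def suspicious_listeners(netstat_lines):
    """Return (port, pid, program) for LISTEN sockets on 7001 or owned by 'sd'."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue
        port, pid, prog = int(m.group(2)), int(m.group(3)), m.group(4)
        if port == SD_PORT or prog == "sd":
            hits.append((port, pid, prog))
    return hits

def matching_strings(strings_output):
    """Return which of the known 'sd' strings appear in `strings` output."""
    return {s.strip() for s in strings_output if s.strip() in SD_STRINGS}

def present_files(existing_paths):
    """Return which of the backdoor's files exist (paths passed in by the caller)."""
    return sorted(SD_FILES & set(existing_paths))

# Constructed samples, shaped like the post's description of the host.
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*   LISTEN      312/httpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*   LISTEN      201/named
tcp        0      0 0.0.0.0:7001            0.0.0.0:*   LISTEN      4417/sd""".splitlines()
SAMPLE_STRINGS = ["Access Denied", "/usr/local/sd/shadow.bak", "/etc/shadow", "socket",
                  "Challenge:", "Password reset", "You have 10 seconds to access the server",
                  "Password restored", "bind"]
SAMPLE_PATHS = {"/usr/local/sd/sd", "/usr/local/sd/pass", "/etc/shadow"}

if __name__ == "__main__":
    print(suspicious_listeners(SAMPLE_NETSTAT), matching_strings(SAMPLE_STRINGS),
          present_files(SAMPLE_PATHS))
```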