Hello Damian,

It was rooted via a linuxconf exploit, presumably http://www.packetstormsecurity.com/0209-exploits/nslconf.c or similar. As this is a local exploit, it means they probably got in a different way; I assume mod_ssl. The stuff you found was probably an autorooter, so they probably intended to (or did) use the rooted host to scan from.

Regards,
Oliver Rochford

Monday, December 16, 2002, 5:38:33 PM, you wrote:

DG> On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
>> I've just received word that one of our customers was rooted, and he's
>> asking about the file ".haos". Nothing rings any bells, has anyone heard of it?

DG> Just a quick update to this...
DG>
DG> It looks like it was an IRC bot. I found these interesting tidbits
DG> throughout the various source trees left on the system (definitely a
DG> script kiddie hack):
DG>
DG> " /.../ /m/src/Makefile":
DG> #
DG> # Starglider Class EnergyMech, IRC bot software
DG> # Copyright (c) 1997-2000 proton
DG> #
DG> # This program is free software; you can redistribute it and/or modify
DG> # it under the terms of the GNU General Public License as published by
DG> # the Free Software Foundation; either version 2 of the License, or
DG> # (at your option) any later version.
DG>
DG> " /.../ /m/emech.users":
DG> handle Silviu
DG> mask *!*@Scoobyy.users.undernet.org
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle Malice
DG> mask *!*@malice.users.undernet.org
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle Mihai
DG> mask *!*@p00f.users.undernet.org
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle Doggy
DG> mask *!*@Catelushu.users.undernet.org
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle mortu
DG> mask *!*@mortux.users.undernet.org
DG> prot 4
DG> aop
DG> channel #DhT
DG> access 100
DG>
DG> ".../[wxz].users":
DG> handle dxd
DG> mask *!*dxd@*.*
DG> pass nI-duWuaJw
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle kappy
DG> mask *!*kappy@*.*
DG> pass 0jgmlVQspb
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle essence
DG> mask *!*essence@*.*
DG> pass wHC0Pmbfux
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle karamel
DG> mask *!*KarameL@*.*
DG> pass kdiF0eQFYv
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG> handle DJcontact
DG> mask *!*anathema@*.*
DG> pass uSfKIJhaCS
DG> prot 4
DG> aop
DG> channel *
DG> access 100
DG>
DG> Other notes:
DG> - a number of 'sendmail.c', 'modutils.sh', 'efstool.c', etc. files
DG>   kicking around
DG> - a couple of binaries called 'httpd'
DG> - an empty file called
DG>   "????????1?1?1??F??1?Q?8eshf5VJP?eebif5JJP??QS??1?1?????.eng"
DG> - a couple of other system binaries (i.e. bash)
DG>
DG> I still have the original 'haos' and 'haos2' tarballs, if anyone is
DG> interested in looking at them. They both contain libpcap, and look to
DG> be some sort of an automated SSH exploiter, given by the contents of the
DG> files "targets" and "targets.txt":
DG>
DG> <snip>
DG> Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Small - SSH-1.5-OpenSSH-1.2.3,0x0806d000,0x080725ec,0x0000c804,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
DG> Small - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
DG> Big - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
DG> </snip>
DG>
DG> If anyone wants more info, I'm willing to pass it on. But I'm going to
DG> guess they got in via OpenSSH, given the nature of the scanners and the
DG> version of the daemon running on the box. I'm not sure where the group
DG> came from, but here's a quick quote from one of the shell scripts
DG> ("haosx"), and I'll leave you all at that:
DG>
DG> echo "$rver haosx for Linuxz"
DG> else
DG> echo ""
DG> echo "$rver Asteapta cateva secunde sa ma linistesc.."
DG> echo "Ia o pauza de o laba pana scanam ceva."
DG> echo "www.haos2.com"
DG> echo "Thanks 2 friends : in #haos channel."
DG>
DG> ----------------------------------------------------------------------------
DG> This list is provided by the SecurityFocus ARIS analyzer service.
DG> For more information on this free incident handling, management
DG> and tracking system please see: http://aris.securityfocus.com

--
Best regards,
Oliver.C.Rochford
mailto:bugtraqat_private
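The `emech.users` and `[wxz].users` files quoted above are the bot's access list, and during triage of a host like this one they are the quickest source of indicators: the hostmasks name the operators' IRC hosts, the `channel` lines name the control channel, and a `pass` line marks a handle that can authenticate from any host. The parser below is an added example for this thread, not code from the post or from the EnergyMech project; it reads the record layout exactly as shown in the post (a `handle` line opening each record, followed by `mask`, `pass`, `prot`, `channel`, `access` values and the bare `aop` flag) and makes no assumption about options that do not appear there. The sample input is constructed from three of the quoted records.

```python
"""Triage helper for EnergyMech-style `.users` files recovered from a
compromised host.  Added example; not code from the thread or from EnergyMech.

Record layout assumed from the post: each record begins with `handle <name>`
and continues with `<key> <value>` lines or bare flag words (e.g. `aop`) until
the next `handle` line.  Keys not shown in the post are stored but not
interpreted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three records copied from the post, the last one with a
# wildcard-only host part and a `pass` line.
SAMPLE_USERS = """\
handle Silviu
mask *!*@Scoobyy.users.undernet.org
prot 4
aop
channel *
access 100
handle mortu
mask *!*@mortux.users.undernet.org
prot 4
aop
channel #DhT
access 100
handle dxd
mask *!*dxd@*.*
pass nI-duWuaJw
prot 4
aop
channel *
access 100
"""


@dataclass
class BotUser:
    handle: str
    masks: List[str] = field(default_factory=list)
    channels: List[str] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)       # bare words such as `aop`
    fields: Dict[str, str] = field(default_factory=dict)  # prot, access, pass, ...


def parse_users(text: str) -> List[BotUser]:
    """Split a .users file into one BotUser per `handle` record."""
    users: List[BotUser] = []
    cur: Optional[BotUser] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else None
        if key == "handle":
            cur = BotUser(handle=value or "")
            users.append(cur)
            continue
        if cur is None:
            raise ValueError(f"option before first handle: {line!r}")
        if value is None:
            cur.flags.append(key)          # bare flag, e.g. `aop`
        elif key == "mask":
            cur.masks.append(value)
        elif key == "channel":
            cur.channels.append(value)
        else:
            cur.fields[key] = value
    return users


def wildcard_only(mask: str) -> bool:
    """True when the host part of a nick!user@host mask matches any host."""
    host = mask.rsplit("@", 1)[-1]
    return all(c in "*?." for c in host)


def summarize(users: List[BotUser]) -> Dict[str, List[str]]:
    """Pull the indicators an incident handler wants out of the access list."""
    hosts = {m.rsplit("@", 1)[-1] for u in users for m in u.masks
             if not wildcard_only(m)}
    return {
        "handles": [u.handle for u in users],
        # operator hosts worth searching for in IRC traffic and firewall logs
        "hosts": sorted(hosts),
        # explicit control channels (a bare `*` means every channel the bot joins)
        "channels": sorted({c for u in users for c in u.channels if c != "*"}),
        # handles that authenticate by password from any host
        "password_auth": [u.handle for u in users if "pass" in u.fields],
        # handles whose mask alone grants access (no password needed)
        "mask_only_auth": [u.handle for u in users if "pass" not in u.fields],
    }


if __name__ == "__main__":
    for k, v in summarize(parse_users(SAMPLE_USERS)).items():
        print(f"{k}: {v}")
```

On a real case the file would be read from the recovered tarball rather than the embedded sample; the point of the split between `hosts`, `channels` and the two authentication lists is that each feeds a different follow-up (network searches for the operator hosts, a check of whether the box talked to the control channel, and a note that the wildcard-mask accounts could be driven from anywhere).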
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:28:45 PST