On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:

> I've just received word that one of our customers was rooted, and he's
> asking about the file ".haos". Nothing rings any bells, has anyone heard
> of it?

Just a quick update to this...

It looks like it was an IRC bot. I found these interesting tidbits throughout the various source trees left on the system (definitely a script kiddie hack):

"/.../ /m/src/Makefile":

    #
    # Starglider Class EnergyMech, IRC bot software
    # Copyright (c) 1997-2000 proton
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; either version 2 of the License, or
    # (at your option) any later version.

"/.../ /m/emech.users":

    handle Silviu
    mask *!*@Scoobyy.users.undernet.org
    prot 4
    aop
    channel *
    access 100

    handle Malice
    mask *!*@malice.users.undernet.org
    prot 4
    aop
    channel *
    access 100

    handle Mihai
    mask *!*@p00f.users.undernet.org
    prot 4
    aop
    channel *
    access 100

    handle Doggy
    mask *!*@Catelushu.users.undernet.org
    prot 4
    aop
    channel *
    access 100

    handle mortu
    mask *!*@mortux.users.undernet.org
    prot 4
    aop
    channel #DhT
    access 100

".../[wxz].users":

    handle dxd
    mask *!*dxd@*.*
    pass nI-duWuaJw
    prot 4
    aop
    channel *
    access 100

    handle kappy
    mask *!*kappy@*.*
    pass 0jgmlVQspb
    prot 4
    aop
    channel *
    access 100

    handle essence
    mask *!*essence@*.*
    pass wHC0Pmbfux
    prot 4
    aop
    channel *
    access 100

    handle karamel
    mask *!*KarameL@*.*
    pass kdiF0eQFYv
    prot 4
    aop
    channel *
    access 100

    handle DJcontact
    mask *!*anathema@*.*
    pass uSfKIJhaCS
    prot 4
    aop
    channel *
    access 100

Other notes:

- a number of 'sendmail.c', 'modutils.sh', 'efstool.c', etc. files kicking around
- a couple of binaries called 'httpd'
- an empty file called "????????1?1?1??F??1?Q?8eshf5VJP?eebif5JJP??QS??1?1?????.eng"
- a couple of other system binaries (i.e. bash)

I still have the original 'haos' and 'haos2' tarballs, if anyone is interested in looking at them.
They both contain libpcap, and look to be some sort of an automated SSH exploiter, given the contents of the files "targets" and "targets.txt":

<snip>
    Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Small - SSH-1.5-OpenSSH-1.2.3,0x0806d000,0x080725ec,0x0000c804,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
    Small - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
</snip>

If anyone wants more info, I'm willing to pass it on. But I'm going to guess they got in via OpenSSH, given the nature of the scanners and the version of the daemon running on the box.

I'm not sure where the group came from, but here's a quick quote from one of the shell scripts ("haosx"), and I'll leave you all at that:

    echo "$rver haosx for Linuxz"
    else
    echo ""
    echo "$rver Asteapta cateva secunde sa ma linistesc.."
    echo "Ia o pauza de o laba pana scanam ceva."
    echo "www.haos2.com"
    echo "Thanks 2 friends : in #haos channel."
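As an added triage aid for a find like the emech.users files quoted above (example code, not from the post, from EnergyMech, or from the attackers' kit): a Python parser for that record layout which flags handles able to control the bot from any host and pulls the concrete hosts out as log search terms. The layout (one key per line, each record opened by a "handle" line), the "avoice" flag and the sample records are assumptions built from the post; the pass value is a placeholder.

```python
import re
# Constructed sample mirroring the records quoted in the post (placeholder pass hash).
SAMPLE_USERS = """\
handle Silviu
mask *!*@Scoobyy.users.undernet.org
prot 4
aop
channel *
access 100
handle dxd
mask *!*dxd@*.*
pass PLACEHOLDER-HASH
aop
channel *
access 100
"""

def parse_users(text):
    """One dict per 'handle' record; aop/avoice become flags, other keys map to values."""
    records, cur = [], {'flags': set(), 'channels': []}   # throwaway dict absorbs leading junk
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith('#'):
            continue
        key, _, val = line.partition(' ')
        if key == 'handle':
            cur = {'handle': val, 'flags': set(), 'channels': []}
            records.append(cur)
        elif key == 'channel':
            cur['channels'].append(val)
        elif key in ('aop', 'avoice'):
            cur['flags'].add(key)
        else:
            cur[key] = val
    return records

# Host part of the mask; a record with no mask is treated as unrestricted (conservative).
_host = lambda r: r.get('mask', '*!*@*').rsplit('@', 1)[-1]

def mask_to_regex(mask):
    """IRC nick!user@host mask (* and ? wildcards) -> anchored, case-insensitive regex."""
    pat = re.escape(mask).replace(r'\*', '.*').replace(r'\?', '.')
    return re.compile('^' + pat + '$', re.IGNORECASE)

def controllers(records, min_access=100):
    """Handles that can drive the bot from any host: wildcard host part plus high access."""
    return [r['handle'] for r in records
            if int(r.get('access', 0)) >= min_access and set(_host(r)) <= set('*.?')]

def host_indicators(records):
    """Concrete host parts from the masks, usable as search terms in IRC or netflow logs."""
    return {_host(r) for r in records if not set(_host(r)) <= set('*.?')}
```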
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:08:01 PST