Re: Rooted, .haos on system

From: Damian Gerow (damianat_private)
Date: Mon Dec 16 2002 - 09:38:33 PST


    On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
    > I've just received word that one of our customers was rooted, and he's asking about the file ".haos".  Nothing rings any bells, has anyone heard of it?
    
    Just a quick update to this...
    
    It looks like it was an IRC bot.  I found these interesting tidbits
    throughout the various source trees left on the system (definitely a
    script kiddie hack):
    
    "   /.../    /m/src/Makefile":
    
    	#
    	#   Starglider Class EnergyMech, IRC bot software
    	#   Copyright (c) 1997-2000  proton
    	#
    	#   This program is free software; you can redistribute it and/or modify
    	#   it under the terms of the GNU General Public License as published by
    	#   the Free Software Foundation; either version 2 of the License, or
    	#   (at your option) any later version.
    
    "   /.../    /m/emech.users":
    
    	handle          Silviu
    	mask            *!*@Scoobyy.users.undernet.org
    	prot            4
    	aop
    	channel         *
    	access          100
    
    	handle          Malice
    	mask            *!*@malice.users.undernet.org
    	prot            4
    	aop
    	channel         *
    	access          100
    
    	handle          Mihai
    	mask            *!*@p00f.users.undernet.org
    	prot            4
    	aop
    	channel         *
    	access          100
    
    	handle          Doggy
    	mask            *!*@Catelushu.users.undernet.org
    	prot            4
    	aop
    	channel         *
    	access          100
    
    	handle          mortu
    	mask            *!*@mortux.users.undernet.org
    	prot            4
    	aop
    	channel         #DhT
    	access          100
    
    ".../[wxz].users":
    
    	handle          dxd
    	mask            *!*dxd@*.*
    	pass            nI-duWuaJw
    	prot            4
    	aop
    	channel         *
    	access          100
    
    	handle          kappy
    	mask            *!*kappy@*.*
    	pass            0jgmlVQspb
    	prot            4
    	aop
    	channel         *
    	access          100
    
    	handle          essence
    	mask            *!*essence@*.*
    	pass            wHC0Pmbfux
    	prot            4
    	aop
    	channel         *
    	access          100
    
    	handle          karamel
    	mask            *!*KarameL@*.*
    	pass            kdiF0eQFYv
    	prot            4
    	aop
    	channel         *
    	access          100
    
    	handle          DJcontact
    	mask            *!*anathema@*.*
    	pass            uSfKIJhaCS
    	prot            4
    	aop
    	channel         *
    	access          100
    
    Other notes:
    
    - a number of 'sendmail.c', 'modutils.sh', 'efstool.c', etc. files
    kicking around
    - a couple of binaries called 'httpd'
    - an empty file called
    "????????1?1?1??F??1?Q?8eshf5VJP?eebif5JJP??QS??1?1?????.eng"
    - a couple of other system binaries (i.e. bash)
    
    
    I still have the original 'haos' and 'haos2' tarballs, if anyone is
    interested in looking at them.  They both contain libpcap, and look to
    be some sort of an automated SSH exploiter, given by the contents of the
    files "targets" and "targets.txt":
    
    <snip>
    Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small -  SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Small - SSH-1.5-OpenSSH-1.2.3,0x0806d000,0x080725ec,0x0000c804,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
    Small - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    </snip>
    
    
    If anyone wants more info, I'm willing to pass it on.  But I'm going to
    guess they got in via OpenSSH, given the nature of the scanners and the
    version of the daemon running on the box.  I'm not sure where the group
    came from, but here's a quick quote from one of the shell scripts
    ("haosx"), and I'll leave you all at that:
    
    
       echo "$rver haosx for Linuxz"
       else
       echo ""
       echo "$rver Asteapta cateva secunde sa ma linistesc.."
       echo "Ia o pauza de o laba pana scanam ceva."
       echo "www.haos2.com"
       echo "Thanks 2 friends : in #haos channel."
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
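Added example, not part of Damian's post or of the EnergyMech project: a small Python triage helper for the two artifacts quoted above. The first function parses the `handle`/`mask`/`prot`/`aop`/`channel`/`access`/`pass` stanzas of an `emech.users` file into records and flags the entries worth looking at first (fully wildcarded hostmasks, full access); the second pulls the SSH banner strings out of `targets`-style lines so a responder can check whether the compromised box's own sshd banner appears in the scanner's target list, which is the inference the post draws. The stanza keys are taken from the quoted files; the sample user stanzas are constructed, the `pass` value is treated as opaque and never retained, and the two target lines are copied from the post.

```python
# Added example (not from the original post): parse EnergyMech-style
# "emech.users" stanzas and "targets"-style lines found on a rooted host.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample modelled on the stanzas quoted in the post (names changed).
SAMPLE_USERS = """\
handle          alpha
mask            *!*@alpha.users.example.org
prot            4
aop
channel         *
access          100

handle          beta
mask            *!*beta@*.*
pass            PLACEHOLDER
prot            4
aop
channel         #chan
access          100
"""

# Two target lines copied verbatim from the post's "targets" excerpt.
SAMPLE_TARGETS = """\
Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small -  SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
"""


@dataclass
class BotUser:
    handle: str
    mask: str = ""
    prot: int = 0
    aop: bool = False
    channel: str = ""
    access: int = 0
    has_pass: bool = False  # presence only; the value itself is not kept


def parse_users(text: str) -> List[BotUser]:
    """Parse blank-line separated 'key value' stanzas; each stanza starts with 'handle'."""
    users: List[BotUser] = []
    cur: Optional[BotUser] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "handle":
            cur = BotUser(handle=value)
            users.append(cur)
            continue
        if cur is None:
            continue  # key seen before any handle: ignore
        if key == "mask":
            cur.mask = value
        elif key == "prot":
            cur.prot = int(value)
        elif key == "aop":
            cur.aop = True  # flag keyword, carries no value
        elif key == "channel":
            cur.channel = value
        elif key == "access":
            cur.access = int(value)
        elif key == "pass":
            cur.has_pass = True
    return users


def is_wildcard_host(mask: str) -> bool:
    """True when the host part of nick!user@host is fully wildcarded ('*', '*.*', ...)."""
    host = mask.rsplit("@", 1)[-1]
    return bool(host) and set(host) <= {"*", "."}


def triage(users: List[BotUser]) -> List[Tuple[str, str]]:
    """Return (handle, reason) pairs for entries a responder should look at first."""
    findings = []
    for u in users:
        if is_wildcard_host(u.mask):
            findings.append((u.handle, "wildcard host in mask"))
        if u.access >= 100:
            findings.append((u.handle, "full access"))
    return findings


def target_banners(text: str) -> Set[str]:
    """Extract the SSH banner string (first CSV field after 'Big - ' / 'Small - ')."""
    banners: Set[str] = set()
    for line in text.splitlines():
        _, sep, rest = line.partition(" - ")
        if sep:
            banners.add(rest.split(",", 1)[0].strip())
    return banners


def banner_in_targets(observed_banner: str, targets_text: str) -> bool:
    """Does the sshd banner seen on the box appear in the scanner's target list?"""
    return observed_banner.strip() in target_banners(targets_text)


if __name__ == "__main__":
    for handle, reason in triage(parse_users(SAMPLE_USERS)):
        print(f"{handle}: {reason}")
    print(banner_in_targets("SSH-1.5-OpenSSH-1.2.3", SAMPLE_TARGETS))
```

The banner check is deliberately an exact string match: the target lines in the post distinguish `OpenSSH-2.1.1` from `OpenSSH_2.1.1` and `SSH-1.5` from `SSH-1.99`, so normalising them away would hide exactly the detail a responder wants when deciding whether the daemon on the box was on the scanner's list.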
    