RE: More /sumthin

From: Jonathan A. Zdziarski (jonathanat_private)
Date: Wed Feb 26 2003 - 13:14:37 PST


    Well whatever bugs this exploits, it seems that from the source code, it is
    more related to the version of Apache than it is the version of SSL; perhaps
    something to do with the way they interact.  It doesn't even use port 443.
    
    Also being that ./openssl was called and not just plain old openssl, and
    that -a doesn't appear to be a valid openssl command, it's probably calling
    a script of sorts and we have no idea what that script does.  
    
    > -----Original Message-----
    > From: Philipp Hug [mailto:securityfocusat_private]
    > Sent: Wednesday, February 26, 2003 9:23 AM
    > To: Sverre H. Huseby; incidentsat_private
    > Subject: Re: More /sumthin
    > 
    > I found the root of all evil ;-)
    > 
    > the /sumthin tool is attached. I got it from an "owned" server.
    > 
    > Philipp
    > ----- Original Message -----
    > From: "Sverre H. Huseby" <shhat_private>
    > To: <incidentsat_private>
    > Sent: Monday, February 03, 2003 9:52 AM
    > Subject: More /sumthin, maybe
    > 
    > 
    > > I got a couple of E-mails from a guy that _may_ have more info on the
    > > /sumthin case.  One of his servers was "owned", and he _thinks_ the
    > > /sumthin request was the start of the attack.  His E-mails follow:
    > >
    > >     ==================================================================
    > >
    > >     I got hit with the same thing.  /sumthin is exactly what everyone
    > >     thinks it is - a probe.  Someone used my version info to exploit a
    > >     bug in SSL.  I still don't know what the bugs are yet, but it's
    > >     really evident.  From there, he logged in as my webserver, and
    > >     totally F$%^&D my server.  He set up some kind of irc server, and
    > >     compromised so much of my server I'm having to rebuild from the
    > >     ground up.  He redirected the root .bash_history to /dev/nul and
    > >     redirected the mail logs and he set up an account called tcp so he
    > >     could log in through ssh.  Most of the services were shut down
    > >     (that's how I figured something was up - I couldn't get my mail).
    > >
    > >     even though he did wipe the root history, he forgot to wipe
    > >     wwwrun's history, it's too long to post, but it will be up for a
    > >     short while at http://XXX [Sverre says: URL removed.  log file
    > >     attached.]
    > >
    > >     He also replaced bash and set the default runlevel to halt, so
    > >     when I restarted the system just stopped (what a pisser).
    > >
    > >     When I went back and grepped all the logs, the /sumthin only shows
    > >     up in the logs of one domain (despite the fact we host around [N])
    > >     and starts sometime around mid October as everyone else has
    > >     noticed.
    > >
    > >     ==================================================================
    > >
    > >     I found things like this in /tmp and /var/tmp:
    > >
    > >     drwxr-xr-x   3 wwwrun   nogroup       153 Jan 26 04:10 a
    > >     -rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz
    > >     -rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz.1
    > >     -rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz.2
    > >     -rwxr-xr-x   1 wwwrun   nogroup     19577 Nov 28 15:55 alarmd
    > >     drwxr-xr-x   5 wwwrun   nogroup       635 Dec 22 17:00 orbit-root
    > >     drwxr-xr-x   9 wwwrun   nogroup       553 Jan 12 09:52 psybnc
    > >     -rw-r--r--   1 wwwrun   nogroup    596571 Oct 17 23:19 psybnc.tar.gz
    > >
    > >     after that I did a find / -user wwwrun and found a bunch of stuff
    > >     and then discovered several other uids involved.
    > >
    > >     ==================================================================
    > >
    > > The attached shell history file shows what appears to be a manual
    > > attacker downloading and installing several files using wget.  Some of
    > > the files are no longer available, but the few I managed to download
    > > seem to be either related to IRC (server and bot), or to Linux local
    > > exploits.  (I only spent a couple of minutes downloading and glancing
    > > at the files.)
    > >
    > >
    > > Sverre.
    > >
    > > --
    > > shhat_private Computer Geek?  Try my Nerd Quiz
    > > http://shh.thathost.com/ http://nerdquiz.thathost.com/
    > >
    > 
    > 
    > --------------------------------------------------------------------------
    > 
    > > ------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    
    
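The victim's account above lists the artifacts that gave the intrusion away: files in /tmp owned by the web-server account (wwwrun), root's .bash_history pointed at /dev/null, an added login account ("tcp"), and the default runlevel changed to halt. The script below is an added example, not code from the thread or from any of its posters: it turns those observations into repeatable triage checks, exercised here against a constructed fixture (the quoted /tmp listing, a made-up passwd file and inittab, and a history symlink) so it runs offline. The fixture paths, the account list, and the inittab contents are assumptions built for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): triage checks for the indicators the
# victim described, run against a constructed fixture so the script runs offline.

FIXTURE="${FIXTURE:-$(mktemp -d)}"
WEBUSER="${WEBUSER:-wwwrun}"   # web-server account named in the thread

build_fixture() {
    mkdir -p "$FIXTURE/root" "$FIXTURE/etc"
    # The /tmp listing quoted in the thread, as "ls -l" output (lost+found added
    # as a constructed entry owned by root, so the filter has something to skip).
    cat > "$FIXTURE/tmp_listing" <<'EOF'
drwxr-xr-x   3 wwwrun   nogroup       153 Jan 26 04:10 a
-rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz
-rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz.1
-rw-r--r--   1 wwwrun   nogroup     14138 Jan  4 20:32 a.tgz.2
-rwxr-xr-x   1 wwwrun   nogroup     19577 Nov 28 15:55 alarmd
drwxr-xr-x   5 wwwrun   nogroup       635 Dec 22 17:00 orbit-root
drwxr-xr-x   9 wwwrun   nogroup       553 Jan 12 09:52 psybnc
-rw-r--r--   1 wwwrun   nogroup    596571 Oct 17 23:19 psybnc.tar.gz
drwx------   2 root     root         4096 Jan 12 09:00 lost+found
EOF
    # Constructed: root's history pointed at /dev/null, as the victim reported.
    ln -sf /dev/null "$FIXTURE/root/.bash_history"
    # Constructed passwd: the "tcp" account from the thread given a login shell;
    # its uid and home are assumptions.
    cat > "$FIXTURE/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
nobody:x:65534:65534:nobody:/var/lib/nobody:/sbin/nologin
tcp:x:1001:100::/tmp:/bin/bash
EOF
    # Constructed SysV inittab with the default runlevel set to 0 (halt).
    cat > "$FIXTURE/etc/inittab" <<'EOF'
id:0:initdefault:
l0:0:wait:/etc/init.d/rc 0
EOF
}

# Names of entries in an "ls -l" listing owned by the given account. On a live
# box you would feed it "ls -l /tmp /var/tmp", or run find / -user "$WEBUSER".
webuser_entries() {
    awk -v u="$2" 'NF >= 9 && $3 == u { print $NF }' "$1"
}

# "yes" when a history file is a symlink to /dev/null, otherwise "no".
history_nulled() {
    if [ -L "$1" ] && [ "$(readlink "$1")" = /dev/null ]; then
        echo yes
    else
        echo no
    fi
}

# Accounts whose login shell is not a nologin placeholder; compare the result
# against a known-good baseline to spot additions such as "tcp".
login_shell_accounts() {
    awk -F: '$7 !~ /(false|nologin)$/ { print $1 }' "$1"
}

# Default SysV runlevel from inittab; 0 is halt, so the box stops on reboot.
default_runlevel() {
    awk -F: '$3 == "initdefault" { print $2 }' "$1"
}

build_fixture
echo "entries owned by $WEBUSER in tmp:"
webuser_entries "$FIXTURE/tmp_listing" "$WEBUSER"
echo "root history nulled: $(history_nulled "$FIXTURE/root/.bash_history")"
echo "accounts with a login shell: $(login_shell_accounts "$FIXTURE/etc/passwd" | tr '\n' ' ')"
echo "default runlevel: $(default_runlevel "$FIXTURE/etc/inittab")"
```

Each check reads a file rather than the live system, so the same functions work on a listing pasted into a mailing-list post, on a mounted image of the victim's disk, or on the running host by pointing them at the real /etc/passwd and /etc/inittab. The replaced bash the victim mentions is not covered here; that needs a checksum comparison against the distribution's package database, which the fixture cannot stand in for.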
    



    This archive was generated by hypermail 2b30 : Wed Feb 26 2003 - 15:48:40 PST