[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)
Mike Staver
staver at fimble.com
Mon Jan 28 22:26:55 MST 2002
Just my 2 cents, but I also had a Red Hat 6.1 system cracked, and 6.2.
The crackers got in through the ftp service. I had to blow the boxes
out because they changed the sticky bits on a lot of executables, and I
don't know enough about system security to resecure the box. But, once
I did redo the box with 6.2, I immediately downloaded the latest ftp rpm
from Red Hat, and ever since then, I've been paying very close attention
to security alerts all around, and haven't been cracked since.
Sean LeBlanc wrote:
>
> On 01-28 21:29, Randy Arabie wrote:
> > On Mon, 28 Jan 2002, Sean LeBlanc wrote:
> >
> > > tar xzvf adore.tgz
> > > cd adore
> > > ./configure
> > > make
> > > ./configure
> > > pico adore.h
> > > ls -a
> > > ./startadore
> >
> > The adore worm....perhaps? The info below is from:
> >
> > http://www.sans.org/y2k/adore.htm
>
> It looks like some of the symptoms - although the adorefind says nothing was
> there. My ps has a new time stamp on it - where can I find the tarball for
> this? I was trying to find suspect processes by hand in the /proc dir, but
> that's getting tedious. I also found a /usr/lib/locale/ro_RO that has some
> schtuff in it that I just blasted.
>
> >
> > <SNIP>
> >
> > Global Incident Analysis Center
> >
> > Adore Worm
> > Version 0.8 - April 12, 2001
> >
> > William Stearns of Dartmouth's ISTS has written a script Adorefind to
> > detect the Adore worm. Questions concerning this page or the Adorefind
> > tool should be directed to handler at incidents.org.
> >
> > This note is a preliminary characterization of the Adore worm. The
> > worm code can be modified by anyone at any time. We'll try to keep
> > this page updated as we learn more.
> >
> > Description
> >
> > Adore is a worm that we originally called the Red Worm. It is similar
> > to the Ramen and Lion worms. Adore scans the Internet checking Linux
> > hosts to determine whether they are vulnerable to any of the following
> > well-known exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is
> > installed by default on Red Hat 7.0 systems. From the reports so far,
> > Adore appears to have started its spread on April 1.
> >
> > Adore worm replaces only one system binary (ps), with a trojaned
> > version and moves the original to /usr/bin/adore. It installs the
> > files in /usr/lib/lib. It then sends an email to the following
> > addresses: adore9000 at 21cn.com, adore9000 at sina.com, adore9001 at 21cn.com,
> > adore9001 at sina.com
> > Attempts have been made to get these addresses taken offline, but no
> > response so far from the provider. It attempts to send the following
> > information:
> > * /etc/ftpusers
> > * ifconfig
> > * ps -aux (using the original binary in /usr/bin/adore)
> > * /root/.bash_history
> > * /etc/hosts
> > * /etc/shadow
> >
> > Adore then runs a package called icmp. With the options provided with
> > the tarball, it by default sets the port to listen to, and the packet
> > length to watch for. When it sees this information it then sets a
> > rootshell to allow connections. It also sets up a cronjob in cron
> > daily (which runs at 04:02 am local time) to run and remove all traces
> > of its existence and then reboots your system. However, it does not
> > remove the backdoor.
> >
> > Variant
> >
> > There appears to be a new variant of the adore worm circulating about
> > the internet. Adorefind 0.2.4 now finds this variant. Only changes
> > from the original adore worm have been noted below:
> > * Adore.V.02
> >
> > * Butcher.gz
> > * Adds 2 users to passwd file
> > * echo "dead:x:1:1:anarchee:/:/bin/sh" >> /etc/passwd;
> > * echo "h:x:0:0:admin:/:/bin/sh" >> /etc/passwd;
> > * It installs itself in /dev/.shit
> > * http://www.geocities.com/butcherdvs/butcher.tgz >/dev/.shit/red.tgz;
> > * Sends email to the following 2 addresses: dvsowned at gmx.net,
> > dvsowned at hotmail.com
> > * Unless you have GLIBC_2.1.3 installed, part of this worm does not work
> > * Uses a program called Sock to try to setup another backdoor, and
> > calls /bin/login to allow for a root shell
> >
> > Detection
> >
> > Dartmouth's ISTS has developed a utility called adorefind that will
> > detect the adore files on an infected system. Simply download it,
> > uncompress it, and run adorefind. It will list which of the suspect
> > files is on the system.
> >
> > Download Adorefind Here from Dartmouth's ISTS site.
> >
> > Snort already detects most of these signatures:
> >
> > Removal
> >
> > As adorefind runs, it will give you the option to stop the running
> > worm jobs and remove the files from the filesystem.
> >
> > Protection
> >
> > You can take the document that Chris Brenton created for the Lion
> > worm, and modify it to look for the Adore worm. You can read it here.
> > You should also block outbound emails to the 4 email addresses and
> > block the website address go.163.com
> >
> > Analysis
> >
> > For an analysis of the adore package download this file:
> > http://www.sans.org/y2k/practical/Michael_Reiter_GCIH.zip. Please note
> > that this is an analysis done on the Adore rootkit which is a Loadable
> > Kernel Module (LKM) and is not specifically analysis done on the
> > red.tar adore worm.
> >
> > References
> >
> > Further information can be found at:
> > * http://www.sans.org/current.htm
> > * http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory
> > CA-2001-02, Multiple Vulnerabilities in BIND
> > * http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer
> > overflow in transaction signature (TSIG) handling code
> > * http://www.sans.org/y2k/ramen.htm Information about the Ramen
> > worm.
> > * http://www.sans.org/y2k/DDoS.htm DDoS handling steps
> > * http://www.isc.org/products/BIND/bind-security.html Web site for
> > the creators of BIND
> >
> > The following vendor update pages may help you in fixing the original
> > BIND vulnerability:
> >
> > Vendor - Description - URL:
> > * Redhat Linux - RHSA-2001:007-03 - BIND remote exploit
> > http://www.redhat.com/support/errata/RHSA-2001-007.html
> > * Redhat Linux - RHSA-2000-065-06 - LPRng exploit
> > http://www.redhat.com/support/errata/RHSA-2000-065-06.html
> > * Redhat Linux - RHSA-2000-039-02 - wuftpd remote exploit
> > http://www.redhat.com/support/errata/RHSA-2000-039-02.html
> > * Redhat Linux - RHSA-2000-039-02 - Rpc statd exploit
> > http://www.redhat.com/support/errata/RHSA-2000-043-03.html
> > * Debian GNU/Linux - DSA-026-1 BIND
> > http://www.debian.org/security/2001/dsa-026
> > * SuSE Linux - SuSE-SA:2001:03 - BIND 8 remote root compromise.
> > http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
> > * Caldera Linux - CSSA-2001-008.0 BIND buffer overflow
> > http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
> > http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
> > * Slackware (linuxsecurity.com advisory) - 1/30/2001 : Slackware: 'bind' vulnerabilities
> > http://www.linuxsecurity.com/advisories/slackware_advisory-1121.html
> > * Mandrake - MDKSA-2001:017 BIND vulnerabilities
> > http://www.linuxmandrake.com/en/security/2001/MDKSA-2001-017.php3?dis=7.2
> > * TurboLinux - TLSA2001004-1 BIND vulnerabilities
> > http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000034.html
> > * Immunix 6.2 and 7.0-beta - IMNX-2001-70-001-01 BIND vulnerabilities
> > http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2001-70-001-01
> > * Conectiva - CLSA-2001:377 BIND vulnerabilities
> > http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377
> > * Storm Linux (see Debian)
> >
> > Frequently Asked Questions - FAQ's
> >
> > I'm running Unix-like Operating System X on Processor Y. Am I
> > vulnerable to Adore?
> >
> > The only class of systems currently attacked by the sole known
> > adore variant are Linux systems running on the x86 processor
> > architecture. That said, the design allows for future variants to
> > be released that attack some other Unix lookalike or some other
> > processor type. At the very least, you should run adorefind to do a
> > quick check. Also, no matter what your flavor of Unix or CPU type,
> > you should be applying your vendor's patches!
> >
> > I'm running some version of Windows. Am I vulnerable?
> >
> > Almost certainly not. If that changes with some new worm release,
> > we'll update this page with new information.
> >
> > Credits
> >
> > This security advisory was prepared by Matt Fearnow of the SANS
> > Institute and William Stearns of the Dartmouth Institute for Security
> > Technology Studies.
> >
> > The Adorefind utility was written by William Stearns. William is an
> > Open-Source developer, enthusiast, and advocate from Vermont, USA. His
> > day job at the Institute for Security Technology Studies at Dartmouth
> > College pays him to work on network security and Linux projects.
> >
> > Also contributing efforts go to SANS GIAC contributors, Todd Clark
> > from Copper Media, Greg Shipley of Neohapsis, Marion Bates of ISTS,
> > and Alex Bates of ISTS.
> >
> > Mirrors
> >
> > This advisory page can be found at http://www.sans.org/y2k/adore.htm
> > and http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm
> >
> >
> > © 2001 SANS Institute : Office 301.951.0102 : Registration
> > 1.866.570.9927 : Web Contact scott at sans.org
> > </SNIP>
> > --
> >
> > Cheers!
> >
> > Randy
> >
> > ================================================================
> > Randy Arabie
> > GnuPG Key Info --
> >
> > Fingerprint: 7E25 DFA2 EF72 9551 9C6C 8AA6 6E8C A0F5 7E33 D981
> > Key ID: 7C603AEF
> > http://www.arabie.org/keys/rrarabie.gnupg
> > ================================================================
> >
> > _______________________________________________
> > CLUE-Tech mailing list
> > CLUE-Tech at clue.denver.co.us
> > http://clue.denver.co.us/mailman/listinfo/clue-tech
>
> --
> Sean LeBlanc:seanleblanc at attbi.com Yahoo:seanleblancathome
> ICQ:138565743 MSN:seanleblancathome AIM:sleblancathome
> We will not know unless we begin.
> -Howard Zinn
>
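As an added illustration, not part of this thread and not the adorefind script the quoted advisory points to: a small Python host check built only from the indicators the advisory lists (the relocated ps at /usr/bin/adore, the /usr/lib/lib and /dev/.shit drop directories, the two appended passwd lines) plus the /proc-versus-ps comparison Sean was doing by hand. The ps invocation and the /proc walk assume a Linux host; every sample passwd line and PID set used below is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Added example: host check for the Adore worm indicators quoted in the
SANS advisory. Not the adorefind tool; paths and passwd lines come from
the advisory, sample data in the checks is constructed."""
import os
import subprocess
from typing import Callable, Iterable, List

# File-system indicators from the advisory: the original ps is moved to
# /usr/bin/adore, files are dropped in /usr/lib/lib, the variant uses /dev/.shit.
ADORE_PATHS = ["/usr/bin/adore", "/usr/lib/lib", "/dev/.shit"]

# The two accounts the variant appends to /etc/passwd, as quoted above.
PLANTED_ACCOUNTS = {
    "dead:x:1:1:anarchee:/:/bin/sh",
    "h:x:0:0:admin:/:/bin/sh",
}


def find_indicator_paths(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the Adore drop paths that exist. `exists` is injectable so the
    check can be exercised against a constructed file system."""
    return [p for p in ADORE_PATHS if exists(p)]


def suspicious_passwd_entries(lines: Iterable[str]) -> List[str]:
    """Flag the exact planted lines and, more generally, any uid-0 account
    other than root. The exact match mirrors the advisory; the uid check
    also catches a renamed variant of the same trick."""
    hits = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # malformed line, not a passwd record
            continue
        name, uid = fields[0], fields[2]
        if line in PLANTED_ACCOUNTS or (uid == "0" and name != "root"):
            hits.append(line)
    return hits


def hidden_pids(proc_pids: Iterable[int], ps_pids: Iterable[int]) -> List[int]:
    """PIDs present in /proc but absent from ps output. A trojaned ps hides
    the worm's processes, while the kernel's /proc listing does not, so the
    difference is the set worth inspecting."""
    return sorted(set(proc_pids) - set(ps_pids))


def list_proc_pids() -> List[int]:
    """Live read of /proc (Linux only)."""
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


def list_ps_pids() -> List[int]:
    """PIDs as reported by the installed ps, which may itself be trojaned."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True).stdout
    return [int(tok) for tok in out.split() if tok.isdigit()]


if __name__ == "__main__":
    print("indicator paths present:", find_indicator_paths())
    with open("/etc/passwd") as fh:
        print("suspicious passwd entries:", suspicious_passwd_entries(fh))
    # Two snapshots: a PID must be missing from ps in both to count, which
    # filters out processes that simply exited between the two reads.
    first = set(hidden_pids(list_proc_pids(), list_ps_pids()))
    second = set(hidden_pids(list_proc_pids(), list_ps_pids()))
    print("pids in /proc but not in ps:", sorted(first & second))
```

The /proc comparison is the useful part on a box whose ps is already suspect, since it trusts the kernel rather than the binary; the path and passwd checks only find the specific files and accounts the advisory names, which is also all adorefind could do, and a modified variant would drop elsewhere.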