Incidents
More /sumthin, maybe Feb 03 2003 08:52AM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: More /sumthin Feb 26 2003 02:23PM
Philipp Hug (securityfocus hugit ch) (1 replies)
RE: More /sumthin Feb 26 2003 09:14PM
Jonathan A. Zdziarski (jonathan networkdweebs com) (1 replies)
Well, whatever bugs this exploits, it seems from the source code that it is
more related to the version of Apache than to the version of SSL; perhaps
something to do with the way they interact. It doesn't even use port 443.

Also, given that ./openssl was called and not just plain old openssl, and
that -a doesn't appear to be a valid openssl command, it's probably calling
a script of sorts and we have no idea what that script does.

> -----Original Message-----
> From: Philipp Hug [mailto:securityfocus (at) hugit (dot) ch [email concealed]]
> Sent: Wednesday, February 26, 2003 9:23 AM
> To: Sverre H. Huseby; incidents (at) securityfocus (dot) com [email concealed]
> Subject: Re: More /sumthin
>
> I found the root of all evil ;-)
>
> the /sumthin tool is attached. I got it from an "owned" server.
>
> Philipp
> ----- Original Message -----
> From: "Sverre H. Huseby" <shh (at) thathost (dot) com [email concealed]>
> To: <incidents (at) securityfocus (dot) com [email concealed]>
> Sent: Monday, February 03, 2003 9:52 AM
> Subject: More /sumthin, maybe
>
>
> > I got a couple of E-mails from a guy that _may_ have more info on the
> > /sumthin case. One of his servers was "owned", and he _thinks_ the
> > /sumthin request was the start of the attack. His E-mails follow:
> >
> > ==================================================================
> >
> > I got hit with the same thing. /sumthin is exactly what everyone
> > thinks it is - a probe. Someone used my version info to exploit a
> > bug in SSL. I still don't know what the bugs are yet, but it's
> > really evident. From there, he logged in as my webserver, and
> > totally F$%^&D my server. He set up some kind of irc server, and
> > compromised so much of my server I'm having to rebuild from the
> > ground up. He redirected the root .bash_history to /dev/nul and
> > redirected the mail logs and he set up an account called tcp so he
> > could log in through ssh. Most of the services were shut down
> > (that's how I figured something was up - I couldn't get my mail).
> >
> > Even though he did wipe the root history, he forgot to wipe
> > wwwrun's history. It's too long to post, but it will be up for a
> > short while at http://XXX [Sverre says: URL removed. log file
> > attached.]
> >
> > He also replaced bash and set the default runlevel to halt, so
> > when I restarted the system just stopped (what a pisser).
> >
> > When I went back and grepped all the logs, the /sumthin only shows
> > up in the logs of one domain (despite the fact we host around [N])
> > and starts sometime around mid-October, as everyone else has
> > noticed.
> >
> > ==================================================================
> >
> > I found things like this in /tmp and /var/tmp:
> >
> > drwxr-xr-x 3 wwwrun nogroup 153 Jan 26 04:10 a
> > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz
> > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.1
> > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.2
> > -rwxr-xr-x 1 wwwrun nogroup 19577 Nov 28 15:55 alarmd
> > drwxr-xr-x 5 wwwrun nogroup 635 Dec 22 17:00 orbit-root
> > drwxr-xr-x 9 wwwrun nogroup 553 Jan 12 09:52 psybnc
> > -rw-r--r-- 1 wwwrun nogroup 596571 Oct 17 23:19 psybnc.tar.gz
> >
> > After that I did a find / -user wwwrun and found a bunch of stuff
> > and then discovered several other uids involved.
> >
> > ==================================================================
> >
> > The attached shell history file shows what appears to be a manual
> > attacker downloading and installing several files using wget. Some of
> > the files are no longer available, but the few I managed to download
> > seem to be either related to IRC (server and bot), or to Linux local
> > exploits. (I only spent a couple of minutes downloading and glancing
> > at the files.)
> >
> >
> > Sverre.
> >
> > --
> > shh (at) thathost (dot) com [email concealed] Computer Geek? Try my Nerd Quiz
> > http://shh.thathost.com/ http://nerdquiz.thathost.com/
> >

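The quoted report lists the artifacts the attacker left behind: root's .bash_history pointed at the null device, an extra "tcp" login account for ssh, initdefault switched to halt, and archives and binaries dropped into /tmp and /var/tmp. The script below is an added example (not from this thread or its authors) that checks an offline filesystem root for exactly those indicators; the mock tree it builds with make_mock_root is constructed sample data, and the account names and paths in it are assumptions modelled on the report.

```shell
#!/bin/sh
# Offline triage for the indicators in the quoted report: history redirected to
# /dev/null, an extra login account, initdefault set to halt, payloads in /tmp.
# ROOT is a filesystem root: "/" on a live host, a mounted image, or a mock tree.

triage_root() {
    root="${1:-/}"
    # 1. Shell history linked to the null device (root's history was wiped this way).
    for hist in "$root/root/.bash_history" "$root"/home/*/.bash_history; do
        [ -L "$hist" ] || continue
        case "$(readlink "$hist")" in
            /dev/null|/dev/nul) echo "FINDING: history linked to null device: $hist" ;;
        esac
    done
    # 2. Non-root accounts with a usable login shell (the "tcp" account used for ssh).
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$shell" in */nologin|*/false|"") continue ;; esac
        [ "$name" = root ] && continue
        echo "FINDING: login-capable account $name (uid $uid, shell $shell)"
    done < "$root/etc/passwd"
    # 3. SysV default runlevel set to 0 (the box halted on the next reboot).
    if [ -f "$root/etc/inittab" ] && grep -q '^id:0:initdefault:' "$root/etc/inittab"; then
        echo "FINDING: default runlevel is 0 (halt) in /etc/inittab"
    fi
    # 4. Executables and archives dropped into the world-writable temp directories.
    for d in "$root/tmp" "$root/var/tmp"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -perm -100 -o -name '*.tgz' -o -name '*.tar.gz' \) \
            | sed 's/^/FINDING: suspicious temp file: /'
    done
}

# Constructed mock root reproducing the artifacts from the report (not real data).
make_mock_root() {
    mock="$(mktemp -d)"
    mkdir -p "$mock/root" "$mock/etc" "$mock/tmp" "$mock/var/tmp"
    ln -s /dev/null "$mock/root/.bash_history"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'wwwrun:x:30:8:WWW daemon:/var/lib/wwwrun:/bin/false' \
        'tcp:x:1001:100::/home/tcp:/bin/bash' > "$mock/etc/passwd"
    printf 'id:0:initdefault:\n' > "$mock/etc/inittab"
    : > "$mock/tmp/a.tgz"
    : > "$mock/tmp/alarmd" && chmod 755 "$mock/tmp/alarmd"
    echo "$mock"
}

triage_root "$(make_mock_root)"
```

On a real image, mount it read-only and pass the mount point as the first argument; the checks only read, so they are safe to run before taking a full disk copy.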
Re: More /sumthin Feb 27 2003 12:59AM
D.C. van Moolenbroek (dc van moolenbroek chello nl)
Copyright 2010, SecurityFocus