Incidents
Re: More /sumthin
Date: Feb 27 2003 12:59AM
From: D.C. van Moolenbroek (dc van moolenbroek chello nl)
It's safe to assume that this "./openssl" is the openssl-too-open[1] mod_ssl
exploit by Solar Eclipse. The "-a" switch is used to specify a target type.
These target types are indeed listed by OS and apache version, not by
OpenSSL version, because the exploit needs offset information for the
specific target platform, for which the SSL version alone is not sufficient.
On the other hand, the combination of OS (or actually, distribution) and
apache version is usually sufficient to guess the SSL version, although I
don't know whether the exploit actually needs the exact SSL version number
at all, in order to exploit it successfully.

Anyway, the error text in the handle_timeout() function (I quote, "Fuck it.
Next..."), and the fact that stderr is used for output throughout the whole
program, suggest that this http version grabber is being used as part of
some mass scanner, which of course explains why so many people have seen the
/sumthin stuff in their logs.

It looks like a very inefficient tool indeed, as it starts the exploit
without doing a simple mod_ssl version check, especially considering the
fact that the mentioned exploit opens thirty connections to the target host by
default, before even verifying that the target is vulnerable. Note, though,
that the exploit terminates immediately if port 443 is not open; also, my
guess is that the attacker or masshack program would have mass-synscanned
for port 443 before actually trying to use this tool on potential targets.

Regards,

David

[1] http://packetstormsecurity.org/0209-exploits/openssl-too-open.tar.gz

----- Original Message -----
From: "Jonathan A. Zdziarski" <jonathan (at) networkdweebs (dot) com [email concealed]>
To: "'Philipp Hug'" <securityfocus (at) hugit (dot) ch [email concealed]>; "'Sverre H. Huseby'"
<shh (at) thathost (dot) com [email concealed]>; <incidents (at) securityfocus (dot) com [email concealed]>
Sent: Wednesday, February 26, 2003 10:14 PM
Subject: RE: More /sumthin

Well, whatever bugs this exploits, it seems from the source code that it is
more related to the version of Apache than it is to the version of SSL; perhaps
something to do with the way they interact. It doesn't even use port 443.

Also being that ./openssl was called and not just plain old openssl, and
that -a doesn't appear to be a valid openssl command, it's probably calling
a script of sorts and we have no idea what that script does.

> -----Original Message-----
> From: Philipp Hug [mailto:securityfocus (at) hugit (dot) ch [email concealed]]
> Sent: Wednesday, February 26, 2003 9:23 AM
> To: Sverre H. Huseby; incidents (at) securityfocus (dot) com [email concealed]
> Subject: Re: More /sumthin
>
> I found the root of all evil ;-)
>
> the /sumthin tool is attached. I got it from an "owned" server.
>
> Philipp
> ----- Original Message -----
> From: "Sverre H. Huseby" <shh (at) thathost (dot) com [email concealed]>
> To: <incidents (at) securityfocus (dot) com [email concealed]>
> Sent: Monday, February 03, 2003 9:52 AM
> Subject: More /sumthin, maybe
>
>
> > I got a couple of E-mails from a guy that _may_ have more info on the
> > /sumthin case. One of his servers was "owned", and he _thinks_ the
> > /sumthin request was the start of the attack. His E-mails follow:
> >
> > ==================================================================
> >
> > I got hit with the same thing. /sumthin is exactly what everyone
> > thinks it is - a probe. Someone used my version info to exploit a
> > bug in SSL. I still don't know what the bugs are yet, but it's
> > really evident. From there, he logged in as my webserver, and
> > totally F$%^&D my server. He set up some kind of irc server, and
> > compromised so much of my server I'm having to rebuild from the
> > ground up. He redirected the root .bash_history to /dev/null and
> > redirected the mail logs and he set up an account called tcp so he
> > could log in through ssh. Most of the services were shut down
> > (that's how I figured something was up - I couldn't get my mail).
> >
> > even though he did wipe the root history, he forgot to wipe
> > wwwrun's history, it's too long to post, but it will be up for a
> > short while at http://XXX [Sverre says: URL removed. log file
> > attached.]
> >
> > He also replaced bash and set the default runlevel to halt, so
> > when I restarted the system just stopped (what a pisser).
> >
> > When I went back and grepped all the logs, the /sumthin only shows
> > up in the logs of one domain (despite the fact we host around [N])
> > and starts sometime around mid October as everyone else has
> > noticed.
> >
> > ==================================================================
> >
> > I found things like this in /tmp and /var/tmp:
> >
> > drwxr-xr-x 3 wwwrun nogroup 153 Jan 26 04:10 a
> > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz
> > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.1
> > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.2
> > -rwxr-xr-x 1 wwwrun nogroup 19577 Nov 28 15:55 alarmd
> > drwxr-xr-x 5 wwwrun nogroup 635 Dec 22 17:00 orbit-root
> > drwxr-xr-x 9 wwwrun nogroup 553 Jan 12 09:52 psybnc
> > -rw-r--r-- 1 wwwrun nogroup 596571 Oct 17 23:19 psybnc.tar.gz
> >
> > after that I did a find / -user wwwrun and found a bunch of stuff
> > and then discovered several other uids involved.
> >
> > ==================================================================
> >
> > The attached shell history file shows what appears to be a manual
> > attacker downloading and installing several files using wget. Some of
> > the files are no longer available, but the few I managed to download
> > seem to be either related to IRC (server and bot), or to Linux local
> > exploits. (I only spent a couple of minutes downloading and glancing
> > at the files.)
> >
> >
> > Sverre.
> >
> > --
> > shh (at) thathost (dot) com [email concealed] Computer Geek? Try my Nerd Quiz
> > http://shh.thathost.com/ http://nerdquiz.thathost.com/
> >
>

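A small triage script, added here as an example and not a tool from this thread, that checks the indicators the quoted victim report describes: root's history pointed at /dev/null, a new login account such as "tcp", the default runlevel set to halt, and files owned by the web server user left in the temp directories. The path layout, the `wwwrun` account name and the `/etc/inittab` runlevel convention are assumptions about the victim's system; run it against `/` on a live host or against a mounted image of the compromised disk.

```sh
#!/bin/sh
# Added triage example (not from this thread). ROOT is / on a live box or a
# mounted image of the compromised disk; WEBUSER is the account Apache runs
# as (assumed to be "wwwrun" on the victim's SuSE-style system).
# Usage: triage_host ROOT WEBUSER
triage_host() {
    root=${1%/}
    webuser=$2
    count=0

    # 1. root's shell history "redirected" to /dev/null. A symlink is assumed
    #    here as the usual way that is done.
    hist="$root/root/.bash_history"
    if [ -L "$hist" ] && [ "$(readlink "$hist")" = "/dev/null" ]; then
        echo "FINDING: $hist is a symlink to /dev/null"
        count=$((count + 1))
    fi

    # 2. accounts with a real login shell other than root and the web user
    #    (the report mentions an added account "tcp" used to log in via ssh).
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        case "$shell" in */nologin|*/false|"") continue ;; esac
        case "$name" in root|"$webuser") continue ;; esac
        echo "FINDING: login account $name (uid $uid, shell $shell)"
        count=$((count + 1))
    done < "$root/etc/passwd"

    # 3. default runlevel changed to halt (0) or reboot (6) in /etc/inittab,
    #    matching "set the default runlevel to halt" in the report.
    if grep -Eq '^id:[06]:initdefault:' "$root/etc/inittab" 2>/dev/null; then
        echo "FINDING: /etc/inittab default runlevel is halt or reboot"
        count=$((count + 1))
    fi

    # 4. files the web server user dropped in the temp directories (a.tgz,
    #    psybnc, alarmd in the report); a hijacked httpd process writes as
    #    that user, so this is the same check as the victim's find -user.
    for dir in "$root/tmp" "$root/var/tmp"; do
        [ -d "$dir" ] || continue
        n=$(find "$dir" -mindepth 1 -user "$webuser" 2>/dev/null | wc -l)
        find "$dir" -mindepth 1 -user "$webuser" 2>/dev/null |
            sed "s|^|FINDING: owned by $webuser: |"
        count=$((count + n))
    done

    echo "SUMMARY: $count finding(s) under $root"
}
```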