Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???
From: Thierry Haven <thierry.haven () xmcopartners com>
Date: Fri, 29 Oct 2004 12:27:42 +0200

It appears that the signature is

00000000 C6C22C                  mov dl, 2C
00000003 37                      aaa
00000004 60                      pushad
00000005 C1EFD4                  shr edi, D4
00000008 C4922264C66A            les edx, dword ptr [edx+6AC66422]
0000000E E10D                    loopz 0000001D
00000010 8A6A5F                  mov ch, byte ptr [edx+5F]
00000013 D44E                    aam (base78)
00000015 91                      xchg eax,ecx
00000016 10044D00000000          adc byte ptr [2*ecx+104D044D], al

The beginning & the end of the disassembly may be wrong if the signature is not complete. However it doesn't make much sense globally and this code is too short to see a potential attack : no memory is written here. By the way, where is this signature from ?

Thierry Haven - Xmco Partners
Consultant Sécurité / Test d'intrusion

tel  : 33 1 53 45 28 63
web  : http://www.xmcopartners.com
16 place Vendome 75001 PARIS

Elia Florio wrote:

Hi list,
I'm fighting again against an hackers crew
(I suppose the same mentioned in this link:
http://seclists.org/lists/incidents/2004/Jul/0056.html  )
which is installing various malware on many
compromised box to get group of zombies ready-to-run.
(follow my previous mail on "xpire.info" and "splitinfinity.info")

I've found in some logs that they use different exploits on port 80
but one exploit is specific for Apache 1.3.27 (with PHP/Perl
and other module installed).

It looks like an overflow, I know that 1.3.27 is a bugged version,
but I would to know if anyone have seen this code before:
Extracted from error log of Apache : - - [28/Oct/2004:10:54:37 +0200]
400 299 - - [08/Oct/2004:15:55:35 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_x8ci7x9fx8cxec" 400
- - - [11/Oct/2004:03:58:05 +0200]
400 - - - [13/Oct/2004:20:48:23 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd4Nx91x10x04M" 400
- - - [28/Oct/2004:09:55:02 +0200]
400 - "-" "-" - - [28/Oct/2004:09:55:58 +0200]
400 - "-" "-"

I would suggest to any sysadmin using Apache 1.3.27 to ban this subnet
from their hosts, cause all attacks are coming from these machines :

(...and obvious "xpire.info")

Someone suggests to me that they are related to :

Qwest Communications NET-QWEST-BLKS-4 (NET-65-112-0-0-1) -
EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1) -

The exploits left this signatures (i have to translate the opcodes into asm)

xC6 xC2 x2C x37 x60 xC1 xEF xD4 xC4 x92 x22 x64 xC6 x6A xE1 x0D x8A
x6A x5F xD4 x4E x91 x10 x04 4D

The last bytes are changing in every attempt, so this seems to be a
bruteforce attempt to get a valid return address to execute the exploit.

Probably the exploit works for a specific version of Apache/Linux Kernel,
so the hacker have to try many times with different ret. address to
find the right way to execute it.

Any comments?


Messaggio inviato da
Edizioni Master Webmail

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]