Re: Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???
From: "Elia Florio" <eflorio () edmaster it>
Date: Fri, 29 Oct 2004 12:37:10 +0200
It appears that the signature is
00000000 C6C22C mov dl, 2C
00000003 37 aaa
00000004 60 pushad
00000005 C1EFD4 shr edi, D4
00000008 C4922264C66A les edx, dword ptr [edx+6AC66422]
0000000E E10D loopz 0000001D
00000010 8A6A5F mov ch, byte ptr [edx+5F]
00000013 D44E aam (base78)
00000015 91 xchg eax,ecx
00000016 10044D00000000 adc byte ptr [2*ecx+104D044D], al
The beginning and the end of the disassembly may be wrong if the signature
is not complete. However, it doesn't make much sense globally, and this
code is too short to see a potential attack: no memory is written here.
By the way, where is this signature from?
Someone (Peter Kosinar) suggested to me that this byte pattern
is a potential command directed to the "suckit" rootkit over port 80;
the first bytes are a kind of authentication hash and the final bytes
are changing because it's a port number.... Still investigating this...
Your work is great, but maybe this isn't an attack
pattern, so the bytes are not asm instructions! Thank you anyway...
The signature comes from the error logs of different compromised
Apache 1.3.27 servers with PHP 4.2.3.
I've contacted the sysadmins of the IPs originating these attacks,
because someone else suggested to me that the attacking hosts
are also compromised boxes used by this hacker crew....
They own a lot of Apache *nix servers worldwide :((((((
126.96.36.199 : ns1.tnet.ch : An old Cobalt RaQ server, with very poor
OrgName: Everyones Internet, Inc.
188.8.131.52 : dschrahm3.univ.trieste.it .
descr: Universita' degli Studi di Trieste
184.108.40.206 : from France :
220.127.116.11 : Another old Cobalt server from Spain :
Hostname : 16.red-212-78-145.user.auna.net
descr: Cable i Televisio de Catalunya
descr: Internet de Banda Ampla
EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1)
18.104.22.168 - 22.214.171.124
Message sent from
Edizioni Master Webmail
Full-Disclosure - We believe in it.
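The one concrete thing the thread suggests doing with this pattern is to search the Apache error logs for it and see which trailing bytes vary from host to host. The Python below is an added example, not code from this thread or from any project mentioned in it. It transcribes the 29 bytes from the listing quoted above, undoes the `\xHH`-style escaping Apache applies to non-printable bytes in its error log, and reports the variable tail per client. Three things are assumptions rather than facts from the thread: that the fixed part ends at the `xchg eax,ecx` byte (0x91 at offset 0x15), that a 16-bit port might sit in the first two tail bytes (both byte orders are reported), and the sample log lines themselves, which are constructed with RFC 5737 addresses and are not taken from any compromised server.

```python
import re

# Byte sequence transcribed from the disassembly listing quoted in the thread
# (offsets 0x00-0x1c, 29 bytes).
SIGNATURE = bytes.fromhex(
    "c6c22c" "37" "60" "c1efd4" "c4922264c66a" "e10d"
    "8a6a5f" "d44e" "91" "10044d00000000"
)

# Assumption: the thread only says the "final bytes" vary. Where the fixed part
# ends is not stated, so everything up to and including the xchg eax,ecx byte
# (0x91 at offset 0x15) is treated as fixed and the remaining 7 bytes as tail.
FIXED_LEN = 22
FIXED = SIGNATURE[:FIXED_LEN]
TAIL_LEN = len(SIGNATURE) - FIXED_LEN

# Apache writes non-printable bytes to the error log as \xHH and a few
# characters as C-style escapes; this table covers the C-style ones.
_C_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, "b": 0x08, "v": 0x0B,
              "\\": 0x5C, '"': 0x22}


def unescape_apache(field: str) -> bytes:
    """Turn an escaped error-log field back into the raw bytes the client sent."""
    out = bytearray()
    i = 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field):
            nxt = field[i + 1]
            if nxt == "x" and i + 3 < len(field):
                try:
                    out.append(int(field[i + 2:i + 4], 16))
                    i += 4
                    continue
                except ValueError:
                    pass  # not a valid \xHH: keep the backslash literally
            elif nxt in _C_ESCAPES:
                out.append(_C_ESCAPES[nxt])
                i += 2
                continue
        out.extend(ch.encode("latin-1", "replace"))
        i += 1
    return bytes(out)


def port_candidates(tail: bytes) -> dict:
    """Assumption: if the tail carries a 16-bit port it is in the first two
    bytes; both byte orders are reported because the thread does not say."""
    return {"big_endian": int.from_bytes(tail[:2], "big"),
            "little_endian": int.from_bytes(tail[:2], "little")}


# Apache error-log lines carry the peer address as "[client a.b.c.d]".
CLIENT_RE = re.compile(r"\[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")


def scan(lines):
    """Return one record per log line that contains the fixed part of the signature."""
    hits = []
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue
        raw = unescape_apache(m.group("msg"))
        idx = raw.find(FIXED)
        if idx < 0:
            continue
        tail = raw[idx + FIXED_LEN: idx + FIXED_LEN + TAIL_LEN]
        hits.append({"client": m.group("ip"), "tail_hex": tail.hex(),
                     "port_candidates": port_candidates(tail)})
    return hits


# Constructed sample log (RFC 5737 addresses), in Apache 1.3 error-log style.
SAMPLE_LOG = [
    # hit: the bytes exactly as listed in the thread
    r'[Fri Oct 29 03:12:41 2004] [error] [client 192.0.2.10] Invalid method in request '
    r'\xc6\xc2,7`\xc1\xef\xd4\xc4\x92\"d\xc6j\xe1\r\x8aj_\xd4N\x91\x10\x04M\x00\x00\x00\x00',
    # hit: same fixed part, different tail
    r'[Fri Oct 29 03:40:07 2004] [error] [client 198.51.100.7] Invalid method in request '
    r'\xc6\xc2,7`\xc1\xef\xd4\xc4\x92\"d\xc6j\xe1\r\x8aj_\xd4N\x91\x1f\x90M\x00\x00\x00\x00',
    # benign noise that must not match
    r'[Fri Oct 29 03:41:00 2004] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run it against a real `error_log` by replacing `SAMPLE_LOG` with the file's lines; hosts whose hits share a tail are worth comparing, since a per-host port would show up as a tail that is constant for one client and different across clients.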