Security Incidents: Re: The x.c worm

Re: The x.c worm

From: Dave Dittrich <dittrich_at_cac.washington.edu>
Date: Tue, 4 Sep 2001 12:37:37 -0700 (PDT)

On Tue, 4 Sep 2001 niels.heinen_at_ubizen.com wrote:

> I was wondering if anyone has more information about this worm. I mean
> source, log files, anything ;]
>
> For those that have not heard about this worm: x.c exploits the recently
> discovered buffer overflow in BSD-derived telnet daemons. More information
> can be found here:
>
> http://www.nipc.gov/warnings/assessments/2001/01-019.htm
> http://www.incidents.org/diary/diary.php#012

Niels,

Since the details I've seen on this are not yet public, I'll stick to
what is public and give some hints on how to detect this on the wire.

If you want a fingerprint for your IDS, take a look at the following
shellcode:

        http://msgs.securepoint.com/cgi-bin/get/bugtraq0107/293.html

/* x86/bsd(i)+solaris execve shellcode
 * by lorian/teso
 *
 * What it does: stores ~0x3cfff8ff (= 0xc3000700) and 0x9a with stosd at a
 * fixed address it assumes writable (0x08eeeeee, edi), so that memory at
 * 0x08eeeeea reads "9a 00 00 00 00 07 00 c3", i.e. lcall $0x7,$0x0 ; ret,
 * the BSD/Solaris syscall gate.  It then pushes "//bin/sh" (NUL from edx),
 * builds argv = {path, NULL} and envp = NULL on the stack, sets al = 0x3b
 * (execve) and does call *%edi into that stub.  Note the 0xff bytes in
 * "\xb8\xff\xf8\xff\x3c" and "\xff\xd7": 0xff is telnet IAC, so a raw
 * byte signature must take IAC escaping into account.
 */
 unsigned char x86_bsd_compaexec[] =
     "\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0"
     "\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b"
     "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
     "\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7";

For more details on what to look for using nmap, see Bill Stearns'
"xcfind" program:

        http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/xcfind.htm

        AddedLine /etc/rc.local '/usr/sbin/cron '
        AddedLine /etc/inetd.conf '^uaac stream tcp nowait root /bin/sh sh -i$'
        AddedLine /etc/hosts.allow '^sh: ALL$'

        ServicesStopped \
          inetd

        echo Please note that your system may have had a root shell opened
        echo on tcp port 145. You should check the system for any additional
        echo damage caused via incoming connections on that port.

(Use Bill's "xcfind" tool for local host detection, but realize that
it may, in future, give false positive results if a rootkit or
loadable kernel module is used in conjunction with an exploit like
this.)

--
Dave Dittrich                           Computing & Communications
dittrich_at_cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington
PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
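As an added example (not code from the original post, from teso, or from xcfind), the two detection angles Dave describes above, written out in Python: matching the quoted shellcode in a telnet stream, including the case where the sender IAC-escapes the 0xff bytes (telnet carries a literal 0xff data byte as IAC IAC, RFC 854, so a raw byte match would miss it), and checking a host's inetd.conf, hosts.allow and rc.local for the lines the xcfind fragment flags. The telnet payloads and file contents below are constructed for the example, and the 0xff-free sub-signature EXECVE_BINSH_SIG is my choice of invariant, not something the post defines.

```python
import re

# Shellcode bytes exactly as quoted in the post (lorian/teso x86 BSD/Solaris execve).
X86_BSD_COMPAEXEC = (
    b"\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0"
    b"\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b"
    b"\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
    b"\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7"
)

# Assumed sub-signature (my choice): push NULL; push "n/sh"; push "//bi"; mov ebx,esp.
# It contains no 0xff, so it matches whether or not the stream was IAC-escaped.
EXECVE_BINSH_SIG = b"\x52\x68n/sh\x68//bi\x89\xe3"


def telnet_unescape_iac(payload: bytes) -> bytes:
    """Collapse the telnet escape IAC IAC (0xff 0xff) into one data byte 0xff.

    Other IAC sequences (option negotiation such as IAC DO x) are left alone so
    that a raw, unescaped exploit stream still matches byte for byte."""
    out = bytearray()
    i = 0
    while i < len(payload):
        if payload[i] == 0xFF and i + 1 < len(payload) and payload[i + 1] == 0xFF:
            out.append(0xFF)
            i += 2
        else:
            out.append(payload[i])
            i += 1
    return bytes(out)


def match_shellcode(payload: bytes, sig: bytes = X86_BSD_COMPAEXEC):
    """Return 'raw' if sig is in the payload as sent, 'iac-escaped' if it only
    appears after collapsing IAC IAC, or None if it is absent."""
    if sig in payload:
        return "raw"
    if sig in telnet_unescape_iac(payload):
        return "iac-escaped"
    return None


# Host indicators taken from the xcfind fragment quoted in the post.
HOST_INDICATORS = {
    "/etc/inetd.conf": re.compile(
        r"^uaac\s+stream\s+tcp\s+nowait\s+root\s+/bin/sh\s+sh\s+-i\s*$", re.M),
    "/etc/hosts.allow": re.compile(r"^sh:\s*ALL\s*$", re.M),
    "/etc/rc.local": re.compile(r"^/usr/sbin/cron\s*$", re.M),
}


def check_host_files(files: dict) -> list:
    """files maps path -> file contents (read them however you like).
    Returns one finding string per indicator that matches."""
    findings = []
    for path, pattern in HOST_INDICATORS.items():
        m = pattern.search(files.get(path, ""))
        if m:
            findings.append(f"{path}: {m.group(0).strip()!r}")
    return findings


def _escape_iac(data: bytes) -> bytes:
    """Model a sender that escapes 0xff as IAC IAC (used only to build samples)."""
    return data.replace(b"\xff", b"\xff\xff")


# Constructed samples: not captured traffic and not files from a real victim.
SAMPLE_RAW = b"\xff\xfd\x18" + b"A" * 32 + X86_BSD_COMPAEXEC + b"\r\n"
SAMPLE_ESCAPED = b"\xff\xfd\x18" + b"A" * 32 + _escape_iac(X86_BSD_COMPAEXEC) + b"\r\n"
SAMPLE_CLEAN = b"\xff\xfd\x18login: root\r\n"

SAMPLE_COMPROMISED = {
    "/etc/inetd.conf": "telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n"
                       "uaac stream tcp nowait root /bin/sh sh -i\n",
    "/etc/hosts.allow": "ALL: LOCAL\nsh: ALL\n",
    "/etc/rc.local": "#!/bin/sh\n/usr/sbin/cron \n",
}
SAMPLE_CLEAN_HOST = {
    "/etc/inetd.conf": "telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n",
    "/etc/hosts.allow": "ALL: LOCAL\n",
    "/etc/rc.local": "#!/bin/sh\n",
}

if __name__ == "__main__":
    for name, p in (("raw", SAMPLE_RAW), ("escaped", SAMPLE_ESCAPED), ("clean", SAMPLE_CLEAN)):
        print(name, match_shellcode(p), match_shellcode(p, EXECVE_BINSH_SIG))
    print(check_host_files(SAMPLE_COMPROMISED))
    print(check_host_files(SAMPLE_CLEAN_HOST))
```

The inetd line registers the shell under the service name "uaac", which /etc/services maps to 145/tcp, so on the network side `nmap -p 145 <range>` lists candidate hosts; an open port alone is not proof, so confirm by connecting before acting on it. As the post notes, file-based checks like these are only as good as the view the kernel gives you, so treat a clean result on a suspect host as inconclusive rather than negative.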
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Sep 04 2001