Re: [Full-Disclosure] Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???

From: Thierry Haven (thierry.haven_at_xmcopartners.com)
Date: 10/29/04

  • Next message: Thierry Carrez: "[Full-Disclosure] [ GLSA 200410-31 ] Archive::Zip: Virus detection evasion"
    To: Elia Florio <eflorio@edmaster.it>, full-disclosure@lists.netsys.com
    Date: Fri, 29 Oct 2004 12:27:42 +0200

    Hi,
    It appears that the signature is

    00000000 C6C22C mov dl, 2C
    00000003 37 aaa
    00000004 60 pushad
    00000005 C1EFD4 shr edi, D4
    00000008 C4922264C66A les edx, dword ptr [edx+6AC66422]
    0000000E E10D loopz 0000001D
    00000010 8A6A5F mov ch, byte ptr [edx+5F]
    00000013 D44E aam (base78)
    00000015 91 xchg eax,ecx
    00000016 10044D00000000 adc byte ptr [2*ecx+104D044D], al

    The beginning and the end of the disassembly may be wrong if the signature
    is not complete. However, it doesn't make much sense globally, and this
    code is too short to see a potential attack: no memory is written here.
    By the way, where is this signature from?

    _______________________________________
    Thierry Haven - Xmco Partners
    Security Consultant / Penetration Testing

    tel : 33 1 53 45 28 63
    web : http://www.xmcopartners.com
    16 place Vendome 75001 PARIS

    Elia Florio wrote:

    >Hi list,
    >I'm fighting again against a hacker crew
    >(I suppose the same one mentioned in this link:
    >http://seclists.org/lists/incidents/2004/Jul/0056.html )
    >which is installing various malware on many
    >compromised boxes to get a group of zombies ready to run.
    >(see my previous mail on "xpire.info" and "splitinfinity.info")
    >
    >I've found in some logs that they use different exploits on port 80,
    >but one exploit is specific to Apache 1.3.27 (with PHP/Perl
    >and other modules installed).
    >
    >It looks like an overflow. I know that 1.3.27 is a buggy version,
    >but I would like to know if anyone has seen this code before.
    >Extracted from the error log of Apache:
    >
    >216.40.203.9 - - [28/Oct/2004:10:54:37 +0200]
    >"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd8(xcbtxa6xba"
    >400 299
    >
    >140.105.55.159 - - [08/Oct/2004:15:55:35 +0200]
    >"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_x8ci7x9fx8cxec" 400
    >-
    >
    >195.140.140.122 - - [11/Oct/2004:03:58:05 +0200]
    >"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xc3x8cx8czxcfx19"
    >400 -
    >
    >212.78.145.16 - - [13/Oct/2004:20:48:23 +0200]
    >"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd4Nx91x10x04M" 400
    >-
    >
    >65.125.235.250 - - [28/Oct/2004:09:55:02 +0200]
    >"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe5"
    >400 - "-" "-"
    >
    >65.125.235.250 - - [28/Oct/2004:09:55:58 +0200]
    >"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe8"
    >400 - "-" "-"
    >
    >I would suggest that any sysadmin using Apache 1.3.27 ban these subnets
    >from their hosts, because all attacks are coming from these machines:
    >
    >216.40.203.*,
    >140.105.55.*,
    >195.140.140.*,
    >212.78.145.*,
    >65.125.235.*
    >(...and obvious "xpire.info")
    >
    >Someone suggests to me that they are related to :
    >
    >Qwest Communications NET-QWEST-BLKS-4 (NET-65-112-0-0-1)
    >65.112.0.0 - 65.127.255.255
    >EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1)
    >65.125.224.0 - 65.125.239.255
    >
    >The exploits left these signatures (I have to translate the opcodes into asm):
    >
    >xC6 xC2 x2C x37 x60 xC1 xEF xD4 xC4 x92 x22 x64 xC6 x6A xE1 x0D x8A
    >x6A x5F xD4 x4E x91 x10 x04 4D
    >
    >The last bytes change in every attempt, so this seems to be a
    >brute-force attempt to get a valid return address to execute the exploit.
    >
    >Probably the exploit works for a specific version of Apache/Linux kernel,
    >so the hacker has to try many times with different return addresses to
    >find the right way to execute it.
    >
    >Any comments?
    >
    >EF
    >
    >________________________________________________
    >Message sent by
    >Edizioni Master Webmail
    >http://mbox.edmaster.it
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
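Added example, not code from either poster: a Python script that re-parses the six access-log entries quoted above, undoes Apache's `\xNN` log escaping, and splits each captured request into the byte prefix shared by all attempts (the part usable as a detection signature) and the short tail that changes per attempt. It assumes the lines were originally unwrapped and that Apache logged the embedded quote as `\"`; both are restored in the constructed input since the archive stripped the backslashes.

```python
import re

# The six access-log lines quoted in the thread, reassembled one per line with
# Apache's backslash escapes restored (the archive had stripped them); the quote
# inside the request is assumed to have been logged as \" (constructed input).
LOG_LINES = [
    r'216.40.203.9 - - [28/Oct/2004:10:54:37 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1r\x8aj_\xd8(\xcbt\xa6\xba" 400 299',
    r'140.105.55.159 - - [08/Oct/2004:15:55:35 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1r\x8aj_\x8ci7\x9f\x8c\xec" 400 -',
    r'195.140.140.122 - - [11/Oct/2004:03:58:05 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1r\x8aj_\xc3\x8c\x8cz\xcf\x19" 400 -',
    r'212.78.145.16 - - [13/Oct/2004:20:48:23 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1r\x8aj_\xd4N\x91\x10\x04M" 400 -',
    r'65.125.235.250 - - [28/Oct/2004:09:55:02 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1r\x8aj_A}\xeb\xfa\x8a\xe5" 400 - "-" "-"',
    r'65.125.235.250 - - [28/Oct/2004:09:55:58 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1r\x8aj_A}\xeb\xfa\x8a\xe8" 400 - "-" "-"',
]

# Common log format; the request field may contain \" so "[^"]*" would cut it short.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(.)')

def unescape_field(field: str) -> bytes:
    """Undo Apache's escaping: \\xNN becomes one byte, \\" and \\\\ one char."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return m.group(2)
    return ESC_RE.sub(repl, field).encode('latin-1')

def parse(line: str):
    """Return (client, timestamp, raw request bytes, status), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, req, status = m.groups()
    return client, ts, unescape_field(req), int(status)

def common_prefix(blobs):
    """Longest byte prefix shared by every entry."""
    n = min(map(len, blobs))
    while n and len({b[:n] for b in blobs}) > 1:
        n -= 1
    return blobs[0][:n]

def derive_signature(lines):
    """Fixed prefix common to all captured requests, plus each varying tail."""
    reqs = [p[2] for p in map(parse, lines) if p is not None]
    sig = common_prefix(reqs)
    return sig, [r[len(sig):] for r in reqs]

def is_hit(line: str, sig: bytes) -> bool:
    p = parse(line)
    return p is not None and p[2].startswith(sig)
```

On these six lines the shared prefix is 20 bytes long and every tail is 6 bytes, which is the per-attempt variation Elia describes; `is_hit` can then be run over a live access log to flag further attempts.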

