Re: Strange Attack On A Webserver I Work On

From: Reimundo Heluani (heluani_at_MIT.EDU)
Date: 10/28/04

  • Next message: Keller, Tim: "RE: Strange Attack On A Webserver I Work On"
    Date: Thu, 28 Oct 2004 10:08:41 -0400
    To: focus-linux@securityfocus.com
    
    

    My guess is that this guy definitely was a script kiddie. A site that
    seems to have been hacked with the same script is

    www.che-lives.com/home/

    You can contact them and share information.

    If you Google for the e-mail addresses that appear in the flooder
    you're going to find a couple of "online role playing profiles"! You
    can trace them to a role playing site in Brazil and another in Russia!
    I guess you'll find those kids if you spend one or two days surfing IRC.

    R.

    On Oct 27, 2004, at 3:56 AM, TJ Easter wrote:

    > On Tue, 26 Oct 2004 20:30:37 -0400, Matthew J. Sahagian
    > <gent@dotink.org> wrote:
    >> Hello, I'm a long time reader of this list and have never really had
    >> the need to post here. However, recently a webserver that I do
    >> minimal administrative work for was attacked. We're still unsure
    >> exactly what had been done. Most of the logs have been either
    >> cleaned or wiped completely (either by log rotate or by the
    >> attacker). I was gone for the weekend so I sorta came back to this.
    >> I don't really have questions about the attack per se, we're doing
    >> pretty well at the recovery process.... one question I do have
    >> however is this.
    >>
    >> The attacker (either manually or using a program) replaced all
    >> index.html/htm and index.php files they had permission to replace
    >> with a UDP flooder. I extracted some of the information from the
    >> flooder using the strings program and here's what I get:
    >>
    >> !HELP! beta version.
    >> !HELP!
    >> !HELP! #brazil@efnet - eleet team
    >> !HELP! + code by bonny ::: bonny@hacker.com.br
    >>
    >> !CREDITS! * creditos aos amigos e a quem me ajudou.
    >> !CREDITS!
    >> !CREDITS! * none (root@suid.net) ::: Brazil
    >> !CREDITS! packet spoof
    >> !CREDITS! * cyclone (cyc@pop.com.br) ::: Brazil
    >> !CREDITS! parceiro das hackadas, aprende rapido
    >> !CREDITS! * mariana (mazinha@brasnet.org) ::: Brazil
    >> !CREDITS! minha leet girl, exclusiva :)
    >> !CREDITS! * alcaloide (root@***.net) ::: Brazil
    >> !CREDITS! super lamer, versao 3 pra pacotar ele
    >>
    >> * Opcao invalida! * %s para maiores informacoes.
    >>
    >> !AJUDA!: %s -help
    >>
    >> CREDITS: %s -credits
    >>
    >> !USAGE!: %s (host/ip) (size) (loops)
    >>
    >> (host/ip) == host do babaca a ser fudido.
    >> (size) == bytes a serem enviados.
    >> (loops) == tempo da fudecao/s.
    >>
    >> CTRL-C - ACAO CANCELADA!
    >>
    >> FUDEDOR (v3.0) by bonny - PRIVATE!@#!
    >> host desconhecido: %s
    >> Maximo de bytes permitodos: 65535.
    >>
    >> A maquina nao tem memoria suficiente.
    >>
    >> FUDENDO A VERA %s COM %s bytes...
    >>
    >> pronto maneh, o babaca foi fudido! :)
    >>
    >> My question to anyone out there who can answer it is this, do you
    >> know of any kind of automated attack that replaces index files for
    >> websites with such a flooder? It doesn't seem like this hack was
    >> extremely well thought out, or done by anything more than a script
    >> kiddy... if it was, why would they replace these files with this
    >> binary program? Why not replace it with a new index.html file saying
    >> we got hacked?
    >>
    >
    > Matthew,
    > I see two possible scenarios here.
    >
    > (a) Zombie network. This is unlikely due to the text/html and PHP
    > handlers either not executing code (html) or not being able to
    > correctly parse (php) the code.
    >
    > (b) An errant search/replace find(1) or similar. It's well within
    > reason to believe that the kiddie who rooted your box had a UDP
    > flooder AND a replacement HTML file, and accidentally
    > keyed-in/tab-completed the wrong filename when doing the replace. I've
    > seen some horrid keying mistakes on compromised equipment.
    >
    > My guess lies with the latter. She probably realized the mistake,
    > said screw it, cleaned the logs with an automated cleaner and cut her
    > losses.
    >
    > Any hints in the .bash_history file? You'd be surprised how many
    > kiddies forget to clean that file.
    >
    > Regards,
    > TJ Easter
    >
    > --
    > "Television is not an education."
    > http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x31185D8E
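As an added example that is not part of the thread, the following Python script checks a web document root for the pattern Matthew describes: index.html/htm/php files that are now ELF binaries, or that carry the marker strings from the quoted strings(1) output. The sample tree it scans is constructed inline; file names and the marker list are assumptions.

```python
"""Find index files in a docroot that have been replaced by a binary."""
import os
import tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}
ELF_MAGIC = b"\x7fELF"
# Marker strings taken from the strings(1) output quoted in the thread.
KNOWN_MARKERS = (b"FUDEDOR", b"!HELP!", b"!CREDITS!")


def classify_index_file(path):
    """Return a reason string if the file looks like a dropped binary, else None."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(ELF_MAGIC):
        return "ELF executable in place of index file"
    if b"\x00" in head:
        return "binary content (NUL bytes) in index file"
    if any(marker in head for marker in KNOWN_MARKERS):
        return "contains flooder marker string"
    return None


def scan_docroot(root):
    """Walk the docroot and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                full = os.path.join(dirpath, name)
                reason = classify_index_file(full)
                if reason:
                    findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree (assumption, not real data): two clean index
    files and one index.php that is an ELF header followed by a marker."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html><body>Hello</body></html>\n")
    with open(os.path.join(root, "blog", "index.htm"), "wb") as fh:
        fh.write(b"<html><body>Blog</body></html>\n")
    with open(os.path.join(root, "blog", "index.php"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13 + b"FUDEDOR (v3.0)")
    return root


if __name__ == "__main__":
    for rel, reason in scan_docroot(build_sample_docroot()):
        print(f"{rel}: {reason}")
```

Point it at a real docroot with `scan_docroot("/var/www")`; a hit on an index file is worth comparing against a known-good backup before restoring.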

