Re: Rooted, .haos on system

From: Damian Gerow <damian@sentex.net>
To: incidents@securityfocus.com
Date: 16 Dec 2002 12:38:33 -0500

    On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
    > I've just received word that one of our customers was rooted, and he's asking about the file ".haos". Nothing rings any bells, has anyone heard of it?

    Just a quick update to this...

    It looks like it was an IRC bot. I found these interesting tidbits
    throughout the various source trees left on the system (definitely a
    script kiddie hack):

    " /.../ /m/src/Makefile":

            #
            # Starglider Class EnergyMech, IRC bot software
            # Copyright (c) 1997-2000 proton
            #
            # This program is free software; you can redistribute it and/or modify
            # it under the terms of the GNU General Public License as published by
            # the Free Software Foundation; either version 2 of the License, or
            # (at your option) any later version.

    " /.../ /m/emech.users":

            handle Silviu
            mask *!*@Scoobyy.users.undernet.org
            prot 4
            aop
            channel *
            access 100

            handle Malice
            mask *!*@malice.users.undernet.org
            prot 4
            aop
            channel *
            access 100

            handle Mihai
            mask *!*@p00f.users.undernet.org
            prot 4
            aop
            channel *
            access 100

            handle Doggy
            mask *!*@Catelushu.users.undernet.org
            prot 4
            aop
            channel *
            access 100

            handle mortu
            mask *!*@mortux.users.undernet.org
            prot 4
            aop
            channel #DhT
            access 100

    ".../[wxz].users":

            handle dxd
            mask *!*dxd@*.*
            pass nI-duWuaJw
            prot 4
            aop
            channel *
            access 100

            handle kappy
            mask *!*kappy@*.*
            pass 0jgmlVQspb
            prot 4
            aop
            channel *
            access 100

            handle essence
            mask *!*essence@*.*
            pass wHC0Pmbfux
            prot 4
            aop
            channel *
            access 100

            handle karamel
            mask *!*KarameL@*.*
            pass kdiF0eQFYv
            prot 4
            aop
            channel *
            access 100

            handle DJcontact
            mask *!*anathema@*.*
            pass uSfKIJhaCS
            prot 4
            aop
            channel *
            access 100

    Other notes:

    - a number of 'sendmail.c', 'modutils.sh', 'efstool.c', etc. files
    kicking around
    - a couple of binaries called 'httpd'
    - an empty file called
    "????????1?1?1??F??1?Q?8eshf5VJP?eebif5JJP??QS??1?1?????.eng"
    - a couple of other system binaries (i.e. bash)

    I still have the original 'haos' and 'haos2' tarballs, if anyone is
    interested in looking at them. They both contain libpcap, and look to
    be some sort of automated SSH exploiter, judging by the contents of the
    files 'targets' and 'targets.txt':

    <snip>
    Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Small - SSH-1.5-OpenSSH-1.2.3,0x0806d000,0x080725ec,0x0000c804,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
    Small - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
    Big - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
    </snip>

    If anyone wants more info, I'm willing to pass it on. But I'm going to
    guess they got in via OpenSSH, given the nature of the scanners and the
    version of the daemon running on the box. I'm not sure where the group
    came from, but here's a quick quote from one of the shell scripts
    ("haosx"), and I'll leave it at that:

       echo "$rver haosx for Linuxz"
       else
       echo ""
       echo "$rver Asteapta cateva secunde sa ma linistesc.."
       echo "Ia o pauza de o laba pana scanam ceva."
       echo "www.haos2.com"
       echo "Thanks 2 friends : in #haos channel."

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
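Two of the artefacts quoted in the post have a regular enough shape to be parsed mechanically: the EnergyMech user files (blank-line-separated records of `key value` lines, with value-less keywords such as `aop`) and the scanner's `targets` table (`Big`/`Small`, an sshd banner, then numeric columns). The block below is an added example, not code from the original post or from EnergyMech or the haos kit; it parses both formats, pulls out the hostmasks and passwords an incident handler would record as indicators, and checks a host's sshd banner against the target list. The sample inputs are copied from the post's quoted files; the record and target classes, their field names and the banner normalisation are this example's own assumptions. Note that the file spells the software part both `OpenSSH-2.1.1` and `OpenSSH_2.1.1`, while a real sshd banner uses the underscore form, so the comparison folds the two spellings together. The meaning of the numeric columns is not documented in the post and is not interpreted here.

```python
"""Parse EnergyMech user files and the SSH scanner's 'targets' table quoted
in the post, then check an sshd banner against that table.

Added example; not code from the post, EnergyMech or the haos kit.
The sample inputs below are copied from the files quoted in the post."""
from dataclasses import dataclass, field
from typing import List, Optional

# Sample emech.users content (two records copied from the post).
EMECH_USERS = """\
handle Silviu
mask *!*@Scoobyy.users.undernet.org
prot 4
aop
channel *
access 100

handle dxd
mask *!*dxd@*.*
pass nI-duWuaJw
prot 4
aop
channel *
access 100
"""

# Sample 'targets' lines copied from the post.
TARGETS = """\
Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
"""


@dataclass
class MechUser:
    """One record of an EnergyMech user file (field names assumed here)."""
    handle: str
    mask: str                          # IRC hostmask granted access to the bot
    password: Optional[str] = None     # 'pass' line, present only in some records
    channel: str = "*"
    access: int = 0
    flags: List[str] = field(default_factory=list)   # value-less keywords, e.g. 'aop'


@dataclass
class Target:
    """One line of the scanner's 'targets' table (field names assumed here)."""
    label: str          # 'Big' / 'Small', as written in the file
    banner: str         # sshd version banner the entry applies to
    values: List[int]   # numeric columns; their meaning is not given in the post


def parse_emech_users(text: str) -> List[MechUser]:
    """Records are separated by blank lines; each line is 'key value' or a bare keyword."""
    users = []
    for block in text.strip().split("\n\n"):
        rec, flags = {}, []
        for line in block.splitlines():
            key, _, value = line.strip().partition(" ")
            if value:
                rec[key] = value
            else:
                flags.append(key)
        users.append(MechUser(handle=rec["handle"], mask=rec["mask"],
                              password=rec.get("pass"),
                              channel=rec.get("channel", "*"),
                              access=int(rec.get("access", 0)), flags=flags))
    return users


def parse_targets(text: str) -> List[Target]:
    """'<label> - <banner>,<col>,<col>,...' with hex or decimal columns."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        label, _, rest = line.partition(" - ")
        cols = rest.split(",")
        targets.append(Target(label=label, banner=cols[0],
                              values=[int(c, 0) for c in cols[1:]]))
    return targets


def indicators(users: List[MechUser]) -> dict:
    """Hostmasks and bot passwords worth recording from a recovered user file."""
    return {"masks": sorted(u.mask for u in users),
            "passwords": sorted(u.password for u in users if u.password)}


def normalise(banner: str) -> str:
    # The targets file mixes 'OpenSSH-2.1.1' and 'OpenSSH_2.1.1'; real sshd
    # banners use '_', so fold both spellings onto one form before comparing.
    return banner.strip().replace("_", "-")


def banner_targeted(banner: str, targets: List[Target]) -> List[Target]:
    """Return the target entries whose banner equals the host's sshd banner."""
    want = normalise(banner)
    return [t for t in targets if normalise(t.banner) == want]


if __name__ == "__main__":
    users = parse_emech_users(EMECH_USERS)
    print(indicators(users))
    hits = banner_targeted("SSH-1.99-OpenSSH_2.1.1", parse_targets(TARGETS))
    print([(t.label, t.banner) for t in hits])
```

In an investigation the banner passed to `banner_targeted` would come from the victim's own sshd (for example the first line returned by connecting to port 22); here it is constructed inline so the block runs offline.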