Re: More /sumthin

From: D.C. van Moolenbroek
Date: 02/27/03

    From: "D.C. van Moolenbroek" <>
    To: <>
    Date: Thu, 27 Feb 2003 01:59:08 +0100

    It's safe to assume that this "./openssl" is the openssl-too-open[1] mod_ssl
    exploit by Solar Eclipse. The "-a" switch is used to specify a target type.
    These target types are indeed listed by OS and apache version, not by
    OpenSSL version, because the exploit needs offset information for the
    specific target platform, for which the SSL version only is not sufficient.
    On the other hand, the combination of OS (or actually, distribution) and
    apache version is usually sufficient to guess the SSL version, although I
    don't know whether the exploit actually needs the exact SSL version number
    at all, in order to exploit it successfully.

    Anyway, the error text in the handle_timeout() function (I quote, "Fuck it.
    Next..."), and the fact that stderr is used for output throughout the whole
    program, suggest that this http version grabber is being used as part of
    some mass scanner, which of course explains why so many people have seen the
    /sumthin stuff in their logs.

    It looks like a very inefficient tool indeed, as it starts the exploit
    without doing a simple mod_ssl version check - especially considering the
    fact that mentioned exploit opens thirty connections to the target host by
    default, before even verifying that the target is vulnerable. Note, though,
    that the exploit terminates immediately if port 443 is not open; also, my
    guess is that the attacker or masshack program would have mass-synscanned
    for port 443 before actually trying to use this tool on potential targets.




    ----- Original Message -----
    From: "Jonathan A. Zdziarski" <>
    To: "'Philipp Hug'" <>; "'Sverre H. Huseby'"
    <>; <>
    Sent: Wednesday, February 26, 2003 10:14 PM
    Subject: RE: More /sumthin

    Well whatever bugs this exploits, it seems that from the source code, it is
    more related to the version of Apache than it is the version of SSL; perhaps
    something to do with the way they interact. It doesn't even use port 443.

    Also being that ./openssl was called and not just plain old openssl, and
    that -a doesn't appear to be a valid openssl command, it's probably calling
    a script of sorts and we have no idea what that script does.

    > -----Original Message-----
    > From: Philipp Hug []
    > Sent: Wednesday, February 26, 2003 9:23 AM
    > To: Sverre H. Huseby;
    > Subject: Re: More /sumthin
    > I found the root of all evil ;-)
    > the /sumthin tool is attached. I got it from an "owned" server.
    > Philipp
    > ----- Original Message -----
    > From: "Sverre H. Huseby" <>
    > To: <>
    > Sent: Monday, February 03, 2003 9:52 AM
    > Subject: More /sumthin, maybe
    > > I got a couple of E-mails from a guy that _may_ have more info on the
    > > /sumthin case. One of his servers was "owned", and he _thinks_ the
    > > /sumthin request was the start of the attack. His E-mails follow:
    > >
    > > ==================================================================
    > >
    > > I got hit with the same thing. /sumthin is exactly what everyone
    > > thinks it is - a probe. Someone used my version info to exploit a
    > > bug in SSL. I still don't know what the bugs are yet, but it's
    > > really evident. From there, he logged in as my webserver, and
    > > totally F$%^&D my server. He set up some kind of irc server, and
    > > compromised so much of my server I'm having to rebuild from the
    > > ground up. He redirected the root .bash_history to /dev/null and
    > > redirected the mail logs and he set up an account called tcp so he
    > > could log in through ssh. Most of the services were shut down
    > > (that's how I figured something was up - I couldn't get my mail).
    > >
    > > even though he did wipe the root history, he forgot to wipe
    > > wwwrun's history, it's too long to post, but it will be up for a
    > > short while at http://XXX [Sverre says: URL removed. log file
    > > attached.]
    > >
    > > He also replaced bash and set the default runlevel to halt, so
    > > when I restarted the system just stopped (what a pisser).
    > >
    > > When I went back and grepped all the logs, the /sumthin only shows
    > > up in the logs of one domain (despite the fact we host around [N])
    > > and starts sometime around mid October as everyone else has
    > > noticed.
    > >
    > > ==================================================================
    > >
    > > I found things like this in /tmp and /var/tmp:
    > >
    > > drwxr-xr-x 3 wwwrun nogroup 153 Jan 26 04:10 a
    > > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz
    > > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.1
    > > -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.2
    > > -rwxr-xr-x 1 wwwrun nogroup 19577 Nov 28 15:55 alarmd
    > > drwxr-xr-x 5 wwwrun nogroup 635 Dec 22 17:00 orbit-root
    > > drwxr-xr-x 9 wwwrun nogroup 553 Jan 12 09:52 psybnc
    > > -rw-r--r-- 1 wwwrun nogroup 596571 Oct 17 23:19 psybnc.tar.gz
    > >
    > > after that I did a find / -user wwwrun and found a bunch of stuff
    > > and then discovered several other uids involved.
    > >
    > > ==================================================================
    > >
    > > The attached shell history file shows what appears to be a manual
    > > attacker downloading and installing several files using wget. Some of
    > > the files are no longer available, but the few I managed to download
    > > seem to be either related to IRC (server and bot), or to Linux local
    > > exploits. (I only spent a couple of minutes downloading and glancing
    > > at the files.)
    > >
    > >
    > > Sverre.
    > >
    > > --
    > > Computer Geek? Try my Nerd Quiz
    > >
    > >
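Added illustration of the detection side of this thread (not code from any of the posters): the script below parses Apache access-log lines, picks out requests for the /sumthin probe path whatever the response status (the grabber only wants the version banner), and summarises them per source address so those addresses can be compared against firewall or SSL logs for follow-up connections to port 443. The log lines are constructed samples, and `LOG_RE`, `parse_line` and `find_probes` are names chosen here.

```python
import re

# Apache common/combined log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

PROBE_PATH = "/sumthin"

# Constructed sample log lines (RFC 5737 documentation addresses), not from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Feb/2003:09:20:01 +0100] "GET /sumthin HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [26/Feb/2003:09:21:17 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [26/Feb/2003:09:20:09 +0100] "GET /sumthin HTTP/1.0" 404 276 "-" "-"
192.0.2.44 - - [26/Feb/2003:11:02:33 +0100] "GET /sumthin HTTP/1.0" 200 5120 "-" "-"
this line is not a log record
"""


def parse_line(line):
    """Parse one access-log line into a dict of fields; return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text, probe_path=PROBE_PATH):
    """Summarise requests for probe_path per source IP.

    Returns {ip: {"count": n, "first": ts, "last": ts, "statuses": {codes}}};
    first/last are in log order, and any status counts because the probe
    reads the server banner regardless of whether the path exists.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != probe_path:
            continue
        entry = hits.setdefault(
            rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"], "statuses": set()}
        )
        entry["count"] += 1
        entry["last"] = rec["ts"]
        entry["statuses"].add(int(rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, info in sorted(find_probes(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} probe(s), {info['first']} .. {info['last']}, statuses {sorted(info['statuses'])}")
```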


