Re: awstats holes being exploited in the wild
From: Skip Carter (skip_at_mira.taygeta.com)
Date: 03/15/05
- Previous message: John Pettitt: "Re: awstats holes being exploited in the wild"
- In reply to: Jeremy Anderson: "awstats holes being exploited in the wild"
To: incidents@securityfocus.com
Date: Tue, 15 Mar 2005 14:01:49 -0800
> I did a find on 's', and it turned up a new directory: /var/tmp/.cache
> this directory had the following files:
>
> -rwxr-xr-x 1 apache apache 433332 Mar 13 10:12 0*
> -rwxr-xr-x 1 apache apache 147 Jul 29 2004 clear.sh*
> -rw-r--r-- 1 apache apache 253 Mar 14 08:22 ftp
> -rw-r--r-- 1 apache apache 0 Mar 14 08:22 Garion.seen
> -rwxr-xr-x 1 apache apache 160867 Mar 21 2005 httpd*
> -rwxr-xr-x 1 apache apache 24747 Mar 13 10:12 j*
> -rwxr-xr-x 1 apache apache 31757 Mar 13 10:12 k*
> -rw-r--r-- 1 apache apache 22983 Jul 29 2004 mech.help
> -rw-r--r-- 1 apache apache 1064 Mar 14 08:22 mech.levels
> -rw-r--r-- 1 apache apache 6734 Mar 13 10:12 mech.pid
> -rw-r--r-- 1 apache apache 522 Mar 14 08:22 mech.session
> -rw-r--r-- 1 apache apache 827 Mar 21 2005 mech.set
> -rwxr-xr-x 1 apache apache 22158 Mar 13 09:42 s*
> -rwxr-xr-x 1 apache apache 61 Mar 21 2005 start.sh*
> -rwxr-xr-x 1 apache apache 22446 Mar 13 10:12 v1*
> -rwxr-xr-x 1 apache apache 23414 Mar 13 10:12 v2*
> -rwxr-xr-x 1 apache apache 26958 Mar 13 10:12 x*
> j is juno.c by Sorceror of DALnet
> k is the ptrace program by anszom@v-lo.krakow.pl
> v1 is vadim v.Ibeta
> v2 is vadim v.IIbeta
> x is apparently a ptrace program by Wojciech Purcynski (referenced at
> http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-03/0201.html )
I recently tracked down a phishing site to a compromised server
in Japan. Interestingly, several of the above files
(in particular the mech files and the ptrace program)
were installed there; it also had the tuxkit rootkit installed
on it. That system appears to have been compromised by a
vulnerable sshd.
--
Dr. Everett (Skip) Carter
Taygeta Network Security Services
1340 Munras Ave., Suite 314
Monterey, CA. 93940
Phone: 831-641-0645 FAX: 831-641-0647
email: skip@taygeta.net
WWW: http://www.taygeta.net/
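A triage sweep for the pattern in the quoted listing (a hidden directory under a temp path holding files owned by the web-server account), as an added example that is not part of the original message. The function name, the `TEMP_ROOTS` list, the default `apache` account and the one-day future-mtime threshold are assumptions; the listing's `Mar 21 2005` dates on a message dated 03/15/05 are why modification times ahead of the clock are tagged too.

```python
import os
import pwd
import stat
import sys
import time

# Assumption: scratch locations to sweep; adjust per host.
TEMP_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")


def scan_temp_root(root, owner_uid, now=None):
    """List regular files owned by owner_uid that sit under a hidden
    (dot-prefixed) directory below root, as (path, reasons) tuples."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if not any(p.startswith(".") and p != "." for p in parts):
            continue  # only directories with a hidden path component
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # removed or unreadable during the walk
            if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
                continue
            reasons = ["in-hidden-dir"]
            if st.st_mode & 0o111:
                reasons.append("executable")
            if st.st_mtime > now + 86400:  # assumed threshold: one day ahead
                reasons.append("future-mtime")
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    # Assumed default account name; pass the web-server user as argv[1].
    user = sys.argv[1] if len(sys.argv) > 1 else "apache"
    uid = pwd.getpwnam(user).pw_uid
    for root in TEMP_ROOTS:
        if os.path.isdir(root):
            for path, reasons in scan_temp_root(root, uid):
                print(f"{path}\t{','.join(reasons)}")
```

Files in the hidden directory that are not executable are still reported, since configuration and session files such as the `mech.*` set in the listing are evidence in their own right.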