
Re: Rooted, .haos on system



On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
> I've just received word that one of our customers was rooted, and he's asking about the file ".haos".  Nothing rings any bells, has anyone heard of it?

Just a quick update to this...

It looks like it was an IRC bot.  I found these interesting tidbits
throughout the various source trees left on the system (definitely a
script kiddie hack):

"   /.../    /m/src/Makefile":

	#
	#   Starglider Class EnergyMech, IRC bot software
	#   Copyright (c) 1997-2000  proton
	#
	#   This program is free software; you can redistribute it and/or modify
	#   it under the terms of the GNU General Public License as published by
	#   the Free Software Foundation; either version 2 of the License, or
	#   (at your option) any later version.

"   /.../    /m/emech.users":

	handle          Silviu
	mask            *!*@Scoobyy.users.undernet.org
	prot            4
	aop
	channel         *
	access          100

	handle          Malice
	mask            *!*@malice.users.undernet.org
	prot            4
	aop
	channel         *
	access          100

	handle          Mihai
	mask            *!*@p00f.users.undernet.org
	prot            4
	aop
	channel         *
	access          100

	handle          Doggy
	mask            *!*@Catelushu.users.undernet.org
	prot            4
	aop
	channel         *
	access          100

	handle          mortu
	mask            *!*@mortux.users.undernet.org
	prot            4
	aop
	channel         #DhT
	access          100

".../[wxz].users":


	handle          dxd
	mask            *!*dxd@*.*
	pass            nI-duWuaJw
	prot            4
	aop
	channel         *
	access          100

	handle          kappy
	mask            *!*kappy@*.*
	pass            0jgmlVQspb
	prot            4
	aop
	channel         *
	access          100

	handle          essence
	mask            *!*essence@*.*
	pass            wHC0Pmbfux
	prot            4
	aop
	channel         *
	access          100

	handle          karamel
	mask            *!*KarameL@*.*
	pass            kdiF0eQFYv
	prot            4
	aop
	channel         *
	access          100

	handle          DJcontact
	mask            *!*anathema@*.*
	pass            uSfKIJhaCS
	prot            4
	aop
	channel         *
	access          100

Other notes:

- a number of 'sendmail.c', 'modutils.sh', 'efstool.c', etc. files
kicking around
- a couple of binaries called 'httpd'
- an empty file called
"????????1?1?1??F??1?Q?8eshf5VJP?eebif5JJP??QS??1?1?????.eng"
- a couple of other system binaries (i.e. bash)


I still have the original 'haos' and 'haos2' tarballs, if anyone is
interested in looking at them.  They both contain libpcap, and look to
be some sort of an automated SSH exploiter, judging by the contents of
the files "targets" and "targets.txt":

<snip>
Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small -  SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Small - SSH-1.5-OpenSSH-1.2.3,0x0806d000,0x080725ec,0x0000c804,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
Small - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
</snip>


If anyone wants more info, I'm willing to pass it on.  But I'm going to
guess they got in via OpenSSH, given the nature of the scanners and the
version of the daemon running on the box.  I'm not sure where the group
came from, but here's a quick quote from one of the shell scripts
("haosx"), and I'll leave you all at that:


   echo "$rver haosx for Linuxz"
   else
   echo ""
   # Romanian: "Wait a few seconds for me to calm down.."
   echo "$rver Asteapta cateva secunde sa ma linistesc.."
   # Romanian (vulgar): "Take a break for a wank until we scan something."
   echo "Ia o pauza de o laba pana scanam ceva."
   echo "www.haos2.com"
   echo "Thanks 2 friends : in #haos channel."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com