I mentioned that we're (Brian and I) both quite paranoid when it comes to security. In fact, I'd say that I'm borderline psychotic in this regard. And in many regards. Perhaps even in all regards. But anyway...
I'd just read about a rather nasty worm that fed on outdated SSL libraries and would easily spread using any SSL enabled version of the Apache webserver. We use one of those (an SSL enabled Apache, not a nasty worm) so I knew it was patch and compile time. I quickly upgraded the RPMs for OpenSSL and recompiled apache-ssl. Then, to calm my paranoia, I checked to verify that we'd not been infected.
The variant of the worm that was propagating at that time was pretty easy to detect and clean up. It would put a bit of hidden C source in /tmp/, namely ".bugtraq.c". And it would compile ".bugtraq.c" to ".bugtraq", creating a daemon that would attempt to propagate the worm. So I did a quick ls -la (this lists all files, including hidden ones) in /tmp and was not very happy with what I saw.
No, I didn't find ".bugtraq.c". I found this:
drwxr-xr-x 2 nobody nobody 48 Dec 16 18:27 .tmp
At that point, I got an icky, stomach-wrenching feeling, much like someone probably gets when he knows that he has just stepped on a mine (before it blows him to bits, that is). Having never stepped on a mine myself, I can only presume. But it seems a reasonable presumption, doesn't it? But anyway, I cd'ed into .tmp and did another ls -la. Inside was a binary file called back and source files backwget.c and backlyn.c. Now I knew I was in trouble. And I reacted as any sane, competent admin would: I let out a relaxing string of curse words which, as this is a family-friendly site, I'll not repeat here.
After I cursed for an hour or two, I opened backwget.c in my trusty text editor. (nano, not vi! vi is vile.) I'll not post the source for this file here, as I'd rather not make it any easier for someone to get started in the cracking world. I made specific note of these lines, which I will post:
#define PORT 55555
strcpy(argv[0],"/usr/local/apache/bin/httpd");
execl("/bin/sh","sh",(char *)0);
It was indeed a nice little backdoor, as its name let on, and later googling would show that it was a fairly common one, used by all sorts of different automated break in kits. This one would attach itself to port 55555 and attempt to masquerade as apache. Of course our apache install is not in /usr/local/ so that wouldn't have worked on rocket, but that's neither here nor there nor anywhere else.
The fact was, it was a backdoor, and a quick "netstat -l" showed that it was running. Now it is time to panic. So I called Brian, as he loves to laugh at me when I'm panicking.
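The two checks above (the ls -la sweep of /tmp for the worm's hidden files, and the netstat -l look for a listener on port 55555) are easy to turn into a repeatable triage script. The one below is an added example written for this article, not the author's own script and not part of any worm or backdoor source. It assumes a Linux box with a POSIX shell, awk and /proc; the scratch directory it builds and the "netstat -ln" listing it parses are constructed sample data, so nothing here touches the real /tmp or the real network. It also adds a check the article only implies: because the backdoor overwrites argv[0] with the httpd path, ps will show an Apache name while /proc/PID/exe still points at the real binary.

```shell
#!/bin/sh
# Added example for this article (not the author's code). Post-Slapper triage:
# 1. list hidden entries under a directory and flag the worm's indicators,
# 2. look for a listener on the backdoor port in a netstat -ln listing,
# 3. compare a process's argv[0] with its real executable.
# All sample paths, names and netstat lines below are constructed for the demo.

BACKDOOR_PORT=55555          # the #define PORT value quoted in the article

# find_indicators DIR: print every dot-entry in DIR (what "ls -la" shows and
# plain "ls" hides). Returns 0 if an indicator is present, 1 if the dir looks
# clean. Indicators: .bugtraq / .bugtraq.c, or a hidden directory holding C
# source next to an executable (the /tmp/.tmp/back + backwget.c pattern).
find_indicators() {
    dir=$1
    found=1
    for entry in "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$entry" ] || continue            # unmatched glob stays literal
        name=${entry##*/}
        printf 'hidden entry: %s\n' "$entry"
        case "$name" in
            .bugtraq|.bugtraq.c) found=0 ;;
        esac
        if [ -d "$entry" ]; then
            has_src=0
            has_bin=0
            for f in "$entry"/*; do
                [ -f "$f" ] || continue
                case "$f" in
                    *.c) has_src=1 ;;
                    *) if [ -x "$f" ]; then has_bin=1; fi ;;
                esac
            done
            if [ "$has_src" = 1 ] && [ "$has_bin" = 1 ]; then
                printf 'source plus binary in hidden dir: %s\n' "$entry"
                found=0
            fi
        fi
    done
    return "$found"
}

# listener_on_port PORT: read a "netstat -ln" listing on stdin and return 0 if
# a TCP socket in LISTEN state is bound to PORT (handles 0.0.0.0:P and :::P).
listener_on_port() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# spoofed_argv0 ARGV0 EXE: returns 0 when the process name and the executable
# disagree. The article's backdoor strcpy()s the httpd path into argv[0], so
# ps shows Apache while the binary actually lives in /tmp/.tmp/back.
# Caveat: symlinked interpreters (sh -> dash) also trip this, so treat a hit as
# a lead, not proof.
spoofed_argv0() {
    [ "${1##*/}" != "${2##*/}" ]
}

# check_pid PID: apply spoofed_argv0 to a live process via /proc (Linux only).
check_pid() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    argv0=$(tr '\0' '\n' < "/proc/$1/cmdline" | head -n 1)
    spoofed_argv0 "$argv0" "$exe"
}

# make_sample_tmp: build a constructed replica of what the article found
# (/tmp/.tmp with back, backwget.c, backlyn.c) in a scratch dir; prints its path.
make_sample_tmp() {
    sample=$(mktemp -d)
    mkdir "$sample/.tmp"
    : > "$sample/.tmp/backwget.c"
    : > "$sample/.tmp/backlyn.c"
    printf '#!/bin/sh\n' > "$sample/.tmp/back"
    chmod +x "$sample/.tmp/back"
    printf '%s\n' "$sample"
}

# sample_netstat: constructed "netstat -ln" output with the backdoor listening
# next to a legitimate apache-ssl listener.
sample_netstat() {
    printf '%s\n' \
        'Active Internet connections (only servers)' \
        'Proto Recv-Q Send-Q Local Address           Foreign Address         State' \
        'tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN' \
        'tcp        0      0 0.0.0.0:55555           0.0.0.0:*               LISTEN' \
        'udp        0      0 0.0.0.0:123             0.0.0.0:*'
}

# Demo run against the constructed data (for a real box: find_indicators /tmp,
# netstat -ln | listener_on_port 55555, and check_pid on each httpd PID).
demo_dir=$(make_sample_tmp)
find_indicators "$demo_dir" && echo "indicators found under $demo_dir"
sample_netstat | listener_on_port "$BACKDOOR_PORT" && echo "listener on port $BACKDOOR_PORT"
spoofed_argv0 /usr/local/apache/bin/httpd /tmp/.tmp/back && echo "argv[0] does not match the executable"
rm -rf "$demo_dir"
```

On a live system the worth of the third check is that ps and netstat -p both trust argv[0]; only /proc/PID/exe (or lsof -p) tells you where the listening binary really came from, which is how a "httpd" on port 55555 gives itself away even when the spoofed path happens to match your real Apache install.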
All other content Copyright (C) 2002 Linux Muse. Powered by MagaMuse v0.3.5, (C) 2002 Greg Lincoln.