Full Disclosure mailing list archives
dikline suspected to be behind repository hacking.
From: "Jason Savora" <jsavora () ipspace com>
Date: Mon, 6 Mar 2006 22:14:42 +0000
Recently we have discovered a severe code modification in the Ruby programming language downloaded from various Debian-based non-official apt repositories. Ruby is the interpreted scripting language for quick and easy object-oriented programming available from ruby-lang.org. Please be advised the official release of Ruby from ruby-lang.org is not hacked.

During normal application development in the Ruby language at our firm, our developers actively use Ruby as a language. We are currently developing a smart system for badge access scanning at door entry points in our building using HID cards. In the process of development we have had to downgrade, modify, and remove many instances of Ruby for testing (including non-POSIX versions of Ruby for Win32API development via ruby.exe for Windows systems). Steven Colbert of HID Inc. has been working with us on various projects for the past year on and off, and we are now working with debian-sarge and Ubuntu Linux systems.

During a recent ritual of removal/re-installation of Ruby using Debian's apt-get we discovered a very big flaw in the files installed for Ruby. A hacked version of Ruby is wandering around apt repositories everywhere. The file that's infected is /usr/lib/ruby/Env.rb. This file imports environment variables as global variables when called. But don't plan on seeing a change in that file, for it is replaced upon trojan infection. The original Env.rb file looks like:

    require 'importenv'

    if __FILE__ == $0
      p $TERM
      $TERM = nil
      p $TERM
      p ENV["TERM"]
      $TERM = "foo"
      p ENV["TERM"]
    end

Our development called for a change in the constant ENV, and we had to edit the file for a new declaration for our software. When we opened Env.rb (after the new apt-get) it was modified in many different ways. The original Env file was overwritten to install and activate a program called Apatch. A-Patch is software that is used to trojan the SSH daemon on a machine.

It was set so that any time an environment variable was called for a Ruby program in the background, a file was downloaded from a website, unarchived and then installed to the machine. The software downloaded one time, and then replaced the hacked version of Env.rb back to the original. Very, very sneaky backdoor. The machine also sent a series of packets to a remote host. We are guessing that this was to notify the attacker that a new system has been compromised.

The file that was downloaded: http://www.dikline.com/n0tm366/apd.tgz

For those of you who don't know, after a lot of searching we found out that dikline.com is an underground terrorist anti-security hacking group that haunts the "white hat" community, whose targets have included government agencies, SCO Linux, Kevin Mitnick Security, FRSIRT, Packet Storm Security, Securina and many other hacking groups and people. Their website is down now; we are probably not the first to expose what they do. The packets were sent to the same domain but on port 56611.

From line 26:

    SET ENV $GHOSTKAT "http://dikline.com:56611"

We were able to wget apd.tgz from dikline.com and here are its contents:

    justin@adev1$ ls
    apatch-openssh-*.*.*    apatch-openssh-3.*-mod    apatch-ssh-1.*-sure
    apatch-openssh-2.*-mod  apatch-ruby-packetmod-dikline
    justin@adev1$

After looking into the different files we discovered that it is a modified version of apatch, also including the packet software to tell them who is infected. We tested our development machines, and 8 out of 10 were infected with APATCH. We are not sure how in God's name this has happened, or where the source is.

If you are unsure about your machines having apatch, it looks like dikline's default backdoor installation creates a file in /usr/lib/ called libdofas.so.5.4.9. If you have this file in /usr/lib, back up and re-install your O/S RIGHT NOW.

After we ripped apart our machine that was infected with apatch, we found a special password that can be used for any account via SSH remote for any user (including root). The password dikline uses for apatch is: b0w.1z.1984&N0W

Lookz like we got you dikline! It may be official apt repositories or non-supported un-official; no matter the source, we now know who is behind this scandal. How do we go after them? Contact the repository administrators? Who knows how many are infected. Any good ideas to get these guys, tell me.

-Justin Savora
Global Interaction Software Systems Inc.
Office: 310-286-2013
jsavora () ipspace com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
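The post names one indicator (the file /usr/lib/libdofas.so.5.4.9) and one tampered package file (Env.rb). The script below is an added example, not part of the message above and not code from the poster or from any Debian tool: it checks a root directory for the indicator path and verifies package files against a dpkg-style md5sums list (the "md5  relative/path" format dpkg keeps under /var/lib/dpkg/info/<pkg>.md5sums). The Env.rb location under usr/lib/ruby/1.8/, the sample file contents and the sums file are constructed here so the check runs offline against a temporary root; on a real host you would point it at / and at the installed package's .md5sums file, and treat a clean result as a package-integrity check only, not proof that nothing else was replaced.

```shell
#!/bin/sh
# Added example (not the poster's code): indicator and package-integrity
# check for the files named in the message. Paths below are assumptions
# taken from the post, not a verified list.

# Indicator file named in the post, relative to the root being checked.
IOC_FILES="usr/lib/libdofas.so.5.4.9"

# check_iocs ROOT
# Prints every indicator path that exists under ROOT.
# Returns 0 when none is present, 1 when at least one is.
check_iocs() {
    root="$1"
    found=0
    for f in $IOC_FILES; do
        if [ -e "$root/$f" ]; then
            echo "INDICATOR PRESENT: /$f"
            found=1
        fi
    done
    return $found
}

# verify_md5sums ROOT SUMFILE
# SUMFILE holds lines of the form "<md5>  <path relative to root>", the
# layout dpkg uses in /var/lib/dpkg/info/<pkg>.md5sums. Each file under
# ROOT is hashed with md5sum and compared. Returns the number of files
# that are missing or whose hash differs (0 means every listed file
# matches; a modified Env.rb would show up as MODIFIED).
verify_md5sums() {
    root="$1"
    sums="$2"
    bad=0
    while read -r want path; do
        [ -z "$path" ] && continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING: /$path"
            bad=$((bad + 1))
            continue
        fi
        have=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED: /$path"
            bad=$((bad + 1))
        fi
    done < "$sums"
    return $bad
}

# Stand-alone use against a live system (assumed invocation, e.g.
#   sh check.sh --scan / /var/lib/dpkg/info/libruby1.8.md5sums
# where the md5sums file name is whatever package owns Env.rb on your host).
if [ "${1:-}" = "--scan" ] && [ $# -eq 3 ]; then
    rc=0
    check_iocs "$2" || rc=1
    verify_md5sums "$2" "$3" || rc=1
    [ $rc -eq 0 ] && echo "no indicator found and all listed files match"
    exit $rc
fi
```

The md5sums comparison only catches a file that is still modified at check time; the post describes a trojan that restores the original Env.rb after one run, so a clean hash on Env.rb does not clear the host, which is why the indicator-file check runs alongside it.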
Current thread:
- dikline.com suspected to be behind repository hacking. Jason Savora (Mar 06)
- dikline suspected to be behind repository hacking. Jason Savora (Mar 06)
- Re: dikline suspected to be behind repository hacking. Thierry Zoller (Mar 07)
- dikline suspected to be behind repository hacking. Jason Savora (Mar 06)