Security Incidents mailing list archives

cancerserver

From: Burak DAYIOGLU <dayioglu () METU EDU TR>
Date: Mon, 19 Mar 2001 14:46:08 +0200

Hello,
We have found out that at least one box hereabouts running RedHat
6.2 has been compromised by some kind of worm. This quick writeup is
to share our initial findings with the community and ask for any
previous information regarding the issue. The attackers have installed
a tarball named duarawkz.tgz on the victim box under /usr/bin. This
tarball contains some software to connect to IRC and get commands from
it. There is one other binary to become a CancerServer (not yet sure
what it does), sauber (to clean up log files) and some others. The full
list of the tarball is below:

-rw-r--r--    1 XXXXX    XXXXXX       20 Feb 19 02:58 autoexec
-rwx------    1 XXXXX    XXXXXX     3232 Feb 19 02:58 dua.ethclean
-rwx------    1 XXXXX    XXXXXX    15324 Feb 19 02:58 dua.glox
-rwx------    1 XXXXX    XXXXXX   102400 Feb 19 02:58 dua.mf
-rwx------    1 XXXXX    XXXXXX    10796 Feb 19 02:58 dua.strobe
-rwx------    1 XXXXX    XXXXXX    28572 Feb 19 02:58 dua.synscan
-rwx------    1 XXXXX    XXXXXX     6547 Feb 19 02:58 dua.udp
-rwxr-xr-x    1 XXXXX    XXXXXX    20132 Feb 19 02:58 login
-rw-r--r--    1 XXXXX    XXXXXX        8 Feb 19 02:58 loginpass
-rwxr-xr-x    1 XXXXX    XXXXXX    49844 Feb 19 02:58 ls
-rw-r--r--    1 XXXXX    XXXXXX       20 Feb 19 02:58 ls.hidden
-rwxr-xr-x    1 XXXXX    XXXXXX    29608 Feb 19 02:58 portmap
-rwxr-xr-x    1 XXXXX    XXXXXX    54196 Feb 19 02:58 ps
-rw-r--r--    1 XXXXX    XXXXXX       61 Feb 19 02:58 ps.hidden
-rwx------    1 XXXXX    XXXXXX     1345 Feb 19 02:58 sauber
drwx------    2 XXXXX    XXXXXX     4096 Feb 19 02:58 sploits

Strings from the binaries contain tHE mIRKfORCE and CancerServer.

We are going to investigate the compromised box as well as the found
binaries further. Before digging in any deeper, does anybody have any
experiences to share with us? I have found some messages regarding
CancerServer in some mid-20 INCIDENT messages but they were just
notifications of early findings as this msg is. All vulnerable
software on the box seems to be fixed up as well. :) They've done
a good job...

cheers,
Burak DAYIOGLU / Ahmet Burak CAN
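Since the kit listed above ships replacements for ls, ps, login and portmap, a first triage step on a RedHat box is to verify installed packages against the RPM database and pull out the system binaries whose content no longer matches. The script below is an added example, not part of the original post or the kit: it parses a constructed sample of `rpm -Va` output (the standard rpm 3.x/4.x column layout) and assumes the RPM database on the box is itself intact; the function and constant names are the example's own.

```python
import os
import re

# System binaries the duarawkz tarball ships replacements for (see the listing above).
TROJANED_NAMES = {"ls", "ps", "login", "portmap"}

# Constructed sample of `rpm -Va` output, NOT captured from the compromised box.
# Columns: 8 (rpm 3.x) or 9 (rpm 4.x) verify flags, an optional attribute marker
# ('c' = config file), then the path. '5' = digest differs, 'S' = size differs,
# 'T' = mtime differs; 'missing' stands in for the flags of an absent file.
SAMPLE_RPM_VERIFY = """\
S.5....T   /bin/ls
S.5....T   /bin/ps
S.5....T   /bin/login
S.5....T   /sbin/portmap
.......T   /usr/share/zoneinfo/Europe/Istanbul
..5....T c /etc/printcap
missing    /usr/doc/fileutils-4.0/README
"""

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr]+)\s+)?(?P<path>/\S+)$"
)

def parse_rpm_verify(text):
    """Return (path, flags, is_config) tuples; lines that do not parse are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            results.append((m["path"], m["flags"], "c" in (m["attr"] or "")))
    return results

def find_replaced_binaries(results):
    """Map path -> reason for non-config files whose content differs from the RPM
    database. Config files change legitimately and an mtime-only change ('T')
    is not evidence of replacement, so both are ignored."""
    hits = {}
    for path, flags, is_config in results:
        if is_config:
            continue
        if flags == "missing":
            hits[path] = "missing"
        elif "5" in flags or "S" in flags:
            hits[path] = "content changed"
    return hits

def rootkit_suspects(hits):
    """Narrow the changed files to the binaries this kit is known to replace."""
    return sorted(p for p in hits if os.path.basename(p) in TROJANED_NAMES)
```

On a live box feed the real `rpm -Va` output to parse_rpm_verify instead of the sample; an attacker with root could also have altered the RPM database, so compare against checksums taken from clean install media where possible.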
