Security Incidents mailing list archives
cancerserver
From: Burak DAYIOGLU <dayioglu () METU EDU TR>
Date: Mon, 19 Mar 2001 14:46:08 +0200
Hello,

We have found out that at least one box hereabouts running RedHat 6.2 has been compromised by some kind of a worm. This quick writeup is to share our initial findings with the community and ask for any previous information regarding the issue.

The attackers have installed a tarball named duarawkz.tgz on the victim box under /usr/bin. This tarball contains some software to connect to IRC and get commands from it. There is one other binary to become a CancerServer (not yet sure what it does), sauber (to clean up log files) and some others. The full list of the tarball is below:

-rw-r--r-- 1 XXXXX XXXXXX 20 Feb 19 02:58 autoexec
-rwx------ 1 XXXXX XXXXXX 3232 Feb 19 02:58 dua.ethclean
-rwx------ 1 XXXXX XXXXXX 15324 Feb 19 02:58 dua.glox
-rwx------ 1 XXXXX XXXXXX 102400 Feb 19 02:58 dua.mf
-rwx------ 1 XXXXX XXXXXX 10796 Feb 19 02:58 dua.strobe
-rwx------ 1 XXXXX XXXXXX 28572 Feb 19 02:58 dua.synscan
-rwx------ 1 XXXXX XXXXXX 6547 Feb 19 02:58 dua.udp
-rwxr-xr-x 1 XXXXX XXXXXX 20132 Feb 19 02:58 login
-rw-r--r-- 1 XXXXX XXXXXX 8 Feb 19 02:58 loginpass
-rwxr-xr-x 1 XXXXX XXXXXX 49844 Feb 19 02:58 ls
-rw-r--r-- 1 XXXXX XXXXXX 20 Feb 19 02:58 ls.hidden
-rwxr-xr-x 1 XXXXX XXXXXX 29608 Feb 19 02:58 portmap
-rwxr-xr-x 1 XXXXX XXXXXX 54196 Feb 19 02:58 ps
-rw-r--r-- 1 XXXXX XXXXXX 61 Feb 19 02:58 ps.hidden
-rwx------ 1 XXXXX XXXXXX 1345 Feb 19 02:58 sauber
drwx------ 2 XXXXX XXXXXX 4096 Feb 19 02:58 sploits

Strings from the binaries contain tHE mIRKfORCE and CancerServer. We are going to investigate the compromised box as well as the found binaries further. Before digging in any deeper, does anybody have any experiences to share with us? I have found some messages regarding CancerServer in some mid-20 INCIDENT messages but they were just notifications of early findings as this msg is.

All vulnerable software on the box seems to be fixed up as well. :) They've done a good job...

cheers,
Burak DAYIOGLU / Ahmet Burak CAN
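A small triage helper, added here as an illustration and not part of the original post or of the kit it describes: it parses an ls -l listing like the one above (re-typed as a constructed sample, owner and group masked as in the post) and flags the entries that shadow stock system binaries together with their .hidden companion files, the pattern a trojaned ls or ps uses to decide which entries to hide. The set of binary names to check is an assumption taken from the names in the post.

```python
import re

# Constructed sample: the tarball listing from the post, owner/group masked.
LISTING = """\
-rw-r--r-- 1 XXXXX XXXXXX 20 Feb 19 02:58 autoexec
-rwx------ 1 XXXXX XXXXXX 3232 Feb 19 02:58 dua.ethclean
-rwx------ 1 XXXXX XXXXXX 15324 Feb 19 02:58 dua.glox
-rwx------ 1 XXXXX XXXXXX 102400 Feb 19 02:58 dua.mf
-rwx------ 1 XXXXX XXXXXX 10796 Feb 19 02:58 dua.strobe
-rwx------ 1 XXXXX XXXXXX 28572 Feb 19 02:58 dua.synscan
-rwx------ 1 XXXXX XXXXXX 6547 Feb 19 02:58 dua.udp
-rwxr-xr-x 1 XXXXX XXXXXX 20132 Feb 19 02:58 login
-rw-r--r-- 1 XXXXX XXXXXX 8 Feb 19 02:58 loginpass
-rwxr-xr-x 1 XXXXX XXXXXX 49844 Feb 19 02:58 ls
-rw-r--r-- 1 XXXXX XXXXXX 20 Feb 19 02:58 ls.hidden
-rwxr-xr-x 1 XXXXX XXXXXX 29608 Feb 19 02:58 portmap
-rwxr-xr-x 1 XXXXX XXXXXX 54196 Feb 19 02:58 ps
-rw-r--r-- 1 XXXXX XXXXXX 61 Feb 19 02:58 ps.hidden
-rwx------ 1 XXXXX XXXXXX 1345 Feb 19 02:58 sauber
drwx------ 2 XXXXX XXXXXX 4096 Feb 19 02:58 sploits
"""

# Assumption: stock binaries this kit is known (from the post) to replace.
SYSTEM_BINARIES = {"ls", "ps", "login", "portmap"}

# mode, links, owner, group, size, month, day, time, name
LS_LINE = re.compile(
    r"^([-d][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\w{3}\s+\d+\s+[\d:]+\s+(\S+)$")


def parse_listing(text):
    """Return (name, mode, size) for every well-formed ls -l line."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries.append((m.group(3), m.group(1), int(m.group(2))))
    return entries


def triage(entries):
    """Map suspicious entry name -> reason. A system-binary name inside a
    dropped kit is a replacement; a matching NAME.hidden file alongside it
    is the hide-list the trojaned binary consults."""
    names = {name for name, _, _ in entries}
    findings = {}
    for name, mode, _size in entries:
        if name in SYSTEM_BINARIES:
            hide_list = name + ".hidden"
            if hide_list in names:
                findings[name] = "replacement with hide-list " + hide_list
                findings[hide_list] = "hide-list consulted by trojaned " + name
            else:
                findings[name] = "replacement of a system binary"
    return findings
```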