Security Incidents mailing list archives

Re: Port 10008


From: <jlewis () lewis org>
Date: Mon, 21 May 2001 12:48:13 -0400 (EDT)

On Tue, 15 May 2001 jlewis () lewis org wrote:

I got some scans on port 10008 as well.  The really odd thing is this.  If
you port scan them back, you'll find that on some high TCP port, if you
connect and send a few newlines, it'll reply with a uuencoded cheese.tgz
file.  I took a very brief look at the contents of cheese.tgz.  The
comments say it's a cleaner, written to remove root shells from
inetd.conf.  There's a lot more than that in the code though.  Looks like a
trojan that's really a scanner.

I got a bunch of requests "please send me the file" and felt kind of silly
having said "looks like a trojan" without really taking a close look at
it...so I just did take a few minutes to take a closer look.

This thing is pretty funny.  It's not really a trojan.  I don't think they
expect anyone to download and run this willingly.  I'm not sure what the
best term for it is.  Maybe a parasitic worm.  It's a scanner that looks
for systems already broken into by someone else using a package that put a
root shell on port 10008.  When it finds a host with a root shell on
10008/tcp, it forks a server that serves cheese.uue, connects to the
remote host, has that host download cheese.uue from the host that's
infecting it, uudecodes and untars the file, sets mtimes on its own files
on the new host to that of the local /bin/sh, perhaps to evade "find new
files" security scripts, tries to remove the root shell from inetd.conf,
then starts up a new scanner scanning a randomly selected /16 from a
predetermined range, and sets the process name to httpd.

The comment is kind of funny:

# removes rootshells running from /etc/inetd.conf
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# Infact, it was written to try and do some good.

The funny thing is that unless there's code hidden in the scanner binary
(a Linux ELF binary that relies on libc version 6), that does some sort of
back door, I think the comment above is actually true.  This thing just
uses hacked boxes to look for other hacked boxes, undoes the root shell
via inetd backdoor someone else left, and spreads.  It's a kind of
pointless noble effort since those systems that were hacked will likely be
re-hacked...but I don't see anything really malicious in cheese.

-- 
----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
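Two defensive checks suggested by the behaviour described in this post, written as an added example (not code from the thread or from cheese itself): parsing inetd.conf for entries that spawn a shell as root, and finding files whose mtime has been cloned from /bin/sh, which is the trick the post describes for evading "find new files" scripts. Function names and the sample inetd.conf lines are constructed for illustration.

```python
import os
import shlex
import tempfile
from pathlib import Path

# Constructed sample inetd.conf; the "10008" entry mimics the kind of
# root shell cheese looks for (hypothetical line, not from a real host).
INETD_SAMPLE = [
    "# /etc/inetd.conf (constructed sample)",
    "ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a",
    "telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd",
    "10008   stream  tcp  nowait  root  /bin/sh  sh -i   # left by l10n",
]

def inetd_root_shells(inetd_lines, shells=("/bin/sh", "/bin/bash")):
    """Return (service, user, server) for entries whose server is a shell.

    inetd.conf fields: service socktype proto wait/nowait user server args...
    Entries wrapped in tcpd are unwrapped so the real program is inspected."""
    hits = []
    for raw in inetd_lines:
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = shlex.split(line) if line else []
        if len(fields) < 6:
            continue
        server = fields[5]
        if os.path.basename(server) == "tcpd" and len(fields) > 6:
            server = fields[6]                       # tcpd wraps the real server
        if server in shells:
            hits.append((fields[0], fields[4], server))
    return hits

def mtime_clones(root, reference):
    """Files under root whose mtime exactly equals that of reference.

    Cheese copies /bin/sh's mtime onto its own files so timestamp-based
    checks miss them; an exact ns match on an unrelated file is suspicious."""
    ref = Path(reference).resolve()
    ref_mtime = ref.stat().st_mtime_ns
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if p.lstat().st_mtime_ns == ref_mtime and p.resolve() != ref:
                hits.append(str(p))
    return sorted(hits)

def demo():
    """Constructed tree: a fake 'sh', one file with a cloned mtime, one not."""
    root = tempfile.mkdtemp()
    sh = Path(root, "sh"); sh.write_bytes(b"\x7fELF")
    os.utime(sh, ns=(990_000_000 * 10**9, 990_000_000 * 10**9))  # May 2001
    clone = Path(root, "httpd"); clone.write_text("scanner")
    os.utime(clone, ns=(sh.stat().st_atime_ns, sh.stat().st_mtime_ns))
    Path(root, "notes.txt").write_text("fresh file, current mtime")
    return mtime_clones(root, str(sh))
```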

