Security Incidents mailing list archives

Possible DDoS Network Creation with ssh crc exploit


From: Mike Grantham <mikeg () ros co nz>
Date: 13 Nov 2001 23:28:17 -0000

Mailer: SecurityFocus

======================================
  SSH v1 Trojan Exploit, Nov 14, 2001
======================================

Victim:
  RH Linux 6.0, ssh1 v1.2.26

Incident:
  4:23am Nov 12, 2001 (NZDT)
  Using method described in http://www.securityfocus.com/archive/1/225543
  "SSH crc32 compensation attack detector exploit"
  Machine was compromised at 4:52am Nov 12.
  At this point syslog stopped logging attack, last entry in log was
  Nov 12 04:52:18 sshd[10659]: connect from x.x.x.x
  Nov 12 04:52:18 sshd[10659]: log: Connection from x.x.x.x port 2564
  Nov 12 04:52:21 sshd[10659]: fatal: Local: crc32 compensation attack: network attack detected
  
Analysis:
  Source:
  Machine x.x.x.x was used in the attack. I have notified the owner of this machine, but due to it having a legitimate
  DNS record and belonging to a registered US company I suspect this machine is a victim too.
  
  Activity:
  At the exact time that syslogd stopped logging the following file was altered
   /etc/rc.d/rc.sysinit:
   Two lines added to the bottom.
   --- 
   # Xntps (NTPv3 daemon) startup..
   /usr/sbin/xntps
   ---

  The following system files were added or replaced with hacked versions
  /bin/ps
  /bin/ls
  /bin/netstat
  /usr/sbin/xntps
  /lib/libproc.so.2.0.0
  /sbin/syslogd

  The following files/directories were added
  Trojan sshd setup to listen on port 33221
  /lib/liblip.so/con (ssh config file)
  /lib/liblip.so/hk (ssh private key)
  /lib/liblip.so/hk.pub (ssh public key)
  /lib/liblip.so/sd (binary)
  
  /lib/ldd.so/tkp (perl script, looks like a sorter for 
LinSniffer)
  /lib/ldd.so/tks (binary)
  /lib/ldd.so/tksb (sauber, looks like a log cleaner)

  /usr/man/man11/carko (ddos agent, binary)
  /usr/man/man11/cf (binary)
  /usr/man/man11/nc (binary)
  /usr/man/man11/sshd-etc (binary)
  /usr/man/man11/sshd-etc-ssh (binary)

  /dev/ttyy11 (binary)
  /dev/srd0 (text, but looks encrypted)

Conclusion:
  While I have not had time to disassemble these binaries or test to see what they do,
  I suspect someone is setting up a DDoS network. I also suspect that a script has done this
  due to the file times being all within the same minute.

If anyone would like to have a look at these files please email me and I will send them to you.

Regards, Mike
-----------------------------------------
Search Engineer, S.L.I. Systems, Inc
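Added example (not part of Mike's post): a small indicator check built from the artifacts he lists. It looks for the two lines appended to /etc/rc.d/rc.sysinit, for the added files and directories, and for a listener on port 33221 by reading /proc/net/tcp directly rather than trusting the replaced netstat. All paths and the port come from the post; the sample rc.sysinit text, sample path set and sample /proc/net/tcp lines are constructed here for demonstration. Because /bin/ls, /bin/ps and libproc were replaced on the victim, the file checks are meant to be run against a disk mounted under `root` from clean media, not from the live compromised system.

```python
"""Indicator check for the SSH1 crc32 intrusion described in the post (added example)."""
import os

# Files the post lists as added by the intruder.
ADDED_PATHS = [
    "/usr/sbin/xntps",
    "/lib/liblip.so/con", "/lib/liblip.so/hk", "/lib/liblip.so/hk.pub", "/lib/liblip.so/sd",
    "/lib/ldd.so/tkp", "/lib/ldd.so/tks", "/lib/ldd.so/tksb",
    "/usr/man/man11/carko", "/usr/man/man11/cf", "/usr/man/man11/nc",
    "/usr/man/man11/sshd-etc", "/usr/man/man11/sshd-etc-ssh",
    "/dev/ttyy11", "/dev/srd0",
]
# System files the post lists as replaced; their presence is normal, so they are
# only reported for hash comparison against a known-good package, not as hits.
REPLACED_BINARIES = ["/bin/ps", "/bin/ls", "/bin/netstat", "/lib/libproc.so.2.0.0", "/sbin/syslogd"]
# The two lines appended to the bottom of /etc/rc.d/rc.sysinit.
RC_SYSINIT_MARKERS = ("# Xntps (NTPv3 daemon) startup..", "/usr/sbin/xntps")
# Port the trojan sshd was set up to listen on.
TROJAN_SSHD_PORT = 33221


def find_rc_sysinit_markers(text):
    """Return (line_number, line) pairs that match the appended startup lines."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if line.strip() in RC_SYSINIT_MARKERS]


def present_indicators(path_exists):
    """path_exists: callable(path) -> bool. Returns the ADDED_PATHS that exist, sorted."""
    return sorted(p for p in ADDED_PATHS if path_exists(p))


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp text; return the set of local ports in LISTEN state (st == 0A).
    Reading /proc directly sidesteps a trojaned netstat (but not a kernel rootkit)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.split(":")[1], 16))
    return ports


def scan(root="/"):
    """Run all three checks against a filesystem (ideally a mounted image) under `root`."""
    def under_root(p):
        return os.path.join(root, p.lstrip("/"))

    findings = {"rc_sysinit": [], "added_files": [], "trojan_port_listening": None}
    rc = under_root("/etc/rc.d/rc.sysinit")
    if os.path.isfile(rc):
        with open(rc, errors="replace") as f:
            findings["rc_sysinit"] = find_rc_sysinit_markers(f.read())
    findings["added_files"] = present_indicators(lambda p: os.path.lexists(under_root(p)))
    tcp = under_root("/proc/net/tcp")  # only meaningful on a live host
    if os.path.isfile(tcp):
        with open(tcp) as f:
            findings["trojan_port_listening"] = TROJAN_SSHD_PORT in listening_ports(f.read())
    return findings


# Constructed sample data (not from the post) so the checks can be run offline.
SAMPLE_RC_SYSINIT = """#!/bin/sh
# rc.sysinit - run once at boot time
touch /var/lock/subsys/local
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps
"""
SAMPLE_PRESENT = {"/usr/sbin/xntps", "/lib/liblip.so/sd", "/usr/man/man11/carko", "/bin/ps"}
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:81C5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1
   2: 0100007F:0050 0100007F:8A3C 01 00000000:00000000 00:00000000 00000000     0        0 9012 1
"""

if __name__ == "__main__":
    print("rc.sysinit markers:", find_rc_sysinit_markers(SAMPLE_RC_SYSINIT))
    print("added files present:", present_indicators(lambda p: p in SAMPLE_PRESENT))
    print("trojan port listening:", TROJAN_SSHD_PORT in listening_ports(SAMPLE_PROC_NET_TCP))
    # On a mounted image of the victim disk: print(scan("/mnt/victim"))
```

The sample data deliberately mixes a normal sshd listener on port 22 and an established connection on port 80 with the trojan listener so the /proc/net/tcp parser has something to filter out. For REPLACED_BINARIES, the useful follow-up is a hash comparison against the distribution's package database from clean media, which this example leaves to the reader since the post gives no reference hashes.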
