Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: The x.c worm

From: Dave Dittrich <dittrich () cac washington edu>
Date: Tue, 4 Sep 2001 12:37:37 -0700 (PDT)
On Tue, 4 Sep 2001 niels.heinen () ubizen com wrote:


I was wondering if anyone has more information about this worm. I mean
source, log files anything ;]

For those that have not heard about this worm: x.c  expoits the recently
discovered buffer
overflow in bsd derived telnet daemons. More information can be found
here:

http://www.nipc.gov/warnings/assessments/2001/01-019.htm
http://www.incidents.org/diary/diary.php#012


Niels,

Since the details I've seen on this are not yet public, I'll stick to
what is to give some hints on how to detect this on the wire.

If you want a fingerprint for your IDS, take a look at the following
shellcode:

        http://msgs.securepoint.com/cgi-bin/get/bugtraq0107/293.html

/* x86/bsd(i)+solaris execve shellcode
 * by lorian/teso
 */
 unsigned char   x86_bsd_compaexec[] =
     "\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0"
     "\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b"
     "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
     "\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7";


For more details on what to look for using nmap, see Bill Stearn's
"xcfind" program:

        http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/xcfind.htm


        AddedLine /etc/rc.local '/usr/sbin/cron '
        AddedLine /etc/inetd.conf '^uaac stream tcp nowait root /bin/sh sh -i$'
        AddedLine /etc/hosts.allow '^sh: ALL$'

        ServicesStopped \
          inetd

        echo Please note that your system may have had a root shell opened
        echo on tcp port 145.  You should check the system for any additional
        echo damage caused via incoming connections on that port.

(Use Bill's "xcfind" tool for local host detection, but realize that
it may, in future, give false positive results if a rootkit or
loadable kernel module is used in conjunction with an exploit like
this.)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: