Security Incidents mailing list archives
Re: The x.c worm
From: Dave Dittrich <dittrich () cac washington edu>
Date: Tue, 4 Sep 2001 12:37:37 -0700 (PDT)
On Tue, 4 Sep 2001 niels.heinen () ubizen com wrote:
I was wondering if anyone has more information about this worm. I mean source, log files anything ;] For those that have not heard about this worm: x.c expoits the recently discovered buffer overflow in bsd derived telnet daemons. More information can be found here: http://www.nipc.gov/warnings/assessments/2001/01-019.htm http://www.incidents.org/diary/diary.php#012
Niels, Since the details I've seen on this are not yet public, I'll stick to what is to give some hints on how to detect this on the wire. If you want a fingerprint for your IDS, take a look at the following shellcode: http://msgs.securepoint.com/cgi-bin/get/bugtraq0107/293.html /* x86/bsd(i)+solaris execve shellcode * by lorian/teso */ unsigned char x86_bsd_compaexec[] = "\xbf\xee\xee\xee\x08\xb8\xff\xf8\xff\x3c\xf7\xd0" "\xfd\xab\x31\xc0\x99\xb0\x9a\xab\xfc\xab\xb0\x3b" "\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89" "\xe3\x52\x53\x89\xe1\x52\x51\x53\xff\xd7"; For more details on what to look for using nmap, see Bill Stearn's "xcfind" program: http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/xcfind.htm AddedLine /etc/rc.local '/usr/sbin/cron ' AddedLine /etc/inetd.conf '^uaac stream tcp nowait root /bin/sh sh -i$' AddedLine /etc/hosts.allow '^sh: ALL$' ServicesStopped \ inetd echo Please note that your system may have had a root shell opened echo on tcp port 145. You should check the system for any additional echo damage caused via incoming connections on that port. (Use Bill's "xcfind" tool for local host detection, but realize that it may, in future, give false positive results if a rootkit or loadable kernel module is used in conjunction with an exploit like this.) -- Dave Dittrich Computing & Communications dittrich () cac washington edu University Computing Services http://staff.washington.edu/dittrich University of Washington PGP key http://staff.washington.edu/dittrich/pgpkey.txt Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- The x.c worm niels . heinen (Sep 04)
- Re: The x.c worm Dave Dittrich (Sep 04)
- Re: The x.c worm Dave Dittrich (Sep 04)
- Re: The x.c worm Martin Roesch (Sep 05)
- Re: The x.c worm Dave Dittrich (Sep 04)