Security Incidents mailing list archives
Re: Rooted, .haos on system
From: Damian Gerow <damian () sentex net>
Date: 16 Dec 2002 12:38:33 -0500
> On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
> I've just received word that one of our customers was rooted, and he's asking about the file ".haos". Nothing rings any bells, has anyone heard of it?
Just a quick update to this...
It looks like it was an IRC bot. I found these interesting tidbits
throughout the various source trees left on the system (definitely a
script kiddie hack):
" /.../ /m/src/Makefile":
#
# Starglider Class EnergyMech, IRC bot software
# Copyright (c) 1997-2000 proton
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
" /.../ /m/emech.users":
handle Silviu
mask *!*@Scoobyy.users.undernet.org
prot 4
aop
channel *
access 100
handle Malice
mask *!*@malice.users.undernet.org
prot 4
aop
channel *
access 100
handle Mihai
mask *!*@p00f.users.undernet.org
prot 4
aop
channel *
access 100
handle Doggy
mask *!*@Catelushu.users.undernet.org
prot 4
aop
channel *
access 100
handle mortu
mask *!*@mortux.users.undernet.org
prot 4
aop
channel #DhT
access 100
".../[wxz].users":
handle dxd
mask *!*dxd@*.*
pass nI-duWuaJw
prot 4
aop
channel *
access 100
handle kappy
mask *!*kappy@*.*
pass 0jgmlVQspb
prot 4
aop
channel *
access 100
handle essence
mask *!*essence@*.*
pass wHC0Pmbfux
prot 4
aop
channel *
access 100
handle karamel
mask *!*KarameL@*.*
pass kdiF0eQFYv
prot 4
aop
channel *
access 100
handle DJcontact
mask *!*anathema@*.*
pass uSfKIJhaCS
prot 4
aop
channel *
access 100
Other notes:
- a number of 'sendmail.c', 'modutils.sh', 'efstool.c', etc. files
kicking around
- a couple of binaries called 'httpd'
- an empty file called
"????????1?1?1??F??1?Q?8eshf5VJP?eebif5JJP??QS??1?1?????.eng"
- a couple of other system binaries (i.e. bash)
I still have the original 'haos' and 'haos2' tarballs, if anyone is
interested in looking at them. They both contain libpcap, and look to
be some sort of an automated SSH exploiter, given by the contents of the
files "targets" and "targets.txt":
<snip>
Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Small - SSH-1.5-OpenSSH-1.2.3,0x0806d000,0x080725ec,0x0000c804,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-OpenSSH-1.2.3,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
Small - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.99-OpenSSH-2.2.0,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
</snip>
If anyone wants more info, I'm willing to pass it on. But I'm going to
guess they got in via OpenSSH, given the nature of the scanners and the
version of the daemon running on the box. I'm not sure where the group
came from, but here's a quick quote from one of the shell scripts
("haosx"), and I'll leave you all at that:
echo "$rver haosx for Linuxz"
else
echo ""
echo "$rver Asteapta cateva secunde sa ma linistesc.."
echo "Ia o pauza de o laba pana scanam ceva."
echo "www.haos2.com"
echo "Thanks 2 friends : in #haos channel."
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
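Two of the artifacts quoted in the message have a regular enough shape to be parsed during triage: the EnergyMech user files (one record per `handle`, each with a `mask`, an optional `pass`, `prot`, `aop`, `channel` and `access` line) and the `targets` list of the SSH exploiter, where each line carries a server version banner followed by a comma-separated set of addresses and a Big/Small flag. The script below is an added example for this archive page, not code from the original post or from EnergyMech; it parses both formats and, for the target list, reports whether a given sshd version banner appears in it, so an administrator can check a banner captured from their own hosts against the list the tool keys on. The sample inputs are constructed from the records quoted above, and the helper names (`parse_emech_users`, `summarize_emech_users`, `parse_targets`, `banner_is_targeted`) are this example's own.

```python
"""Triage helpers for the EnergyMech user files and the SSH 'targets' list
described in the message. Added example, not code from the post or from
EnergyMech; sample inputs are constructed from the records quoted there."""
import re

# Constructed sample in the EnergyMech user-file format quoted in the post.
EMECH_USERS_SAMPLE = """\
handle dxd
mask *!*dxd@*.*
pass nI-duWuaJw
prot 4
aop
channel *
access 100
handle mortu
mask *!*@mortux.users.undernet.org
prot 4
aop
channel #DhT
access 100
"""


def parse_emech_users(text):
    """Split an EnergyMech user file into one dict per 'handle' record.

    A record begins at each 'handle' line. Key/value lines are stored as
    strings; bare flags such as 'aop' are stored as True.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else True
        if key == "handle":
            current = {"handle": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def summarize_emech_users(text):
    """Return (handle, mask, access, has_password) tuples.

    Handles with access 100, a stored password and a wildcard mask like
    '*!*name@*.*' can control the bot from any host, which is what an
    incident responder wants to see at a glance.
    """
    rows = []
    for rec in parse_emech_users(text):
        rows.append((rec["handle"], rec.get("mask", ""),
                     int(rec.get("access", 0)), "pass" in rec))
    return rows


# Constructed sample in the 'targets' format quoted in the post (two lines).
TARGETS_SAMPLE = """\
Big - SSH-1.5-OpenSSH-1.2.2,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH_2.1.1,0x08210000,0x083f99b4,0x00000004,0x0000664c,0x00000000,0x08400000,0x96,0x0805,0
"""

# '<label> - <banner>,<comma-separated fields>'; the banner is the first
# comma-free field after the dash.
TARGET_LINE = re.compile(r"^(?P<label>\w+)\s*-\s*(?P<banner>[^,]+),(?P<rest>.*)$")


def parse_targets(text):
    """Return the set of server version banners the target list keys on."""
    banners = set()
    for raw in text.splitlines():
        m = TARGET_LINE.match(raw.strip())
        if m:
            banners.add(m.group("banner").strip())
    return banners


def normalize_banner(banner):
    # The list mixes 'OpenSSH-2.1.1' and 'OpenSSH_2.1.1' spellings, so
    # compare with the separator and case folded.
    return banner.replace("_", "-").lower()


def banner_is_targeted(local_banner, targets_text):
    """True if a captured sshd banner (e.g. the first line a server sends
    on port 22) matches an entry in the target list."""
    wanted = {normalize_banner(b) for b in parse_targets(targets_text)}
    return normalize_banner(local_banner.strip()) in wanted


if __name__ == "__main__":
    for row in summarize_emech_users(EMECH_USERS_SAMPLE):
        print("bot user:", row)
    print("targeted banners:", sorted(parse_targets(TARGETS_SAMPLE)))
    print("SSH-1.99-OpenSSH-2.1.1 targeted:",
          banner_is_targeted("SSH-1.99-OpenSSH-2.1.1", TARGETS_SAMPLE))
```

A banner match only says the list carries hard-coded addresses for that version; it does not by itself confirm that the host was reachable or exploited, so treat it as one input to the timeline alongside the sshd logs and the file timestamps of the dropped tools.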