Security Incidents mailing list archives
Re: awstats holes being exploited in the wild
From: Skip Carter <skip () mira taygeta com>
Date: Tue, 15 Mar 2005 14:01:49 -0800
I did a find on 's', and it turned up a new directory: /var/tmp/.cache
this directory had the following files:

-rwxr-xr-x 1 apache apache 433332 Mar 13 10:12 0*
-rwxr-xr-x 1 apache apache    147 Jul 29  2004 clear.sh*
-rw-r--r-- 1 apache apache    253 Mar 14 08:22 ftp
-rw-r--r-- 1 apache apache      0 Mar 14 08:22 Garion.seen
-rwxr-xr-x 1 apache apache 160867 Mar 21  2005 httpd*
-rwxr-xr-x 1 apache apache  24747 Mar 13 10:12 j*
-rwxr-xr-x 1 apache apache  31757 Mar 13 10:12 k*
-rw-r--r-- 1 apache apache  22983 Jul 29  2004 mech.help
-rw-r--r-- 1 apache apache   1064 Mar 14 08:22 mech.levels
-rw-r--r-- 1 apache apache   6734 Mar 13 10:12 mech.pid
-rw-r--r-- 1 apache apache    522 Mar 14 08:22 mech.session
-rw-r--r-- 1 apache apache    827 Mar 21  2005 mech.set
-rwxr-xr-x 1 apache apache  22158 Mar 13 09:42 s*
-rwxr-xr-x 1 apache apache     61 Mar 21  2005 start.sh*
-rwxr-xr-x 1 apache apache  22446 Mar 13 10:12 v1*
-rwxr-xr-x 1 apache apache  23414 Mar 13 10:12 v2*
-rwxr-xr-x 1 apache apache  26958 Mar 13 10:12 x*

j is juno.c by Sorceror of DALnet
k is the ptrace program by anszom () v-lo krakow pl
v1 is vadim v.Ibeta
v2 is vadim v.IIbeta
x is apparently a ptrace program by Wojciech Purcynski
(referenced at http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-03/0201.html )

I recently tracked down a phishing site to a compromised server in Japan.
Interestingly, several of the above files (in particular the mech files and
the ptrace program) were installed there; it also had the tuxkit rootkit
installed on it. That system appears to have been compromised by a
vulnerable sshd.

--
Dr. Everett (Skip) Carter           Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Network Security Services   email: skip () taygeta net
1340 Munras Ave., Suite 314         WWW: http://www.taygeta.net/
Monterey, CA. 93940
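
A check for the pattern in the listing above (owner-executable files belonging to the web server account under a dot-directory in /var/tmp), as an added example that is not part of the original message. The function name, the --scan switch and the list of directories are assumptions; the account name apache is taken from the listing.

```shell
#!/bin/sh
# Added example, not from the original post.
# scan_hidden_execs ACCOUNT DIR...
#   Prints, one per line, every regular file below DIR that
#     - is owned by ACCOUNT (a name or a numeric uid),
#     - has the owner-execute bit set, and
#     - has a dot-named component below DIR, i.e. it sits in a hidden
#       directory such as .cache or is itself a dot-file.
#   Prints nothing when nothing matches or DIR does not exist.
scan_hidden_execs() {
    account=$1
    shift
    for root in "$@"; do
        [ -d "$root" ] || continue
        (
            # Run find relative to the root so that only components *below*
            # it are tested for a leading dot, whatever the root's own path is.
            cd "$root" 2>/dev/null || exit 0
            find . -xdev -type f -user "$account" -perm -100 \
                 -path '*/.*' -print 2>/dev/null
        ) | while IFS= read -r rel; do
            # Turn ./.cache/s back into <root>/.cache/s for the report.
            printf '%s/%s\n' "${root%/}" "${rel#./}"
        done
    done
}

# Stand-alone use: sh thisfile --scan [ACCOUNT]
# The directories are the usual world-writable locations (an assumption);
# adjust them and the account name to the system being checked.
if [ "${1:-}" = "--scan" ]; then
    scan_hidden_execs "${2:-apache}" /tmp /var/tmp /dev/shm
fi
```

A hit is a lead, not a verdict: compare owner, size and timestamps of each reported file against what the web application is known to write.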
Current thread:
- awstats holes being exploited in the wild Jeremy Anderson (Mar 15)
- Re: awstats holes being exploited in the wild John Pettitt (Mar 16)
- Re: awstats holes being exploited in the wild Skip Carter (Mar 16)