
| Subject: | Re: [Full-Disclosure] Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit??? |
|---|---|
| Date: | Fri, 29 Oct 2004 12:37:10 +0200 |
> Hi,
>
> It appears that the signature is
>
> ```
> 00000000 C6C22C          mov dl, 2C
> 00000003 37              aaa
> 00000004 60              pushad
> 00000005 C1EFD4          shr edi, D4
> 00000008 C4922264C66A    les edx, dword ptr [edx+6AC66422]
> 0000000E E10D            loopz 0000001D
> 00000010 8A6A5F          mov ch, byte ptr [edx+5F]
> 00000013 D44E            aam (base78)
> 00000015 91              xchg eax,ecx
> 00000016 10044D00000000  adc byte ptr [2*ecx+104D044D], al
> ```
>
> The beginning & the end of the disassembly may be wrong if the signature is not complete. However it doesn't make much sense globally and this code is too short to see a potential attack: no memory is written here.
>
> By the way, where is this signature from?
Someone (Peter Kosinar) suggests to me that this byte pattern is a potential command directed to the "suckit" rootkit over port 80; the first bytes are a kind of authentication hash and the final bytes are changing because it's a port number... Still investigating on this...

Your work is great, but maybe this isn't an attack pattern, so the bytes are not asm instructions! Thank you anyway...

The signature comes from different compromised error logs of Apache 1.3.27 with PHP 4.2.3. I've contacted the sysadmins of the IPs originating these attacks, because someone else suggests to me that also the attacking hosts are compromised boxes used by this hacker crew.... They own a lot of Apache *nix servers worldwide :((((((

216.40.203.9 : ns1.tnet.ch : An old Cobalt RaQ server, with very poor security.
OrgName: Everyones Internet, Inc.
Country: US
-----
140.105.55.159 : dschrahm3.univ.trieste.it
netname: TRIESTE-NET
descr: Universita' degli Studi di Trieste
-----
195.140.140.122 : from France
netname: CTN-1
-----
212.78.145.16 : Another old Cobalt server from Spain
Hostname : 16.red-212-78-145.user.auna.net
netname: MENTA-ECOM
descr: Cable i Televisio de Catalunya
descr: Internet de Banda Ampla
-----
65.125.235.250 : EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1) 65.125.224.0 - 65.125.239.255

EF

________________________________________________
Message sent by Edizioni Master Webmail http://mbox.edmaster.it
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
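An added example, not code from either message in this thread, in Python: it rebuilds the raw byte string from the disassembly listing quoted above (checking that the listed offsets are contiguous, so a transcription gap would be caught) and then scans Apache-style error-log lines for it. Because the reply observes that the final bytes change between events, the scanner matches the leading bytes exactly and reports whatever trailing bytes it actually saw, so a sysadmin can tell an exact repeat from a variant. The sample log lines, the client addresses (192.0.2.x), the 4-byte length of the variable tail and the `\xNN` escape/unescape routines are all constructed assumptions for this example, not Apache's code or data taken from the thread.

```python
import re
from dataclasses import dataclass

# Disassembly listing as quoted in the thread: offset, raw bytes, mnemonic.
LISTING = """
00000000 C6C22C          mov dl, 2C
00000003 37              aaa
00000004 60              pushad
00000005 C1EFD4          shr edi, D4
00000008 C4922264C66A    les edx, dword ptr [edx+6AC66422]
0000000E E10D            loopz 0000001D
00000010 8A6A5F          mov ch, byte ptr [edx+5F]
00000013 D44E            aam (base78)
00000015 91              xchg eax,ecx
00000016 10044D00000000  adc byte ptr [2*ecx+104D044D], al
"""


def listing_to_bytes(listing: str) -> bytes:
    """Rebuild the raw signature from the listing. Each offset must equal the
    number of bytes accumulated so far; a gap or overlap means the listing was
    transcribed wrongly, so we refuse to build a signature from it."""
    out = bytearray()
    for line in listing.strip().splitlines():
        offset_hex, hexbytes = line.split(None, 2)[:2]
        offset = int(offset_hex, 16)
        if offset != len(out):
            raise ValueError(f"listing not contiguous at offset {offset:#x}")
        out += bytes.fromhex(hexbytes)
    return bytes(out)


SIGNATURE = listing_to_bytes(LISTING)

# Assumption: this approximation of Apache's error-log escaping (\\, \", \n,
# \r, \t and \xNN for other non-printables) is enough for the sample lines.
# It is written for this example and is not Apache's own routine.
_SIMPLE = {0x5C: r"\\", 0x22: r"\"", 0x0A: r"\n", 0x0D: r"\r", 0x09: r"\t"}
_REV = {"\\": 0x5C, '"': 0x22, "n": 0x0A, "r": 0x0D, "t": 0x09}
_ESC = re.compile(r'\\(x[0-9a-fA-F]{2}|[\\"nrt])')
_LOG = re.compile(r"\[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")


def escape_logitem(data: bytes) -> str:
    parts = []
    for b in data:
        if b in _SIMPLE:
            parts.append(_SIMPLE[b])
        elif 0x20 <= b < 0x7F:
            parts.append(chr(b))
        else:
            parts.append(f"\\x{b:02x}")
    return "".join(parts)


def unescape_logitem(text: str) -> bytes:
    """Turn an escaped error-log item back into the bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        out.append(int(tok[1:], 16) if tok[0] == "x" else _REV[tok])
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


@dataclass
class Hit:
    client: str
    kind: str   # "exact" (whole signature) or "prefix" (fixed part only)
    tail: str   # hex of the variable tail actually observed


def scan_error_log(lines, signature=SIGNATURE, variable_tail=4):
    """Report lines carrying the signature. The leading bytes must match
    exactly; the last `variable_tail` bytes may differ, following the
    thread's note that the final bytes change (the tail length is assumed)."""
    prefix = signature[: len(signature) - variable_tail]
    hits = []
    for line in lines:
        m = _LOG.search(line)
        if not m:
            continue
        raw = unescape_logitem(m.group("msg"))
        idx = raw.find(prefix)
        if idx < 0:
            continue
        seen = raw[idx : idx + len(signature)]
        kind = "exact" if seen == signature else "prefix"
        hits.append(Hit(m.group("ip"), kind, seen[len(prefix):].hex()))
    return hits


# Constructed sample log lines (not real data); documentation addresses only.
def _line(ip, payload):
    return (f"[Fri Oct 29 12:37:10 2004] [error] [client {ip}] "
            f"Invalid method in request {escape_logitem(payload)}")


SAMPLE_LOG = [
    _line("192.0.2.10", SIGNATURE),                                   # exact repeat
    _line("192.0.2.20", SIGNATURE[:-4] + b"\x00\x00\x1f\x90"),        # tail differs
    "[Fri Oct 29 12:40:00 2004] [error] [client 192.0.2.30] "
    "File does not exist: /favicon.ico",                               # benign
]

if __name__ == "__main__":
    for hit in scan_error_log(SAMPLE_LOG):
        print(hit)
```

Run it against a real error log by replacing `SAMPLE_LOG` with the file's lines; the contiguity check in `listing_to_bytes` is the part worth keeping even if the rest is thrown away, since a signature rebuilt from a miscopied listing silently matches nothing.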