Network Security Incidents

Re: Systems compromised with ShellBOT perl script - part 2

Subject: Re: Systems compromised with ShellBOT perl script - part 2
Date: Wed, 08 Sep 2004 12:30:32 +0400
Hi Kirby,

Great work! Is it possible to get the gzipped files? BTW, as for doze4,
a scan with f-prot (Linux command-line edition) identifies it as
"Infection: Unix/RST.B". An online scan on
http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as
Linux.RST.b.
Here is Sophos's description of RST.B (from
http://www.sophos.com/virusinfo/analyses/linuxrstb.html):
------
Linux/Rst-B will attempt to infect all ELF executables in the current
working directory and the directory /bin 

If Linux/Rst-B is executed by a privileged user then it may attempt to
create a backdoor on the system. This is achieved by opening a socket
and listening for a particular packet containing details about the
origin of the attacker and the command the attacker would like to
execute on the system.
-----------

There was a discussion on FD recently, where the original poster had
started a Debian machine with port 22 open and a non-privileged user id of
guest/guest ... in order to be a victim of the recent SSH scans. The
crackers who got into this system had also downloaded an RST.B-infected
binary.

cheers,
-- 
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523   Office
    +971-50-6670648  Cell
GPG key:
http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5


On Sat, 2004-09-04 at 03:37, Kirby Angell wrote:
snip...

doze4
------------
I downloaded the "doze4" program and found it to be an ELF binary.
Google didn't turn up the source code, but I have disassembled it.  I'm
not one with Linux assembly language, but it's not terribly long and seems
to be a pretty basic DoS app.  Not terribly sure why they didn't just
use the one built into the script, but there is probably a good reason.
doze4 identifies itself as:

* * doze4 - written by phyton
* * doze4 rOckz! evite hosts.. use ips!  (avoid hostnames, use IPs!)
Usage: %s <ip> <porta> <spoof>
<ip>     : endereço que deseja f***r.  (address you want to f***)
<porta>  : porta aperta (coloque 0, que à rOckz)  (port to hit; set 0,
that rocks)
<spoof>  : um ip para ser spoofado (sua mascara).  (an IP to be spoofed,
i.e. your mask)

doze4 as well as .egg2 was written by someone who speaks Portuguese.

Summary
-------------
The same IP was used to initiate the attack both times.  I notified the
owner of that IP yesterday, but never received a response.  Tonight I
will be going through the list of compromised machines and notifying as
many as possible of the problem.

The files:

doze4            ELF binary of the DoS tool
doze4.asm        disassembled version of doze4
wget-doze4.cap   tcpdump capture of the IRC session
egg2-live        dangerous version of the IRC bot
egg2-neutered    egg2 with portscan and DoS disabled
                 (but SHELL access is still live)
hkz.txt          PHP injection script
irclog.txt       text output of the IRC connection
readme.txt       this file

are available in a .tar.gz file for anyone who requests it.  Tuesday
night my test server was attacked with a SYN flood; I expect worse this
time so I've locked it down so it will just log everything.  We don't
put this kind of thing on our production web servers, so just shoot me
an email at kangell@alertra.com if you want the archive.

--
Thank you,

Kirby Angell
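The Sophos description quoted above says RST.B infects every ELF executable in the current directory and in /bin, and the thread shows the intruders dropping additional ELF tools (doze4) onto the box. The practical check a responder wants is an integrity baseline of the ELF files in a directory, re-verified after a suspected compromise. The following Python script is an added example written for this page, not code from either poster, Sophos, f-prot or Kaspersky; it contains no RST.B signature and detects nothing by pattern. It identifies ELF files by the `\x7fELF` magic, records SHA-256 hashes, and reports files that changed, appeared or vanished since the baseline. The `demo()` scenario (two fake "binaries", an appended payload and a dropped `doze4`) is constructed in a temporary directory purely to exercise the logic.

```python
"""Baseline-and-verify check for ELF executables in one directory.

Added example for this thread (not from the original post or any vendor
tool). It records SHA-256 hashes of ELF files and reports changes.
"""
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def is_elf(path):
    """True if the file starts with the ELF magic; False on read errors."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(directory):
    """Return {filename: sha256} for every regular, non-symlink ELF file
    directly inside directory (symlinks are skipped so a link pointing at
    an infected file elsewhere is not mistaken for a local change)."""
    result = {}
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        if os.path.isfile(p) and not os.path.islink(p) and is_elf(p):
            result[name] = sha256_file(p)
    return result


def verify(directory, known):
    """Compare the directory against a previously recorded baseline."""
    current = baseline(directory)
    modified = sorted(n for n in known if n in current and current[n] != known[n])
    added = sorted(n for n in current if n not in known)
    missing = sorted(n for n in known if n not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: take a baseline, then simulate an infector that
    appends a payload to one binary and drops a new ELF tool alongside it."""
    with tempfile.TemporaryDirectory() as d:
        # Two fake ELF executables (constructed; only the magic matters here).
        for name in ("ls", "cat"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(ELF_MAGIC + b"\x02\x01\x01" + bytes(9) + b"original code")
        # A non-ELF file, which the baseline must ignore.
        with open(os.path.join(d, "README"), "w") as f:
            f.write("not an ELF file\n")
        known = baseline(d)

        # Simulate an appending infector: the hash of "ls" changes.
        with open(os.path.join(d, "ls"), "ab") as f:
            f.write(b"\x90\x90injected")
        # Simulate a dropped tool that did not exist at baseline time.
        with open(os.path.join(d, "doze4"), "wb") as f:
            f.write(ELF_MAGIC + bytes(12) + b"dropped")

        return verify(d, known)


if __name__ == "__main__":
    print(demo())
```

For a real system the baseline should not live on the same box: an infector running as root can rewrite a local hash list as easily as it rewrites /bin. The package manager's own manifests are the usual reference (`dpkg --verify` on Debian, `rpm -Va` on RPM systems), with the caveat that they are also local files and that a cleanly booted rescue medium is the only trustworthy place to run the comparison.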
