Subject: rumors about remote *BSD exploits
To: None <tech-security@netbsd.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: tech-security
Date: 06/17/2002 17:38:12

hi,

just seen on vuln-dev mailing list:

  Date: 17 Jun 2002 08:37:45 -0000
  From: "Van Cloude Jandame" <vancloudejandame@lemonheads.com>
  To: vuln-dev@securityfocus.com
  Subject: openbsd rumours

  Dear readers,

  A few days ago, while I was at #darknet, I saw three ScRiPtKidIeZ
  (within the rest of them) talking about the 7350-crocodile.c,
  7350-obsdftpd.c and 7350-pf.c exploit code by team teso, made with
  the support of GOBBLES Security, who gave them the advisories.

  The good news:

  the exploits ain't that much spread and they've been kept in the
  underground for about 1 month. This ain't really good news, but it is
  better than the ones that follow.

  The bad news:

  - openbsd ftp/cvs have been compromised and backdoored by the kiddies,
    that hang mostly on #!hack.the.turkey at efnet.
  - the technique is new and very obscure, the three exploits abuse it and
    it is applicable only on *BSD flavors (afaik).


  a really short part of the logs shows this:

  <m0rgan> ./a.out
  <m0rgan> 7350-crocodile - x86/OpenBSD apache/telnetd/sshd
  *** pr0ix (pr0ix@def-con.org) has joined #darknet
  <m0rgan> by lorian and scut / TESO
  <m0rgan>
  <m0rgan> ./7350-crocodile [options] [host] [port] [misc-option]
  <m0rgan>
  <m0rgan> -d <daemon> (1= apache, 2= telnetd, 3= sshd)
  <m0rgan> -b bruteforce
  <m0rgan> -c check only
  <m0rgan> -s <0xaddr> start address
  <m0rgan> -S shellcode (? to show the list)
  <pr0ix> wtf?
  <m0rgan>
  <m0rgan> greetz: synnergy, GOBBLES Security, ElectronicSoulz, shiftee, bnuts, skyper.
  <m0rgan> sidenote: nasa.gov was really easy ;>
  <m0rgan> muahah fear.
  <xxx> could you send me that?
  *** pr0ix sets mode: +b xxx!*@200.*
  *** xxx was kicked by pr0ix (0day-lurker)

  keep an eye on your logs, as they said the exploit makes a lot of
  noise on the system and in "private" logs and thus it is easy to spot;
  put your IDS on.

  Cheers,
  Martin (VanCloudeJandame)


we encountered strange dirs on the openbsd.cz ftp a few days ago:

/home/ftp/
/home/ftp/ /200kb
/home/ftp/ /TAggEd
/home/ftp/ /TAggEd/       ;;;
/home/ftp/ /TAggEd/       ;;;   /for
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT/by
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT/by/w3l
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT/by/w3l/    ;;;;;;
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT/by/w3l/t1
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT/by/ProSATANos
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT/by/ProSATANos/5c33n3D
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT/by/ProSATANos/5c33n3D/      ;;;; ; ;  ;
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT/by/ProSATANos/5c33n3D/      ;;;; ; ;  ;   /by-W3lt1
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /TargeT/by/ProSATANos/5c33n3D/      ;;;; ; ;  ;   /by-W3lt1/  ;
/home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /       ;;;
/home/ftp/ /TAggEd/       ;;;   /for/   ;;
/home/ftp/ /TAggEd/       ;;;
/home/ftp/ /TAggEd/  ;;;

as far as we can tell, nothing else was changed in the system and ftp
was running in chroot().

does anyone else have a similar experience, or does anyone have more
information on what's going on?  has anyone seen something like this on
NetBSD or FreeBSD?

regards,

-- 
-- Lubomir Sedlacik <salo@Xtrmntr.org>   ASCII Ribbon campaign against  /"\ --
--                  <salo@silcnet.org>   e-mail in gratuitous HTML and  \ / --
--                                       Microsoft proprietary formats   X  --
-- PGPkey: http://Xtrmntr.org/salo.pgp                                  / \ --
-- Key Fingerprint: DBEC 8BEC 9A90 ECEC 0FEF  716E 59CE B70B 7E3B 70E2      --
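The directory listing in the mail above is the usual "tagged" drop-directory pattern: names built from runs of spaces and semicolons so they are easy to overlook in casual ls output. The scanner below is an added example, not code from the mail or from the openbsd.cz admins. It reports path components with that shape; the regexes and thresholds are the example's own assumptions, and the sample paths are transcribed from the mail's listing plus one constructed benign entry.

```python
"""Flag hidden "tagged" drop directories under an FTP upload tree.

Added example, not from the original mail.  The heuristics below (assumed
thresholds) look for path components that are mostly blanks and punctuation,
the shape seen in the mail's listing.
"""
import os
import re

# Heuristics (assumed thresholds) for a suspicious path component.
_EDGE_WS = re.compile(r"^\s|\s$")          # leading or trailing whitespace
_WS_RUN = re.compile(r"\s{2,}")            # two or more consecutive blanks
_JUNK_ONLY = re.compile(r"^[\s;.,_\-]+$")  # nothing but blanks/punctuation
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # control characters


def suspicious_reasons(component):
    """Return the reasons one path component looks suspicious ([] if clean)."""
    reasons = []
    if _CONTROL.search(component):
        reasons.append("control characters")
    if _EDGE_WS.search(component):
        reasons.append("leading/trailing whitespace")
    if _WS_RUN.search(component):
        reasons.append("run of whitespace")
    if _JUNK_ONLY.match(component):
        reasons.append("only whitespace/punctuation")
    return reasons


def scan_paths(paths):
    """Map each flagged path to the reasons found in any of its components."""
    flagged = {}
    for path in paths:
        reasons = []
        for comp in path.split("/"):
            if not comp:
                continue
            for why in suspicious_reasons(comp):
                tag = "%s in %r" % (why, comp)
                if tag not in reasons:
                    reasons.append(tag)
        if reasons:
            flagged[path] = reasons
    return flagged


def scan_tree(root):
    """Walk a real directory tree (e.g. the ftp chroot) and return flagged dirs."""
    dirs = []
    for dirpath, dirnames, _files in os.walk(root):
        dirs.extend(os.path.join(dirpath, d) for d in dirnames)
    return scan_paths(dirs)


# Constructed sample: paths transcribed from the listing in the mail, plus a
# benign control entry (not from the mail).
SAMPLE_PATHS = [
    "/home/ftp/",
    "/home/ftp/ /200kb",
    "/home/ftp/ /TAggEd",
    "/home/ftp/ /TAggEd/       ;;;",
    "/home/ftp/ /TAggEd/       ;;;   /for",
    "/home/ftp/pub/README",
]

if __name__ == "__main__":
    for path, why in scan_paths(SAMPLE_PATHS).items():
        print("%r: %s" % (path, "; ".join(why)))
```

On the host itself, `find /home/ftp -type d -name '* *'` is a quick first cut for names containing a blank; the scanner adds the whitespace-run and punctuation-only checks, and `scan_tree()` runs the same logic over a real tree. A directory the ftp chroot could not have written to still deserves a look at the process that created it.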
