January 2nd, 2006

(no subject)

My fully updated RHEL 4 server was exploited. From what I can see they exploited Apache, perhaps using a three-way handshake exploit, and uploaded some binaries to /tmp/httpd. The machine then started DoS'ing various hosts via protocol 11 (network voice protocol), and communicating with a number of IRC servers.

I did a 'service httpd restart', but it wouldn't start after stopping. 'netstat -tup' revealed so-called httpd sessions running connected to IRC servers. I killed the pids associated with those sessions.
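As an added example (not part of the original post), here is the same check done programmatically: parse 'netstat -tup' output and flag any process named httpd whose foreign endpoint is an IRC port. The netstat sample, the IRC port set and the addresses are all constructed for the example.

```python
import re

# Ports commonly used by IRC servers (constructed list for this example).
# A web server accepts connections on 80/443; it has no reason to dial these.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Constructed sample of `netstat -tup` output modelled on the post: bogus
# "httpd" processes talking to IRC servers alongside legitimate traffic.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED 2210/httpd
tcp        0      0 10.0.0.5:43321          203.0.113.9:6667        ESTABLISHED 4177/httpd
tcp        0      0 10.0.0.5:43322          203.0.113.10:6667       ESTABLISHED 4178/httpd
tcp        0      0 10.0.0.5:22             192.0.2.14:40112        ESTABLISHED 1023/sshd
udp        0      0 10.0.0.5:123            0.0.0.0:*                           890/ntpd
"""

# One connection line: proto, queues, local, foreign, optional state (UDP has
# none), then PID/program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)/(?P<prog>\S+)"
)

def parse_netstat(text):
    """Yield one dict per connection line; header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def foreign_port(addr):
    """Return the port of a 'host:port' endpoint, or None for '*'."""
    _host, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None

def suspicious_httpd(text, irc_ports=IRC_PORTS):
    """Return (pid, foreign_address) for every httpd process connected to an
    IRC port; each hit is a process worth inspecting and killing."""
    hits = []
    for c in parse_netstat(text):
        if c["prog"] == "httpd" and foreign_port(c["foreign"]) in irc_ports:
            hits.append((int(c["pid"]), c["foreign"]))
    return hits

if __name__ == "__main__":
    for pid, peer in suspicious_httpd(SAMPLE_NETSTAT):
        print(f"PID {pid} (httpd) connected to IRC endpoint {peer}")
```

On a live box, feed it the real output (netstat -tup | python3 check.py with a small read from stdin) and treat every hit as a process to kill and a binary to preserve for analysis.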

Here are the uploaded files.

[root@compromised host]$ ls -la /tmp/httpd
total 160
drwxr-xr-x  2 apache apache  4096 Dec 25 05:00 .
drwxrwxrwt  6 root   root   45056 Jan  2 07:39 ..
-rw-r--r--  1 apache apache 14535 Dec 30 10:51 ArRlZ.seen
----------  1 apache apache 18132 Feb 22  2005 f3
-rw-r--r--  1 apache apache   158 Dec 30 10:51 ftp
-rw-r--r--  1 apache apache 10392 Dec 30 10:51 HBC.seen
-rw-r--r--  1 apache apache  1064 Dec 30 10:51 mech.levels
-rw-r--r--  1 apache apache   345 Dec 30 10:51 mech.session
----------  1 apache apache 13399 Jul 29  2004 s


mech.session has the login information for IRC. The two .seen files are IRC logs.

The binaries s and f3 have been chmod'ed 000 by one of our sysadmins.

The binary s contains the following strings:

Stealth> %s : port %d
Stealth> Non-existant host: %s
twitch@Stealth:
This tool is extremely dangerous. Use at your own risk!
Usage: st-kill  


The binary f3 contains the following strings:

!AJUDA!: %s -help
CREDITS: %s -credits
!USAGE!: %s (host/ip) (size) (loops)
   (host/ip) == host do babaca a ser fudido.
   (size)    == bytes a serem enviados.
   (loops)   == tempo da fudecao/s.

CTRL-C - ACAO CANCELADA!

FUDEDOR (v3.0) by bonny - PRIVATE!@#!


It's written by a Brazilian Portuguese speaker, and is the DoS tool.

I'm still on holiday, so I'll chase this up more tomorrow when I'm back home.
