I'm not too sure how many of you noticed the headline over at Infosyssec.org. Last week the group
hacked over 5000 websites. The article is
Here
I couldn't believe how many there were so I picked some out and started
nmap to see if I could find anything interesting. The first one I picked was www.cybergecko.com

[root@localhost July]# ping www.cybergecko.com
PING cybergecko.com (216.120.238.3) from 192.168.0.100 : 56(84) bytes of data.
64 bytes from 216.120.238.3: icmp_seq=1 ttl=49 time=64.4 ms

--- cybergecko.com ping statistics ---
1 packets transmitted, 1 received, 0% loss, time 0ms
rtt min/avg/max/mdev = 64.488/64e.488/64.488/0.000 ms
[root@localhost July]# nmap -v -sS -O 216.120.238.3

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (216.120.238.3) appears to be up ... good.
Initiating SYN Stealth Scan against (216.120.238.3)
Adding open port 111/tcp
Adding open port 993/tcp
Adding open port 25/tcp
Adding open port 6666/tcp
Adding open port 21/tcp
Adding open port 3306/tcp
Adding open port 1/tcp
Adding open port 22/tcp
Adding open port 110/tcp
Adding open port 80/tcp
Adding open port 443/tcp
Adding open port 465/tcp
Adding open port 143/tcp
Adding open port 995/tcp
The SYN Stealth Scan took 24 seconds to scan 1601 ports.
For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
Interesting ports on (216.120.238.3):
(The 1587 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
143/tcp open imap2
443/tcp open https
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
6666/tcp open irc-serv
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.481 days (since Fri Mar 7 23:49:01 2003)
TCP Sequence Prediction: Class=random positive increments
Difficulty=3688669 (Good luck!)
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds
[root@localhost July]# telnet 216.120.238.3 6666
Trying 216.120.238.3...
Connected to 216.120.238.3 (216.120.238.3).
Escape character is '^]'.
+++Online
>> Melange Chat Server (Version 1.10), Apr-25-1999

Welcome ! (Type /HELP for a list of commands)
/HELP
>> Melange Chat Server (Version 1.10), Apr-25-1999
>> ----------------------------------------------------------
>> List of available commands (Commands start with '/')
>> ----------------------------------------------------------
>> /MSG <line> <msg> ..... Send private msg to user at <line>
>> /YELL ....... Cross channel yelling, everyone can listen !
>> /SQUELCH <id> ... Squelch/Unsquelch user with user id <id>
>> /JOIN <channel id> ................... Change/open channel
>> /TOPIC <channel name> .............. Change channel's name
>> /NICK <name> ........................ Change your own name
>> /LIST ........................ List all available channels
>> /LOCK ........................... Lock/unlock your channel
>> /OWN <id> ............... Change the owner of your channel
>> /KICK <id> ...................... Kick user out of channel
>> /INVITE <id> ............ Invite user <id> to your channel
>> /WHOIS .................... Show all users in your channel
>> /FINGER ........................ Show all user in the chat
>> /VER ............................................. Version
>> /ME ........................................... Who am I ?
>> /HELP ............................................... Help
>> /TIME ................................ Display date & time
>> /QUIT ............................................. Logout
/LIST
>> List of open channels:
>> ----------------------------------------------------------------------
>> Channel 0 ( MAIN ), Owner: 1001
>> Channel 1 ( ANONYM ), Owner: 1001
>> ----------------------------------------------------------------------
/FINGER
>> List of users currently in this chat:
>> ----------------------------------------------------------------------
>> Line 0: unknown (212.17.98.131), Channel 0 (MAIN)
>> ----------------------------------------------------------------------
/ME
>> You are user [0] unknown, you are in channel 0 (MAIN) and in group 1001.
/QUIT
>> Goodbye, cu !

+++Quit
The thing that really interested me and caught my eye was that port 6666 irc-serv was open,
so I telnetted to it and found that little menu above. The weirdest part is that I find the same server
running on the majority of the websites that are on the hacked list. If this is a back door, how could
they be using it? Looking at the help menu, I find that it does look like an IRC server.
Another one that I found that had the same service running:

[July@localhost July]$ ping www.yosvan.com
PING yosvan.com (216.120.238.3) from 192.168.0.100 : 56(84) bytes of data.
64 bytes from 216.120.238.3: icmp_seq=1 ttl=49 time=60.2 ms
64 bytes from 216.120.238.3: icmp_seq=2 ttl=49 time=64.1 ms

--- yosvan.com ping statistics ---
2 packets transmitted, 2 received, 0% loss, time 1008ms
rtt min/avg/max/mdev = 60.257/62.210/64.164/1.969 ms
[July@localhost July]$ nmap -v -sS -O 216.120.238.3

[root@localhost July]# nmap -v -sS -O 216.120.238.3

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (216.120.238.3) appears to be up ... good.
Initiating SYN Stealth Scan against (216.120.238.3)
Adding open port 3306/tcp
Adding open port 143/tcp
Adding open port 22/tcp
Adding open port 995/tcp
Adding open port 1/tcp
Adding open port 443/tcp
Adding open port 111/tcp
Adding open port 80/tcp
Adding open port 993/tcp
Adding open port 6666/tcp
Adding open port 110/tcp
Adding open port 21/tcp
Adding open port 465/tcp
Adding open port 25/tcp
The SYN Stealth Scan took 22 seconds to scan 1601 ports.
For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
Interesting ports on (216.120.238.3):
(The 1587 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
143/tcp open imap2
443/tcp open https
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
6666/tcp open irc-serv
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.485 days (since Fri Mar 7 23:49:02 2003)
TCP Sequence Prediction: Class=random positive increments
Difficulty=4541093 (Good luck!)
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 32 seconds
[July@localhost July]#
I have not sent out a notice to the webmasters of these sites yet, only because I am unsure of what this irc-serv is really
doing. Anyone got any ideas? It looks to me like a backdoor for the hackers to use. Also, it seems that the Melange Chat Server has a lot of exploits; I only did a Google search and the results came back here.
Maybe I'm wrong, maybe this was a service that was installed by the webmasters and then exploited by the hacker group.
Thought it was something pretty interesting that I would share with the rest of AO.
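As an added example (not part of the post above), here is a small triage script that takes the nmap 3.00 port table from the scan in the post, compares it against a baseline of ports a shared web/mail host would be expected to expose, and classifies the captured banner from the telnet session. Two caveats it makes concrete: in a plain `-sS` scan the Service column is nmap's lookup of the port number in its nmap-services file, not a verified identification, so "irc-serv" on 6666 only means "port 6666"; and the banner that was actually read (">> Melange Chat Server (Version 1.10)") is what identifies the listener. Note also that both hostnames in the post resolve to the same address, 216.120.238.3, so one parsed table covers both scans. The baseline set `EXPECTED_INTERNET_FACING` and the banner heuristics are assumptions made for this example, not anything the post states.

```python
import re

# Port table copied from the nmap 3.00 scan quoted in the post above.
NMAP_OUTPUT = """\
Interesting ports on (216.120.238.3):
(The 1587 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
143/tcp open imap2
443/tcp open https
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
6666/tcp open irc-serv
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
"""

# First lines read from port 6666 in the telnet session quoted in the post.
CAPTURED_BANNER = """\
+++Online
>> Melange Chat Server (Version 1.10), Apr-25-1999

Welcome ! (Type /HELP for a list of commands)
"""

# Hypothetical baseline (assumption for this example): services a shared
# web/mail host is expected to expose to the Internet.
EXPECTED_INTERNET_FACING = {21, 22, 25, 80, 110, 143, 443, 465, 993, 995}

# Matches "80/tcp open http" style rows of nmap's classic port table.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*$")


def parse_nmap_ports(text):
    """Return [(port, proto, state, nmap_service_guess), ...] from an nmap port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def unexpected_open_ports(ports, expected):
    """Open TCP ports outside the baseline, paired with nmap's port-number-based
    service name (a lookup, not a verified identification)."""
    return [(port, svc) for port, proto, state, svc in ports
            if proto == "tcp" and state == "open" and port not in expected]


def identify_banner(banner):
    """Classify what a listener actually said on connect, independent of nmap's
    service column. Heuristics are assumptions for this example."""
    m = re.search(r"Melange Chat Server \(Version ([\d.]+)\)", banner)
    if m:
        return "Melange Chat Server " + m.group(1)
    # A real IRC daemon typically greets with a NOTICE AUTH line or an
    # RFC 1459 numeric reply (001-004) once the client registers.
    if re.search(r"^NOTICE AUTH|^:\S+ 00[1-4] ", banner, re.MULTILINE):
        return "IRC daemon"
    return "unknown"


def triage(nmap_text, banner, expected):
    """Findings a defender would record: baseline deviations plus banner identity."""
    findings = [f"{port}/tcp open, nmap guesses '{svc}', not in baseline"
                for port, svc in unexpected_open_ports(parse_nmap_ports(nmap_text), expected)]
    findings.append("port 6666 banner identifies: " + identify_banner(banner))
    return findings


if __name__ == "__main__":
    for line in triage(NMAP_OUTPUT, CAPTURED_BANNER, EXPECTED_INTERNET_FACING):
        print(line)
```

Running it flags 1/tcp (tcpmux), 111/tcp (RPC portmapper), 3306/tcp (MySQL) and 6666/tcp as outside the baseline, and reports the 6666 listener as Melange Chat Server 1.10 rather than an IRC daemon; the same parse-then-diff step is what you would run against a known-good scan of your own hosts to catch a listener that appeared without a change record.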