Did hax0rs lab leave a backdoor?
Results 1 to 8 of 8

Thread: Did hax0rs lab leave a backdoor?

  1. #1
    Senior Member
    Join Date
    Jun 2002
    Posts
    102

    Question Did hax0rs lab leave a backdoor?

    I'm not to sure how many of you noticed the headline over at Infosyssec.org. Last week the group
    hacked over 5000 websites. The articles is
    Here
    I couldn't believe how many there were so I picked some out and started
    nmap to see if I could find anything interesting. The first one I picked was www.cybergecko.com

    [root@localhost July]# ping www.cybergecko.com
    PING cybergecko.com (216.120.238.3) from 192.168.0.100 : 56(84) bytes of data.
    64 bytes from 216.120.238.3: icmp_seq=1 ttl=49 time=64.4 ms

    --- cybergecko.com ping statistics ---
    1 packets transmitted, 1 received, 0% loss, time 0ms
    rtt min/avg/max/mdev = 64.488/64e.488/64.488/0.000 ms
    [root@localhost July]# nmap -v -sS -O 216.120.238.3

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host (216.120.238.3) appears to be up ... good.
    Initiating SYN Stealth Scan against (216.120.238.3)
    Adding open port 111/tcp
    Adding open port 993/tcp
    Adding open port 25/tcp
    Adding open port 6666/tcp
    Adding open port 21/tcp
    Adding open port 3306/tcp
    Adding open port 1/tcp
    Adding open port 22/tcp
    Adding open port 110/tcp
    Adding open port 80/tcp
    Adding open port 443/tcp
    Adding open port 465/tcp
    Adding open port 143/tcp
    Adding open port 995/tcp
    The SYN Stealth Scan took 24 seconds to scan 1601 ports.
    For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
    Interesting ports on (216.120.238.3):
    (The 1587 ports scanned but not shown below are in state: closed)
    Port State Service
    1/tcp open tcpmux
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop-3
    111/tcp open sunrpc
    143/tcp open imap2
    443/tcp open https
    465/tcp open smtps
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql
    6666/tcp open irc-serv
    Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
    Uptime 0.481 days (since Fri Mar 7 23:49:01 2003)
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=3688669 (Good luck!)
    IPID Sequence Generation: All zeros

    Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds
    [root@localhost July]# telnet 216.120.238.3 6666
    Trying 216.120.238.3...
    Connected to 216.120.238.3 (216.120.238.3).
    Escape character is '^]'.
    +++Online
    >> Melange Chat Server (Version 1.10), Apr-25-1999

    Welcome ! (Type /HELP for a list of commands)
    /HELP
    >> Melange Chat Server (Version 1.10), Apr-25-1999
    >> ----------------------------------------------------------
    >> List of available commands (Commands start with '/')
    >> ----------------------------------------------------------
    >> /MSG <line> <msg> ..... Send private msg to user at <line>
    >> /YELL ....... Cross channel yelling, everyone can listen !
    >> /SQUELCH <id> ... Squelch/Unsquelch user with user id <id>
    >> /JOIN <channel id> ................... Change/open channel
    >> /TOPIC <channel name> .............. Change channel's name
    >> /NICK <name> ........................ Change your own name
    >> /LIST ........................ List all available channels
    >> /LOCK ........................... Lock/unlock your channel
    >> /OWN <id> ............... Change the owner of your channel
    >> /KICK <id> ...................... Kick user out of channel
    >> /INVITE <id> ............ Invite user <id> to your channel
    >> /WHOIS .................... Show all users in your channel
    >> /FINGER ........................ Show all user in the chat
    >> /VER ............................................. Version
    >> /ME ........................................... Who am I ?
    >> /HELP ............................................... Help
    >> /TIME ................................ Display date & time
    >> /QUIT ............................................. Logout
    /LIST
    >> List of open channels:
    >> ----------------------------------------------------------------------
    >> Channel 0 ( MAIN ), Owner: 1001
    >> Channel 1 ( ANONYM ), Owner: 1001
    >> ----------------------------------------------------------------------
    /FINGER
    >> List of users currently in this chat:
    >> ----------------------------------------------------------------------
    >> Line 0: unknown (212.17.98.131), Channel 0 (MAIN)
    >> ----------------------------------------------------------------------
    /ME
    >> You are user [0] unknown, you are in channel 0 (MAIN) and in group 1001.
    /QUIT
    >> Goodbye, cu !

    +++Quit
    The thing that really interested me and caught my eye was that port 6666 irc-serv was open
    so I telnet to it and find that little menu above. The weirdest part is that I find the same server
    running on the majority of the websites that are on the hacked list. If this is a back door how could
    they be using it ? Looking from the helpmenu I find that it does look like an irc server.
    Another one that I found that had the same service running

    [July@localhost July]$ ping www.yosvan.com
    PING yosvan.com (216.120.238.3) from 192.168.0.100 : 56(84) bytes of data.
    64 bytes from 216.120.238.3: icmp_seq=1 ttl=49 time=60.2 ms
    64 bytes from 216.120.238.3: icmp_seq=2 ttl=49 time=64.1 ms

    --- yosvan.com ping statistics ---
    2 packets transmitted, 2 received, 0% loss, time 1008ms
    rtt min/avg/max/mdev = 60.257/62.210/64.164/1.969 ms
    [July@localhost July]$ nmap -v -sS -O 216.120.238.3

    [root@localhost July]# nmap -v -sS -O 216.120.238.3

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host (216.120.238.3) appears to be up ... good.
    Initiating SYN Stealth Scan against (216.120.238.3)
    Adding open port 3306/tcp
    Adding open port 143/tcp
    Adding open port 22/tcp
    Adding open port 995/tcp
    Adding open port 1/tcp
    Adding open port 443/tcp
    Adding open port 111/tcp
    Adding open port 80/tcp
    Adding open port 993/tcp
    Adding open port 6666/tcp
    Adding open port 110/tcp
    Adding open port 21/tcp
    Adding open port 465/tcp
    Adding open port 25/tcp
    The SYN Stealth Scan took 22 seconds to scan 1601 ports.
    For OSScan assuming that port 1 is open and port 2 is closed and neither are firewalled
    Interesting ports on (216.120.238.3):
    (The 1587 ports scanned but not shown below are in state: closed)
    Port State Service
    1/tcp open tcpmux
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop-3
    111/tcp open sunrpc
    143/tcp open imap2
    443/tcp open https
    465/tcp open smtps
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql
    6666/tcp open irc-serv
    Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
    Uptime 0.485 days (since Fri Mar 7 23:49:02 2003)
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=4541093 (Good luck!)
    IPID Sequence Generation: All zeros

    Nmap run completed -- 1 IP address (1 host up) scanned in 32 seconds
    [July@localhost July]#
    I have not sent out a notice to the webmasters of these sites yet only because I am unsure of what this irc-serv is really
    doing. Anyone got any ideas? It looks to me like a backdoor for the hackers to use. Also it seems that the Melange Chat Server has alot of exploits I only did a google search and the results came back here
    Maybe I'm wrong maybe this was a serivce that was installed by the webmasters and then exploited by the hacker group.
    Thought it was something pretty interesting that I would share with the rest of AO.
    Good Grief

  2. #2
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    they where generating a Bot-Net..
    using high-end servers to Packet IP's or to serve Warez...you should Notify all webmasters that u find this on...

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  3. #3
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    Heya July

    Quote from the article:
    something like 5000 websites located on four different servers
    If I read it right they had to crack 4 servers. With a script and with decent acces the defacing of the 5000 websites on that server could be automated. It would be ALOT of work to do that one by one.

    The question I have is if that chat system was installed before or after the defacement. It would be stupid of that admins to install the chat server because it's 1: useless 2: there are better ways of communication 3: it says on the developers website the project was abandoned and it has many bugs and exploits.
    Also there are better backdoors then this one. A simple scan makes it show up, so the admins won't have a big job fixing it. There are backdoors wich can be as stealth as a ... whatever. Even though it doesn't directly appear as a backdoor a admin won't let it be just because it appears to be "just" a chat server. I think they did put it up for fun after the defacement or as a way of defacing. Maybe indeed as a backdoor to come back, because a admin with a server with 5000 websites won't easily "reinstall" the server. Hrm... Guess guess guess. There are more open ports with interesting stuff.

    edit:
    Sorry for the drunk post... well I am drunk.
    The things could be used as a net for warez or something like Noia said. They could also be used as some kind of drones or bots or whatever for DDoS attacks.
    Double Dutch

  4. #4
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    I'v seen these things before....
    They install an IRC bot program, then the bot joins a chan, where they can give mass instructions....I'v seen masses of Bot's move from one chan to the next.....they move them like sheep or cow's.....it's really strange.....

    It's difficult to find these places.....they are in hidden chan's in Networks that like to move around, the way I got my info was to take on the name of a normal bot (BOT-****) and enter....then try to follow the commands issued, like
    !Move [Chan]
    !Part
    !Attack [IP] - Didn't follow this one
    !Stopattack
    etc etc etc

    In short....the Bot log's on, hidden from view, connects to a server and joins a preset chan.
    A user can then !Login with a password and start giving commands to the bot's....

    as for Warez, it takes more time, because you need to Log-in set up a bot or FTP then upload files, etc etc etc......as Neel said, there is no need for them to be running an IRC server so chanses are they where put there for a BOT net.

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  5. #5
    Senior Member
    Join Date
    Jun 2002
    Posts
    102
    Ok I've found 165 other servers on that list with all things in common, they all have the irc service running.
    This does look now like it was from the hax0rs lab group. I've seen Warez run on iRC before but I don't think
    that's what they are there for. What exactly is a Bot Net? I've never heard of that before, I know about eggdrop
    and some iRC bots, is a bot net just linking iRC bots together?
    Good Grief

  6. #6
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    a Bot net is generaly a network of bot's, a bunch of computers that can be remotly controled and told to preform tasks remotly, they fall into two main groups, one is for Warez serving, for this, only the fastest bot's are selected, and for packating, in which it's the number of bot's you have that counts, not the speed of them...

    If you'r still blurry on this, PM me with some Q's and I'll try to answer

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  7. #7
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    I'd just like to point out that botnet's aren't always used for devious and malicious activities. I still frequent efnet from time to time.. an IRC Network that still lacks services.. On networks like this botnets are maintained to hold channels against those that would try to take them over.. I have a few of my bots idling in this sort of botnet...
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  8. #8
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    That's right, but these are bots on defaced webservers. There's a difference between a bot idling in a channel to keep it owned if there is a netsplit or a services failure, and a bot that is up for the sole purpose of trashing a connection so the users get kicked of the web, after wich the channel can be taken by others. Wich one of these two would those most likely be ? You can't say that really...
    Double Dutch

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •