Re: [0day] RPC-DCOM as a vector for DDoS - RPC IS DEVASTATING
- To: "0day" <[EMAIL PROTECTED]>
- Subject: Re: [0day] RPC-DCOM as a vector for DDoS - RPC IS DEVASTATING
- From: "Donnie Werner" <[EMAIL PROTECTED]>
- Date: Fri, 1 Aug 2003 16:11:09 -0700
- References: <[EMAIL PROTECTED]><[EMAIL PROTECTED]><[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
- Reply-to: 0day <[EMAIL PROTECTED]>
- Sender: [EMAIL PROTECTED]
-= 0day - Freedom of Voice - Freedom of Choice =-
> I would not stress this if it wasn't the absolute worst I have ever seen
...
> as a matter of fact, let us explore just one example that ( other than the
> BANK PEN-TEST )
>
> RPC-DCOM has already been used as an attack vector
> in a mass DDoS.... read the following
> http://exploitlabs.com/attack/RPC-DCOM-DD0S-attack.txt
>
> Donnie Werner
> co-founder e2-labs
> [EMAIL PROTECTED]
> http://e2-labs.com
>
In conjunction with the cooperation of my ISP, exploitlabs.com will not be
attached to a httpd service in the short future because of the continued
attacks; as such, the information pertaining to this is not publicly
available and I am posting it here in its original, unedited form.
D. Werner
[EMAIL PROTECTED]
====== original document follows ==========
========================================================
RPC-DCOM Worm Infection Vectors
========================================================
"Security Researchers use latest RPC exploit to conduct
a Coordinated Distributed Denial of Service Attack"
or, my network has been attacked by security researchers
a factual analysis
-----------------------------------------------------------
Donnie Werner
http://exploitlabs.com
http://e2-labs.com
cc: to
[EMAIL PROTECTED] - Road Runner
[EMAIL PROTECTED] - Charter Networks
[EMAIL PROTECTED] - InPhonic, Inc. (INPHONIC3-DOM)
[EMAIL PROTECTED] - BellSouth
preface:
--------
1000's of hosts within a central infection region compromised
via RPC-DCOM exploit ( all tested samples scan as "vulnerable" )
all attacking parties are in the infosec / security arena and are
contributors to Full Disclosure and Bugtraq
the mass localization of zombied hosts will match to the basic
home locale of the main characters outlined within, this aids
in the forensics and investigation to find the guilty parties
the "perps" made a souvenir of their own attack
http://pimp.ladyofwisdom.edu/morning_wood-fun.txt
INVESTIGATIVE ANALYSIS
======================
attacking "entities"
----------------------
the "nopninjas" and "majestik"
hacking / bot / EFnet kiddie groups
method of attack:
-----------------
SDbot 05b via compromised ( zombie ) systems
executable / virus filename:
----------------------------
trojan: SdBot 05b
executable: proc32.exe
note: every infected system contained this file
with the attack target set to "exploitlabs.com" ( see link bot.txt )
sdbot has the ability to change the name of the executable after
installation
controllers of attacking urls:
------------------------------
http://66.151.154.251/ <----- 66.151.xxx.xxx one major source of attacking bots
irc 66.151.154.251:6667
pimp.ladyofwisdom.edu
http://64.203.4.70/
http://user-10cm126.cable.mindspring.com/
irc 24.118.20.172:6667
exploited networks used as zombies:
-----------------------------------
68.154.xxx.xxx - BellSouth
68.158.xxx.xxx
24.71.xxx.xxx - Road Runner, Tampa Bay
24.241.xxx.xxx - Charter
network under attack:
---------------------
exploitlabs.com
background / analysis
---------------------
"majestic" irc ( 24.118.20.172:6667 ) shows "sdbot" type of activity
------------- snip --------------
#majestic lwbiv H [EMAIL PROTECTED] :0 lwbiv
#majestic jeshmq H [EMAIL PROTECTED] :0 jeshmq
#majestic njgu H [EMAIL PROTECTED] :0 njgu
#majestic ppqg H [EMAIL PROTECTED] :0 ppqg
#majestic bekf H [EMAIL PROTECTED] :0 bekf
#majestic HaX H [EMAIL PROTECTED] :0 john doe
#majestic
lwbiv Owner sam jeshmq njgu ppqg wEc[4336] bekf Warren73 gxdtqf Joey
Chibata38 TERRI PochiX1512 pietroush5113 HaX majestic_ wEc[63397]
----------- snip ---------------
Factual Statement:
------------------
My support center at ( exploitlabs.com ) was "invaded" by approx 20 live
hosts from a "hacking" group from EFnet, "nopninjas"
note: i am <XssKing> and <morning_wood> 192.168.0.*
the following was provided to me from the attacking crew itself ( I guess
they're proud )
---------- snip ----------
*** poofie ([EMAIL PROTECTED]) has joined #0sec
<XssKing> wb
*** b0f ([EMAIL PROTECTED]) has joined #0sec
<poofie> hi
<XssKing> heh
<buRdeN> everything you'd need to uncap yer modem
<XssKing> sup b0f
<buRdeN> in one product
*** karkark ([EMAIL PROTECTED])
has joined #0sec
<XssKing> yea
<XssKing> i was looking fopr a tftp
<b0f> hi
<XssKing> and founfd that
<karkark> hello
*** demiurge ([EMAIL PROTECTED]) has joined #0sec
<XssKing> long time
<buRdeN> hi everyone
<XssKing> b0f
<b0f> yah ?
*** phaze ([EMAIL PROTECTED]) has joined #0sec
<XssKing> i rember you from like 2 years ago
<karkark> hey morning_wood why don't you answer my emails?
<demiurge> yo w00d
<demiurge> back
<demiurge> sup man?
<XssKing> wat mails?
<b0f> any xss 0day for trade ?
<karkark> XssKing hang on
<XssKing> not todayu i been busy
<karkark> hey morning_wood why don't you answer my emails?
<morning_wood> wat mails?
<karkark> this one
http://lists.netsys.com/pipermail/full-disclosure/2003-July/011927.html
--------- snip ------------
after much lame chat we see
the DoS begin
--------- snip ------------
<kokanin> my god morning_wood you're so retarded you don't even get it when
you're being insulted
<phaze>
uid=0(root)
gid=0(root)
groups=0(root)
,1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(
tape),27(video)
<phaze> I am prolly very vuln this is ooooold version
[kokanin:#0sec MORNING_WOOD] is a fag
<kokanin> [morning_wood Invalid reply]: CTCP command.
<kokanin> jeez
<phaze> lol
<b0f> lol
[kokanin:#0sec REPLY_TO_THIS_IF_YER_GAY]
<kokanin> yay morning_wood is gay
<kokanin> but we knew that
<kokanin> you trade a lot of 0day xss?
<kokanin> lol
*** SignOff kokanin: #0sec (Quit: kiss my ass)
*** SignOff demiurge: #0sec (Quit: [BX] Leggo my Eggo!)
<b0f> yah ill give u apache 0day for xss in lame.com
*** phaze [EMAIL PROTECTED] has left #0sec
[Xchizat for the real hommies]
<b0f> moo
<b0f> exploitlabs.com is vuln to remote exploit
<b0f> ***** suprise *****
*** ysmcju [EMAIL PROTECTED] has joined #0sec
*** nlfwky [EMAIL PROTECTED] has joined #0sec
*** aojx [EMAIL PROTECTED] has joined #0sec
*** htpdd [EMAIL PROTECTED] has joined #0sec
*** tlhyic [EMAIL PROTECTED] has joined #0sec
*** tqubox [EMAIL PROTECTED] has joined #0sec
*** cmqcpn [EMAIL PROTECTED] has joined #0sec
*** vvkr [EMAIL PROTECTED] has joined #0sec
*** replwe [EMAIL PROTECTED] has joined #0sec
*** zkmc [EMAIL PROTECTED] has joined #0sec
*** ffea [EMAIL PROTECTED] has joined #0sec
*** uqlk [EMAIL PROTECTED] has joined #0sec
*** SignOff xternal_: #0sec (Excess Flood)
<buRdeN> wtf
<b0f> haha
----------------- snip -----------------
at which time I am invaded by over 1000 connecting hosts
from 24.241.xxx.xxx , 24.73.xxx.xxx and the 68. octets
IDENTIFICATION:
===============
who is karkark:
---------------
Knud Erik Højgaard [EMAIL PROTECTED]
http://www.google.com/keyword/Knud+Erik+H%C3%B8jgaard
perpetrator "nicks" on this attack:
----------------------------------------
1.
sloth ([EMAIL PROTECTED]) / [EMAIL PROTECTED]
http://www.ircnick.com/index.php?sloth
http://www.b0red.com/people/sloth-starbucks.jpg
http://packetstormsecurity.nl/worms/mindjail.txt
http://hack.datafort.net/~newlevel8/ <---- this style looks a bit familiar from FD
2.
b0f [EMAIL PROTECTED]
http://www.b0f.com/
3.
Matthew McGehrin ([EMAIL PROTECTED])
http://mail.gnu.org/archive/html/help-emacs-windows/2002-08/msg00017.html
4.
int80 ([EMAIL PROTECTED])
poofie [EMAIL PROTECTED]
http://www.jeah.net/
http://blitzed.org/linkapp.phtml?linkapp=pan.wi.us
he has had trouble in the past as we can see by..
http://www.acky.net/forums/DCForumID14/21.html
5.
liamfoy ([EMAIL PROTECTED])
http://www.sepulcrum.org/
http://virtus.ath.cx/~liam/me2.jpg
Liam-Foy
United Kingdom
Age: 15
[EMAIL PROTECTED]
http://www.btinternet.com/~liam_foy/newss.jpg
http://www.btinternet.com/~liam_foy/about/network.jpg.JPG
6.
yobeee ([EMAIL PROTECTED])
Nik Reiman // [EMAIL PROTECTED]
http://12.109.93.111 = http://aboleo.net
7.
opy ([EMAIL PROTECTED])
http://www.dtors.net
8.
dvdman ([EMAIL PROTECTED])
http://l33tsecurity.com/
dead ([EMAIL PROTECTED])
soot ([EMAIL PROTECTED])
([EMAIL PROTECTED])
wood_sux ([EMAIL PROTECTED])
demiurge ([EMAIL PROTECTED])
Defiance ([EMAIL PROTECTED])
timberland ([EMAIL PROTECTED])
ekom ([EMAIL PROTECTED])
this was a log not recorded by me
---------------------------------
http://exploitlabs.com/attack/morning_wood-fun.txt
this was logged by me with some help:
-------------------------------------
<xxxxxx> talked to Hax
<xxxxxx> from majestic
<MrWood> whats up with mak?
<xxxxxx> he showed me his new bot
<MrWood> get it the fuck off me
<xxxxxx> ne way... u see mayj
<xxxxxx> on the site...
<xxxxxx> just a kid!
<MrWood> why is he fucking with me?
<xxxxxx> and I qutoe "he doesn't know shit" end quote
<xxxxxx> quote "he needs to shut his piehole" end quote
<MrWood> i c
sdbot string analysis:
----------------------
http://exploitlabs.com/attack/sdbot.txt
live sdbot binary from infected system:
---------------------------------------
http://exploitlabs.com/attack/proc32.zip
this is a netstat dump
-----------------------
http://exploitlabs.com/attack/netstat.txt
this is a screenshot of bot connections on an infected server
provided with the cooperation of an infected customer i contacted
and worked closely with
------------------------
http://exploitlabs.com/attack/screenshot.jpg
furthermore, the only "exploit" I am vulnerable to is 1000's of sdbots on infected
hosts directed at my network
analysis by:
------------
Donnie Werner
[EMAIL PROTECTED]
http://e2-labs.com
I would like to thank the cooperation of "Bob" the businessman
for helping me analyse his compromised system in the 24.73.xxx.xxx address
and his network tech for working with me in this investigation.
_______________________________________________
0day mailing list
[EMAIL PROTECTED]
http://nothackers.org/mailman/listinfo/0day
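The post's #0sec log shows the tell-tale shape of an IRC-controlled bot flood: a run of joins with generated-looking nicks, then an "Excess Flood" disconnect, and the zombies cluster in a few /16 ranges. The following is an added detection sketch, not part of the post or of exploitlabs' own material: it flags bursts of consecutive joins in an IRC log and tallies the joining hosts per /16. The sample log is constructed; its nicks are taken from the post, but the user@host fields (redacted in the post) are made-up placeholders chosen to fall in the ranges the post names.

```python
import re
from collections import Counter

# Constructed sample log modelled on the #0sec join flood in the post.
# Host addresses are placeholders, not values from the post (those were redacted).
SAMPLE_LOG = """\
*** poofie (pf@10.0.0.5) has joined #0sec
<poofie> hi
*** ysmcju (a@24.241.12.7) has joined #0sec
*** nlfwky (b@68.154.3.9) has joined #0sec
*** aojx (c@24.241.40.2) has joined #0sec
*** htpdd (d@68.158.77.1) has joined #0sec
*** tlhyic (e@24.73.5.5) has joined #0sec
*** tqubox (f@24.241.9.9) has joined #0sec
*** cmqcpn (g@68.154.20.4) has joined #0sec
*** vvkr (h@24.241.1.1) has joined #0sec
*** replwe (i@68.154.8.8) has joined #0sec
*** zkmc (j@24.241.3.3) has joined #0sec
*** SignOff xternal_: #0sec (Excess Flood)
<buRdeN> wtf
"""

# "*** nick (user@host) has joined #channel", the client format used in the post's log.
JOIN_RE = re.compile(r"^\*\*\* (\S+) \(([^@)]+)@([^)]+)\) has joined (#\S+)")


def parse_joins(lines):
    """Return (line_no, nick, host, channel) for every join line."""
    hits = ((i, JOIN_RE.match(line)) for i, line in enumerate(lines))
    return [(i, m.group(1), m.group(3), m.group(4)) for i, m in hits if m]


def find_join_bursts(lines, min_joins=8, max_gap=0):
    """Group joins into runs; a run ends when more than max_gap non-join
    lines separate two joins. Runs of >= min_joins joins are bursts."""
    bursts, run = [], []
    for join in parse_joins(lines):
        if run and join[0] - run[-1][0] - 1 > max_gap:
            if len(run) >= min_joins:
                bursts.append(run)
            run = []
        run.append(join)
    if len(run) >= min_joins:
        bursts.append(run)
    return bursts


def zombie_networks(burst):
    """Count joining hosts per /16, the granularity the post uses (24.241.xxx.xxx)."""
    return Counter(".".join(host.split(".")[:2]) for _, _, host, _ in burst)
```

Running `zombie_networks(find_join_bursts(SAMPLE_LOG.splitlines())[0])` on the sample singles out 24.241 and 68.154 as the ranges supplying most of the flood, which is the list a defender would hand to the upstream ISPs named in the cc: line.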