Delta of woot-project attack, analysis and recovery
This tutorial attempts to cover everything I have learned about the
"delta of woot-project" web site defacing attack.
I believe that it scans the internet for sites with open port 22
ssh services. It then detects whether SSH1 is supported and attempts to
use vulnerabilities in SSH1 to gain root access and deface the site.
If it were just site defacement it might not be that bad, but it also installs many
trojaned binaries. I highly recommend a new software install from
scratch with a hard drive reformat. This tutorial attempts to cover a
system recovery but in no way guarantees that the system was sanitized.
In fact I would assume it was not, but here it is anyway.
I believe that the "delta of woot-project" attack exploits the SSH1 vulnerabilities. The following links describe the SSH1 exploit:
The attacker uses a C scanning program, sshs.c (author Jenkins@madsite.org), which checks a list of IP addresses for the presence of SSH-1.5-1.2.27 or SSH-1.99-OpenSSH_2.2.0p1. The vulnerabilities in SSH1 are then exploited to gain root access.
It then installs new binaries so that the commands "ps" and "pstree" used to monitor processes are useless when trying to find the hacker-installed processes. It also installs new network monitoring binaries to replace "netstat" and many of the other commands you might use to diagnose system problems caused by the exploit. The exploit starts a few background processes, the purpose of which I do not fully understand. The exploit also creates a user "woot". This entry must be deleted from the files /etc/passwd and /etc/shadow. The attack results in a compromise of your system so extensive that I cannot readily determine its full extent. Again I recommend a full reinstall of your system and hard drive re-format (with new sector sizes).
See the YoLinux Internet Server Security Tutorial - Installing OpenSSH (using protocol SSH2) and avoid this problem!
If the web page defacement was not a big enough clue that you have been hit with the "delta of woot-project" attack, you can also use the "chkrootkit" tool to audit your system and find many of the known trojans.
Download chkrootkit from http://www.chkrootkit.org/
Un-tar the package and compile:
I am certain that this will NOT report all the trojans left on your system.
Hacker file discovery:
Let me start by saying that one may not be able to fully recover the system. I recommend that you reinstall the operating system and re-format your hard drive with new sector sizes. The following was more of an experiment to see how clean I could get the system after this attack. I also wanted to try and discover how extensive and damaging the "delta of woot-project" exploit was and gain insight into the attack.
My first attempt to remove trojan binaries failed:
The trojaned binaries could not be deleted at first because they had been marked immutable. One must clear that attribute first using the chattr -i file-name command.
The following is a list of binaries I deleted and the Red Hat RPM used to replace them.
The "delta of woot-project" exploit also installed /sbin/ipchains-l and pt07 background processes and binaries.
It is important to use the command pstree -p or ps -auxw (once the trojaned versions have been replaced as above) to find rogue processes and kill them: kill -9 process-id
Also restart the inetd/xinetd processes. View which services start at boot: chkconfig --list | grep on
To turn off anonymous FTP, edit /etc/ftpaccess:
The most obvious and important change is to the /etc/passwd and /etc/shadow files. Delete the entry "woot".
Update: The box was hacked again. Probably a trojan back door left behind after the first attack. A DOS (Denial Of Service) network load was generated by launching a process called slice2.
To further clean things up I updated the system with the latest kernel RPM. Let's see if these guys break in again. I'll keep you posted.
I discovered a very clever backdoor: the CGI program /home/httpd/cgi-bin/... had been left behind, hidden well enough that I had not found it the first time. Running the strings command against this executable reveals that it is a method of executing any command supplied by the user via the web. Of course it had the "Sticky" bit set so that it executed with the privilege of root. (Crafty buggers)
A DOS attack was launched from the host against its victims by the hacker. The misnamed process was called squid; it wouldn't die and was re-spawned each time it was killed. The top command was used to identify the process. I removed its line from the file /etc/inittab.
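The three traces described above (the added "woot" account, the set-UID CGI backdoor, and the respawning inittab entry) can each be checked with a short script. The following is an added example, not code from the original tutorial; the sample passwd, inittab and cgi-bin contents are constructed, and the backdoor file name is a placeholder since the real one is not given here.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Three checks for the traces
# the text describes, each a function over a file or directory so it can be
# run against the real /etc/passwd, /etc/inittab and cgi-bin (or copies).
# Everything under $tmp is constructed sample data.

# Accounts the exploit adds or that grant root: the "woot" user and any
# other UID-0 entry besides root.
rogue_accounts() {
    awk -F: '($3 == 0 && $1 != "root") || $1 == "woot" { print $1 }' "$1"
}

# inittab lines marked "respawn": a process started this way comes back
# every time it is killed, which is how the fake "squid" kept running.
respawn_entries() {
    awk -F: '$3 == "respawn" { print $1 ":" $4 }' "$1"
}

# Set-UID executables under a CGI directory: a web-reachable program with
# this bit runs as the file owner (root), as the backdoor did.
setuid_cgi() {
    find "$1" -type f -perm -4000
}

# --- constructed sample data (stands in for the real files) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
woot:x:0:0::/tmp:/bin/bash
greg:x:500:500:Greg:/home/greg:/bin/bash
EOF
cat > "$tmp/inittab" <<'EOF'
id:3:initdefault:
1:2345:respawn:/sbin/mingetty tty1
sq:2345:respawn:/usr/sbin/squid
EOF
mkdir -p "$tmp/cgi-bin"
: > "$tmp/cgi-bin/sample-backdoor"     # placeholder name; the real one is not given
chmod 4755 "$tmp/cgi-bin/sample-backdoor"
: > "$tmp/cgi-bin/printenv"
chmod 755 "$tmp/cgi-bin/printenv"

echo "Rogue accounts:";    rogue_accounts "$tmp/passwd"
echo "Respawn entries:";   respawn_entries "$tmp/inittab"
echo "Set-UID CGI files:"; setuid_cgi "$tmp/cgi-bin"
```

Compare the respawn list against the entries you know you configured; anything unexpected is worth pulling the program apart with strings before removing it.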
At this point, we had no more time to devote to this exercise so we gave up and put in the new drive with a new install.
Hacker IRC: irc.madsite.org:6667 #woot-project
Copyright © 2001 by Greg Ippolito