Hacked? (UPDATE)

From: Peter Elsner (peter_at_servplex.com)
Date: 05/10/03

  • Next message: Olivier Cherrier: "RE: Down the MPD road"
    Date: Sat, 10 May 2003 15:29:58 -0500
    To: freebsd-security@FreeBSD.ORG
    
    

    Update, for those that want to know...

    The attacker used a worm or bot that tried hundreds (if not thousands) of
    connections through smbd (Samba). I was running 2.2.7. I noticed the
    attempts for a week, but the log file always showed "access denied", so I
    wasn't too worried about it. Well, obviously, one of those attempts got
    through...

    At this time, the worm (or bot) modified the modification date with a
    program called systemf (in the /usr/bin directory). This prevented me from
    listing last modification dates (all dates in ls were replaced with the
    letter f).

    Then he created an /etc/rc.local file and added an entry to start inetd and
    a trojaned sshd (on port 44444). I put everything in /usr/local/etc/rc.d
    so I didn't originally have an /etc/rc.local.

    netstat (in /usr/bin) was renamed to netstats and a new netstat (much
    smaller in size) was placed in the /usr/bin directory.
    I'm not really sure what this new netstat did.

    I believe only the /usr/bin directory and /usr/sbin directory were affected
    (after doing quite a bit of research), plus the 2 hidden directories
    that were created and the /etc/rc.local file.

    The trojaned sshd was stored in /dev/fd/.99 or in /usr/lib/.fx (not sure
    which).

    I suspect that the passwd and master.passwd files were then emailed or
    ftp'd to the hacker for later inspection.

    This way, even if I close the Samba hole (which I've done), the trojaned
    sshd that he/she put in place would allow the attacker to get back in
    using any of the passwords in the passwd/master.passwd list.

    Anyway,

    Thanks to all who answered my request for help and more info (both on this
    list and privately).

    I have completely fdisk'ed the drive and re-installed. I'm now restoring
    from last week's master backup.

    Peter

    ----------------------------------------------------------------------------------------------------------
    Peter Elsner <peter@servplex.com>
    Vice President Of Customer Service (And System Administrator)
    1835 S. Carrier Parkway
    Grand Prairie, Texas 75051
    (972) 263-2080 - Voice
    (972) 263-2082 - Fax
    (972) 489-4838 - Cell Phone
    (425) 988-8061 - eFax

    I worry about my child and the Internet all the time, even though she's
    too young to have logged on yet. Here's what I worry about. I worry
    that 10 or 15 years from now, she will come to me and say "Daddy, where
    were you when they took freedom of the press away from the Internet?"
    -- Mike Godwin

    Unix IS user friendly... It's just selective about who its friends are.
    System Administration - It's a dirty job, but somebody said I had to do it.
    If you receive something that says 'Send this to everyone you know',
    pretend you don't know me.

    Standard $500/message proofreading fee applies for UCE.

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
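Added example, not part of Peter's message or of any FreeBSD tool: a small POSIX sh script that turns the artifacts he lists (a new /etc/rc.local starting sshd on 44444, netstat moved aside as netstats next to a smaller replacement, hidden directories /dev/fd/.99 and /usr/lib/.fx) into a repeatable check, alongside a cksum-based file baseline of the kind that would have caught the swapped netstat. Everything takes a root prefix so it can be pointed at a read-only mounted image of the compromised disk from a clean boot; a trojaned ls or netstat on the live box cannot be trusted, as the systemf trick shows. The demo builds a constructed directory tree; the sshd path inside .99 and the sockstat -4l sample lines are made up for the demo and are not from the post.

```sh
#!/bin/sh
# Added example, not part of Peter's post: a minimal file-integrity baseline
# plus a scan for the specific artifacts he describes. Everything takes a ROOT
# prefix so it can be run against a mounted disk image or, as in demo(), a
# constructed directory tree. Only POSIX tools (find, cksum, awk, sort, grep,
# sed) are used, so it behaves the same on FreeBSD and Linux. On a FreeBSD box
# the same job is better done with mtree(8) against a spec from install media;
# a baseline taken on an already-compromised host proves nothing.

# make_baseline DIR OUT: write "relative-path crc size" for every regular
# file under DIR, sorted so two lists can be compared line by line.
make_baseline() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -exec cksum {} +) \
        | awk '{ print $3, $1, $2 }' | LC_ALL=C sort > "$out"
}

# check_baseline DIR BASE: recompute the list and report each path that was
# ADDED, REMOVED or MODIFIED (crc or size differs). Returns 0 only when clean.
check_baseline() {
    dir=$1; base=$2; now=$(mktemp)
    make_baseline "$dir" "$now"
    report=$(awk 'FILENAME == ARGV[1]    { old[$1] = $2 " " $3; next }
        !($1 in old)                    { print "ADDED", $1; next }
        old[$1] != ($2 " " $3)          { print "MODIFIED", $1 }
                                        { delete old[$1] }
        END { for (p in old) print "REMOVED", p }' "$base" "$now")
    rm -f "$now"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# scan_ioc ROOT: look for the artifacts named in the post. Prints one line
# per finding and returns 0 only when nothing is found.
scan_ioc() {
    root=$1; hits=0
    # An /etc/rc.local on a host that keeps its startup scripts in
    # /usr/local/etc/rc.d, and anything in it that starts sshd.
    if [ -f "$root/etc/rc.local" ]; then
        echo "rc.local present: $root/etc/rc.local"; hits=$((hits + 1))
        grep -n sshd "$root/etc/rc.local" | sed 's/^/    rc.local line /'
    fi
    # The real netstat moved aside as "netstats" beside a smaller replacement.
    if [ -f "$root/usr/bin/netstats" ]; then
        echo "netstats present: original netstat moved aside?"; hits=$((hits + 1))
    fi
    # Hidden directories under /dev/fd and /usr/lib (the post names .99 and .fx).
    for d in dev/fd usr/lib; do
        for h in "$root/$d"/.[!.]* "$root/$d"/..?*; do
            [ -d "$h" ] && { echo "hidden directory: $h"; hits=$((hits + 1)); }
        done
    done
    [ "$hits" -eq 0 ]
}

# rogue_sshd_ports FILE: given saved `sockstat -4l` output, print the local
# port of every sshd listener that is not on 22.
rogue_sshd_ports() {
    awk 'NR > 1 && $2 == "sshd" { n = split($6, a, ":"); if (a[n] != "22") print a[n] }' "$1"
}

# demo: build a constructed tree, baseline it, replay the changes described in
# the post (the sshd path inside .99 is a made-up stand-in), and rescan.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc" "$root/dev/fd" "$root/usr/lib"
    printf 'stand-in for the original netstat\n' > "$root/usr/bin/netstat"
    printf 'stand-in for ls\n' > "$root/usr/bin/ls"
    make_baseline "$root/usr/bin" "$root/baseline"
    check_baseline "$root/usr/bin" "$root/baseline" && echo "clean tree: OK"
    mv "$root/usr/bin/netstat" "$root/usr/bin/netstats"
    printf 'much smaller replacement\n' > "$root/usr/bin/netstat"
    mkdir "$root/dev/fd/.99" "$root/usr/lib/.fx"
    printf '/usr/sbin/inetd\n/dev/fd/.99/sshd -p 44444\n' > "$root/etc/rc.local"
    check_baseline "$root/usr/bin" "$root/baseline" || echo "integrity: DIRTY"
    scan_ioc "$root" || echo "ioc scan: DIRTY"
    # Constructed sockstat -4l output with the extra listener.
    printf '%s\n' 'USER COMMAND PID FD PROTO LOCAL FOREIGN' \
        'root sshd 211 3 tcp4 *:22 *:*' \
        'root sshd 9123 3 tcp4 *:44444 *:*' > "$root/sockstat.txt"
    echo "sshd listening off port 22 on: $(rogue_sshd_ports "$root/sockstat.txt")"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh integrity.sh --demo` to see the constructed walk-through. For a real box, take the baseline with make_baseline from a known-good install (or use an mtree spec from the release media) before anything is exposed to the network, store it off-host, and compare against a read-only mount of the suspect disk rather than the running system, since the post shows exactly which userland tools an intruder replaces first.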
